Cyber Warfare Assignment IV

Uploaded by adane

Title: Assignment IV - Cyber Intelligence Management Report

Master of Cybersecurity, AAIT

Prepared By: -
Adane Getnet | GSR/3704/15 [email protected]

Submitted to: - Dr. Festus Assamnew June 3, 2024


Contents
1. Abstract (p. 2)
2. Objectives (p. 2)
3. Introduction (p. 2)
4. Information requirement (p. 3)
4.1. Define Requirements and Success Metrics (p. 3)
4.2. Stakeholder Analysis (p. 3)
4.3. Intelligence Requirements (p. 4)
4.4. Cyber Threat Profile and Requirement-driven Framework (p. 5)
5. Collection of Cyber Intelligence (p. 5)
5.1. Technical Data Collection (p. 5)
5.1.1. SIGINT Data Collection (p. 5)
5.1.2. OSINT Data Collection (p. 8)
5.2. HUMINT Data Collection (p. 8)
6. Analysis and Processing (p. 8)
6.1. Network Traffic Analysis (p. 8)
6.2. SIGINT Traffic Analysis (p. 16)
7. Dissemination and Reporting (p. 18)
8. Conclusion (p. 19)
9. Reference (p. 20)

1. Abstract
Cybersecurity threat, vulnerability, and event information are systematically
gathered, analyzed, and disseminated as part of cyber intelligence management.
The main ideas and recommended procedures for handling cyber intelligence well
are outlined in this document, including everything from collection to
dissemination.

2. Objectives
This assignment aims to provide students with hands-on experience in cyber
intelligence management, covering the entire process from data collection to
the dissemination of actionable intelligence. I engaged in practical exercises that
simulated real-world scenarios, enhancing my skills in collecting data from
various sources, analyzing it for patterns and anomalies, and sharing
intelligence effectively with the relevant stakeholders.

3. Introduction
To proactively detect and neutralize cyber risks, effective cyber intelligence
management necessitates a methodical and structured approach that makes use of
technologies, processes, and knowledgeable analysts. Through the smooth
integration of information gathering, analysis, interpretation, and distribution, the
institution can improve its cybersecurity posture and successfully counter changing
cyber threats.

Figure 1. Cyber Intelligence Management: From Collection to Dissemination

4. Information requirement
This is the first stage of the intelligence management process. Under this process,
all requirements of intelligence management were clearly stated. Defining the
need for Cyber Threat Intelligence (CTI) can indeed be difficult, particularly in
cases where cyber risk or CTI are unfamiliar. To begin conquering this obstacle, it
would be wise to instil a fundamental knowledge of CTI within the organisation's
leadership. Consider the following best practices:

4.1. DEFINE REQUIREMENTS AND SUCCESS METRICS


In this report, I focus on selected parts of the information requirements,
because the assignment instructions did not provide a specific predefined
target. While defining the issues related to intelligence management, I work
on analyzing abnormal threats related to malware analysis. The following are
the key components of comprehensive intelligence management requirements to
consider:

4.2. STAKEHOLDER ANALYSIS


The relevant stakeholders are IT security teams, management, and external
partners. By catering to the specific informational needs of IT security teams,
management, and external partners, the cyber intelligence management process can
be more effective and ensure that all stakeholders are well-informed and prepared
to act on the intelligence provided.

IT Security Teams

- Indicators of Compromise, and Tactics, Techniques, and Procedures of threat actors
- Vulnerability information and patch updates
- Logs and network traffic data
- Malware analysis reports and forensic investigation results
- Real-time alerts and notifications about detected threats, and status updates on
ongoing incidents and response efforts
- Detailed analysis of detected anomalies and threats, and network and system
vulnerabilities and their potential impacts
- Recommended actions and best practices for threat mitigation, and
configuration changes and updates to security policies

Management

- High-level summaries of the current threat landscape and trends
- Risk assessments and potential business impacts
- Summarized reports of major incidents and their resolutions
- Impact assessments and recovery status
- Updates on regulatory requirements and compliance status
- Reports on adherence to security standards and policies
- Recommendations for resource allocation based on threat priorities, and
budget and staffing needs for cybersecurity initiatives

External Partners

- Shared threat intelligence from partner organizations
- Collaborative analysis and joint investigation findings
- Alerts about threats that may impact partner organizations, and information
about widespread vulnerabilities and mitigation strategies
- Shared compliance status, regulatory requirements, and legal considerations
and obligations in incident reporting

4.3. INTELLIGENCE REQUIREMENTS


To detect, respond to, and mitigate security threats and performance
issues affecting their network infrastructure, organizations need robust intelligence
management requirements. For this assignment, that means deploying malware analysis tools and
technologies that continuously monitor network traffic and systems for any signs of
malicious software. By establishing these intelligence management requirements,
organizations improve their ability to detect and respond to malware-related
security threats and performance issues affecting their network infrastructure.

4.4. CYBER THREAT PROFILE AND REQUIREMENT-DRIVEN FRAMEWORK
By developing a comprehensive cyber threat profile and a requirement-driven
framework, organizations can effectively manage cyber risks and enhance their
overall security posture. In this assignment, I do not specify a particular threat
profile because no threat was given.

5. Collection of Cyber Intelligence


The collection phase involves gathering raw data from various sources, including
network logs, threat intelligence feeds, open-source intelligence (OSINT), and
human intelligence (HUMINT). Automated tools such as intrusion detection
systems (IDS), security information and event management (SIEM) platforms, and
threat intelligence platforms (TIPs) play a crucial role in collecting and aggregating
large volumes of data.

5.1. TECHNICAL DATA COLLECTION

5.1.1. SIGINT Data Collection
Target intelligence sources for Signals Intelligence (SIGINT) involve monitoring
various communication platforms and intercepting electromagnetic signals to
gather valuable insights into the capabilities, actions, and intentions of foreign
adversaries. Here are some key target intelligence sources commonly used in
SIGINT operations:
1. Network Traffic Analysis: Monitoring network traffic to and from target
entities' communication networks, including internet traffic, email exchanges,
VoIP (Voice over Internet Protocol) calls, and instant messaging platforms.
Analysis of network traffic patterns, protocols, and content can reveal
valuable information about the target's communication activities,
relationships, and intentions.
I used an open-source dataset from the MAWI team (http://mawi.wide.ad.jp).

- I used an online dataset of botnet traffic that includes both normal and
malicious traffic for the public-dataset analysis in this assignment.
- Gather relevant data sources, including malware samples, network logs, system
artefacts, and any other evidence related to the suspected abnormal threat.
Ensure that data collection follows proper forensic procedures to maintain the
integrity of the evidence.
- MAWI Working Group Traffic Archive
- I used one day of traffic for this assignment out of the six days of trace files.
- At the source, the network traffic data were collected from the transit link
between WIDE and the upstream ISP. This can include packet captures (PCAP files),
NetFlow/sFlow data, or logs from network devices such as routers or switches.
- From this captured network data I detect, respond to, and mitigate security
threats and performance issues affecting the network infrastructure.
- The software used to view the data from the digitizers is Spectrum.
2. Electromagnetic Signal Interception: Intercepting electromagnetic signals
emitted by target entities' communication systems, such as radio
transmissions, satellite communications, and microwave links. This involves
using specialized equipment and techniques to capture, decode, and analyze
electromagnetic signals to extract intelligence regarding the target's
communications, location, and operational activities.
The interception and analysis of radar signals works with the following file types:
- IQ Files: These files contain the in-phase and quadrature components of the
signals, typically captured from SDRs.
- WAV Files: Audio files that may be intercepted and analyzed for voice
communications.
- GPX Files: GPS Exchange Format files that store GPS data.
- KML/KMZ Files: Files used in conjunction with mapping software like
Google Earth to visualize the locations of signal sources.
Here are some of the open-source sites used for this assignment.

- SIGIDWIKI is a comprehensive guide for identifying signals. It includes
sample IQ files and waterfall screenshots for a variety of signals.
- RadioReference is a resource for radio communications enthusiasts. It
includes forums and databases where users share sample IQ files and
recordings.
- Reddit SDR Community: The RTLSDR subreddit is a community of SDR
enthusiasts. Users often share sample IQ files and provide links to resources
for learning and experimenting with SDR.
- SatNOGS is an open-source global network of satellite ground stations.
They provide access to recordings of satellite signals, which can include IQ
data.
Example: sample IQ data at a specified frequency range.

5.1.2. OSINT Data Collection

5.2. HUMINT DATA COLLECTION


Humans are a critical means of collecting intelligence that is not collected
through technology. HUMINT involves the collection of information through direct
interaction with human sources, such as informants, witnesses, experts, or insiders.
Here are some of the tasks that are done by HUMINT:

- Insider threat detection
- Threat actor profiling
- Social engineering awareness
- Cultural and contextual understanding of information warfare
I collected the following list of tools:

- IP lookup tools (https://whatismyipaddress.com/)
- https://www.shodan.io/

6. Analysis and Processing


Once collected, raw data undergoes analysis and processing to extract relevant
intelligence.

6.1. NETWORK TRAFFIC ANALYSIS


Types of tools used for further processing and analysis to extract relevant
information from the collected data:

- Wireshark for further analysis of captured .pcap and .pcapng packets.
- SDM (the WG investigates the approach to media as a service by
virtualization and abstraction of networked media infrastructure.)
- Jupyter, a platform for analyzing and visualizing the collected data.
- Agurim, a network traffic monitor based on flexible multi-dimensional
flow aggregation to identify significant aggregate flows in traffic. Users
can dynamically switch views based on traffic volume, packet counts,
address or protocol attributes, and temporal and spatial granularities. The
supported data sources are pcap, sFlow, and NetFlow.
- HxD hex editor for pattern analysis.

The type of information I want to investigate:

- Protocol
- IP address
- MAC address
- Bytes of a packet
- Application type
- Timestamp
- Average speed of traffic
Analysis of the network data collected from the open-source site stated in the
collection phase above: 202401011400.pcap.gz
- Read the .pcap file using scapy.
- Extract the relevant fields.
- Convert to a Pandas DataFrame.
Since the file is large, it was difficult to analyze it with Python code, so I split
it into multiple files using a CMD command.
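As an added example (not the report's own notebook code), the following Python reads a pcap file and extracts the fields listed above using only the standard library, so it runs offline without scapy or pandas. The sample capture is constructed inline and is not MAWI data; the function names (parse_pcap, to_rows, the frame builders) are my own. The parser also shows the check a practitioner wants when walking a real capture: frames that are not IPv4, or are too short to carry an IPv4 header, are counted and skipped rather than crashing the run.

```python
import struct
from datetime import datetime, timezone

# libpcap file-format constants (microsecond timestamps, Ethernet frames)
PCAP_MAGIC_US = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def pcap_global_header():
    """24-byte libpcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)


def ipv4_frame(src, dst, proto, payload_len):
    """Ethernet + minimal 20-byte IPv4 header + zero payload (constructed test frame)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)  # MAC addresses left zeroed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + b"\x00" * payload_len


def pcap_record(ts_sec, ts_usec, frame):
    """16-byte per-packet header (ts_sec, ts_usec, caplen, origlen) followed by the frame."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def parse_pcap(data):
    """Parse a pcap byte string into per-packet records.

    Returns (records, skipped): records is a list of dicts holding the fields the
    analysis needs (timestamp, src_ip, dst_ip, protocol, length); skipped counts
    frames that are not IPv4 or are too short to carry an IPv4 header.
    """
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xA1B2C3D4 written little-endian
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # written big-endian
        endian = ">"
    else:
        raise ValueError("unsupported pcap magic (only microsecond-resolution pcap is handled)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")

    records, skipped, offset = [], 0, 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, caplen, _origlen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + caplen]
        offset += caplen
        # 14-byte Ethernet header + 20-byte IPv4 header is the minimum we can decode
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            skipped += 1
            continue
        records.append({
            "timestamp": ts_sec + ts_usec / 1e6,
            "src_ip": ".".join(str(b) for b in frame[26:30]),
            "dst_ip": ".".join(str(b) for b in frame[30:34]),
            "protocol": frame[23],   # IPv4 protocol number, e.g. 6 = TCP, 17 = UDP
            "length": caplen,        # captured bytes of the whole frame
        })
    return records, skipped


def to_rows(records):
    """Flatten records to tuples with an ISO-8601 UTC timestamp, the shape that
    pandas.DataFrame(rows, columns=[...]) would take in the notebook."""
    return [(datetime.fromtimestamp(r["timestamp"], tz=timezone.utc).isoformat(),
             r["src_ip"], r["dst_ip"], r["protocol"], r["length"]) for r in records]


# Constructed sample capture (not MAWI data): three IPv4 packets and one ARP frame
# that the parser must skip. 1704117600 is 2024-01-01 14:00:00 UTC.
SAMPLE_PCAP = pcap_global_header() + b"".join([
    pcap_record(1704117600, 0, ipv4_frame("10.0.0.1", "10.0.0.2", 6, 100)),
    pcap_record(1704117600, 500000, ipv4_frame("10.0.0.1", "10.0.0.3", 17, 40)),
    pcap_record(1704117601, 0, b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28),
    pcap_record(1704117601, 250000, ipv4_frame("10.0.0.2", "10.0.0.1", 6, 60)),
])

if __name__ == "__main__":
    recs, skipped = parse_pcap(SAMPLE_PCAP)
    for row in to_rows(recs):
        print(row)
    print(f"{len(recs)} IPv4 packets decoded, {skipped} frame(s) skipped")
```

For a real MAWI trace, read the decompressed file with open(path, "rb") and pass the bytes to parse_pcap; the rows from to_rows drop straight into a DataFrame with columns timestamp, src_ip, dst_ip, protocol and length.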

Analysis and Next Steps: Once the DataFrame is available, I performed various
analyses, such as:

Identifying Patterns: Group by source/destination IP to see the most frequent
communication pairs.
Trend Analysis: Use the timestamp to analyze the traffic over time.
Anomaly Detection: Look for unusual patterns in the data, such as unexpected
source IPs or protocols.
Step 1: Read the data frame.

Step 2: Statistical Analysis

- Frequency Analysis
Identify the most frequent source and destination IPs to find the most active
devices on the network.

- Protocol Distribution
Understand the distribution of the different protocols in your network traffic.

Step 3: Time-Based Analysis and Visualization

- Traffic Over Time
Analyze the volume of traffic over time to identify trends or spikes that may
indicate anomalies.

Create a heatmap to visualize the communication between source and destination
IPs.

Step 4: Anomaly Detection

Apply statistical thresholds and machine learning algorithms to identify anomalies.

Description

- source_ip and dest_ip: These columns represent the source and destination IP
addresses involved in the network communication.
- protocol: This column denotes the protocol used in the communication. In this
case, it is protocol number 6, which corresponds to TCP (Transmission
Control Protocol).
- timestamp: This column shows the timestamp of each communication event.
- timestamp_numeric: This appears to be a numerical representation of the
timestamp, possibly for ease of computation.
- anomaly: This column indicates whether each communication event is
considered an anomaly or not. A value of -1 means that the event is an
anomaly according to the Isolation Forest algorithm.

In conclusion, all the entries are marked as anomalies (-1) for the given source
and destination IP addresses, protocol, and timestamp. This could imply that the
Isolation Forest algorithm has identified this particular communication pattern
as unusual or potentially suspicious.

Step 5: Communication Patterns

Identify the top communication pairs to understand network behavior.

Analyzing the top communication pairs can provide insights into which pairs of
devices are communicating most frequently in the network, helping you understand
the network behavior, detect any abnormalities, and optimize network performance.
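Steps 2 through 5 above (frequency analysis, protocol distribution, traffic over time, anomaly detection and top communication pairs) can all be run on the same list of packet records. The block below is an added example, not the report's notebook: it uses only the standard library, so the Isolation Forest model is replaced by the statistical-threshold variant the report also mentions (a time bin whose packet count sits more than k population standard deviations above the mean is flagged), and the traffic is constructed inline rather than taken from MAWI. The Packet record shape and every function name are my own assumptions. The label_records function reproduces the -1/1 convention the report's anomaly column uses, which makes it easy to see the caveat in Step 4: a label of -1 is only meaningful relative to the baseline the detector was trained on, so when every row scores -1 the baseline, not the traffic, is the first thing to check.

```python
from collections import Counter, namedtuple
import statistics

Packet = namedtuple("Packet", "timestamp src_ip dst_ip protocol length")

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_sample_records():
    """Constructed traffic (not MAWI data): ten minutes of a steady TCP exchange
    between two hosts plus a one-minute UDP burst from an outside address in minute 5."""
    start = 1704117600  # 2024-01-01 14:00:00 UTC
    recs = []
    for minute in range(10):
        t = start + minute * 60
        recs.append(Packet(t + 5, "10.0.0.1", "10.0.0.2", 6, 120))
        recs.append(Packet(t + 35, "10.0.0.2", "10.0.0.1", 6, 80))
        if minute == 5:
            for i in range(20):
                recs.append(Packet(t + 10 + i, "198.51.100.7", "10.0.0.2", 17, 1400))
    return recs


def top_talkers(records, n=5):
    """Frequency analysis (step 2): most frequent source IPs."""
    return Counter(p.src_ip for p in records).most_common(n)


def protocol_distribution(records):
    """Share of packets per protocol, keyed by name (step 2)."""
    counts = Counter(PROTO_NAMES.get(p.protocol, str(p.protocol)) for p in records)
    total = sum(counts.values())
    return {name: c / total for name, c in counts.items()}


def traffic_over_time(records, bin_seconds=60):
    """Packets per time bin, with empty bins filled in so gaps show as zeros (step 3)."""
    counts = Counter(int(p.timestamp // bin_seconds) * bin_seconds for p in records)
    lo, hi = min(counts), max(counts)
    return [(b, counts.get(b, 0)) for b in range(lo, hi + bin_seconds, bin_seconds)]


def flag_anomalous_bins(series, k=2.5):
    """Statistical-threshold anomaly detection (step 4): flag bins whose packet count
    is more than k population standard deviations above the mean. Returns
    (bin_start, count, z_score) triples; a flat series yields no flags."""
    values = [c for _, c in series]
    mean, std = statistics.fmean(values), statistics.pstdev(values)
    if std == 0:
        return []
    return [(b, c, (c - mean) / std) for b, c in series if (c - mean) / std > k]


def label_records(records, flagged, bin_seconds=60):
    """Attach an anomaly label to every packet: -1 inside a flagged bin, 1 otherwise
    (the same convention as the Isolation Forest output in the report)."""
    flagged_bins = {b for b, _, _ in flagged}
    return [(p, -1 if int(p.timestamp // bin_seconds) * bin_seconds in flagged_bins else 1)
            for p in records]


def top_pairs(records, n=5):
    """Communication patterns (step 5): most frequent (source, destination) pairs."""
    return Counter((p.src_ip, p.dst_ip) for p in records).most_common(n)


if __name__ == "__main__":
    recs = build_sample_records()
    print("top talkers:", top_talkers(recs, 3))
    print("protocols:", protocol_distribution(recs))
    series = traffic_over_time(recs)
    flagged = flag_anomalous_bins(series)
    print("flagged bins:", flagged)
    labels = label_records(recs, flagged)
    print("packets labelled -1:", sum(1 for _, lab in labels if lab == -1))
    print("top pairs:", top_pairs(recs, 3))
```

On the constructed data the burst minute is the only flagged bin, and the 22 packets in it (20 UDP plus the two regular TCP packets) get the -1 label, which is the expected behaviour of a bin-level detector: it marks the interval, not the individual offending flows, so the top_pairs output is what attributes the spike to 198.51.100.7.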

Using the open-source tools listed in the OSINT collection phase, I observed the
anomalous IP address.

6.2. SIGINT TRAFFIC ANALYSIS

Tools

- SDR# (SDRSharp): A popular SDR software package for Windows.
- Wireshark: Though primarily used for network packet analysis, it can be
used to analyze digital signals.
- MATLAB: Provides extensive toolboxes for signal processing and analysis.
As stated in the SIGINT data collection phase, I used Russian HF data for this
assignment, so I analyzed that signal. I installed SDR# to analyze it.

The tool was used to:
- Apply filters to remove unwanted noise and interference
- Visualize the spectrum
- Identify patterns
- Apply anomaly detection algorithms to identify unusual signal segments on
the spectrogram and waterfall plots
From this analysis process we got the following findings:

- Frequency: 12.176 MHz, 16.257 MHz, 16.259 MHz
- The data transmission is apparently OFDM (Orthogonal Frequency-Division
Multiplexing)
- Bandwidth: 3.2 kHz, 24 kHz, 48 kHz
- Content type: continuous carrier for transmitting HF data communication

7. Dissemination and Reporting
Dissemination of intelligence results to relevant stakeholders, such as law
enforcement agencies, executives, and IT security teams, is the focus of the
dissemination phase. In this phase the following qualities are essential for enabling
decision-making and response to cyber threats:

- Timely reports
- Accurate reports
- Relevant reports
- Clear reports
Dissemination methods can vary depending on the nature of the information and
the audience's preferences. Common dissemination channels include emails,
newsletters, reports, presentations, websites, social media, conferences, workshops,
and more.
Network traffic and SIGINT data were examined in this assignment to ensure that
the entities listed below are the correct intelligence holders.
- IT Operations Team
- Security Operations Center (SOC)
- Network Engineers/Administrators
- Executive Management
- Third-Party Vendors/Service Providers
- End Users
Reporting provides insights, analysis, or updates to stakeholders to aid
decision-making or understanding of a particular subject matter. Reports can be
generated periodically (e.g., daily, weekly, monthly, quarterly) or on an ad-hoc
basis, depending on the requirements. From this perspective, these network and
SIGINT findings will be reported daily.

8. Conclusion
In conclusion, cyber intelligence management is a critical component of modern
cybersecurity strategies, empowering organizations to stay ahead of cyber threats
and protect their digital assets. By adopting a systematic approach to collecting,
analyzing, and disseminating intelligence, organizations can enhance their
resilience to cyber-attacks and safeguard their information assets.

9. Reference
1. http://mawi.wide.ad.jp/mawi/samplepoint-F/2024/202401121400.html
2. SDR# and Airspy Downloads - AIRSPY
3. https://forums.radioreference.com/
4. https://account.shodan.io/
5. https://whatismyipaddress.com
