by Monty St John
Intent. It’s all about attention, or resolve if you prefer. It’s equally a discussion of focus and the point behind performing an action. Those reasons are key points behind the inclusion of Intent, the “I” in CHRIME, in the first place. It speaks to the “why”, something always asked in the context of an event. After all, who hasn’t, as an intelligence analyst, been asked the question “why did this happen?”, or “why did they attack us?”. Intent also applies to the other side of the attack wheel. Why did the adversary take a specific action, or why did a series of events happen in the particular order observed? It’s intent that defines that course of thought. Intent can be specific, like erecting a phishing site that uses a slightly misspelled version of your own domain alongside a duplicate of your content. Intent can also be indeterminate, where the aim and focus behind the events you can observe are cloudy—those are instances where you know actions have happened, but can’t prove or clearly identify the focus. Insiders are great examples of cloudy intent. Were their actions purposeful, leading to an educated act of compromise, or accidental? The three-hour session they left open to a website where suspicious activity occurred — was it purposeful or an accident of misfortune?
The eyes are windows to the soul
The metaphor doesn’t lie; the eyes truly tell reams of data about a person. Intent sits in the middle of CHRIME because it’s important, but needs context around it to be functional. Intent in CHRIME has a duality, where you look at the overt actions while at the same time observing the deeper, hidden meaning that might be present. Some use cases to consider:
- Malware is found on a workstation. Malware, by implication, has a default intent. Malware is crafted to steal, damage or destroy. That’s the overt intent. Its deeper, more subtle purpose could be to act as a beachhead for another attack, to be a part of something greater; or it could be a misdirected, random act that caused damage but whose intent was focused elsewhere.
- Stolen credentials are located for sale and trade in an underground market. The overt, initial intent is for the adversary to gain resources (make money) or influence (show off their chops). The deeper meaning might be to offload credentials no longer needed, which could lead to many interesting paths of investigation about how the credentials were acquired, when, and so forth.
- A business email compromise (whaling) attack is made against your chief financial officer. The overt implication is to gain money (resources) by social engineering. While it could be prestidigitation and misdirection, it’s likely exactly what it depicts overtly.
Why defining Intent is needed
CHRIME demands you define intent for the simple reason that you are going to do so anyway, and it should be a planned activity if it’s going to happen. Intent will be a question asked, either by you, the analyst, or by the person who requested the action. Example: the Security Operations Center asks you to re-investigate a domain that was previously blocked because an employee is asking for access to it. The original intent behind the block is important, just as the intent of the domain and its usage is important. A block put in place because a phishing event happened in the past is appropriate, but is likely temporal in nature. This class of events contains a lot of criminally appropriated (stolen) domains whose mainline purpose is not phishing. Therefore, intent is very important here. A domain whose WordPress installation is compromised to act as a phishing site has a temporary malicious intent, but not a long-term, deep one. Its true intent is to deliver non-malicious content, not the other way around. So, a block might be appropriate, but should have a sunset on it, so once the infection is cleaned up it can be freed of the block.
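The re-investigation scenario above, as an added worked example (this is not code from the article or from CyberDefenses): a blocklist entry records why a domain was blocked and which of two intent classes it fell into, and a review function decides whether to keep, lift or re-investigate the block. The intent-class labels, the `BlockEntry` and `Decision` names, and the sample entries are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Intent classes for a blocked domain. The labels are this example's own, not CHRIME terms.
COMPROMISED_LEGITIMATE = "compromised-legitimate"   # e.g. a hacked WordPress site hosting a phishing page
PURPOSE_BUILT_MALICIOUS = "purpose-built-malicious"  # e.g. a look-alike domain registered only to phish


@dataclass
class BlockEntry:
    domain: str
    reason: str                 # why the block was put in place
    intent_class: str           # one of the two classes above
    blocked_on: date
    sunset_days: Optional[int]  # None means the block was recorded without a sunset


@dataclass
class Decision:
    action: str      # "keep", "lift" or "re-investigate"
    rationale: str   # the intent reasoning behind the action, for the ticket


def sunset_date(entry: BlockEntry) -> Optional[date]:
    """Date on which a temporary block should be re-examined, or None if no sunset was set."""
    if entry.sunset_days is None:
        return None
    return entry.blocked_on + timedelta(days=entry.sunset_days)


def review_block(entry: BlockEntry, today: date, cleanup_verified: bool) -> Decision:
    """Decide what to do with an existing block when someone asks for the domain back.

    cleanup_verified: whether the compromise on a legitimate site has been confirmed removed.
    """
    if entry.intent_class == PURPOSE_BUILT_MALICIOUS:
        # A domain that exists to do harm has no temporary intent to wait out.
        return Decision("keep", f"{entry.domain} exists to do harm; its intent does not expire")

    deadline = sunset_date(entry)
    if cleanup_verified:
        # The malicious intent was borrowed from the infection; once it is gone, so is the reason to block.
        return Decision("lift", f"compromise on {entry.domain} cleaned; its temporary malicious intent has passed")
    if deadline is None:
        return Decision("re-investigate", f"{entry.domain} was blocked as a compromised site without a sunset; set one and re-check")
    if today >= deadline:
        return Decision("re-investigate", f"sunset {deadline} for {entry.domain} reached but cleanup not verified")
    return Decision("keep", f"block on {entry.domain} holds until {deadline} unless cleanup is verified earlier")


# Constructed sample entries (not real domains or incidents).
SAMPLE_ENTRIES = [
    BlockEntry("example-blog.invalid", "hosted credential phishing page", COMPROMISED_LEGITIMATE,
               date(2024, 1, 10), sunset_days=30),
    BlockEntry("examp1e-login.invalid", "look-alike of our login portal", PURPOSE_BUILT_MALICIOUS,
               date(2024, 1, 12), sunset_days=None),
    BlockEntry("partner-site.invalid", "redirected to phishing kit", COMPROMISED_LEGITIMATE,
               date(2024, 1, 15), sunset_days=None),
]


def review_all(today: date, cleaned: dict) -> dict:
    """Review every sample entry; `cleaned` maps domain -> whether cleanup was verified."""
    return {e.domain: review_block(e, today, cleaned.get(e.domain, False)) for e in SAMPLE_ENTRIES}


if __name__ == "__main__":
    for domain, decision in review_all(date(2024, 2, 20), {"example-blog.invalid": True}).items():
        print(f"{domain}: {decision.action} ({decision.rationale})")
```

The decision is driven by the intent class first and the calendar second: a purpose-built phishing domain never earns a lift, while a compromised legitimate site is freed as soon as the cleanup is confirmed, and a temporary block that was never given a sunset is flagged so the gap in the original record gets fixed.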
Getting down to it
Defining intent. When defining CHRIME, it struck us that defining intent wasn’t necessarily a commonplace skill. To do so, you need to consider two primary tests. First, intent is born out of planning, where a person (singly or in a group) visualizes an outcome to an action. Second, the will to perform the action exists. If both can be defined, then intent exists. Overt intent is what you can immediately or causally see. Deeper intent comes from examination, usually over a series of iterations of the actions and results. Some examples are easy, such as the bouma of a domain, e.g., misspelled by a single letter, hosting content that mimics your own. That’s a pretty easy intent to read, especially if the actions there focus on stealing credentials or information from users. Probing of your web application firewall (WAF) for vulnerabilities? On the surface, the overt action is that they are looking for a weakness. Deeper intent? They could be a researcher performing a public service, or someone with deeper hate and intent, focused on finding a way in to do something more malicious. Intent is hidden in fog here, and needs to be navigated with care so as not to get lost or end up in the wrong location.
As you may have gathered, I’ve split intent two ways. The first is a quick, high-level glance at the action and outcome, with a thought to what it means. That’s the overt intent. For CHRIME, defining overt intent is step one. If that, combined with the initial stage of each of the other CHRIME initials, meets the requirements to support a decision point, then it’s sufficient. If not, then a deeper look is required. This deeper intent looks further into what’s occurring. It’s always encouraged for complicated decisions and should be entertained for even the simplistic ones, e.g., should I block this email address that just sent us phishing?
Legal definitions of Intent
It’s worth noting that the laws of several countries have endless reams of definition around intent and tests to measure it. These tend to work very well in a legal setting, but less well in a cyber one. They include basic and specific intent, direct and oblique intent, unconditional and conditional intent, and purposeful and knowledge-based intent. These may be necessary to explore and meet if the situation warrants it: an incident that might evolve into a criminal case, go to court, or be swept up in criminal proceedings is one where understanding and handling the tests involved is appropriate.
Methods and Means
Observe, Orient, Decide, Act, or the OODA Loop, is perhaps the best tool to use when examining intent. Plenty of others exist and should be used in combination with OODA. Since the majority of our data stems from observation (or inference), however, OODA leads properly into examination via this technique. Collecting your observations and then understanding them in context—the “Orient” of OODA—drives your understanding of intent. This section of OODA is a gestalt of history, reputation, your vantage point, the “placement” of the examined, analysis and plenty more. The clueless but necessary savant who works in your company, but keeps going to the wrong websites out of thoughtless desire, can be a tough nut to crack when it comes to intent. Without the gestalt of understanding about them, they may look like an insider acting with dangerous intent, instead of an unintentional one.
A second, important concept here is understanding how to disambiguate intent. When intent is ambiguous, it means it can be interpreted more than one way. A series of failed log-in attempts within a short period of time can look like a brute force attack, a misconfiguration, someone failing to log in and re-attempting to do so multiple times, and plenty of other scenarios. The disambiguation process starts at this point. A key function of the disambiguation process is a review to understand the other information present and the meaning of that information. Each element of known information influences the intent until it reaches a point of maximum plausibility and coherence. The clueless savant is recognized as such from the accompanying information, instead of from the cold facts of observed malicious activity found in network traffic analysis.
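The failed-login disambiguation just described, as an added example that is not part of the original article or of CHRIME itself: competing intents (brute force, user error, misconfiguration) are scored against the accompanying evidence for each source address, and the most plausible one wins. The log format, the field names, the scoring weights and the sample lines are all constructed for this example; a real deployment would read the format its own authentication system emits.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed authentication log (syslog-like); not from any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth: user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:04 auth: user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:09 auth: user=alice src=10.0.0.5 result=OK
2024-03-01T09:10:00 auth: user=svc-backup src=10.0.0.40 result=FAIL
2024-03-01T09:15:00 auth: user=svc-backup src=10.0.0.40 result=FAIL
2024-03-01T09:20:00 auth: user=svc-backup src=10.0.0.40 result=FAIL
2024-03-01T09:25:00 auth: user=svc-backup src=10.0.0.40 result=FAIL
2024-03-01T09:30:00 auth: user=svc-backup src=10.0.0.40 result=FAIL
2024-03-01T09:30:00 auth: user=bob src=203.0.113.9 result=FAIL
2024-03-01T09:30:01 auth: user=carol src=203.0.113.9 result=FAIL
2024-03-01T09:30:01 auth: user=dave src=203.0.113.9 result=FAIL
2024-03-01T09:30:02 auth: user=admin src=203.0.113.9 result=FAIL
2024-03-01T09:30:02 auth: user=root src=203.0.113.9 result=FAIL
2024-03-01T09:30:03 auth: user=erin src=203.0.113.9 result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) auth: user=(\S+) src=(\S+) result=(OK|FAIL)$")


def parse(text):
    """Turn log lines into (timestamp, user, src, result) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def group_by_source(events):
    """Observations are oriented per source address, the unit the analyst is asked about."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[2]].append(ev)
    return groups


def assess(group):
    """Score the competing intents for one source's events.

    Returns (most plausible intent, scores, evidence). Each piece of accompanying
    information nudges a score; the weights are illustrative, not calibrated.
    """
    scores = {"brute-force": 0.0, "user-error": 0.0, "misconfiguration": 0.0}
    evidence = []
    fails = [e for e in group if e[3] == "FAIL"]
    successes = [e for e in group if e[3] == "OK"]
    users = {e[1] for e in group}
    span = (group[-1][0] - group[0][0]).total_seconds()
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(group, group[1:])]

    if len(users) >= 3:  # many distinct accounts from one place: spraying, not a forgetful user
        scores["brute-force"] += 2
        evidence.append(f"{len(users)} distinct accounts tried")
    if fails and span / len(fails) < 2:  # faster than a person types
        scores["brute-force"] += 1
        evidence.append("attempts arrive faster than a person could type")
    if successes and len(fails) <= 3 and len(users) == 1:  # a few misses, then in
        scores["user-error"] += 2
        evidence.append("single account, few failures, then a success")
    if len(users) == 1 and next(iter(users)).startswith("svc-"):  # service account naming convention
        scores["misconfiguration"] += 1
        evidence.append("account follows the service-account naming convention")
    if len(gaps) >= 3 and min(gaps) >= 60 and max(gaps) - min(gaps) < 1:  # scheduler-like regularity
        scores["misconfiguration"] += 2
        evidence.append("failures recur on a fixed schedule with no success")

    best = max(scores, key=scores.get)
    return best, scores, evidence


def disambiguate(text):
    """Map each source address to its most plausible intent."""
    return {src: assess(grp)[0] for src, grp in group_by_source(parse(text)).items()}


if __name__ == "__main__":
    for src, grp in group_by_source(parse(SAMPLE_LOG)).items():
        best, scores, evidence = assess(grp)
        print(f"{src}: {best} {scores} <- {'; '.join(evidence)}")
```

The same cold fact, a run of failed logins, resolves three different ways here only because of the information around it: who was tried, how fast, whether a success followed, and whether the rhythm looks like a scheduler rather than a person. That accompanying information is what the Orient step of OODA supplies, and it is what separates the clueless savant from the adversary.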
We began with a phishing event as an example. Phishing, especially in the example case of a credential phishing event that is one of a series of events aimed at garnering credentials from our enterprise, has a simple overt intent. The deeper intent is a sustained campaign against us. If we cannot find evidence of other companies being targeted by the same campaign, it’s healthy to assume it’s targeted at us. That raises the risk and angles our estimation of intent towards a goal of breaking into the enterprise to do further actions: any of the three of damage, destruction or theft.
Overt Intent (credential theft):
- Form that steals credentials
- Phishing across hundreds of employees
Deeper Intent (likely future or near-future break-in attempt):
- Part of a sustained campaign
- Looks to be singly focused
- Employee targeting is broad but focused on individuals with special access
We also use CHRIME in our daily work, and you can find me talking about it at ISSA and at conferences pretty much year round. In fact, CyberDefenses believes in this technique so much that we have a full-day training course dedicated to it. You can find out about our offerings on CHRIME and other topics via this link: www.cyberdefenses.com/academy/.
This also ends the 4th discussion on the History component of CHRIME. If you missed the other articles on CHRIME in this series, you can find the rest of the series on our blog.