How the pooling of cyber intelligence improves the fight against attacks


Since 2020, the DGSI (General Directorate for Internal Security, which depends on the Ministry of the Interior) has set up a recruitment stand at the FIC (International Cybersecurity Forum) in Lille. A clear way to show that intelligence services are always looking for skills in computer security.

But the intelligence services are also present at the SSTIC in Rennes (Symposium on the security of information and communications technologies) or other technical conferences. The DGSI and the DGSE are indeed major R&D players in cybersecurity, as is Anssi.

CTI (Cyber Threat Intelligence), the discipline devoted to knowing, defending against and anticipating cyber risks, is therefore the business of state organizations such as NIST, just as much as of IT security vendors or specialized associations such as MITRE.

Standardized tools

Any cyberattacker leaves traces of their malicious activity: this is Locard's exchange principle. These traces make it possible to deduce the attack techniques used and to understand how a vulnerability works. Put together, this data reveals which group of attackers uses which modus operandi (their tactics, techniques and procedures, or TTPs), and sometimes even allows the origin of the attack to be attributed. For example, it is possible to detect that cybercriminal groups from North Korea are attacking casinos in South America or banks in Asia with certain types of tools such as DarkComet.

To help standardize these investigative methods, MITRE has developed a framework, MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge), which classifies the tactics and associated techniques used by attackers. The organization also contributed to the creation of STIX (Structured Threat Information eXpression), a standard format for exchanging threat information.

Also worth noting is the emergence of collaborative, open source initiatives such as MISP and OpenCTI (initiated by Anssi), which make it possible to share these indicators and information about attackers and their methods.

The community and its various contributors therefore tend to standardize tooling, both to facilitate exchanges and to reduce detection times and improve understanding of the chain of events behind an attack.

State structures open to information sharing

The objective of these standardization initiatives is to facilitate communication between all actors in the fight against cybercrime. While vendors and associations, particularly in the open source world, have long taken part in this sharing, state structures have long been more discreet.

Today, they contribute more and more to exchanges by feeding their information back to the community. They also communicate publicly about their actions. For example, Anssi, which closely scrutinizes attacks on OIVs (operators of vital importance), publishes to a certain extent the results of its research through CERT-FR advisories. These are available at different levels of confidentiality: for the general public, but also for targeted companies and actors in the fight against cybercrime. Challenges offered by the intelligence services to cybersecurity specialists, such as those of the DGSE or the DGA, can also be found online.

This accumulated knowledge notably allows a forensic analyst to focus their investigation. For example, if a healthcare company experiences exploitation of the CVE-2020-10189 vulnerability, the analyst can make the following investigative hypothesis: the attacking group could be APT41. They can therefore look for traces of execution of Mimikatz but also of Windows Credential Editor, which are the credential-recovery techniques used by that group.
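The pivot just described, as an added example that is not code from the article: a STIX 2.1 bundle (the exchange format mentioned earlier) written as plain JSON, then a lookup that goes from an observed CVE to the intrusion sets recorded as targeting it and on to the techniques and tools they use. The bundle, its UUIDs and the relationships are constructed for illustration; T1003 is the ATT&CK ID for OS Credential Dumping, the technique that Mimikatz and Windows Credential Editor implement.

```python
import json


def sid(kind, n):  # constructed STIX ids (kind--uuid), not real object ids
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"


# Constructed sample bundle mirroring the article's APT41 / CVE-2020-10189
# hypothesis. Relationship types follow STIX 2.1: an intrusion-set "targets"
# a vulnerability and "uses" attack patterns and tools.
BUNDLE_JSON = json.dumps({"type": "bundle", "id": sid("bundle", 0), "objects": [
    {"type": "intrusion-set", "id": sid("intrusion-set", 1), "name": "APT41"},
    {"type": "vulnerability", "id": sid("vulnerability", 2), "name": "CVE-2020-10189",
     "external_references": [{"source_name": "cve", "external_id": "CVE-2020-10189"}]},
    {"type": "attack-pattern", "id": sid("attack-pattern", 3), "name": "OS Credential Dumping",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}]},
    {"type": "tool", "id": sid("tool", 4), "name": "Mimikatz"},
    {"type": "tool", "id": sid("tool", 5), "name": "Windows Credential Editor"},
    {"type": "relationship", "id": sid("relationship", 6), "relationship_type": "targets",
     "source_ref": sid("intrusion-set", 1), "target_ref": sid("vulnerability", 2)},
    {"type": "relationship", "id": sid("relationship", 7), "relationship_type": "uses",
     "source_ref": sid("intrusion-set", 1), "target_ref": sid("attack-pattern", 3)},
    {"type": "relationship", "id": sid("relationship", 8), "relationship_type": "uses",
     "source_ref": sid("intrusion-set", 1), "target_ref": sid("tool", 4)},
    {"type": "relationship", "id": sid("relationship", 9), "relationship_type": "uses",
     "source_ref": sid("intrusion-set", 1), "target_ref": sid("tool", 5)},
]})


def related_names(objects, rels, src_id, rel_type, target_type):
    """Names of target_type objects reached from src_id over rel_type edges."""
    hits = (objects.get(r["target_ref"]) for r in rels
            if r["source_ref"] == src_id and r["relationship_type"] == rel_type)
    return sorted(o["name"] for o in hits if o and o["type"] == target_type)


def hypothesize(bundle_text, cve_id):
    """Map each intrusion set targeting cve_id to the techniques and tools it uses."""
    objects = {o["id"]: o for o in json.loads(bundle_text)["objects"]}
    rels = [o for o in objects.values() if o["type"] == "relationship"]
    vuln_ids = {o["id"] for o in objects.values() if o["type"] == "vulnerability"
                and any(ref.get("external_id") == cve_id
                        for ref in o.get("external_references", []))}
    hypotheses = {}
    for r in rels:
        actor = objects.get(r["source_ref"])
        if (r["relationship_type"] == "targets" and r["target_ref"] in vuln_ids
                and actor and actor["type"] == "intrusion-set"):
            hypotheses[actor["name"]] = {
                "techniques": related_names(objects, rels, actor["id"], "uses", "attack-pattern"),
                "tools": related_names(objects, rels, actor["id"], "uses", "tool")}
    return hypotheses
```

The same lookup runs unchanged over a bundle exported from MISP or OpenCTI, since both emit STIX 2.1 with these relationship types.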

Initiatives that complement security solutions

All CTI platforms support the STIX format. Major vendors contribute to the fight against cybercrime by collecting and disseminating critical information from their own research, which may also draw on techniques used by the intelligence services. In the same spirit, vendors of network solutions, present in most companies, collect information and take part in CTI.

The information shared by this ever-growing number of players, on an ever-growing number of attacks, has a positive effect: incidents can be capitalized on to better analyze trends and anticipate risks. Thus "Ransomware-as-a-Service", very fashionable today among cybercriminals, will evolve into other types of techniques. However, identifying the next threats does not mean that we can escape them. Ransomware attacks on hospitals are a perfect example: the growing threat has been known for several years, but their lack of means in terms of cybersecurity solutions (their priority being intensive care beds rather than firewalls) makes them prime targets for attackers. CTI is therefore inseparable from the deployment of advanced and up-to-date security tools.