How to Get into Intelligence and How I Found a Security Whoopsie
Be wary when you order beer online! Don’t drink and intelligence!
CyBeer of The Week: Brewdog vs Northern Monk’ The Vermont Sessions’
Metal Artist of The Week: Linkin Park
It’s another glorious week in the world of cyber intelligence, and with that – it’s time for the latest ramblings of a metal-loving, beer-drinking Chelsea fan. So let’s get down to business, shall we? First up this week the coveted CyBeer of the week goes to ‘The Vermont Sessions’ collaboration between Brewdog and Northern Monk. This hazy New England style IPA is like all your Christmases come at once. It’s fruity, it’s hoppy, the mouth-feel is just right, and I am just sad there’s not more in the local supermarkets near where I live. It’s an absolute stunner. Try it. You will not regret it.
For this weeks metal artist, I’m running with the wonderful Linkin Park. The band have released a brand new track that includes the late Chester Bennington on vocals. The new track has a relaxed, mellow vibe, and while it’s not their best song – it’s great to hear something new from the band in the wake of the tragic suicide of Chester. Please go check it out and see what you think!
Security Whoopsie, you say?
So let’s get into the meat and bones of this weeks post. Firstly, I want to get into a recent interaction I’ve had following the identification of a security flaw on a website entirely by accident. So let’s paint the picture: It’s a Friday afternoon, you’re absolutely gasping for a real beer. Being asthmatic and living in London it’s probably not in your best interest to visit the pub. Then you remember! Favourites of your beloved blogger, Brewdog have a relatively new delivery service Brewdog Now! Aha! This is how you get yourself some of that sweet amber deliciousness. A quick download of the app and straight into ordering some of the good stuff. Easy. Delicious. Wonderful.
A few days later, I tried to log in to the same service via the website on my computer. Unable to login I attempt a password reset, it doesn’t work, but the app works on the phone, and I think it must just be a bug or something—no big deal. Until a few days later, I log into a different website, which uses multi-factor authentication. When I log in, though, I get a message from my web browser (Chrome) that my ‘password’ has been exposed in a data breach.
A little concerned that I didn’t receive any notification of a new breach from Have I Been Pwned or SpyCloud who both offer data breach alerting services for free, I check my password for the site from last pass. I do this by copying the password and simply pasting it into my address bar, so I can see what it is (and if it’s randomly generated or something I’ve set manually).
Now, forgive me – But this password is one I’ve re-used, which I usually only do when it’s something I might access on a different device that may not have last pass installed. Take that slight indiscretion away though, and I get a slightly uncomfortable suggestion appearing in my address bar.
Here it comes
Where I’d pasted the password into the address bar to see what it is, a URL for the Brewdog Now service appeared as a suggested site. This URL contained not only my password but also my email address and one-time password from when I tried to reset my password previously. All this data was available in plaintext and was sent as an HTTP request. This is definitely not cool.
Best Be Sure
So I went back to the Brewdog Now site and tried again to test my suddenly discovered hypotheses. Sure enough, a new code was received but whatever I entered on the password reset screen was being sent in the URL without any obfuscation or encryption whatsoever. So I did what any self-respecting and ethical cybersecurity professional would do. I started blasting the company on Twitter to get my ego massaged wrote an internet letter! Directing the email to the companies support team and the CEO on LinkedIn (he still hasn’t accepted my connection request, though).
I explained what and how I found the flaw, why it’s not a good look and could potentially land the company in some bother. Particularly if a nefarious actor were to discover said data leakage. It’s probably a low-risk on the whole, but we’re here to encourage best practice, and I don’t want my details stolen if I can avoid it. So this felt like the right way forward.
I felt like this could have been a simple oversight as the service was stood up pretty rapidly in the wake of COVID-19. And when things are rushed through there’s always the chance for a few things to get missed to try and get things up and running as soon as possible. I should also mention that a third-party, Hungrrr actually powers the Brewdog Now service. Still, as it’s Brewdog’s branding on the site, I thought they should be the first port of call (and I also have no idea if Brewdog is running it themselves or if Hungrrr does it on their behalf).
I also figured that by going through Brewdog that I’d get to the right person on their end to ensure the problem could be rectified. And sure enough – Within 48 hours I’d had emails back from the company who were looking into it. I had a call from a chap called James (not the CEO) who wanted to reassure me that the issue was being resolved. It transpired that this issue was apparent across all of Hungrrr’s customers and not just Brewdog. This to me was a gratifying moment, as although Brewdog are probably Hungrrr’s largest client, knowing that the flaw I’d found was also affecting many others. Seeing first-hand the subsequent fix felt like I’d be able to do some good, which is incredible.
This experience for me has helped to prove why security professionals should always follow the ethical path and look to do the right thing when they become aware of issues. I could easily have tweeted this out and got a few likes/followers, but the real impact would have been felt by people who wouldn’t even know their data was being exposed. By reporting this to Brewdog, who then went to Hungrrr, this issue was comfortably resolved, and no harm was done. Everyone wins. The response I had from Brewdog, and subsequently, Hungrrr in implementing the fix has been excellent. Both companies stepped up to their responsibility. Which is good for me, as a massive Brewdog fanboy (if you hadn’t noticed). I’m delighted to see they take security seriously. I don’t think I get a CVE number out of it, but that’s ok!
Intelligence – Where do you start?!
The other thing I wanted to cover this week was how to get started in intelligence. Since starting the site, and through LinkedIn/Twitter/other groups I have been seeing a lot of people starting to ask more questions about how they can learn or get into intelligence jobs, so it seemed like a good topic for a blog.
Intelligence – The Essentials
If you’re thinking of moving into an intelligence role or you think that’s where your career may go in the future, there are a few things you need to be aware of. Firstly, it is a relatively new, still growing industry. This is great because it’s exciting and there’s always something new to think about or learn. However, it also means that a lot of people and companies will have different opinions on what intelligence means compared to each other. This is something I see more in the CTI (cyber threat intelligence) space compared to OSINT (open-source intelligence) but is worth bearing in mind.
You probably want to figure out what kind of intelligence you want to be doing as well. Depending on what interest or motivates you, you might need to consider only public-sector/law enforcement/military work. There are many types of intelligence, but in the private sector, it’s a fledgeling industry. For example:
- SIGINT (Signals Intelligence)
- HUMINT (Human Intelligence)
- GEOINT (Geospatial Intelligence)
- IMINT (Image Intelligence)
- MASINT (Measurement & Signatures Intelligence)
The above types of intelligence collection are predominantly the preserve of the public-sector agencies, law enforcement or military. Of course, as technology evolves, we see the lines blur more and more. However, the following types of intelligence are becoming more prevalent in the industry and across the private sector:
- CTI (Cyber Threat Intelligence)
- OSINT (Open-Source Intelligence)
Of course, the publicly funded agencies and organisations also employ these methods. Still, if we look at purely employment opportunities, you are far more likely to find roles in CTI or OSINT than you would in SIGINT or HUMINT. That’s not to say they don’t exist, they’re just infrequent and usually require a high-level security clearance. And even then it’s likely to be contract work which could be very short-term.
Gimme Some of Those Secrets Though
If you think you want to go down the publicly funded route, you usually have a range of options. Here in the UK, we have three intelligence agencies, regional law enforcement (as well as the National Crime Agency) or the Military (and across our Army, Air Force and Navy a range of intelligence roles). You will usually find positions advertised across all of these areas, and in some instances, local councils will also recruit for intelligence analysts or officers.
The good news about these roles is that they can be very, very rewarding, and you can usually land a role without having any previous experience in intelligence (at least this is true for starter roles). The flip side, of course, a lot of intel roles in any publicly-funded national security type position, will require you to hold or undergo DV clearance. This can be a very long, intrusive process, and there are no guarantees that you will be approved at the end of it. You must be honest in this process, and you must have a handle on things like your personal finances. it all matters. The process is designed so a malicious actor can’t exploit you, so be truthful, no matter how embarrassing or uncomfortable it may be.
These kinds of roles also open opportunities to work across different areas of expertise, different types of approaches, technology or disciplines. It’s a good option for anyone starting in the world of intelligence.
Show Me The Money
One thing about any public sector work though, is that you can usually find a comparable role in industry that pays more (sometimes, a lot more). Of course, these roles will often demand a certain level of experience, familiarity with tools or approaches and sometimes security clearance. These are not things you usually just have so you need to get that experience somewhere. So in our assumption of someone either starting out or moving into intelligence from another discipline, there are some fundamental things to understand. The following will hold true across all intelligence collection disciplines, so are the baseline for any wannabe intelligence analyst:
- The Intelligence Cycle
- Intelligence Requirements
- Cognitive Biases
- Intelligence Reporting
- Analysis of Competing Hypotheses (ACH)
If we look at CTI as a separate discipline, you’ll also want to be familiar with:
- The pyramid of pain
- Structured Intelligence (STIX/TAXII, Bro, MISP etc.)
- Mitre ATT&CK Framework
- Diamond Model of Intrusion Analysis
- Cyber Kill Chain (less so nowadays, but worth being familiar with)
- Yara Rules
Now bear in mind, this is even before we think about tools or analysing any data. The good news, however, is that a lot of these ideas and fundamentals are intuitive and support each other. For example, you can use the ATT&CK framework to represent threat actor Tactic, Techniques & Procedures (TTPs) using STIX. This may not make sense right now, but once you’ve had time to familiarise yourself with the ideas, I’m sure they will.
So where do you start?
If I were just starting out, and I’d decided I wanted to work in intelligence. I’d look for either a junior/trainee/apprentice/graduate position in the private sector or a similar role in the public sector (depending on if the nature of the work in the public sector is more appealing to you or not). To give me the best chance of success, I’d ensure I was familiar with the baseline knowledge requirements above.
You don’t need to be an expert, but understanding the intelligence cycle, how and why to collect intel requirements, turning those into reports where you’ve considered pre-existing biases and offered different hypotheses would already put you on the road to becoming a successful intelligence professional.
As well as the above, I’d start looking for opportunities to start testing out some tools and skills to put things into practice. You can do this by taking part in Capture The Flag (CTF) events (Trace Labs or the Cardiff University CyberSOC one are great for testing your OSINT skills!). You may even just start analysing developments in the news to try and identify your own conclusions. The most important thing is just to start doing it! By getting into the mindset of an intelligence analyst, you’ll always be questioning what you read or what you’re told. As you get more comfortable and learning new tooling, you’ll be putting things into practice.
In a lot of ways, the intelligence cycle could be replaced with your own learning cycle. The diagram below shows how you could employ this methodology to learning new skills or tools:
Where Can I Learn More?
Assuming this is still of interest, and I haven’t entirely scared you off. You probably think that this is ok for a starting point, but where next? There are a lot of resources out there for learning intelligence. Depending on your preference you could try looking at Udemy, Cybrary, LinkedIn Learning etc. for courses that may be low-cost or free. Several intelligence providers also offer training, but these tend to be laser-focused on one discipline. Which might not be helpful if you’re after something different of course.
I hope that when I finish my book, this will help to form a baseline understanding and approach to using intelligence. I’ll obviously post more about it when I feel it’s getting close. I’m also considering building out some online training in the future, if that’s something you might be interested in, please let me know, and I’ll push it up my list of priorities a bit more.
There’s also a significant number of books out there you could read. Julie Clegg’s ‘How to Become a world-class investigator’ are a good start, and if you’re interested in OSINT, Michael Bazzell’s OSINT Techniques is the standard-bearer. If you have any other recommendations, let me know, and I’ll add them to this.
I hope this is useful, as always, questions and comments are always welcomed! You can leave them on the article, via the contact section of the site, or hit me up on Twitter or LinkedIn.
Until next time!