The last days of 2021 saw PWC publish a report on the attempted extortion of the Health Service Executive (HSE) by the ransomware group Conti. Given that the HSE is the organisation responsible for public health care provision in the Republic of Northern Island and the fact that the attack by Conti resulted in significant disruption to the HSEs ability to deliver care, the incident was particularly significant even within the already lively history of ransomware attacks.

An Intelligence Failure is commonly understood as a failure by an organisation’s intelligence capability to anticipate the occurrence of future events that has the potential to negatively impact the host organisation. Intelligence Failures can occur in any field of threat intelligence and “cyber” is not an exception to this rule.

What was notable about the Conti attack on HSE was the period of time that the attacker was active within the network before the deployment of the ransomware that disrupted the HSE service. This period from the attacker’s initial compromise of the network to the defenders identification of the threat is termed “Dwell Time” and in the case of the HSE attack was from 18 March 2021 to 14 May 2021. It is within this period of approximately 8 weeks that an Intelligence Failure occurred for HSE where opportunities were missed to spot the activity of Conti and stop them before the deployment of the malware.

So what could have been done differently in the case of the HSE attack? The most simplistic answer to this is the HSE defenders could have identified the presence of Conti on the HSE network in the Dwell Time period between 18 March 2021 to 14 May 2021 and then potentially removed their access and defeated the attack. This is of course always easier said than done but the practicalities of executing on this process typically involve matching technical signals, termed “indicators of compromise” (IOCs) with an defined identity of a threat group such as Conti. Fundamental to this process is the flow from technical indicators on the victim network to a strategic understanding within the victim’s decision making process that a existentially dangerous threat is active on their network.

Shown below is a graphical depiction of how the process of drawing awareness from data happens within the discipline of threat intelligence.

Figure 1 visualises the four steps of the intelligence cycle (direction, collection, analysis and dissemination) and how data is –

  • turned into information by collection… 
  • …and onward from information to intelligence by analysis

If this flow – from data to insight – as visualised in Figure 1 is disrupted then the chances of an Intelligence Failure quickly increases. The model presented in Figure 1 is simple enough to understand, so why did this not happen and hence create an Intelligence Failure in the case of the Conti attack on HSE?

Lack of available data on the threat?

There is no lack of publicly available data on Conti, indeed the group is so well know they even have their own Wikipedia page. The issue is not gathering data in Conti, rather the challenge is extracting and correlating data with the Conti persona at the informational level. 

This interplay between the data and information is both integral to the intelligence process and deceptively complex to implement. Yes, with hindsight once the incident has occurred and the identity of the threat actor has been revealed its easy to conduct a retrospective survey of the IOCs that had been collected and correlate them to the Conti person however, it’s far more challenging to conduct this activity proactively and move from un-attributed IOCs at the data level to a defined persona at the information level. 

It is within this granular level of the Cyber Threat Intelligence workflow and the intersection of data and information that many Intelligence Failures originate. To define the problem further the challenge for the analyst is two fold, 

  1. Firstly, at the data layer, clustering IOCs from existing sources into a single data set that can be taken forward into threat hunting activities 
  2. Secondly, at the informational layer, correlating collected IOCs with an identified personas in order to understand the potential severity and impact of the threat.

Figure 2: visualising analyst activity within the workflow of data-to-intelligence

Could Elemendar’s READ. have made a difference?

To summarise the challenge at this juncture the problems are two fold – collection of IOCs and correlation of IOCs with defined threat personas. These issues are magnified as an intelligence operation scales, with your average CTI analyst having to manually read 20-100 incoming reports every day. At this volume spotting the links between different data sources, mapping data to defined threat persona and then identifying these threats within network data becomes a sisyphean task. Artificial intelligence tools such as READ. address this problem by automating the extraction and correlation of IOCs and threat actor personas amongst other functions. Critically, READ. has the ability to conduct this extraction and correlation activity at scale, potentially processing hundreds reports per day and thus empowering the human analyst to comprehend a far greater threat landscape than they would ever be able to do by manually reading threat reports.  

In the case of the HSE attack, if READ. had been operationalized within the the HSE CTI teams workflow they would have been able to  

  1. Extract and correlate threat reports from multiple sources, and in doing so create a corporate knowledge base of data on multiple threat actors that could be used for Threat Hunting activities 
  2. Cross reference the data set of known IOCs and mapped personas to their own network logs 
  3. Potentially identify the presence of Conti on the HSE networks during the Dwell Time period between the 18 March 2021 and the 14 May 2021 and thwart the attack

Management with hindsight is of course easy, the HSE defenders no doubt did the best they could and were rightly praised for their resolve and professionalism in the wake of Conti activating the malware. As the PWC report stated that HSE defenders lessened the impact of the Conti attack, 

“Through [the historical] observation of ransomware attacks on other healthcare organisations globally … [with] [e]ach of these incidents highlighted key learnings that…led [in turn led] to an improved level of crisis management maturity within the HSE.”

This statement is powerful in isolation, however tools such as READ. would have industrialised the learning process outlined above and could have turned an Intelligence Failure into a success for the HSE CTI team.  

To conclude, within the world of cyber threat intelligence where a huge percentage of knowledge on the threat is locked within text based documents, artificial intelligence tools such as Elemendar’s READ. are a new and critical partner for CTI analysts and their mission to avoid Intelligence Failures.