Over the years, drones have become a cornerstone of emerging technology in today's society. Drones speed up industrial processes and reduce the need for human contact in dangerous jobs, freeing up resources and time. However, it is not just the 'good guys' who are utilising drones but the 'bad guys' too. Drones, when employed safely, can be a mode of delivery across vast distances, conduct inspections in hazardous areas, or provide 3D modelling and surveys of large plots of land within minutes. Similarly, drones can also be used to deliver contraband into restricted areas, conduct weaponised aerial strikes with payloads fitted onto a modified chassis, or be used for surveillance against physical targets. Incidents like the latter are not uncommon and local law enforcement agencies are increasingly apprehending drone-enabled offenders. Government, aviation authorities and militaries across the world have raised concerns about the possible and rising threat of drones and are taking measures to ensure the ease and cost of such threats do not enable an influx in drone-responsible incidents.
The information gap
To better understand the threat vectors, red teaming is an essential activity within the drone sphere; that is, conducting a physical and digital security assessment against a perimeter, using the equipment often recorded as used by the malicious pilots.
The missing piece, however, is the threat intelligence (threat intel) that forms the substance of red teaming operations. These activities need to be intelligence-driven; not just using the same equipment from real-life scenarios, but the tactics, techniques and procedures used by the threat actors themselves. As a result, threat intel becomes a history-books lesson; record everything, catalog, and use that information to better inform your active red team.
Notify was DroneSec’s attempt at sourcing better threat intelligence to uplift our red team operations; we didn’t want to use a COTS drone where the majority of threat actors in the region had historically used custom drones, or take off from a prison parking lot when most actors had historically sought out nearby forests as launch-zones. To define, threat intelligence is the gathering and understanding of threats and threat actors towards the aim of mitigating such threats through an informed decision, and red teaming is fundamentally about putting oneself in the minds of attackers and carrying out various conventional and unconventional ways and methodologies in taking down a specified target.
How we started
DroneSec gathers and triages drone incidents, placing the data in a repository where information can be filtered and sorted. In short, a knowledge base on the locations, time details, incident summaries, and make/models of drone(s) used. This forms the basis of the planning and collection phases of the threat intelligence cycle. At this stage, threat intelligence organisations will start to see the raw data, or a broad overview, on the kind of drone incidents that are occurring worldwide. This provides law enforcement agencies with generalised attack vectors, common equipment types, and commonly targeted locations. The intelligence cycle for most threat intel organisations stop here as the requirement to process these huge amounts of raw data is labour intensive and resource-demanding.
What we did
DroneSec by nature is a data-driven intelligence firm; even so, the information we were gathering was not enough to provide substantial use cases for our aerial threat and red team simulations. For some time, we gathered and processed global incidents on the drone ecosystem – only limiting ourselves to the three pillars of drone security: drones, counter-drones and UAS Traffic Systems (UTM). We built a huge knowledge base of drone incidents while working with law enforcement agencies, drone organisations and cyber security researchers. We hired military drone pilots and military intelligence personnel to turn the raw data into meaningful information for understanding threats of drones of all shapes and sizes.
Our core team soon realised the complete gap in commercial threat intel for drones and the ineffectiveness (and signal to noise ratio) of utilising traditional cyber-security threat intel platforms for this need. We saw gaps in the drone ecosystem which were not addressed in today’s society and that formed the initial basis of having a drone-centric newsletter.
One key driver for us as a firm, from the very start, was placing Actionable Threat Intelligence (ATI) at the core focus; we wanted to track and characterise the threat actors to the minute detail. Actionable Threat Intelligence (ATI) is the information given to decision-makers allowing them to act upon, with an informed mindset, towards the formulation of a strategic, operational or tactical plan. ATI has allowed DroneSec to work towards a goal in mind, it has crafted the way we plan, direct, collect, and process our threat intelligence methodology. This gave us the push to release a weekly threat intelligence newsletter, DroneSec Notify, as a way of continually tracking threat actors' progress, innovation, and tactical utilisation of new technologies and products. For each incident, our threat intel process is simple; log, tag, catalogue and analyse.
Some really interesting Threat Intel we’ve been able to grasp from recording these on a weekly basis includes:
- How long threat actors use a new drone system from its release date to use in a crime;
- The make/model of drones most commonly used for airports vs prisons vs stadiums;
- The cost, availability and use of payload dropping mechanisms in ‘narcodrones’;
- The Standard Operating Procedures (SOPs) used by law enforcement vs private organisations;
How we've done it
With ATI, our core focus shifted to expanding the intelligence we possessed - to ensure that our intelligence was not just a means to uplifting our red teaming, but to provide data for early warning, pattern analysis and trend recognition for the ‘blue teams’ at the helm of counter-drone systems. With the proliferation of the Notify Drone Threat Intel weekly newsletter, our audience became crystal clear; there are market segments that care about drone security far beyond law enforcement, counter-drone organisations, and lawmakers. By learning what counter-drone ‘blue teams’ (that is, the defensive side) need to reduce their risk appetite and security posture, we were able to create some specific tools to aid their roles.
When we reached our limit of trying to do this through spreadsheets, we knew it was time to build a platform that could handle this. This led to the creation of Notify – as a platform. Completely designed and developed from the ground up, we set about thinking what type of information and markers would be needed to better enable our red team. How will drone information be displayed? Prioritised? What level of automation and how much human interaction on event triage? If we were a counter-drone operator, a security guard, an Air Traffic Control (ATC) tower or a government audit body; how could we display this information in a real-time and meaningful way? Long story short, the development of Notify has been one of change and adaption; its next few years of development will be incredibly interesting!
Interesting use cases along the way
DroneSec Notify helps law enforcement agencies. Analysis from Notify helped identify several heat zones in areas where drone incidents frequently occur. Not all of this information is gained at once – sometimes several sources are required to inform the full picture – for example, the ‘peak hour’ whereby offenders usually operate at, the typical ingress and egress path, the model of drones which are frequently used. Alone, somewhat helpful, in combination with several tracked conversations and videos observed online, very useful. This type of information provides a collection of insights in determining the modus operandi of malicious drone operators which have statistically led to the continued prevention of contraband delivery.
The second key use case is our ability to slot an act or incident into a ‘category’. No more going blind with a drone ‘incident’; it falls into a specific category, incident type and attack vector that we have previously measured and analysed. The best part about templating incidents like this is looking at the Root Cause Analysis (RCA) – similar incidents with different details may share the same characteristic or even threat actor, this makes defensive mitigation (or remediation steps) much easier to assess. Users of our ATI benefit from this – for example, by hammering home the same recommendation strategy for a ‘class’ of attack, a client recognised the possibility of a drone incident they had been exposed to (through Notify) and could make a time-crucial decision call as an early pre-empt. By analysing threat intel, organisations can also identify gaps without having to experience them first-hand and implement recommendations before actually facing the challenges themselves. How do you look through the eyes of someone who’s experienced an incident first-hand? This is where Notify threat intel comes in – sources include first responders, organisations facing several drones threats a month or experienced implementors in the counter-drone space. Record, inform, uplift, repeat.
DroneSec Notify has come a long way – from a small and humble beginning (uplifting our own internal practice) to working with interesting entities around the world on their complex (and often never-seen-before) drone security incidents. Our team’s constant mission to improve and grasp this new technology will continue to form the foundation of our technology for many years; personally, I’ll strive to bring you the most actionable and up-to-date threat intelligence in the drone ecosystem.