Finished Intelligence is the Output of Taking Threat Information, Evaluating it and Deriving a Business Benefit
In the cyber threat intelligence space, there is confusion (much of which is driven by vendors)... where threat information is positioned as finished intelligence.
While the intel process starts with the collection of threat information, it is just that… a starting point. There is a vast difference between obtaining information en mass and producing finished intelligence. Picture 1000 dots scattered all over a chart - that’s information. But the dots connected in some way showing context and relevancy (We call that “Evaluated Intel”) - that’s intel that can be used to prepare and plan for future attacks, to shore up previously unknown risks, to focus efforts in the right areas. It can also help you understand from an incident response perspective what happened, why, and how.
Cyber threat intelligence (CTI) is a lifecycle process that ultimately produces a deliverable that can be consumed by different groups in numerous ways (depending on the level of threat intelligence being provided - strategic, operational and/or tactical). To be clear - CTI is not just about pulling in feeds of indicators or flooding a repository with data and applying those indicators in your environment.
Threat intel requires automation (in terms of data collection, processing, filtering and some analytics) combined with human analysis. The human element is too often overlooked in the feed frenzy. But here’s why that is a mistake. While there is a lot of information gathering going on these days, whether it’s scraping dark web sites or open sources - getting information is fairly simple (with the exception of having undercover personas in restricted black markets and forums). It’s just collecting and gathering data. Maybe it includes some processing and filtering, but the special sauce is in the intelligence analysis. This analysis, when done properly, ensures that the information is evaluated for accuracy, relevancy, timeliness and completeness. The intel is put into context specific to an industry or organization for different views and decisions. And it requires humans with experience and attention to detail.
At the end of the day, you need information in order to create intelligence. However, information itself is not intelligence and actually can overwhelm an organization and even point them in the wrong direction. Intelligence tells a story. While information provides a lot of potential actions, intelligence is meaningful and usable (I hate the overused word “actionable”), it supports planning, it provides direction and focus and ultimately helps you make better decisions on where you focus your efforts and resources.
When my team analyzes a threat campaign for example, we look at it through the lens of the “Avenue of Approach”, which breaks out the following:
• Industry Target - What specific organization(s) or group(s) is the actor going after?
• Technology Target - What technology (i.e. Adobe Flash, Internet Explorer, etc.) used by the organization(s) use that can be exploited by the actor to carry out an attack?
• Delivery Method - How did the actor deliver the payload to the target (i.e. spear-phishing, third party compromise, etc.)?
• Exploit Used - What specific exploit and/or known (or unknown for that matter) vulnerability was used by the actor?
• Presence Achieved - What level of presence (i.e. privileged accounts, database access, etc.) did that actor gain/use in order to carry out their attack?
• Effect/Harm Caused - What was the impact (i.e. stolen IP, service downtime, etc.) caused by the attack?
Understanding the avenue of approach provides meaningful context of what the threat is, how it works, what it targets, and what the impact is to an organization. Finished intelligence includes this type of analysis and includes threat indicators and supporting evidence, along with confidence levels and practical course of action recommendations. So not only are you getting the story of what happened and how, but impact assessment and mitigation steps to help from an incident response perspective or in a risk planning and preparation manner.
One thing that does not get enough discussion when it comes to threat intelligence is what I like to call the “go do’s”. Maybe this is what some vendors mean when they use “actionable” intelligence, but beyond being “actionable”, the intel should give you practical tasks to address the impending threat or identified risk. This is where the rubber meets the road and decisions are made that will influence future outcomes. At the end of the day finished intelligence is the output of taking threat information, evaluating it and deriving a business benefit from the effort, typically in the form of risk reduction to potential impact to a business operation.
If you can not easily articulate the business benefit from your current CTI efforts or have not defined them when looking to stand up a new CTI capability then you might be only collecting threat information and not conducting threat intelligence.