
Misconceptions of Cyber Threat Intelligence

This article stems from a previous one I wrote, but as I’ve spoken with many organizations and read different blogs that cover cyber threat intelligence, it’s clear more level-setting is needed. While threat intelligence is considered a buzzword by some in the cyber realm, intel has actually been around for a long time. Intelligence has been used by governments to gain an edge over other countries, on the battlefield, and to combat terrorism. Intel has also been used by businesses for competitive intelligence, and as business intelligence for marketing, sales and finance. The concept of intel is tried and true.

Cyber threat intelligence (CTI) is the same concept - understand the actors, the threats, the landscape, your risks, and how these all tie together - but within the cyber realm. Setting proper expectations around the threat intelligence you receive or produce (or plan to) can help you extract its full value and sidestep common pitfalls. Here are some guidelines to follow in terms of what threat intelligence is, what it isn’t and who it’s for.

Information isn’t intelligence. Information certainly is part of the intelligence process, but intel and info are very different. An example of “information” is an indicator of compromise (IOC), but the IOC by itself is not intelligence. It may add detail to a piece of intelligence, but the IOC must be researched, analyzed and put into the context of the situation and the organization. Threat intelligence goes beyond an indicator or even a set of indicators - it requires the tradecraft of evaluating and analyzing information about the intent, opportunity and capability of malicious actors. To uplevel information to intelligence, you must plan, collect, process, produce and disseminate analyzed information. This information must be specific to the organization to ensure its value and significance.

Intelligence includes assumptions, but do not assume your assumption is complete. Threat intelligence is not an exact science; it’s squishy. While good intelligence can make a huge difference in changing a security outcome, bad intelligence can send you in the wrong direction. So while some level of assumption is typically involved, it takes sound information, experience and intellect to make good judgments. Intel analysis is typically performed against an imperfect, incomplete dataset. Confidence assessments (i.e. High, Medium, Low) are a good way to add context, and additional research to back those assessments can add weight.

Intelligence should give you more than a story. Your cyber story is certainly an important part of the equation, but good intel should also provide the conclusion. How does the story end? Based on the analysis of the threat, the environment, risk level, impact, etc., what recommended mitigation steps should an organization take to improve its situation? What assets are at greater risk? Where should cyber defense efforts be focused? Evidence and logic must be a part of the analysis to reach a conclusion. And remember, sometimes stories evolve. Information is always evolving, so it’s important to stay current if something new comes to light and determine whether that changes the story or adds to it.

There is no such thing as real-time threat intelligence. As a colleague of mine blogged about a few months ago, real-time threat intelligence is simply data. Threat intelligence requires research and analysis. Don’t get me wrong, speed IS important, and automation plays an important role in gathering and processing intelligence, but analysis requires human expertise. And that requires some amount of time. Anything in real-time is just more data, not intel.

Intelligence isn’t a platform, tool or a feed - it’s a capability. Platforms, tools and/or feeds are ways to deliver intelligence, but creating intelligence requires the trifecta of people, process and technology all working together. Delivery of intel IS important because different users have different needs for consumption, but intelligence is the combination of people (analysts, risk officers and sec ops personnel who research, interpret, analyze, deliver and consume the final intelligence), process (how data is collected, processed, analyzed, delivered and consumed) and technology (used to collect data, automate classification and some level of analytics, visualize data trends, etc.).

Intelligence should be in-depth, yet concise. Yes, this says two things at once, but what I mean here is that while you need substance and evidence to reach the conclusion, an intelligence report should not force the reader to pore over pages upon pages of background information. It’s not about showing how much you know, but about what the consumer of the intel needs to know in order to take the appropriate course of action and ultimately change a security outcome for the better. Get to the point quickly, so the intel can be used in a timely manner, and provide the supporting depth as needed.

Intelligence should include your business characteristics, internal data and an understanding of what is happening outside your company walls. Leveraging internal threat intel or external threat intelligence only provides you one piece of the puzzle. You need to be able to compare/contrast/correlate internal and external intelligence to paint an accurate picture of risk for your organization.
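To make the distinction between information and intelligence concrete, here is an added example (not from the original article) that takes a raw IOC from an external feed, correlates it with internal sightings and asset criticality, and produces a confidence-graded assessment with a recommended action. The feed entry, events, hosts, owners and the High/Medium/Low rules are all constructed for illustration.

```python
# Constructed sample inputs (not from the article). An external feed entry
# is "information": an IOC plus a source reliability grade (A = reliable,
# B = usually reliable, C = fairly reliable, in the style of the Admiralty scale).
EXTERNAL_IOC = {
    "indicator": "203.0.113.42",          # TEST-NET-3 address, constructed
    "reported_activity": "C2 beaconing",
    "source_reliability": "B",
}

# Internal telemetry: constructed proxy/firewall events seen inside the organization.
INTERNAL_EVENTS = [
    {"ts": "2016-05-02T09:14:00Z", "host": "fin-ws-07", "dst": "203.0.113.42"},
    {"ts": "2016-05-02T09:44:00Z", "host": "fin-ws-07", "dst": "203.0.113.42"},
    {"ts": "2016-05-02T10:01:00Z", "host": "mkt-ws-12", "dst": "198.51.100.9"},
]

# Business context: constructed asset inventory with criticality set by the risk owners.
ASSETS = {
    "fin-ws-07": {"owner": "finance", "criticality": "high"},
    "mkt-ws-12": {"owner": "marketing", "criticality": "low"},
}

def assess_confidence(reliability: str, corroborations: int) -> str:
    """High/Medium/Low assessment from source reliability and how many
    internal sightings corroborate the indicator (rules are illustrative)."""
    if corroborations == 0:
        return "Low"
    if reliability == "A" or (reliability == "B" and corroborations >= 2):
        return "High"
    if reliability in ("B", "C"):
        return "Medium"
    return "Low"

def produce_intelligence(ioc: dict, events: list, assets: dict) -> dict:
    """Turn a raw IOC into a contextualized, actionable assessment by
    correlating it with internal sightings and business criticality."""
    hits = [e for e in events if e["dst"] == ioc["indicator"]]
    hosts = sorted({e["host"] for e in hits})
    criticalities = {assets.get(h, {}).get("criticality", "unknown") for h in hosts}
    confidence = assess_confidence(ioc["source_reliability"], len(hits))
    if not hits:
        action = "No internal sightings; add to watchlist rather than blocking blindly"
    elif "high" in criticalities:
        action = "Isolate affected high-criticality hosts and open an incident"
    else:
        action = "Block indicator at the perimeter and review affected hosts"
    return {"indicator": ioc["indicator"], "activity": ioc["reported_activity"],
            "confidence": confidence, "affected_hosts": hosts,
            "business_owners": sorted({assets[h]["owner"] for h in hosts if h in assets}),
            "recommended_action": action}
```

The same indicator with no internal sightings yields only a Low-confidence watchlist entry, which is the point: the IOC alone is data, and the context around it is what makes it intelligence.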

Who is threat intelligence for?

One last consideration is the consumption of intelligence. It isn’t just for the actual defenders. Different types of intelligence have value and support different use cases. Traditionally, threat intelligence has been consumed within the SOC for very tactical reasons. But, the intelligence can also help connect the dots to the business from a broader risk management perspective.

• For cybersecurity personnel - Tactical threat intelligence (low-level technical indicators) is used to corroborate events coming into the SOC. Defenders can use low-level CTI to block malicious activity from hitting the network or to support a detection and response mission.

• For threat intelligence analysts - Operational intelligence focuses more on the adversary. Analysts review and analyze collected information on adversaries and their tactics, techniques and procedures (TTPs) and link campaigns, capabilities, opportunities and intent to the organization's operating environment.

• For business executives - Strategic threat intelligence is where cyber threats, cyber risk and business risk are all correlated and analyzed to help members of the c-suite and the board of directors gain visibility and understanding of cyber risks that can have financial, operational and reputational impact. This level of intelligence can be used to drive smarter security investments and achieve more risk-informed decisions.

To reemphasize, cyber threat intelligence isn’t just another tool or layer of protection for your organization. It’s a capability that drives more effective cybersecurity decisions and more investment. And this capability can help numerous areas of the business to reduce risk.

Adam Meyer is Chief Security Strategist at SurfWatch Labs. He has served in leadership positions in the defense, technology, and critical infrastructure sectors for more than 15 years. Prior to joining SurfWatch Labs, he was CISO for the Washington Metropolitan Area Transit Authority. He formerly served as the Director of Information Assurance and Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command, one of the Navy's premier engineering and acquisition commands. Mr. Meyer holds undergraduate and graduate degrees from American Military University and Capitol College.