Threat intelligence has achieved buzzword status. The good news is that people are talking about it – it is a critical component of a cyber risk management program. The bad news is that too many folks have distorted and confused the term, so much so that its meaning varies widely depending on whom you’re speaking with. And that fact is taking away from the real value of legitimate cyber threat intelligence.
A perfect example is an article I read recently, which stated that “60% of organizations have had a threat intelligence program in place for more than 2 years.” It’s important to understand how “threat intelligence” is defined in this setting because there’s simply no way that a majority of organizations have a “threat intelligence program” established, let alone for the last 2 years.
Let’s look at some of the more common definitions of threat intelligence:
• Gartner defines threat intelligence as: “Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
• Forrester defines it as: “The details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence’s primary purpose is to inform business decisions regarding the risks and implications associated with threats.”
• INSA says that “Threat intelligence is an analytic discipline relying on information collected from traditional intelligence sources intended to inform decision makers on issues pertaining to operations at all levels in the cyber domain. Relevant data to be analyzed may be about network data, ongoing cyber activity throughout the world or potentially relevant geopolitical events. What matters is that it is timely, actionable, and relevant, helping to reduce uncertainty for decision makers. The origin of the data or information is not important. When analyzed and placed in context, information becomes intelligence; and it is intelligence that reduces uncertainty and enables more timely, relevant and cost-effective policy, as well as high-quality operational and investment decisions.”
The trap many vendors and cybersecurity professionals unknowingly fall into is forgetting that information and intelligence are not one and the same. There is more information out there than anyone can possibly distill, analyze and use to quickly make sound decisions. Information is:
• Unfiltered and unevaluated
• Widely available
• Accurate, false, misleading, and/or incomplete
• Relevant or irrelevant
Information overload can kill your intelligence efforts because too much information is just a lot of outputs that require a lot of time, money and staff. How much can you accurately automate? How large a staff of qualified analysts can you afford to review everything that isn’t automatically filtered out?
I like to think of intelligence as driving outcomes as opposed to outputs. Think of it as information that can be acted upon to change outcomes for the better. Intelligence is:
• Organized, evaluated and interpreted by experts
• Available from reliable sources and checked for accuracy
• Accurate, timely, relevant and complete
• Aligned with your business
The world of cyber is infinite and with that comes many unknowns. Intelligence enables you to reduce your risk by moving from ‘unknown unknowns’ to ‘known unknowns’ through discovering the existence of threats, and then shifting ‘known unknowns’ to ‘known knowns’, where the threat is well understood and mitigated.
How To Measure Threat Intelligence
The KISS method is a good way to start… Good business managers run their business on a foundation of evaluated intelligence, or ‘known knowns’ – essentially the things you know with a level of certainty. The goal is to consistently look at the unknown and determine how to turn the uncertainty into more certainty. What are the characteristics that make up your business? What are the corresponding risks? Who are the actors operating in your industry? Which tactics, techniques and procedures do they favor? What has been their target commodity? What organizations have they targeted? What was the outcome from those efforts?
Pull in data on who you are as a company such as your products, employees, software and hardware, geographical locations, industry sector, the data you store/transact, and much more. Overlay this company data and compare your business traits against cyber threats on the horizon. Now you can understand your business risk exposures based on your relevant cyber threats.
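An added example, not from the original article: one way to run the overlay described above, keeping only threat records that are evaluated, recent, and touch the company profile on several traits. The profile, actor names, records, date and thresholds are all constructed for illustration.

```python
from datetime import date

TODAY = date(2024, 6, 1)  # constructed reference date for the sample data

# Constructed company profile: the business traits the text says to pull in.
PROFILE = {
    "sector": {"retail"},
    "software": {"acme-pos", "examplecms"},
    "region": {"us", "ca"},
    "data": {"payment-cards", "customer-pii"},
}

# Constructed threat records with hypothetical actor names (not real reporting).
THREATS = [
    {"name": "ACTOR-A", "sector": {"retail", "hospitality"}, "software": {"acme-pos"},
     "region": {"us"}, "data": {"payment-cards"}, "evaluated": True, "last_seen": date(2024, 5, 1)},
    {"name": "ACTOR-B", "sector": {"energy"}, "software": {"scada-x"},
     "region": {"eu"}, "data": {"ics-telemetry"}, "evaluated": True, "last_seen": date(2024, 5, 20)},
    {"name": "ACTOR-C", "sector": {"retail"}, "software": {"examplecms"},
     "region": {"us"}, "data": {"customer-pii"}, "evaluated": False, "last_seen": date(2024, 5, 25)},
    {"name": "ACTOR-D", "sector": {"retail"}, "software": set(),
     "region": {"ca"}, "data": set(), "evaluated": True, "last_seen": date(2021, 1, 1)},
    {"name": "ACTOR-E", "sector": {"finance"}, "software": {"examplecms"},
     "region": {"ca", "uk"}, "data": {"customer-pii"}, "evaluated": True, "last_seen": date(2024, 3, 10)},
]

def overlay(profile, threat):
    """Return, per profile dimension, the business traits this threat touches."""
    hits = {}
    for dim, traits in profile.items():
        common = traits & threat.get(dim, set())
        if common:
            hits[dim] = sorted(common)
    return hits

def relevant_threats(profile, threats, today=TODAY, max_age_days=365, min_dims=2):
    """Filter raw records to evaluated, timely, relevant ones; rank by overlap."""
    ranked = []
    for t in threats:
        if not t["evaluated"]:                            # unfiltered, unevaluated information
            continue
        if (today - t["last_seen"]).days > max_age_days:  # no longer timely
            continue
        hits = overlay(profile, t)
        if len(hits) >= min_dims:                         # assumed relevance threshold
            ranked.append((t["name"], hits))
    ranked.sort(key=lambda r: (-len(r[1]), r[0]))
    return ranked

if __name__ == "__main__":
    for name, hits in relevant_threats(PROFILE, THREATS):
        print(name, hits)
```

The matched traits returned with each actor are what an analyst would start from; the filter narrows the pile but does not replace the analysis step.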
Analysis is another critical differentiator between information and intelligence. When you establish an intelligence program, you are establishing a capability, not just deploying a tool. Automation can play a role, but “All operations in cyber space begin with a human being” (INSA), and threat actors/adversaries are people; they have desires, motivations, and intent.
So What IS Cyber Threat Intelligence?
At the end of the day, cyber threat intelligence should focus your organization on making better decisions and taking the right actions. Every organization uses intelligence already, but in the form of business intelligence that evaluates information on financials, customers, logistics, products, as well as any other areas that the business needs to make decisions and take actions on. The need for cyber threat intelligence is no different as every organization relies on technology to deliver its products and services to the end user and those cyber risks need to be evaluated.
As I wrote recently on how cyber threat intelligence helps the business, intelligence should be giving decision makers the insights to understand if they are or are not well positioned for cyber threats – and if not, why not.