Those who read my pieces regularly likely realize that I enjoy writing on topics around which I see a lack of clarity. Whenever possible, I try to provide actionable information and guidance based on my experience that can be implemented operationally. After all, advice doesn’t do an organization much good if it can’t be leveraged in a real world environment.
In this piece, I’d like to tackle a topic around which I often see a tremendous amount of confusion. During the course of my travels, intelligence is a topic that arises frequently. Perhaps that doesn’t surprise you. What may surprise you, however, is the lack of clarity and understanding I see around the topic.
Granted, there are individuals and organizations that understand intelligence quite well, and it shows very clearly in their overall security maturity. Unfortunately, there is a wide spectrum of understanding when it comes to the topic of intelligence. Sadly, more individuals and organizations find themselves on the lower end of understanding than we’d like to think.
Information vs. Intelligence
When I hear some people discussing intelligence, quite often what they are actually discussing is information. There is a fundamental difference between the two, and it doesn't appear to me that the difference is particularly well understood. What's the difference, you ask? The principal difference is that information is merely data. Data by itself carries no context, and without context it doesn't tell us how to apply it to a specific problem.
Perhaps it’s easiest to illustrate this difference through an example. I often hear people referring to data feeds and intelligence interchangeably. For example, when speaking of their efforts to build, improve, or sustain their intelligence capability, people sometimes begin listing the different malicious domain name feeds they receive. What’s the issue with this you ask? The issue is that these data feeds often lack any context whatsoever.
Context is king. To understand just how important context is, here are a few representative questions to illustrate the point:
● To what stage of attack are the data relevant?
● What is the nature of the activity associated with the data?
● During what dates was the activity seen?
● Across what industry verticals was the activity seen?
● What size businesses does this activity usually affect?
These are just a few of the many contextual details that differentiate information from intelligence. To use a real-world analogy, it's like getting the price for a nice jacket you'd like to buy without knowing what currency that number is in. Is it US Dollars, Japanese Yen, Thai Baht, Argentine Pesos, or some other currency? As you might imagine, that context makes a big difference to how we apply, leverage, and act on the information. In that regard, a malicious domain name without its associated context isn't much different from the price of a jacket without its associated currency. Only information together with its associated context can be considered intelligence. Otherwise, it's just data.
Before we can fully leverage the power of intelligence, we need to understand which problems we intend to apply it to. Even the best intelligence in the world does an organization no good if it cannot be applied operationally to real-world challenges. Maximizing the value and effectiveness of intelligence, without diluting it through a flood of false positives, requires a strong foundation built upon a strategic, risk-based approach to security, as I and many others have discussed in the past. Intelligence can and should be mapped onto the goals and priorities that result from approaching security in this manner. This allows an organization to be far more selective and strategic in its pursuit of intelligence.
In other words, if organizations approach the intelligence challenge correctly, they can flip it on its head. Most organizations purchase or otherwise receive intelligence and then look for a way to apply that intelligence. Wouldn’t it be empowering for an organization to identify goals and priorities it needs to address and then pursue intelligence that suits those objectives? This is a much different way of looking at intelligence, but it is one that generally produces far better results.
Perhaps it helps to illustrate the difference through an example. Let’s assume I’m concerned about spear phishing attacks against my executives with the objective of exfiltrating sensitive, proprietary, or confidential information. If I break that down into specific goals and priorities, I can then seek out very specific, reliable, high fidelity intelligence that facilitates mitigating that risk.
For example, I may look at protecting mail as a vector, monitoring email for spear phishing attempts, monitoring for unusual activity on executive systems or on the network, or any number of other goals. As you can see, each of these goals is going to benefit from a different type of intelligence. As I mentioned earlier in this piece, context is king, and it enables a much different way to approach the subject of intelligence.
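To make the two points above concrete, here is a small added example (written for this piece, not code from the author or any vendor feed) that models a feed entry with the contextual fields listed earlier, treats an entry without them as data rather than intelligence, and then selects indicators by matching them against priorities the organization has already defined, rather than the other way round. The field names, scoring weights, the 90-day freshness window and the sample feed are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Indicator:
    """One feed entry. Only `value` is mandatory; the remaining fields are the
    context that separates intelligence from raw data (field names assumed)."""
    value: str
    stage: Optional[str] = None          # e.g. "delivery", "c2", "exfiltration"
    activity: Optional[str] = None       # e.g. "spear phishing", "data staging"
    first_seen: Optional[date] = None
    last_seen: Optional[date] = None
    verticals: Set[str] = field(default_factory=set)
    org_sizes: Set[str] = field(default_factory=set)

    def has_context(self) -> bool:
        # A domain with no stage, activity, observation window or affected
        # verticals is information, not intelligence.
        return bool(self.stage and self.activity and self.last_seen and self.verticals)


@dataclass
class Priority:
    """A risk-mitigation objective the organization decided on before shopping for feeds."""
    name: str
    stages: Set[str]
    activities: Set[str]
    vertical: str
    org_size: str
    max_age_days: int = 90               # assumed window; older activity mostly adds false positives


def score(ind: Indicator, pri: Priority, today: date) -> float:
    """0.0 means irrelevant to this priority; 1.0 means a perfect fit."""
    if not ind.has_context():
        return 0.0                       # bare data cannot be mapped to a goal
    if ind.stage not in pri.stages:
        return 0.0                       # wrong stage of attack for this objective
    if today - ind.last_seen > timedelta(days=pri.max_age_days):
        return 0.0                       # stale activity
    s = 0.0
    if ind.activity in pri.activities:   # weights are illustrative assumptions
        s += 0.5
    if pri.vertical in ind.verticals:
        s += 0.3
    if pri.org_size in ind.org_sizes:
        s += 0.2
    return s


def select(feed: List[Indicator], priorities: List[Priority], today: date,
           threshold: float = 0.5) -> Dict[str, List[Tuple[str, float]]]:
    """Map each priority to the indicators worth operationalising for it, best first."""
    out: Dict[str, List[Tuple[str, float]]] = {p.name: [] for p in priorities}
    for p in priorities:
        for ind in feed:
            s = score(ind, p, today)
            if s >= threshold:
                out[p.name].append((ind.value, s))
        out[p.name].sort(key=lambda t: -t[1])
    return out


# Constructed sample data for this example; not taken from any real feed.
TODAY = date(2024, 6, 1)
FEED = [
    Indicator("bare-entry.example"),     # a feed line with no context at all
    Indicator("docs-review-portal.example", "delivery", "spear phishing",
              date(2024, 5, 10), date(2024, 5, 28), {"finance", "energy"}, {"enterprise"}),
    Indicator("cdn-beacon.example", "c2", "beaconing",
              date(2022, 1, 3), date(2022, 2, 1), {"finance"}, {"enterprise"}),
    Indicator("staging-share.example", "exfiltration", "data staging",
              date(2024, 5, 1), date(2024, 5, 30), {"retail"}, {"smb"}),
]
PRIORITIES = [
    Priority("exec spear phishing", {"delivery"},
             {"spear phishing", "credential harvesting"}, "finance", "enterprise"),
    Priority("exfiltration from exec hosts", {"exfiltration", "c2"},
             {"data staging", "beaconing"}, "finance", "enterprise"),
]

if __name__ == "__main__":
    for name, hits in select(FEED, PRIORITIES, TODAY).items():
        print(f"{name}: {hits}")
```

Run as written, the bare entry never reaches a detection use case, the two-year-old C2 domain is dropped as stale even though its context fits, the spear phishing domain lands squarely on the executive phishing priority, and the data staging host is kept for the exfiltration priority but at a lower score because its vertical and organization size do not match. The point is not the specific weights but the direction of the workflow: priorities first, then intelligence that fits them.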
Metrics and Iteration
Unlike a Ronco Rotisserie, intelligence isn't a "set it and forget it" endeavor. Making the most of intelligence is an ongoing process of continual reassessment and iteration. In previous pieces, I've written of the need to properly source, vet, retain, and leverage intelligence, as well as the need to scientifically measure its value to security operations. Although I won't rehash those points here, they are helpful and relevant to the larger discussion this piece focuses on. A successful intelligence program continually tunes, reassesses, and updates itself according to the changing threat landscape and the risk mitigation objectives of the organization it serves.
In the realm of intelligence, context is king. Only with the proper context can data be considered intelligence, rather than simply information. Maximizing the value of intelligence also requires the right framework within which to apply it. Organizations that understand these points and practice them operationally reap far more value from intelligence than those that don’t. It’s the intelligent way to do intelligence.