Making Sense of Cyber Threat Intelligence
The security industry, more than any other industry, feeds on buzzwords to sell. As security breaches make the daily news hitting every industry and organizations of any size, information security managers are continuously looking for the latest silver bullet and solutions to stay ahead of the game. Threat Intelligence is being promoted as the latest silver bullet. Yet many organizations still don't have a gun to fire that bullet, nor the skills to operate one. Threat intelligence is a great thing to pursue and have but like anything in life, it is important to understand what it is and how it can help an organization before jumping to buy the latest trend in the industry.
What is Cyber Threat Intelligence (CTI)
Over the years, intelligence has been defined in many different ways, mostly studied in humans but also is animals and plants. When it comes to cyber security, Forrester Research defines cyber threat intelligence as:
"Details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence's primary purpose is to inform business decisions regarding the risks and implications associated with threats"
Other definitions exist from the likes of Gartner and whichever definition we use it is clear that there is a strong distinction between information and intelligence with the latter implying some level of analysis to make the information more useable to the recipient. Raw information itself can be processed intelligently or remain unprocessed and unused. Intelligence is the ability to process raw information in order to make decisions and it requires analysis. Better analysis means better intelligence. CTI is about providing context, i.e. providing meaning to information so that it can be acted upon.
The fundamental assumption of CTI is that the planning, resourcing and execution of an attack is not instantaneous, it does require human intervention and it can take up to years in case of the advanced persistent threats. Organizations can use this time to analyse information and gather intelligence that can be used to understand the tools and techniques used by the attackers and try to interfere with each of the attack phases, overall referred to as the kill chain.
Threat Intelligence must be actionable, which means it must be possible to use it to affect the various phases of an attack. In order to be actionable, the intelligence has to have the following properties:
- Timely – It needs to be available in time for it to transformed into actions
- Accurate – Accuracy is based on the number of false positive alerts or actions obtained from the threat intelligence. The lower the number of false positive, the more accurate the intelligence is
- Relevant – Relevance is measured in terms of how the intelligence is organized and delivered to ensure it addresses the industry the organizations belongs to and the relevant threats. If you are a telecommunication company, "actionable intelligence" targeting financial institutions will not be so actionable!
- Tailored – This property refers to the fact that each organization has different security roles with associated responsibilities and different intelligence must be provided to different people to enable them to make the decisions relevant to their role. Three levels of CTI are usually identified, which are Strategic, Tactical and Operational. Providing tactical intelligence to the company board members will not help them make useful strategic decisions!
Unfortunately, along with cloud and advanced persistent threat, the term threat intelligence is currently the most ambiguous and overused term in the security industry, which means different things to different people. Most vendors offer Threat Intelligence feeds from a wide range of sources. However little of such intelligence is actionable primarily failing on the relevance and on not being tailored. Threat intelligence is definitely not a product that companies can buy but rather a process, which turns raw information into actionable information (intelligence) through the use of competent professionals and of course technology. Not every company possesses competent people to develop such process and some may opt to "buy" threat intelligence. Ultimately, threat intelligence must be translated into actions for it to be effective and that requires competence. In short, there is no intelligence without human intervention and simply buying intelligence feeds will not by itself provide you with improved security!