A quick look at the news reveals a huge need for information security. You’ve probably seen more than a few stories of hacking elections, espionage, foreign intelligence, wiretaps, and surveillance.
If your job involves operationalizing information security within a sizeable or rapidly growing organization then you likely deal with “[cyber] threat intelligence,” or “CTI” for short. CTI includes a set of implied industry solutions and services such as threat data feeds, threat alerts and reports, threat advisory services, and threat research services.
Even with all the hard work that goes into information security, the value you receive from public news might be the most actionable intelligence disseminated to your team today. Why is this so common? The media isn’t trained in infosec, they certainly aren’t members of the intelligence community.
Short answer: The majority of threat “intelligence” you receive and attempt to operationalize successfully currently isn’t intelligence at all; it’s simply information.
What makes intelligence?
The real purpose of intelligence is to enable your organization to make a decision operationally, strategically, and/or tactically. The media succeeds in this regard because they are taking the information given to them and transforming it into a story, thus creating (in some cases) actionable intelligence.
Essentially, intelligence transforms “what” and “how” from the information into the “why” and “when” of the decision-making process. What makes information finished intelligence is the analysis of information. Let’s explore the differences between information, data, and intelligence.
Information
In this case “information” is essentially pieces of data, or facts that have been collected.
Data
“Data” is simply facts ready for processing or analysis. For the sake of this article, data is “individual collected elements that when put together and processed create contextual information.”
Intelligence
For our purposes, “intelligence” can’t be defined as a word. It is a disciplined process with multiple parts. It so happens that information is one component within this process and data another. Here is the definition according to the United States Department of Defense Online Dictionary.:
The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations.
The activities that result in the product.
The organizations engaged in such activities.
Intelligence is a tangible and provable product. Intelligence productization is a rigorously disciplined and iterative process. Through collection, processing, analyzing, and disseminating information via this discipline, decision-makers can quickly assess if the intelligence product proves to be intelligence. Therefore, we can only consider the product “intelligence” if it provides a relevant and actionability assessment of probabilities. The three components must collectively be true to determine that information is now considered intelligence.
The drive for fast-paced answers from intelligence tools and providers dilutes the understanding of what real intelligence is. Right now, most organizations only receive information because true intelligence requires analysis and production. If we can’t make a clear-cut decision with the immediate information we are given, then we need to re-apply the intelligence process until we arrive at a true intelligence product.
Let’s be clear though, many security intelligence tools do a great job of facilitating successful and scalable operational analysis of logged event data, which can assist in rapid operational response and remediation when threats are observed and indicators are identified. This is because the requirements (planning and direction) set for automated security devices and tools are designed to limit their abilities in order to solve a certain set of problems. Everything else is discarded, knowing that a human element is required to produce actual intelligence.
Tools and technology solutions are improving but their effectiveness as a holistic solution is limited.
How to create the intelligence cycle
Planning and Direction:
Decision-makers determine intelligence requirements based on objectives, likely in the form of a prioritized intelligence request (PIR).
The intelligence requirements are to be considered dynamic. Sending good PIRs is essential for scaling the intelligence process. They:
Ask only one question;
Focus on a specific fact, event, or activity;
Provide intelligence required to support a single decision;
Are tied to key decisions that have to be made; and
Supply the latest time the information is of value (LTIOV).
Collections:
Organizations should establish an Intelligence Collections Plan (ICP) that allows it to roadmap how the company will manage the gathering of viable information from multiple sources with varying formats of information.
Examples of cyber intelligence collections include honeypots that collect IP addresses and store the data, and human intelligence (HUMINT) online engagement with threat actors in online forums and chat sites.
Processing:
Once raw data or information have been collected, they can be processed. Processed information is predominantly what you see in a threat feed. Depending on the information collected and how it was collected, this process can be manual, automated, or a combination of both.
Analysis:
At this stage, information begins to become intelligence. Analysis aggregate all processed information and raw intelligence and begin correlation, analysis, investigation, and piecing together the puzzle. This stage attempts to develop new knowledge so that decision-makers can make good decisions about the next steps.
Dissemination:
Teams need to carefully consider to whom the data will be disseminated, why, when, and in what order (prioritization). Random or unrestricted dissemination of information can cause unnecessary chaos or confusion and present barriers to action when (or if) an imminent threat arises.
Finished Intelligence may come in many forms, such as reports, compiled data sets via API, or even a phone call. No one “perfect” method exists; intelligence should be circulated in the way that works best for your environment and the players involved.
Feedback:
Seek feedback from decision-makers after each phase and make revisions. Threat intelligence teams need to understand what type of information is useful to decision-makers, how decision-makers are using the intelligence provided (and even if they are), and what else can be provided to enhance future deliverables. If the current product isn’t helping executives make the best decisions for the organization, have a discussion about how to improve it.
Conclusion
Arriving at a decision about emerging threats to an organization requires more than sending processed data into appliances and log event correlators and then monitoring the outputs. Intelligence requires the coordination of many processes from the top down so that the organization can benefit from intelligence beyond the operational environment. From a consumer perspective, it’s important to clarify what you expect from finished intelligence. Communicate what the business needs so that intelligence teams can adjust accordingly.
Most importantly, threat intelligence is an iterative and ongoing process. What you have today won’t necessarily be suitable for tomorrow. The field of CTI is evolving constantly--on both the tools side and the human side--so it’s necessary to develop a process that takes intelligence gathering from “overwhelming” to “manageable.” You might still find that a breaking media headline is useful intelligence, but there is no reason that alert should be your only form of actionable intelligence.