A likely relatable story...
Anyone who has access to the news today is starting to form an interesting picture of the world in which we security practitioners live. Topic analysis of recent press and other media reports returns inclusion of terms such as “hacking and elections,” “espionage,” “foreign intelligence,” “treason,” “wiretaps,” and “surveillance.” Countries associated with hacking and related topics include North Korea, Russia, China, and Iran. Even insurgent groups such as ISIS appear to maintain their own hacking teams.
For the layperson not working in the fields of law enforcement, intelligence, or information security (known to many as “cybersecurity”), the news events of today may seem quite overwhelming. The irony is that for those who are employed in any of these fields, “overwhelming” is an understatement... especially if you hold a job operationalizing information security within a sizeable or rapidly growing organization. If that’s you, then you likely deal with another whole set of terms (a.k.a. buzzwords) along with managing the organization’s data. One buzzword in particular that surfaces often is “[cyber] threat intelligence,” or “CTI” for short. Implied in the definition of CTI is a set of industry solutions and services such as threat data feeds, threat alerts and reports, threat advisory services, and threat research services.
Once you wrap your head around all of that and start examining everything in detail, you realize you now need somewhere to centralize this wonderful new data and a way to push it to and pull it from your security devices, typically a Unified Threat Management (UTM) solution or Next-Generation Firewall (NGFW) appliance. On top of that, you have to manage and attempt to analyze everything operational, either by building out your own security operations center (SOC) on Security Information and Event Management (SIEM) software or by contracting a managed security services provider (MSSP) to do it all for you. The SOC/MSSP team will need to work constantly with multiple other security, ops, and risk teams within your organization to discover new use cases and trends so they can create event-driven content signatures that alert properly, since you are (of course) correlating all of the log data and cross-referencing it with all of that fresh, incoming threat data--the same threat data you wish you had time to analyze in order to gain confidence in the decisions you need to make about how to use it most efficiently.
And while you’re accomplishing all of that… oh, great! Your phone just sent you a news alert from a public media source informing you that [insert nation state here] has been in your network for ten months. Then, ring, ring: It’s your boss calling (obviously). He/she rhetorically asks you why the company is learning about this from a public news source rather than your threat intelligence team in which the company has recently invested heavily.
You feel a sudden sensation of discomfort run through your body. That sensation is likely the very painful irony that the value you just received from the public news was probably the most actionable intelligence disseminated to your team today, finally establishing the decision-making process that can now empower the rest of your organization.
Why is this so common? The media isn’t trained in infosec, and they certainly aren’t members of the intelligence community. Why, then, do they consistently provide more of today’s security and breach intelligence than the folks who are paid generously by our organizations to find and communicate it?
Short answer: The majority of threat “intelligence” you receive and attempt to operationalize successfully currently isn’t intelligence at all; it’s simply information!
So what makes it intelligence then?
This is a trick question. It’s not “what” or “how” that is important when it comes to threat intelligence, specifically. It’s “why” that is the key to producing true and valuable intelligence. This is because the entire purpose of receiving a finished intelligence product is to enable your organization to make a decision operationally, strategically, and/or tactically with the information you’ve been given. The media succeeds in this regard because they are taking the information given to them and transforming it into a story, thus creating (in some cases) actionable intelligence.
Essentially, intelligence transforms “what” and “how” from the information into the “why” and “when” of the decision making process. What makes information finished intelligence is the analysis of information.
Getting to know “Why”
Measuring intelligence starts at the cognitive/psychological level (see below): you can measure external information states as they evolve in parallel with the internal cognitive state, which gives you a measurable reference point for identifying a finished intelligence product. This is accomplished by modeling the hierarchy of cognition, which lets us recognize when what we’re seeing is simply information versus when it has become cultivated intelligence.
To establish a clear baseline, let’s define information, data, and intelligence so that we can note the differences (especially if the organization is offered or has bought an “intelligence” service, yet we are only receiving data or information).
In this case “information” is essentially pieces of data, or facts that have been collected.
“Data” is simply facts ready for processing or analysis. For the sake of this article, we will define data as “individual collected elements that when put together and processed create contextual information.”
The definition of “intelligence” as applied to the tradecraft can’t be captured in a single word; it has to be defined as a disciplined process with multiple parts. It so happens that information is one component within this process and data another. Here is the definition according to the United States Department of Defense Online Dictionary.
It is important to note that intelligence is a tangible and provable product. Producing intelligence is a rigorously disciplined and iterative process. Through collection, processing, analysis, and dissemination of information under this discipline, decision makers can quickly assess whether the product actually is intelligence. Therefore, we can only consider the product “intelligence” if it provides a relevant and actionable assessment of probabilities. All three components (relevant, actionable, an assessment of probabilities) must be true together before information can be considered intelligence.
As evaluators and consumers of information technology, the security industry should use this definition as a standard for our expectations of the deliverables from threat intelligence product offerings.
The drive for fast-paced answers from intelligence tools and providers dilutes the understanding of what real intelligence is. Right now, most organizations only receive information, because true intelligence requires analysis and production. This is also why many times the “intelligence” our companies are collecting or producing can’t be considered “actionable” or even “operational,” hence the not-so-fictional story about a frantic call from your boss mentioned at the start of this paper. If we can’t make a clear-cut decision with the immediate information we are given, then we need to re-apply the intelligence process until we arrive at a true intelligence product.
Let’s be clear, though: a lot of security intelligence tools do a great job of facilitating successful and scalable operational analysis of logged event data, which can assist in rapid operational response and remediation when threats are observed and indicators are identified. This is because the requirements (planning and direction) set for automated security devices and tools deliberately limit their abilities to solving a certain set of problems. Everything else is discarded, with the understanding that a human element is required to produce actual intelligence. Tools and technology solutions keep gaining upgrades and advancements, but today there is a limit to their effectiveness as a holistic solution. As you’re planning and directing intelligence requirements for your organization, keep this in mind to ensure you are setting rational, reasonable, and manageable goals.
Defining the intelligence cycle
Planning and Direction:
Decision makers determine intelligence requirements based on objectives, likely in the form of a prioritized intelligence request (PIR).
For example, the Director of Mobile Security at a company sends a PIR email to the company’s threat intelligence provider:
PIR: “Are there any new risks or threats to our main mobile product caused by the latest Vault7 Wikileaks dump?”
The intelligence requirements are to be considered dynamic. Sending good PIRs is essential for scaling the intelligence process. They:
- Ask only one question;
- Focus on a specific fact, event, or activity;
- Provide intelligence required to support a single decision;
- Are tied to key decisions that have to be made; and
- Supply the latest time the information is of value (LTIOV).
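As an added example, not from the original article, here is a small Python tracker that lints a PIR against the five rules above and uses the LTIOV to decide which processed feed items still support a decision; the PIR fields, the keyword-based relevance match and all sample data are constructed here for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class PIR:
    pir_id: str
    question: str        # one question about one fact, event or activity
    decision: str        # the key decision the answer supports
    ltiov: datetime      # latest time the information is of value
    keywords: frozenset  # hypothetical: terms that mark a processed item as relevant

def lint_pir(pir):
    """Return the article's PIR rules this request breaks (empty = good PIR)."""
    problems = []
    q = pir.question.strip()
    if q.count("?") != 1 or not q.endswith("?"):  # "Ask only one question"
        problems.append("ask exactly one question")
    if not pir.decision.strip():                  # "tied to key decisions"
        problems.append("name the decision the answer supports")
    if pir.ltiov.tzinfo is None:                  # "Supply the LTIOV", and make it comparable
        problems.append("LTIOV must be a timezone-aware timestamp")
    return problems

def triage(items, pirs, now):
    """Route processed items to open PIRs (well-formed, LTIOV not yet passed), earliest
    deadline first; items that answer no open PIR are returned separately."""
    open_pirs = sorted((p for p in pirs if not lint_pir(p) and p.ltiov > now),
                       key=lambda p: p.ltiov)
    routed, unrouted = {p.pir_id: [] for p in open_pirs}, []
    for item in items:
        words = set(re.findall(r"[a-z0-9]+", item.lower()))
        hits = [p for p in open_pirs if p.keywords & words]
        for p in hits:
            routed[p.pir_id].append(item)
        if not hits:
            unrouted.append(item)
    return routed, unrouted

NOW = datetime(2017, 3, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock; PIRs and items below are constructed too
SAMPLE_PIRS = [
    PIR("PIR-1", "Are there new risks to our mobile product from the Vault7 dump?",
        "hold or ship the next mobile release", NOW.replace(day=14), frozenset({"vault7", "mobile"})),
    PIR("PIR-2", "Which IPs scanned us? What did they want?",  # two questions: rejected
        "update the block list", NOW.replace(day=11), frozenset({"scan"})),
    PIR("PIR-3", "Is the wiper campaign hitting our sector?",  # LTIOV passed: closed
        "activate the IR retainer", NOW.replace(day=9), frozenset({"wiper"})),
]
SAMPLE_ITEMS = ["Vault7 leak describes mobile platform exploitation tooling",
                "Wiper sample seen in regional energy sector", "Honeypot scan burst from new ASN"]
```

Items that land in the unrouted list are information nobody asked for, which is exactly the feedback the collection plan needs.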
Most of the intelligence process is quite human and always will be; you cannot take the human out of the intelligence process. Period. To keep it at scale, we constantly improve on the intelligence collections plan.
Collection:
Organizations should establish an Intelligence Collections Plan (ICP) that lays out how the company will manage the gathering of viable information from multiple sources in varying formats.
Examples of cyber intelligence collections include honeypots that collect IP addresses and store the data, and human intelligence (HUMINT) online engagement with threat actors in online forums and chat sites.
Processing:
Once raw data or information are collected, they are passed along for processing. In the automated world this is predominantly what you see in a threat feed: processed information ready for exploitation. Depending on what information was collected and how, this can be a manual process, an automated process, or a combination of both.
Analysis and Production:
At this stage information starts transforming into intelligence. Analysis will aggregate all processed information and raw intelligence and begin correlation, analysis, investigation, and piecing together the puzzle in an effort to develop new knowledge so that decision makers can compose a rational judgement about next steps.
Dissemination:
Teams need to carefully consider to whom the data will be disseminated, why, when, and in what order (prioritization). Random or unrestricted dissemination of information can cause unnecessary chaos or confusion, and present barriers to action when or if an imminent threat is presented.
Finished Intelligence may come in many forms, such as reports, compiled data sets via API, or even a phone call. No one “perfect” method exists; intelligence should be circulated in the way that works best for your environment and the players involved.
Feedback:
One of the most important aspects of furthering improvements on an intelligence product is the feedback loop. Feedback from decision makers should be sought after each phase, and revisions should be made. Threat intelligence teams need to understand what type of information is useful to decision makers, how decision makers are using the intelligence provided (and even if they are), and what else can be provided to enhance future deliverables. If the current product isn’t helping executives make the best decisions for the organization, have a discussion about what they need to receive.
Arriving at a decision about emerging threats to our organization is not as simple as sending processed data into our appliances and log event correlators and then monitoring the outputs. Intelligence requires the coordination of a great many processes from the top down so that security objectives can align with the necessary intelligence requirements and the organization can benefit from intelligence beyond the operational environment. From a consumer perspective, it’s important to drive home what you expect from finished intelligence rather than getting halfway there just to fail. Communicate what is helpful to the business so that intelligence teams can adjust accordingly.
Most importantly, threat intelligence is an iterative and ongoing process. Don’t expect that what you have today is suitable for tomorrow. The field of CTI is evolving constantly--on both the tools side and the human side--so it’s therefore necessary to develop a process that takes intelligence gathering from “overwhelming” to “manageable.” You might still find that a breaking media headline is useful intelligence, but there is no reason that alert should be your only form of actionable intelligence.