Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

11:30 AM
Matt Hartley
Matt Hartley
Connect Directly
E-Mail vvv

Cyber Threats: Information vs. Intelligence

Cyber threat intelligence or CTI is touted to be the next big thing in InfoSec. But does it narrow the security problem or compound it?

sensors. Multitudes of open-source and commercial data feeds dump bad IP addresses and other unevaluated indicators into your environment via machine-to-machine consumption leaving security teams to sort it all out. Even feeds delivering indicators with reputation scores are barely information that will leave security personnel wondering if a "71" is really bad, or the difference in risk between a "99" and a "94."

Cyber threat intelligence needs to include much more than raw data and information. It requires rich contextual knowledge that can only be created with the application of analysis, or it’s not really intelligence. Contextual knowledge includes an understanding the past, present, and future methodologies of a wide variety of adversaries. It incorporates the contextual linkage between technical indicators, infrastructures, tactics, techniques and procedures (TTPs), campaigns, and the motivation and intent of adversaries who are employing them and information about who is being targeted.

Cyber threat intelligence starts with solid data and information gathered through collection, research, and identification of real threats from ongoing monitoring of malicious groups and actors from within the global threat ecosystem. Without contextual analysis, there is no support for the decision making process pointed to by both the FBI and Gartner as the core value of intelligence. Human analysis empowered by and infused into technology automation enables the creation of timely and accurate intelligence. Intelligence that is specific, vetted, and also rich in context and actionable can inform real severity of alerts, can help on incident response, can improve decisions on how to prioritize and respond to an existing or emerging threats, and can even inform the development of a security strategy to proactively invest in control that address real threats to your organization.

So as you approach the adoption of cyber threat intelligence, consider three things:

1. Capturing more event data and fusing it with mountains of raw data and feed information will necessitate a dedicated team of analysts to sort through it;
2. If you plan to conduct intelligence analysis in-house, you’ll want to look for partners who have the human skills -- including global cultural knowledge and presence to extend your reach;
3. If you are not planning on hiring a dedicated intelligence team, be sure to look for partners that provide real intelligence.

In the end, more data and information will only overstress technologies, exacerbate false positive alerts, create even more work for people who are probably already overloaded, and create a dilemma about what security teams should prioritize. Clearly, providing a dump of raw data into an already strained organization doesn’t help to narrow the security problem -- it actually compounds it.

Matt Hartley has held a variety of responsibilities at iSIGHT Partners including leading government programs, managing technology partnerships, and leading a team launching new service offerings. Previously, he was a Senior Program Manager of Advanced Concepts at Lockheed ... View Full Bio
2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
iSight Matt
iSight Matt,
User Rank: Author
4/27/2015 | 8:13:21 AM
Re: CTI too much info?
Hi Paul, thanks for your comments.  I think a key insight given your comments is that true cyber threat intelligence inherently needs to be about those threats outside your own enterprise and organization and their motivations and intents for attacking you.  Another simple way to think about it is understanding the who, what, when, where, why, and how for your adversary or adversaries.

Many companies right now are trying to sell event data and machine intelligence as CTI and sending security teams down a "big data" solution pathway.  Unfortunately that's not really going to give you insight into the threats targeting you beyond possible insights into their current set of attacks, as many of your points indicate.

Overall, I propose that a reactive inside-out approach leaves you trying to connect the dots between fleeting attacks from short-lived infrastructures and the adversary behind them.  I prefer the outside-in approach of knowing your adversaries and their activities and actions and proactively preparing for their attacks.  (And as a side note that doesn't necessarily mean you need full detailed attribution on the adversary, you just need to be able to bucket or group them.)

There are tons of analogies here - sports teams use opponent film to plan and prepare, militaries collect intelligence on who might attack them in order to be better prepared, etc.  We could learn from all these groups - we shouldn't wait until we are attacked, we should be proactively well-prepared and practiced ahead of "game time".
BPID Security
BPID Security,
User Rank: Strategist
4/24/2015 | 12:38:12 PM
CTI too much info?
CTI seems like a solution till you look at it in perspective. That perspective is:

Is there sufficient data? This limits CTI to big data. Big data eliminates the largest number of sites/domains leaving huge retailers, government and business enterprises.

Can it really anticipate future attacks? Here the logic of using big data to detect, is one possibility, but to anticipate means you know the vulnerability. If you know them and didn't fix it before the attack, why not. If it is to detect intrusion - does that need a buzz word?

Using patterns like associating an individual or account to a geo fence of IPs is not new. Does it qualify as CTI?

Perhaps it is just the buzz word du jour, like Web 2.0, meta-data, SEO, G4 LTE, and a host of terms that have a life expectancy of 'till the next buzz word'.

Can intelligent analysis reveal patterns which might alert and block perimeter intrusion? Definitely. Can they be developed and maintained economically? Questionable as will they be proactive or reactive. Will they solve or have a major impact in the reduction and prevention of attacks. That is a really tough call as it depends on the intelligence of the designer of the CTI program.

Thanks for a great post.

Paul Swengler

iSight Matt
iSight Matt,
User Rank: Author
10/23/2014 | 8:35:05 AM
Re: CTI is a Project
It's taken a long time for many in industry to recognize the insight you included on ROI: the more raw data and information you throw at your team, the more time they have to spend making heads or tails of anything that matches, and processes get less efficient and more expensive.  Thanks for your comment!
User Rank: Ninja
10/22/2014 | 2:53:52 PM
CTI is a Project
I absolutely agree with you here and I have to stress that, to accomplish the right level of CTI, it should be treated as a project initially before being optimized as an operation.  I was reading the SANS paper on CTI recently [Tools and Standards for Cyber Threat Intelligence Projects] and while focused on standards and tools, it's a good reminder that actual work and planning needs to go into CTI.  You don't simply plug in a machine and monitor the network.  And, as a project, a good deal of time should be put into the skill set requirements of the analysts that actually process the raw data and output intelligence.  Without the right eyes on the data, your CTI could be less than worth the money you put into it.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-18
A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the boot loader module when measuring commandline parameters.
PUBLISHED: 2019-11-18
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
PUBLISHED: 2019-11-18
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.
PUBLISHED: 2019-11-18
In elliptic-php versions priot to 1.0.6, Timing attacks might be possible which can result in practical recovery of the long-term private key generated by the library under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which m...
PUBLISHED: 2019-11-18
/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG1218) V22.5.9.163 devices allows remote authenticated users to execute any command via shell metacharacters in the cgi-bin/luci autoUpTime parameter.