Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cyber Threats: Information vs. Intelligence
Newest First  |  Oldest First  |  Threaded View
Matt Hartley
Matt Hartley,
User Rank: Author
4/27/2015 | 8:13:21 AM
Re: CTI too much info?
Hi Paul, thanks for your comments.  I think a key insight given your comments is that true cyber threat intelligence inherently needs to be about those threats outside your own enterprise and organization and their motivations and intents for attacking you.  Another simple way to think about it is understanding the who, what, when, where, why, and how for your adversary or adversaries.

Many companies right now are trying to sell event data and machine intelligence as CTI and sending security teams down a "big data" solution pathway.  Unfortunately that's not really going to give you insight into the threats targeting you beyond possible insights into their current set of attacks, as many of your points indicate.

Overall, I propose that a reactive inside-out approach leaves you trying to connect the dots between fleeting attacks from short-lived infrastructures and the adversary behind them.  I prefer the outside-in approach of knowing your adversaries and their activities and actions and proactively preparing for their attacks.  (And as a side note that doesn't necessarily mean you need full detailed attribution on the adversary, you just need to be able to bucket or group them.)

There are tons of analogies here - sports teams use opponent film to plan and prepare, militaries collect intelligence on who might attack them in order to be better prepared, etc.  We could learn from all these groups - we shouldn't wait until we are attacked, we should be proactively well-prepared and practiced ahead of "game time".
BPID Security
BPID Security,
User Rank: Strategist
4/24/2015 | 12:38:12 PM
CTI too much info?
CTI seems like a solution till you look at it in perspective. That perspective is:

Is there sufficient data? This limits CTI to big data. Big data eliminates the largest number of sites/domains leaving huge retailers, government and business enterprises.

Can it really anticipate future attacks? Here the logic of using big data to detect, is one possibility, but to anticipate means you know the vulnerability. If you know them and didn't fix it before the attack, why not. If it is to detect intrusion - does that need a buzz word?

Using patterns like associating an individual or account to a geo fence of IPs is not new. Does it qualify as CTI?

Perhaps it is just the buzz word du jour, like Web 2.0, meta-data, SEO, G4 LTE, and a host of terms that have a life expectancy of 'till the next buzz word'.

Can intelligent analysis reveal patterns which might alert and block perimeter intrusion? Definitely. Can they be developed and maintained economically? Questionable as will they be proactive or reactive. Will they solve or have a major impact in the reduction and prevention of attacks. That is a really tough call as it depends on the intelligence of the designer of the CTI program.

Thanks for a great post.

Paul Swengler

Matt Hartley
Matt Hartley,
User Rank: Author
10/23/2014 | 8:35:05 AM
Re: CTI is a Project
It's taken a long time for many in industry to recognize the insight you included on ROI: the more raw data and information you throw at your team, the more time they have to spend making heads or tails of anything that matches, and processes get less efficient and more expensive.  Thanks for your comment!
User Rank: Ninja
10/22/2014 | 2:53:52 PM
CTI is a Project
I absolutely agree with you here and I have to stress that, to accomplish the right level of CTI, it should be treated as a project initially before being optimized as an operation.  I was reading the SANS paper on CTI recently [Tools and Standards for Cyber Threat Intelligence Projects] and while focused on standards and tools, it's a good reminder that actual work and planning needs to go into CTI.  You don't simply plug in a machine and monitor the network.  And, as a project, a good deal of time should be put into the skill set requirements of the analysts that actually process the raw data and output intelligence.  Without the right eyes on the data, your CTI could be less than worth the money you put into it.

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-11-28
A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell
PUBLISHED: 2021-11-28
ZrLog 2.2.2 has a remote command execution vulnerability at plugin download function, it could execute any JAR file
PUBLISHED: 2021-11-27
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
PUBLISHED: 2021-11-26
This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via C...
PUBLISHED: 2021-11-26
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious...