Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

01:30 PM
Paul Kurtz
Paul Kurtz
Connect Directly
E-Mail vvv

Threat Intelligence Is (Still) Broken: A Cautionary Tale from the Past

There is much to be learned from the striking parallels between counter-terrorism threat analysis before 9-11 and how we handle cyber threat intelligence today.

When it comes to threats in cyberspace, is it fair to say “what’s past is prologue”?


Former CIA Director George Tenet’s statement less than two months before 9-11 that “the system was blinking red” is eerily familiar to our current threat environment in cyberspace. We have a preponderance of reporting on adversaries but the availability of specific, actionable detail is sparse.

This is not a prediction of a “cyber 9-11” but rather identification of the striking parallels between how we approached counter-terrorism threat analysis before 9-11 to how we handle cyber threat intelligence today. Our approach to cyber threat intelligence is broken.

Image Source: Adam Parent via Shutterstock
Image Source: Adam Parent via Shutterstock

Before Everything Changed
As a member of the counter terrorism team at the White House for two years leading up to 9-11, we had more than a sinking suspicion that the most important intelligence about al-Qaeda’s attack plans was kept inside the walls of our own intelligence agencies. During daily video conferences with FBI, NSA, and CIA, I was told certain reporting details could not be shared with all of the participants because of source sensitivity, legal constraints, or bureaucratic turf wars. It was disturbing and disastrous, as we know what ultimately happened. Critical data —including information on the hijackers’ pilot training classes— remained unavailable to other agencies.

On the counter terrorism team we had extensive access to terrorism reporting, but as documented in the 9-11 Commission’s report, the team did not have access to “internal, non-disseminated information at the NSA, CIA, or FBI.” While agencies were charged to work together, in reality, each worked independently to gather and assess threat data while withholding certain details from each other, failing to understand the dangers of non-disclosure.

The challenge that we faced then —and now— is how to gain access to what is really happening inside company networks.

What’s the Same?

  • The most important data remains inside organizations. Before 9-11, we understood al-Qaeda was a threat, but we did not have access to specific details, which if fused could have shed light on the plot underway to launch the attacks. Today we know that Russia, Iran, North Korea, and China and criminal organizations represent a serious threat, yet the specific details of tactics, techniques, and procedures (TTP) they use to gain access to systems remain closely held. For example, consider the email hacks against the DNC that were attributed to Russia during the 2016 election called Grizzly Steppe. The U.S. government’s first release of Grizzly Steppe information on December 29 was not useful because it lacked context. After the security community voiced concern, the government released additional information providing more context. Individual organizations are aware of TTP, but are unwilling to release data in a timely way because it’s seen as too risky from a market perspective.
  • The system is blinking red. There was a drumbeat of intelligence in the summer of 9-11 with reporting presented to top officials on Bin Ladin launching attacks in the U.S., India, Israel, Italy, and the Gulf. Analysts could barely keep pace with the reporting. Today, similarly, data on cybersecurity threats is continually growing, as is the frequency and severity of attacks. The “blinking red” analogy is an apt description of the situation at Target prior to the attack in 2013 and several more since, illustrating a race to the bottom with an endless offering of threat data - much of which is not timely, actionable or relevant.
  • No common situational awareness. Our current picture of cyberspace is strikingly similar to the pre-9-11 environment. Much like each intelligence agency having its own view prior to 9-11, we have a company-centric view of cyberspace. It is necessary but not sufficient to self-select into sector-specific sharing when we know that adversaries use the same tools and infrastructure to strike multiple sectors. 

What’s Different?

  • Government can’t help. In the case of counterterrorism, government has the mandate, authority, and resources to track and address the threat. This is not the case in cyberspace. Government’s ability to act is limited. Government agencies are unaware of the attacks occurring on a daily basis inside companies. Companies assume that the U.S. government can provide “tip off,” when, in fact, the private sector may possess the most useful data and either not know it, or be unable to share it or access it effectively.
  • Adversaries are more plentiful. There are numerous terrorist organizations in existence today, and unfortunately, the number of cyber adversaries are more plentiful. Adversaries range from terrorists themselves to hacktivists, criminals, and nation states. Their motives vary and they can easily mask their identities, obfuscate attribution, or piggyback on the work of others. We learned from the recent Wikileaks Vault 7 dump that the CIA’s alleged “Marble Framework” has obfuscation technology that can make it appear that an attack has come from elsewhere.
  • Doing more damage with less. Adversaries have an asymmetric advantage as they leverage computers to do their work for them from afar and need only find one way in to render significant damage ranging from the theft and destruction of data. They are using software to increase their speed, reach, and returns. They share attack infrastructure as well.

Change is Necessary NOW
Avoiding large scale disasters in cyberspace requires a shift in thinking. While individual companies are responsible for securing themselves, it is no longer possible for any one company to “go it alone” and defend itself without real-time insight of what attacks are happening against others.

The current landscape of threat intelligence platforms (TIPs) and tools can assist with the aggregation of external threat feeds from thousands of open source feeds or proprietary intelligence providers inside an organization. But this siloed approach creates a noisy false sense of security, and does little to protect or incentivize actual intelligence exchange and collaboration across teams, tools, and companies. These platforms lack the technology needed to scale real-time exchange between companies that can discern market risk, and identify what has immediate value to security operators.

While the government is hamstrung by bureaucracy and regulations, the private sector has the imperative to determine its own destiny when it comes to threat intelligence sharing. This isn’t a pipe dream; we’re seeing organizations like the Cloud Security Alliance and OASIS take steps towards this new era of intelligence exchange today.

We must continue to lay the groundwork for a secure exchange network across the private sector so that we can avoid future large-scale hacks.

Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.

Related Content:


Paul Kurtz is the CEO and cofounder of TruSTAR Technology. Prior to TruSTAR, Paul was the CISO and chief strategy officer for CyberPoint International LLC where he built the US government and international business verticals. Prior to CyberPoint, Paul was the managing partner ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-21
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2002-0639. Reason: This candidate is a reservation duplicate of CVE-2002-0639. Notes: All CVE users should reference CVE-2002-0639 instead of this candidate. All references and descriptions in this candidate have been removed to prevent ...
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address allows attackers in the local network to access multiple quagga VTYs. Attackers can...
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.