Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

01:30 PM
Paul Kurtz
Paul Kurtz
Connect Directly
E-Mail vvv

Threat Intelligence Is (Still) Broken: A Cautionary Tale from the Past

There is much to be learned from the striking parallels between counter-terrorism threat analysis before 9-11 and how we handle cyber threat intelligence today.

When it comes to threats in cyberspace, is it fair to say “what’s past is prologue”?


Former CIA Director George Tenet’s statement less than two months before 9-11 that “the system was blinking red” is eerily familiar to our current threat environment in cyberspace. We have a preponderance of reporting on adversaries but the availability of specific, actionable detail is sparse.

This is not a prediction of a “cyber 9-11” but rather identification of the striking parallels between how we approached counter-terrorism threat analysis before 9-11 to how we handle cyber threat intelligence today. Our approach to cyber threat intelligence is broken.

Image Source: Adam Parent via Shutterstock
Image Source: Adam Parent via Shutterstock

Before Everything Changed
As a member of the counter terrorism team at the White House for two years leading up to 9-11, we had more than a sinking suspicion that the most important intelligence about al-Qaeda’s attack plans was kept inside the walls of our own intelligence agencies. During daily video conferences with FBI, NSA, and CIA, I was told certain reporting details could not be shared with all of the participants because of source sensitivity, legal constraints, or bureaucratic turf wars. It was disturbing and disastrous, as we know what ultimately happened. Critical data —including information on the hijackers’ pilot training classes— remained unavailable to other agencies.

On the counter terrorism team we had extensive access to terrorism reporting, but as documented in the 9-11 Commission’s report, the team did not have access to “internal, non-disseminated information at the NSA, CIA, or FBI.” While agencies were charged to work together, in reality, each worked independently to gather and assess threat data while withholding certain details from each other, failing to understand the dangers of non-disclosure.

The challenge that we faced then —and now— is how to gain access to what is really happening inside company networks.

What’s the Same?

  • The most important data remains inside organizations. Before 9-11, we understood al-Qaeda was a threat, but we did not have access to specific details, which if fused could have shed light on the plot underway to launch the attacks. Today we know that Russia, Iran, North Korea, and China and criminal organizations represent a serious threat, yet the specific details of tactics, techniques, and procedures (TTP) they use to gain access to systems remain closely held. For example, consider the email hacks against the DNC that were attributed to Russia during the 2016 election called Grizzly Steppe. The U.S. government’s first release of Grizzly Steppe information on December 29 was not useful because it lacked context. After the security community voiced concern, the government released additional information providing more context. Individual organizations are aware of TTP, but are unwilling to release data in a timely way because it’s seen as too risky from a market perspective.
  • The system is blinking red. There was a drumbeat of intelligence in the summer of 9-11 with reporting presented to top officials on Bin Ladin launching attacks in the U.S., India, Israel, Italy, and the Gulf. Analysts could barely keep pace with the reporting. Today, similarly, data on cybersecurity threats is continually growing, as is the frequency and severity of attacks. The “blinking red” analogy is an apt description of the situation at Target prior to the attack in 2013 and several more since, illustrating a race to the bottom with an endless offering of threat data - much of which is not timely, actionable or relevant.
  • No common situational awareness. Our current picture of cyberspace is strikingly similar to the pre-9-11 environment. Much like each intelligence agency having its own view prior to 9-11, we have a company-centric view of cyberspace. It is necessary but not sufficient to self-select into sector-specific sharing when we know that adversaries use the same tools and infrastructure to strike multiple sectors. 

What’s Different?

  • Government can’t help. In the case of counterterrorism, government has the mandate, authority, and resources to track and address the threat. This is not the case in cyberspace. Government’s ability to act is limited. Government agencies are unaware of the attacks occurring on a daily basis inside companies. Companies assume that the U.S. government can provide “tip off,” when, in fact, the private sector may possess the most useful data and either not know it, or be unable to share it or access it effectively.
  • Adversaries are more plentiful. There are numerous terrorist organizations in existence today, and unfortunately, the number of cyber adversaries are more plentiful. Adversaries range from terrorists themselves to hacktivists, criminals, and nation states. Their motives vary and they can easily mask their identities, obfuscate attribution, or piggyback on the work of others. We learned from the recent Wikileaks Vault 7 dump that the CIA’s alleged “Marble Framework” has obfuscation technology that can make it appear that an attack has come from elsewhere.
  • Doing more damage with less. Adversaries have an asymmetric advantage as they leverage computers to do their work for them from afar and need only find one way in to render significant damage ranging from the theft and destruction of data. They are using software to increase their speed, reach, and returns. They share attack infrastructure as well.

Change is Necessary NOW
Avoiding large scale disasters in cyberspace requires a shift in thinking. While individual companies are responsible for securing themselves, it is no longer possible for any one company to “go it alone” and defend itself without real-time insight of what attacks are happening against others.

The current landscape of threat intelligence platforms (TIPs) and tools can assist with the aggregation of external threat feeds from thousands of open source feeds or proprietary intelligence providers inside an organization. But this siloed approach creates a noisy false sense of security, and does little to protect or incentivize actual intelligence exchange and collaboration across teams, tools, and companies. These platforms lack the technology needed to scale real-time exchange between companies that can discern market risk, and identify what has immediate value to security operators.

While the government is hamstrung by bureaucracy and regulations, the private sector has the imperative to determine its own destiny when it comes to threat intelligence sharing. This isn’t a pipe dream; we’re seeing organizations like the Cloud Security Alliance and OASIS take steps towards this new era of intelligence exchange today.

We must continue to lay the groundwork for a secure exchange network across the private sector so that we can avoid future large-scale hacks.

Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.

Related Content:


Paul Kurtz is Executive Chairman and Co-founder of TruSTAR Technology. Prior to TruSTAR, Paul was the CISO and chief strategy officer for CyberPoint International LLC where he built the US government and international business verticals. Prior to CyberPoint, Paul was the ... View Full Bio
Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...