Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

10/22/2014
11:30 AM
Matt Hartley
Matt Hartley
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Cyber Threats: Information vs. Intelligence

Cyber threat intelligence or CTI is touted to be the next big thing in InfoSec. But does it narrow the security problem or compound it?

Cyber threat intelligence (CTI) is one of the hottest topics in our industry right now and the noise surrounding it is deafening. Gartner and Forrester are covering the sector. Run a quick Google search and you’ll find nearly 2 million results, including a wave of product offerings and the creation of dedicated intelligence teams to help you build those offerings.

What is CTI? Ah, definitions! But yes, semantics do matter. To borrow a line from the Chris Farley comedy, Tommy Boy, “Just because you slap a label on it that says cyber threat intelligence, doesn’t make it intelligence...” Much like the now ubiquitous banner of cloud computing, cyber threat intelligence risks becoming a watered-down phrase, the purpose of which is to sell existing technology solutions. That is, unless we are careful to use the term consistently and in the right way.

I find it critically important to recognize the fundamental difference between raw or processed information and real intelligence. The former supports the latter but they are distinctly different in their value. A useful comparison of the difference between information and intelligence is summarized below. It is largely driven from the pioneers in the field of intelligence, our governments and militaries around the world, as well as the information science community.

Table 1: Info v Intel
INFORMATION INTELLIGENCE
Raw, unfiltered data Processed, sorted, and distilled information
Unevaluated when delivered Evaluated and interpreted by trained expert analysts
Aggregated from virtually every source Aggregated from reliable sources and cross correlated for accuracy
May be true, false, misleading, incomplete, relevant, or irrelevant Accurate, timely, complete (as possible), assessed for relevancy

Our militaries and governments have spent thousands of years (and much in the way of resources) to create and disseminate useful intelligence. Even if they don’t do it perfectly, nor always move as quickly on new threats or new technologies as we would like, we can clearly turn to them as experts in defining CTI. For example, the FBI has a published definition for intelligence that is useful: “simply defined, intelligence is information that has been analyzed and refined so that it is useful to policymakers in making decisions – specifically, decisions about potential threats to our national security.” Substitute “security and business professionals” for “policy makers” and change “national” to “corporate” or “organizational” and you’ve got a good working definition.

Similarly, information science gives the Data, Information, Knowledge, Wisdom (DIKW) hierarchy, in which data supports information which in turn can be used to create knowledge and ultimately enable wisdom. An example: all sensor data points could be data, and all the alerts within that data could be information. But knowledge comes with added context to those alerts, and wisdom could be the set of knowledge distilled into the skill of the security operator who is an expert on the process of distilling data to context and could create new automated technologies to do the same.

So going back to your challenge of figuring out how to leverage cyber threat intelligence in your organization, Gartner has published a useful definition: “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response...” That’s definitely more than data and information.

More data, more problems
As you approach your specific implementation, don’t equate cyber threat intelligence with raw information. Security teams and the technologies they employ don’t need more raw data or raw information -- they’re already swimming in it. Haystacks of haystacks of event data pile in from

 

Matt Hartley has held a variety of responsibilities at iSIGHT Partners including leading government programs, managing technology partnerships, and leading a team launching new service offerings. Previously, he was a Senior Program Manager of Advanced Concepts at Lockheed ... View Full Bio
Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
iSight Matt
50%
50%
iSight Matt,
User Rank: Author
4/27/2015 | 8:13:21 AM
Re: CTI too much info?
Hi Paul, thanks for your comments.  I think a key insight given your comments is that true cyber threat intelligence inherently needs to be about those threats outside your own enterprise and organization and their motivations and intents for attacking you.  Another simple way to think about it is understanding the who, what, when, where, why, and how for your adversary or adversaries.

Many companies right now are trying to sell event data and machine intelligence as CTI and sending security teams down a "big data" solution pathway.  Unfortunately that's not really going to give you insight into the threats targeting you beyond possible insights into their current set of attacks, as many of your points indicate.

Overall, I propose that a reactive inside-out approach leaves you trying to connect the dots between fleeting attacks from short-lived infrastructures and the adversary behind them.  I prefer the outside-in approach of knowing your adversaries and their activities and actions and proactively preparing for their attacks.  (And as a side note that doesn't necessarily mean you need full detailed attribution on the adversary, you just need to be able to bucket or group them.)

There are tons of analogies here - sports teams use opponent film to plan and prepare, militaries collect intelligence on who might attack them in order to be better prepared, etc.  We could learn from all these groups - we shouldn't wait until we are attacked, we should be proactively well-prepared and practiced ahead of "game time".
BPID Security
50%
50%
BPID Security,
User Rank: Strategist
4/24/2015 | 12:38:12 PM
CTI too much info?
CTI seems like a solution till you look at it in perspective. That perspective is:

Is there sufficient data? This limits CTI to big data. Big data eliminates the largest number of sites/domains leaving huge retailers, government and business enterprises.

Can it really anticipate future attacks? Here the logic of using big data to detect, is one possibility, but to anticipate means you know the vulnerability. If you know them and didn't fix it before the attack, why not. If it is to detect intrusion - does that need a buzz word?

Using patterns like associating an individual or account to a geo fence of IPs is not new. Does it qualify as CTI?

Perhaps it is just the buzz word du jour, like Web 2.0, meta-data, SEO, G4 LTE, and a host of terms that have a life expectancy of 'till the next buzz word'.

Can intelligent analysis reveal patterns which might alert and block perimeter intrusion? Definitely. Can they be developed and maintained economically? Questionable as will they be proactive or reactive. Will they solve or have a major impact in the reduction and prevention of attacks. That is a really tough call as it depends on the intelligence of the designer of the CTI program.


Thanks for a great post.

Paul Swengler

 
iSight Matt
50%
50%
iSight Matt,
User Rank: Author
10/23/2014 | 8:35:05 AM
Re: CTI is a Project
It's taken a long time for many in industry to recognize the insight you included on ROI: the more raw data and information you throw at your team, the more time they have to spend making heads or tails of anything that matches, and processes get less efficient and more expensive.  Thanks for your comment!
RetiredUser
100%
0%
RetiredUser,
User Rank: Ninja
10/22/2014 | 2:53:52 PM
CTI is a Project
I absolutely agree with you here and I have to stress that, to accomplish the right level of CTI, it should be treated as a project initially before being optimized as an operation.  I was reading the SANS paper on CTI recently [Tools and Standards for Cyber Threat Intelligence Projects] and while focused on standards and tools, it's a good reminder that actual work and planning needs to go into CTI.  You don't simply plug in a machine and monitor the network.  And, as a project, a good deal of time should be put into the skill set requirements of the analysts that actually process the raw data and output intelligence.  Without the right eyes on the data, your CTI could be less than worth the money you put into it.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11931
PUBLISHED: 2019-11-14
A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prio...
CVE-2019-18980
PUBLISHED: 2019-11-14
On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. There is no authentication or encryption to use the control API. The o...
CVE-2019-17391
PUBLISHED: 2019-11-14
An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-08 0 through 2. Lack of anti-glitch mitigations in the first stage bootloader of the ESP32 chip allows an attacker (with physical access to the device) to read the contents of read-protected eFuses, such as flash encryption and sec...
CVE-2019-18651
PUBLISHED: 2019-11-14
A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document to a user that the website trusts. The user needs to have ...
CVE-2019-18978
PUBLISHED: 2019-11-14
An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.