There have been several concepts or definitions of what cyber threat intelligence is. Gartner, for example, defines it as evidence-based knowledge, including mechanisms, implications, context, indicators, and actionable advice, about an emerging threat or hazard. While it is a good definition, the question remains: what does it mean or imply in practice? And how can threat intelligence actually benefit us?
The Illusion of Threats
Threat. That's right. In today's world the word itself has lost meaning, often abused for situations well beyond the boundaries of its conventional definition.
What organizations fail to realize is that a threat to one organization may not necessarily translate as a threat to another. Often, this results in the allocation of security resources in all the wrong areas. Some might even spend too much time on processes such as vulnerability or risk analysis, instead of working on the underlying matter of fixing or mitigating pre-existing issues.
In reality, a combination of things is required to bring a threat into existence. Three words: intent, capability, and, most importantly, opportunity. Without this combination, the assumed threat is not actually a concern, at least at that point in time. Let's look at these three components in a little more detail:
- Intent: An attacker’s desire to target you or your organization
- Capability: The ability or means of an attacker to pull off an attack (specific malware, for example)
- Opportunity: The opening an attacker needs; vulnerabilities in software, hardware, or personnel
To put things into perspective: should an attacker possess the necessary intent and capability but find the organization impregnable (no opportunity), the threat is non-existent.
Threat Intelligence: What is it?
Threat intelligence is usually presented in the form of threat feeds or Indicators of Compromise (IoCs). But effective utilization of that intelligence requires an organization to understand itself first, and only then the adversary. Know thy enemy; it's what Sun Tzu would have said.
If an organization fails to understand its infrastructure, business operations, personnel, and assets, it also fails to understand or identify the presence of an opportunity for attackers. In most situations, a lack of this understanding leads to the misidentification of an attacker’s intent.
On the other hand, capabilities are easier to identify, since they surface in public reporting and are reused from time to time, phishing emails being the most common example. A good threat intelligence platform may even be able to identify novel capabilities, including the trends behind their usage and targeting. Unfortunately, despite progress in the field of cyber threat intelligence, an organization that is lacking in the bread and butter of the basics fails to get the most out of its intelligence.
In simple terms, cyber threat intelligence is analyzed information about the intent, capability, and opportunity of attackers. A threat intelligence platform identifies threats, but that intelligence still requires analysis to determine whether it is valuable to the organization receiving it.
Such scenarios call for planning. An organization must be able to identify which information applies to its situation, and someone must be in place to make those decisions, to judge whether the intelligence is applicable at all. It could be a vendor tailored to your needs, or even a customer; ideally, it will be both. But with zero customization, threat intelligence becomes an inapplicable abundance of data.
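The intent/capability/opportunity model above, applied to the filtering step this section describes, as an added example that is not part of the original post: a constructed threat feed is scored against a constructed organization profile, and an indicator is only escalated when all three components hold. Every indicator, product name, sector and version below is made up for illustration.

```python
# Added example (not from the Marlabs post): triage constructed feed entries against a
# constructed organization profile using the intent / capability / opportunity model.
from dataclasses import dataclass


@dataclass(frozen=True)
class FeedEntry:
    indicator: str      # constructed indicator value from a hypothetical feed
    targets: frozenset  # sectors the source says the actor pursues (intent)
    tooling: str        # named capability the source attributes (malware, kit); "" if none
    affected: dict      # product -> set of versions that tooling is reported to exploit


# Constructed organization profile: sector plus a product -> installed version inventory
ORG_SECTOR = "healthcare"
ORG_INVENTORY = {"vpn-appliance-x": "3.1", "mail-gateway-y": "7.0"}

# Constructed feed: every value here is made up for the example
FEED = [
    FeedEntry("c2.bad-example.test", frozenset({"healthcare", "finance"}),
              "loader-a", {"vpn-appliance-x": {"3.0", "3.1"}}),
    FeedEntry("drop.bad-example.test", frozenset({"retail"}),
              "pos-scraper-b", {"pos-terminal-z": {"1.x"}}),
    FeedEntry("phish.bad-example.test", frozenset({"healthcare"}),
              "", {}),                                        # intent, but no named capability
    FeedEntry("exfil.bad-example.test", frozenset({"healthcare"}),
              "rat-c", {"mail-gateway-y": {"6.0", "6.5"}}),    # we run 7.0: no opportunity
]


def assess(entry, sector=ORG_SECTOR, inventory=ORG_INVENTORY):
    """Return which of intent, capability and opportunity hold for this organization."""
    intent = sector in entry.targets
    capability = bool(entry.tooling)
    # Opportunity only exists if we run the product AND the installed version is affected
    opportunity = any(inventory.get(product) in versions
                      for product, versions in entry.affected.items())
    return {"intent": intent, "capability": capability, "opportunity": opportunity,
            "threat": intent and capability and opportunity}


def prioritize(feed, sector=ORG_SECTOR, inventory=ORG_INVENTORY):
    """Split a feed into indicators to act on now and indicators to park, with reasons."""
    act, park = [], {}
    for entry in feed:
        verdict = assess(entry, sector, inventory)
        if verdict["threat"]:
            act.append(entry.indicator)
        else:
            park[entry.indicator] = [k for k in ("intent", "capability", "opportunity")
                                     if not verdict[k]]
    return act, park


if __name__ == "__main__":
    actionable, parked = prioritize(FEED)
    print("act now:", actionable)
    for indicator, missing in parked.items():
        print(f"park {indicator}: missing {', '.join(missing)}")
```

Parked entries are not discarded; the recorded reason (for instance "opportunity") is what changes the moment the inventory changes, which is why the organization's own asset data has to be kept current.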
At Marlabs, we understand the value behind sharing threat intelligence and strategic choices. After all, the ability to utilize tailored threat intelligence provides actionable tactical and strategic choices that impact security. That’s where threat feeds or Indicators of Compromise step in.
Threat Feeds and IoCs
Strategic intelligence is often described in terms of abstracts: summaries of data that identify certain threats and the course of action required to mitigate them. It enables smart decisions about budget allocation and focus areas for personnel.
On the flip side, tactical intelligence is acquired by collecting accurate network information, analyzing it, and identifying threats along with response methodologies.
A basic understanding of strategic and tactical intelligence allows organizations to utilize IoCs to their full potential.
At the end of the day, there is no real way to cover everything through cyber threat intelligence. Even the best platforms fail at it. The key lies in understanding the basics, and a great threat intelligence platform does go a long way toward building on those basics. Why stress the matter again? Because intelligence is worthless without the ability to identify the insights most in line with your organization's present situation.
The basics already eliminate an enormous number of threats, and you don't need to get them perfect. You just need to reach the point where further investment in the basics yields zero ROI before moving on to more complex methods.
As Sun Tzu once said, know thyself, then the enemy. As difficult as these two things may sound to accomplish, in combination they return the upper hand to the defender. All it requires is a strong approach to what's necessary, and an eye that can separate hype from fact.