By Dori Fisher, VP Intelligence Solutions
Information security (“cyber security”) has rapidly evolved in recent years, and as a result, we need to reinvent and redefine concepts that were once considered clear and concepts that have not yet been addressed. One of these concepts is cyber threat intelligence, or CTI.
Market Guide for Security Threat Intelligence Services, a Gartner paper from October 2014, lists 27 companies in its CTI category. These include two very different Israeli companies, Check Point, known originally for its firewalls, and SenseCy, which is known for its intelligence.
Yet one-dimensional market categories do not reflect the specific activities of various companies. In other words, CTI, like DLP (data leakage protection) and other terms, is implemented in various ways and expresses different needs. Sometimes, with all the marketing hype, words lose their meaning. One of the biggest challenges with “CTI” is that it refers to intelligence when what is actually delivered is information.
What is Intelligence?
Intelligence, according to the FBI, is “information that has been analyzed and refined so that it is useful to policymakers in making decisions.”
Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice.”
The common thread in definitions of intelligence is that it is information analyzed to create value.
Stages of Cyber Intelligence
Cyber intelligence, like classic intelligence, consists of a number of major processes:
Developing sources: Where do you look and how do you get there? (For example, how do you become a member of a closed Indonesian carding forum?)
Collection: What do you look for and how do you find information? (For example, using various languages, automatic or manual tools, etc.)
Filtering and aggregation: Filtering and combining bits of information.
Analysis: Understanding the information and its value.
Conclusions and deliverables: Insights about the information analyzed and packaging of the information.
Computers have proven themselves efficient at collecting, aggregating, and filtering intelligence. However, human beings are still better at developing high-quality sources, analyzing, and drawing conclusions – despite the great promise of various analytic technologies.
Intelligence vs. Information
Many of the deliveries called intelligence (or CTI) are in fact, information.
Examples are information collection by means of honey pots, attack servers, network forensics, social networks, Internet networks not accessible through a Google search (the Deep Web), or networks requiring special browsing software (the Dark Web).
Without information collection there would be no intelligence, but the mere act of collection from one source or another does not make the information “intelligence.”
For example, a quote from a closed group that is planning to attack a certain bank on Christmas is important information, but the modus operandi, the tools to be used, the ability to actually carry out the attack, and the likelihood that the attack will take place is important intelligence.
Cyber Intelligence as a Nail and Information Security Tools as a Hammer
Psychologist Abraham Maslow noted that “it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”
In the ancient world, when Joshua sent spies into Jericho, his tools were mainly between his ears, and the intelligence took form accordingly. Today, with firewalls, information security management systems, data leak prevention, and endpoint protection, we sometimes confuse intelligence with technological information like IP addresses and signatures that can be inserted into the products that we buy.
The technological information is the delivery but not the essence.
High-quality intelligence can sometimes also be expressed in technological deliveries, but the quality of intelligence can be measured based on the ability to act upon it, whether by updating firewall rules or redefining strategy or tactics in regard to a certain topic.