Threat Intelligence for the 99%: Explaining the Issue
Cyber threat intelligence isn’t just for the 1%.
If you’re in cybersecurity, odds are you’ve heard a lot about threat intelligence these last few years. But unless you’re part of an organization with a massive budget for cybersecurity, you probably haven’t had the chance to conduct any threat intelligence practices or maybe even fully explore what it is (and isn’t).
The truth is, threat intelligence isn’t just for the 1%. It’s for everyone, and we’re here to help set you on your way to success.
We’re pleased to introduce a new eight-part blog series titled Threat Intelligence for the 99%. In this series we’ll dive deep into all topics surrounding threat intelligence, what it means and how to approach it depending on the needs and resources of your organization.
In this first post, Explaining the Issue, we’ll get through a series of definitions to set the table for how any organization—regardless of staff, budget or technical security expertise—can approach cyber threat intelligence. Let’s get started with the basics.
What is a cyber threat?
The U.S. National Institute of Standards and Technology (NIST) defines a cyber threat as: “any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.”
What is cyber threat information?
NIST also defines cyber threat information as “any information that can help an organization to identify, assess, monitor and respond to cyber-threats. Examples of cyber-threat information include indicators (system artifacts or observables associated with an attack), tactics, techniques and procedures, security alerts, threat intelligence reports, and recommended security tool configurations.”
What is intelligence?
The Oxford English Dictionary defines intelligence as “the ability to acquire and apply knowledge and skills,” and “the collection of information of military or political value.”
What is cyber threat intelligence?
The SANS Institute defines cyber threat intelligence (or CTI) as “the analysis of an adversary's intent, opportunity, and capability to do harm.” It goes on to say: “Intelligence is not a data feed, nor is it something that comes from a tool. Intelligence is actionable information that answers a key knowledge gap, pain point, or requirement of an organization. This collection, classification, and exploitation of knowledge about adversaries gives defenders an upper hand against adversaries and forces defenders to learn and evolve with each subsequent intrusion they face.”
A History Lesson on Intelligence
Intelligence from a military and strategic point of view goes back millennia. According to the New World Encyclopedia (NWE), spying is mentioned in Homer’s Iliad and the Bible. The Roman Empire used spies across the world to gather information about neighboring nations and their people. In ancient China, theoretical works on information gathering were written around 500 BC.
The NWE goes on to say:
“As governments became more organized, so did their militaries and military intelligence systems, eventually evolving into the complex and multi-faceted organizations of today. Technological advancements such as radio led to advancements in areas like cryptography, as well as more advanced systems to intercept and decode messages. [Military Intelligence] has fueled many technological advances; the first world-wide computer network, for example, was not the internet, but the international network connecting surveillance stations.”
As the battlefield evolved in the 1980s and 1990s from fields and oceans to the cyber realm, the military evolved their intelligence capabilities to include the production of intelligence within the cyber sphere. This eventually led to the founding of military cyber commands in the 2000s.
Soon after this, there was a recognition that the intelligence gleaned from these military applications had actionable defensive and protective value to the private sector. At this point, CTI was born. It would grow to serve as a foundational element of many large organizations’ defensive and response strategies in the 2010s.
As we look to the 2020s, the growth in machine learning and artificial intelligence will drive down the cost and resource requirements of CTI, allowing smaller organizations to reap all the benefits that it can provide.
Intelligence = Action
So, what does all this mean for you?
You can distill this down to three major themes:
- All organizations, regardless of size, industry, or geography, will face threats to their infrastructure, assets and people. There is no escaping this.
- Data about these threats is available from a variety of sources, and the mechanisms to consume and triage it will get easier over time.
- The collection and interpretation of this data to drive an action is the essence of intelligence. Without an action, all you have is a great story to tell, but you are not really impacting the defensive posture of your organization.
Join us for the next part of the series as we take a look at why doing CTI is so important today and in the future.
Want to learn more about how to boost your threat intelligence program? Come see us at RSA Conference at the Moscone Center in San Francisco at Booth 935 from March 4-8.