There have been some interesting discussions on Twitter based upon a comment made by Robert M. Lee, the Founder and CEO of Dragos. I have added my abbreviated 2-cents worth where appropriate, but I think we have been talking around a definition problem; the term ‘cyber threat intelligence’ is either being misused or poorly defined.
Information Quality
I spent some of my time in the Army working in a Battalion
S-2 (intelligence) shop. As part of my on-the-job training (and some military
correspondence courses) I learned the importance of the difference between
information and intelligence. Information is something that someone has seen or
heard. Intelligence, on the other hand, is the result of analysis based upon
information, earlier intelligence, and
the knowledge and skills of the analyst. From a military point of view, the
purpose of intelligence is to provide the Commander with the current best guess
about the enemy’s intentions and capabilities so that the current battle plan
can be adjusted accordingly.
Now the military intelligence analyst is reminded constantly
about two constraints placed upon the quality of the information available.
First, and foremost, the enemy is going to do their absolute best to try to
deny the analyst access to high-quality, accurate information. Part of this
involves hiding the enemy’s activities as long as possible, but another part
frequently involves actively providing ‘access’ to inaccurate or misleading
information.
The second is that information is provided to the analyst by
human beings and that information is affected by any number of human foibles
and failings. This is best exemplified in the five categories of ‘reliability’
assigned to human intelligence sources (the names have probably changed since I
left the military, but the concept remains):
• Usually reliable;
• Somewhat reliable;
• Unknown reliability;
• Frequently unreliable; and
• Usually unreliable
For this discussion, the first and last categories are the
most important. The military has long recognized that human information sources
are never 100% reliable; even the best source can provide incorrect (or
incomplete) information for any number of reasons. And even the worst data
resource is going to provide good information every once in a while.
Thus, the intelligence analyst has to take into account both
the quantity and quality of the information available when providing the
commander with intelligence on the enemy’s intentions and capabilities.
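As an added illustration of weighing both the quantity and the quality of information, here is a small Python scoring routine (my example, not anything from the original post or from military doctrine). It uses the five reliability categories above as source grades; the numeric weight given to each grade, the rule that the same source reporting twice adds no corroboration, the independence assumption behind the combination formula, and the "needs corroboration" policy thresholds are all assumptions of this example, and the reports it scores are constructed sample data.

```python
"""Source-reliability-weighted assessment of claims (added example).

The reliability grades are the five categories from the text; the weights,
the corroboration rule and the thresholds are this example's own assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed numeric weight for each reliability grade (hypothetical values).
RELIABILITY_WEIGHT = {
    "usually reliable": 0.9,
    "somewhat reliable": 0.7,
    "unknown reliability": 0.5,
    "frequently unreliable": 0.3,
    "usually unreliable": 0.1,
}


@dataclass(frozen=True)
class Report:
    source: str       # who provided the information
    reliability: str  # one of the five grades above
    claim: str        # what the source says was seen or heard


def assess(reports):
    """Return {claim: (confidence, number_of_distinct_sources)}.

    A source repeating the same claim does not add corroboration: it is still
    one source.  Confidence is 1 - product(1 - w_i) over distinct sources,
    i.e. the chance that at least one of them is right if their errors were
    independent (an assumption made for illustration).
    """
    by_claim = defaultdict(dict)
    for r in reports:
        if r.reliability not in RELIABILITY_WEIGHT:
            raise ValueError(f"unknown reliability grade: {r.reliability!r}")
        # Keep the best grade seen for a source, in case it was graded twice.
        prev = by_claim[r.claim].get(r.source, 0.0)
        by_claim[r.claim][r.source] = max(prev, RELIABILITY_WEIGHT[r.reliability])

    result = {}
    for claim, sources in by_claim.items():
        miss = 1.0
        for w in sources.values():
            miss *= 1.0 - w
        result[claim] = (round(1.0 - miss, 3), len(sources))
    return result


def needs_corroboration(confidence, source_count, threshold=0.8, min_sources=2):
    """Flag a claim the analyst should not yet act on (assumed policy)."""
    return confidence < threshold or source_count < min_sources


# Constructed sample reports, not real intelligence.
SAMPLE_REPORTS = [
    Report("source-A", "usually reliable", "adversary staged tooling on host X"),
    Report("source-B", "frequently unreliable", "adversary staged tooling on host X"),
    Report("source-C", "usually unreliable", "adversary has a foothold in segment Y"),
    Report("source-C", "usually unreliable", "adversary has a foothold in segment Y"),
    Report("source-D", "somewhat reliable", "adversary is probing the VPN gateway"),
    Report("source-E", "unknown reliability", "adversary is probing the VPN gateway"),
]


def run_sample():
    """Score the constructed reports and mark which claims still need work."""
    scored = assess(SAMPLE_REPORTS)
    return {
        claim: (conf, n, needs_corroboration(conf, n))
        for claim, (conf, n) in scored.items()
    }


if __name__ == "__main__":
    for claim, (conf, n, flag) in run_sample().items():
        status = "needs corroboration" if flag else "actionable"
        print(f"{conf:.2f} from {n} source(s): {claim} [{status}]")
```

The point the numbers make is the one the text makes: a single "usually unreliable" source saying the same thing twice scores low and stays flagged, while a weak source corroborating a strong one still raises confidence, because even the worst source is sometimes right.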
Analyst Training
When the military trains an intelligence analyst, they train
them about the tools of the trade and how to go about the analysis process.
They also receive some training about the history of their expected adversary.
That includes information about adversary equipment and training as well as
training on the enemy’s social and political system which affects how the
adversary will make decisions. Where possible this includes developing dossiers
on the main players about which the analyst expects to be making operational
decisions.
During conventional operations, the analyst has the
advantage that most modern militaries have schooling on military arts that
includes professional publications that discuss tactics and equipment. This
provides the analyst not only with information on tactics and equipment, but also
with some insight into the thinking of the individuals writing the articles and
the milieu in which they operate.
With the advent of technical collection means the military
was forced to add an intermediate layer of intelligence analysis. It started
with photo analysis, where people developed the skills and techniques to pull
information from aerial (and later satellite) photos. With the increasing use
of electromagnetic systems for communications and other military technologies,
a whole new class of signals intercept and analysis technicians became an
integral part of intelligence analysis.
Cyber Intelligence
In recent years the whole area of cyber intelligence has
become an increasingly important part of military intelligence. From a military
point of view, it is just another system of data collection, processing and
analysis. It is just another means of providing the Commander with the best
guess about another enemy capability on the modern battlefield.
Cyber Threat Intelligence
What has become a phenomenon of the later portion of the information
age is the rise of cyber threat intelligence. While it is similar to the cyber
intelligence used by the military, it is distinguishable from cyber
intelligence by two very important characteristics. First, it is being produced
by private companies that are driven by profit motives and are responsible to
shareholders. Second, the intelligence product is designed to be used by
corporate entities that have not been trained to understand the limitations of
the intelligence product and are ill-equipped to modify their business plans to
respond to the potential consequences of the capabilities and intentions of
poorly identified adversaries.
The commercial nature of the organizations that produce CTI
has an inevitable, if variable, effect on the product offered to their
customers. Because there are multiple competing players in the production of
CTI there is frequently an increased urgency in producing and moving an
analysis product to market to beat the competition. This can result in
shortcuts being taken in information collection, data analysis and quality control.
While the military has a different cause for urgency in their intelligence
reporting needs, their relatively uncompetitive market allows them the luxury
of putting out frequent updates of their analysis. Commercial CTI firms, on the
other hand, are expected to provide their customers with finished, comprehensive
reports.
Most players in the CTI field have no formal training in the
data collection and analysis process; the field is just too new. Even
organizations where the founder has such training (Dragos comes quickly to
mind) find it difficult to push that background down to the personnel actually
doing the collection and analysis without a formal educational system to
provide the necessary foundation. As more military cyber analysts begin to move
to the private sector, this will begin to change. Even these personnel,
however, will need some fundamental retraining in the differences between
military and commercial operations. Hopefully, we will see the CTI field begin
to be addressed in an academic setting.
Use of Cyber Threat Intelligence
The biggest difference between cyber intelligence and CTI is
the user of the end-product. In the military each level of command in the hierarchy
has their own information collection and analysis capability. Thus, commanders
have been taught about the limitations of the collection and analysis process
as they rise through the ranks. While cyber information collection and analysis
has not yet been pushed down the chain of command to the tactical level, this
background makes the commanders at all levels much more effective users of all
sorts of intelligence.
One of the ways that military commanders increase the
effectiveness of intelligence is that they are responsible for intelligence
preparation of their portion of the battlefield. They provide their data
collection and analysis assets with specific requirements for types of intelligence
that will be expected to affect their operations. They also request similar
types of information from higher (and frequently adjacent) headquarters. This makes
the commander an active participant in the intelligence process.
The users of CTI typically have little or no background in
either the use or production of CTI. This means that there is little likelihood
that they will be effective users of the product or that they will be able to
influence the production of useful CTI. It seems unlikely that many corporate
entities will develop in-house cyber-information data-collection and analysis
capabilities at multiple levels in the organization. Thus, there will be little
or no in-house training of managers in the use of CTI as they rise through the
ranks.
Increasing CTI Effectiveness
If CTI is going to be a useful tool for corporate users,
training is going to have to be an increasing portion of the CTI product. Not
only are CTI producers going to have to be responsible for the bulk of the
training of their collection and analysis personnel (academia is way too slow
to respond to new areas of study), but they are going to have to be able to provide
training to their customers in the utilization of their product.
While much of the training is going to have to (initially at
least) be focused on the upper management of an organization, the truly successful
CTI provider is going to be able to push training down to the operational level
in organizations. Not only are they going to have to provide training on the
use of CTI, but they are also going to have to push data collection and analysis
training down to the lowest levels of the organization to increase the targeted
effectiveness of their products.
The CTI production industry is a relatively new part of the
cyber landscape, and we can expect to see significant changes in it.
Successful companies are going to be those that have active programs in place to
increase the effectiveness and professionalism of their work force while making
it easier for their customers to effectively utilize their products. The
successful companies are going to be those that realize that training is going
to be as large a part of their operation as is the collection and analysis of
cyber information.