Sunday, January 28, 2018

Cyber Threat Intelligence

There have been some interesting discussions on Twitter based upon a comment made by Robert M. Lee, the Founder and CEO of Dragos. I have added my abbreviated two cents' worth where appropriate, but I think we have been talking around a definition problem: the term ‘cyber threat intelligence’ is either being misused or poorly defined.

Information Quality

I spent some of my time in the Army working in a Battalion S-2 (intelligence) shop. As part of my on-the-job training (and some military correspondence courses) I learned the importance of the difference between information and intelligence. Information is something that someone has seen or heard. Intelligence, on the other hand, is the result of analysis based upon information, earlier intelligence, and the knowledge and skills of the analyst. From a military point of view, the purpose of intelligence is to provide the Commander with the current best guess about the enemy’s intentions and capabilities so that the current battle plan can be adjusted accordingly.

Now the military intelligence analyst is reminded constantly of two constraints placed upon the quality of the information available. First, and foremost, the enemy is going to do their absolute best to deny the analyst access to high-quality, accurate information. Part of this involves hiding the enemy’s activities as long as possible, but another part frequently involves actively providing ‘access’ to inaccurate or misleading information.

The second is that information is provided to the analyst by human beings, and that information is affected by any number of human foibles and failings. This is best exemplified in the five categories of ‘reliability’ assigned to human intelligence sources (the names have probably changed since I left the military, but the concept remains):

• Usually reliable;
• Somewhat reliable;
• Unknown reliability;
• Frequently unreliable; and
• Usually unreliable.

For this discussion, the first and last categories are the most important. The military has long recognized that human information sources are never 100% reliable; even the best source can provide incorrect (or incomplete) information for any number of reasons. And even the worst source is going to provide good information every once in a while.

Thus, the intelligence analyst has to take into account both the quantity and quality of the information available when providing the commander with intelligence on the enemy’s intentions and capabilities.

Analyst Training

When the military trains an intelligence analyst, they train them in the tools of the trade and in how to go about the analysis process. They also receive some training about the history of their expected adversary. That includes information about adversary equipment and training as well as training on the enemy’s social and political system, which affects how the adversary will make decisions. Where possible this includes developing dossiers on the main players about whom the analyst expects to be making operational judgements.

During conventional operations, the analyst has the advantage that most modern militaries have schooling in the military arts that includes professional publications discussing tactics and equipment. This provides the analyst not only with information on tactics and equipment, but also with some insight into the thinking of the individuals writing the articles and the milieu in which they operate.

With the advent of technical collection means, the military was forced to add an intermediate layer of intelligence analysis. It started with photo analysis, where people developed the skills and techniques to pull information from aerial (and later satellite) photos. With the increasing use of electromagnetic systems for communications and other military technologies, a whole new class of signals intercept and analysis technicians became an integral part of intelligence analysis.

Cyber Intelligence

In recent years the whole area of cyber intelligence has become an increasingly important part of military intelligence. From a military point of view, it is just another system of data collection, processing and analysis; another means of providing the Commander with the best guess about one more enemy capability on the modern battlefield.

Cyber Threat Intelligence

A phenomenon of the later portion of the information age is the rise of cyber threat intelligence (CTI). While it is similar to the cyber intelligence used by the military, it is distinguished from that cyber intelligence by two very important characteristics. First, it is being produced by private companies that are driven by profit motives and are responsible to shareholders. Second, the intelligence product is designed to be used by corporate entities that have not been trained to understand the limitations of the intelligence product and are ill-equipped to modify their business plans in response to the potential consequences of the capabilities and intentions of poorly identified adversaries.

The commercial nature of the organizations that produce CTI has an inevitable, if variable, effect on the product offered to their customers. Because there are multiple competing players in the production of CTI, there is frequently an increased urgency to produce an analysis product and move it to market to beat the competition. This can result in shortcuts being taken in information collection, data analysis and quality control. While the military has a different cause for urgency in its intelligence reporting, its relatively uncompetitive market allows it the luxury of putting out frequent updates of its analysis. Commercial CTI firms, on the other hand, are expected to provide their customers with finished, comprehensive reports.

Most players in the CTI field have no formal training in the data collection and analysis process; the field is just too new. Even organizations where the founder has such training (Dragos comes quickly to mind) find it difficult to push that background down to the personnel actually doing the collection and analysis without a formal educational system to provide the necessary foundation. As more military cyber analysts begin to move to the private sector, this will begin to change. Even these personnel, however, will need some fundamental retraining in the differences between military and commercial operations. Hopefully, we will see the CTI field begin to be addressed in an academic setting.

Use of Cyber Threat Intelligence

The biggest difference between cyber intelligence and CTI is the user of the end-product. In the military, each level of command in the hierarchy has its own information collection and analysis capability. Thus, commanders have been taught about the limitations of the collection and analysis process as they rise through the ranks. While cyber information collection and analysis has not yet been pushed down the chain of command to the tactical level, this background makes commanders at all levels much more effective users of all sorts of intelligence.

One of the ways that military commanders increase the effectiveness of intelligence is that they are responsible for the intelligence preparation of their portion of the battlefield. They give their data collection and analysis assets specific requirements for the types of intelligence expected to affect their operations. They also request similar types of information from higher (and frequently adjacent) headquarters. This makes the commander an active participant in the intelligence process.

The users of CTI typically have little or no background in either the use or the production of CTI. This means there is little likelihood that they will be effective users of the product or that they will be able to influence the production of useful CTI. It seems unlikely that many corporate entities will develop in-house cyber-information data-collection and analysis capabilities at multiple levels of the organization. Thus, there will be little or no in-house training of managers in the use of CTI as they rise through the ranks.

Increasing CTI Effectiveness

If CTI is going to be a useful tool for corporate users, training is going to have to become an increasing portion of the CTI product. Not only are CTI producers going to have to be responsible for the bulk of the training of their own collection and analysis personnel (academia is way too slow to respond to new areas of study), but they are also going to have to provide training to their customers in the utilization of their product.

While much of that training is going to have to (initially, at least) be focused on the upper management of an organization, the truly successful CTI provider is going to be able to push training down to the operational level in customer organizations. Not only will they have to provide training on the use of CTI, but they will also have to push data collection and analysis training down to the lowest levels of the organization to increase the targeted effectiveness of their products.

The CTI production industry is a relatively new part of the cyber landscape, and we can expect to see significant changes in it. Successful companies are going to be those that have active programs in place to increase the effectiveness and professionalism of their workforce while making it easier for their customers to effectively utilize their products. The successful companies are going to be those that realize that training is going to be as large a part of their operation as the collection and analysis of cyber information.
