The practice of gathering intelligence is not a new concept. While the methods and motives may change, the main idea is to collect information that will help you stop some form of future damage or harm. Just like law enforcement and government agencies work to establish intelligence sources to prevent future crimes, organizations can collect intelligence to prevent future cyberattacks.
This practice has become known as Cyber Threat Intelligence (CTI). There are lots of definitions that you can find for CTI, but the goal is to provide advanced warning and proactive detection of cyberattacks before they’re carried out. In other words, it’s trying to understand the Who, What, Where, When and Why behind a cyberattack. Think of it like PreCrime from the movie Minority Report, but instead of PreCogs with visions of future crimes, you’re leveraging a vast amount of digital activity and data to predict a cyberattack.
Cyberattacks are hardly ever done in isolation. There’s an entire underground ecosystem of data exchange, collaboration tools, black markets and chat rooms that are used primarily by cybercriminals. As hackers plan their attacks, they often tip their hand about how they will attack. These “Digital Breadcrumbs” can be tracked and used to anticipate when and how an attack might take place. For example:
In theory, threat intelligence is something that every company should be using. But going from raw data to finished intelligence is a challenging process, which has given rise to a variety of new tools and job functions.
Intelligence doesn’t just appear from thin air. Threat data needs to be collected, processed and analyzed for it to become threat intelligence. There’s no limit to the amount of threat and cybersecurity data out there, but the challenge is in turning this data into specific and actionable intelligence. Intelligence isn’t any good if it doesn’t help you take action.
This process involves collecting millions of data points from various internal and external sources. This data must be processed and filtered, and then, lastly and perhaps most importantly, context and relevancy need to be applied. This is what differentiates intelligence from information. To give you a basic example, you might find out that a bank robbery will happen next week, but if you don’t know whether it’s your bank being targeted and don’t know how the robbery will happen, that information doesn’t do you much good.
You need to know how a threat relates to your business and your customers. That’s why context and relevancy are critical in order for information to be turned into intelligence.
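As an added example (not from the original post), here is a small Python pipeline for the steps just described: raw reports are processed and de-duplicated, then context and relevancy are applied by scoring each report against an organisation profile, so that only reports with a stated reason survive as intelligence. The profile, the feed, and the field names are constructed assumptions, not a real format.

```python
# Added example, not from the original post: collect -> process -> add context.
# The organisation profile and every report below are constructed sample data.

# Constructed profile of the defending organisation (hypothetical values).
ORG_PROFILE = {
    "sector": "banking",
    "technologies": {"windows", "office365", "citrix"},
    "domains": {"examplebank.test"},
}

# Constructed raw feed: mixed relevance, inconsistent casing, one duplicate.
RAW_REPORTS = [
    {"id": "r1", "sectors": ["Banking"], "technologies": ["Citrix"], "targets": [],
     "summary": "Phishing kit spoofing bank login pages"},
    {"id": "r2", "sectors": ["healthcare"], "technologies": ["linux"], "targets": [],
     "summary": "Ransomware campaign against hospitals"},
    {"id": "r3", "sectors": [], "technologies": [], "targets": ["ExampleBank.test"],
     "summary": "Domain appears in a leaked target list"},
    {"id": "r1", "sectors": ["Banking"], "technologies": ["Citrix"], "targets": [],
     "summary": "Phishing kit spoofing bank login pages"},  # duplicate of r1
]

def process(reports):
    """Processing stage: drop duplicate ids and normalise fields to lowercase sets."""
    seen, clean = set(), []
    for r in reports:
        if r["id"] in seen:
            continue
        seen.add(r["id"])
        clean.append({**r, **{k: {v.lower() for v in r[k]}
                              for k in ("sectors", "technologies", "targets")}})
    return clean

def relevance(report, profile):
    """Analysis stage: the context that turns a report into intelligence for us."""
    reasons = []
    if profile["sector"] in report["sectors"]:
        reasons.append("targets our sector")
    if hits := profile["technologies"] & report["technologies"]:
        reasons.append("affects technology we run: " + ", ".join(sorted(hits)))
    if profile["domains"] & report["targets"]:
        reasons.append("names our domain explicitly")
    return reasons

def to_intelligence(reports, profile):
    """Keep only reports with at least one reason; most reasons first."""
    out = [{"id": r["id"], "summary": r["summary"], "why": relevance(r, profile)}
           for r in process(reports)]
    return sorted((o for o in out if o["why"]), key=lambda o: -len(o["why"]))
```

Running `to_intelligence(RAW_REPORTS, ORG_PROFILE)` keeps r1 and r3 with their reasons attached and discards the hospital ransomware report, which is information but not intelligence for this bank.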
It’s important to note that these different types of intelligence are not mutually exclusive, but rather different ways of processing and interpreting data. For example, HUMINT and Dark Web Intelligence often overlap and involve similar activities, but the intent of the research and data collection may be different.
As we mentioned above, there’s no limit to the amount of data out there, but the challenge is in turning this data into specific and actionable intelligence. So what are some of the ways you can use this intelligence?
Just like with any process or solution, there are always best practices for making its use more effective. Here are some best practices to keep in mind when developing and optimizing your threat intelligence program.