I want to start sharing my thoughts on Threat Intelligence as a domain. Please don’t take my thoughts as the only truth: I could be wrong in details, but my notes should generally be close to reality.
From participating in discussions, listening to others, reading group chats, and commenting on social media, many people misunderstand the definition and purpose of Threat Intelligence as a domain and a process. This problem exists in C-level management and among security professionals from other blue team domains, such as IR, SOC, DFIR, etc.
Let’s talk about Intelligence in general first. Intelligence is a supporting function; I suggest sticking to this definition. You can’t produce Intelligence if no one can consume it for the greater good. Intelligence helps decision-makers make decisions. A decision-maker could be any person, organization, or other entity that is able and willing to receive Intelligence. Suppose we are talking about policymakers and political powers: they consume Intelligence related to foreign affairs or internal conflicts/relationships to take the proper steps and prepare for the possible consequences of the actions they execute. Military personnel plan offensive operations based on Intelligence provided by intelligence officers. There is one massive example of how the hard work and dedication of US Intelligence Community analysts, combining SIGINT, HUMINT, and GEOINT, helped the US Government track down and eliminate the most significant terrorist threat ever, Osama bin Laden: for more details, I can’t resist suggesting the movie “Zero Dark Thirty”, and for how Operational Intelligence helped a Special Operations unit perform the ground operation, I can recommend reading “No Easy Day”. For the C-level of big organizations, we can refer to Business Intelligence, which helps them take the right approach to business expansion, mergers, and other (mostly) strategic-level decisions. It is crucial to understand that the purpose of Intelligence is to analyze the present and the past in order to predict the future in its different aspects. The information flow is simple: information -> data -> intelligence. Intelligence becomes Intelligence when we not only report the events but also analyze the information we have and provide insights. Intelligence is an essential function that can add many points to an organization’s maturity and help it make better decisions. So, we understand that the primary goal of Intelligence is to support other entities in making the most efficient decisions.
Let’s move forward and talk about the main subject. What is threat intelligence?
The definition follows from the name: Threat Intelligence is about threats, threats in cyberspace in particular. So, threat intelligence is responsible for detecting potential threats in cyberspace, giving insight into the current threat landscape for organizations, and providing answers to questions from entities inside and/or outside the organization. Threat Intelligence solves problems that other entities have and want to solve. A few quick examples:
- Vulnerability Management is struggling with vulnerability prioritization? Vulnerability Intelligence is at your service to find out which vulnerabilities are being exploited in the wild, have a publicly available POC, or have an exploit that is for sale and/or already in the hands of threat actors.
- The SOC wants context around hashes, URLs, and IPs? A Threat Intelligence Platform joins the game with integrated open-source and privately available feeds to provide the required context.
- The Incident Response team needs assistance with attribution or direction for further investigation? A comprehensive library of TTPs, motivations, etc., populated by the CTI team, can help with that.
- Detection Engineering requires guidance across changing threats? Threat Intelligence can help with heatmaps and recent trends.
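To make the first item concrete, here is a small worked example of what Vulnerability Intelligence adds on top of a scanner report. It is an added illustration, not code from this post or from any product mentioned here: the scanner findings, the intelligence feed, its field names (`exploited_in_wild`, `public_poc`, `exploit_for_sale`, `actor_tooling`), the CVE-style identifiers and the scoring weights are all constructed assumptions chosen to show the idea, not real data. The point it demonstrates is that a CVSS-only ranking and an intelligence-informed ranking can disagree, and that the intelligence-informed one carries the reasons a Vulnerability Management team needs to justify its order of work.

```python
"""Vulnerability prioritization enriched with a (constructed) vulnerability intelligence feed."""
from dataclasses import dataclass

# Constructed scanner output: what Vulnerability Management has on its own.
# CVE identifiers are placeholders, not real CVEs.
SCANNER_FINDINGS = [
    {"cve": "CVE-EXAMPLE-0001", "cvss": 9.8, "asset": "web-gw-01", "internet_facing": True},
    {"cve": "CVE-EXAMPLE-0002", "cvss": 7.5, "asset": "hr-db-02", "internet_facing": False},
    {"cve": "CVE-EXAMPLE-0003", "cvss": 5.3, "asset": "web-gw-01", "internet_facing": True},
    {"cve": "CVE-EXAMPLE-0004", "cvss": 9.1, "asset": "build-07", "internet_facing": False},
]

# Constructed vulnerability intelligence: the context a CTI team supplies.
# Schema is an assumption for this example; no entry means "no intelligence yet".
VULN_INTEL = {
    "CVE-EXAMPLE-0001": {"exploited_in_wild": False, "public_poc": False,
                         "exploit_for_sale": False, "actor_tooling": []},
    "CVE-EXAMPLE-0002": {"exploited_in_wild": True, "public_poc": True,
                         "exploit_for_sale": False, "actor_tooling": ["ActorA"]},
    "CVE-EXAMPLE-0003": {"exploited_in_wild": False, "public_poc": True,
                         "exploit_for_sale": True, "actor_tooling": []},
}

# Weights are an assumption for illustration; a real program tunes them to its
# intelligence requirements. They are deliberately larger than the CVSS range
# (0-10) so that observed exploitation outranks theoretical severity.
WEIGHTS = {"exploited_in_wild": 40, "actor_tooling": 25, "exploit_for_sale": 15, "public_poc": 10}
INTERNET_FACING_BONUS = 5


@dataclass
class Prioritized:
    cve: str
    asset: str
    score: float
    reasons: list


def intel_factors(intel_entry):
    """Return (points, reasons) for one CVE's intelligence record; unknown CVEs get 0."""
    if not intel_entry:
        return 0, ["no intelligence available"]
    points, reasons = 0, []
    if intel_entry.get("exploited_in_wild"):
        points += WEIGHTS["exploited_in_wild"]
        reasons.append("exploited in the wild")
    if intel_entry.get("actor_tooling"):
        points += WEIGHTS["actor_tooling"]
        reasons.append("in threat actor tooling: " + ", ".join(intel_entry["actor_tooling"]))
    if intel_entry.get("exploit_for_sale"):
        points += WEIGHTS["exploit_for_sale"]
        reasons.append("exploit offered for sale")
    if intel_entry.get("public_poc"):
        points += WEIGHTS["public_poc"]
        reasons.append("public POC available")
    return points, reasons


def prioritize(findings, intel):
    """Rank scanner findings by intelligence points + CVSS + exposure, highest first."""
    ranked = []
    for f in findings:
        points, reasons = intel_factors(intel.get(f["cve"]))
        score = points + f["cvss"]
        if f["internet_facing"]:
            score += INTERNET_FACING_BONUS
            reasons.append("internet-facing asset")
        ranked.append(Prioritized(f["cve"], f["asset"], round(score, 1), reasons))
    ranked.sort(key=lambda p: p.score, reverse=True)
    return ranked


def cvss_only_order(findings):
    """The order Vulnerability Management would work in without intelligence."""
    return [f["cve"] for f in sorted(findings, key=lambda f: f["cvss"], reverse=True)]


if __name__ == "__main__":
    print("CVSS-only order:       ", cvss_only_order(SCANNER_FINDINGS))
    print("Intel-informed order:")
    for p in prioritize(SCANNER_FINDINGS, VULN_INTEL):
        print(f"  {p.score:5.1f}  {p.cve}  {p.asset}  ({'; '.join(p.reasons)})")
```

Run stand-alone, the CVSS-only order puts the two 9.x findings first, while the intelligence-informed order moves the actively exploited 7.5 and the for-sale 5.3 ahead of them; each line carries the reasons, which is what turns a feed into something the Vulnerability Management team can act on and explain.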
Moreover, Threat Intelligence can support the C-level during acquisitions, mergers with other companies, or expansion into other countries, and, most importantly, in making the right strategic decisions and investments that allow the organization to protect itself. Threat Intelligence could be one of the connecting links between multiple teams, setting the development vector to improve operations and bring innovations.
In an ideal world, threat intelligence is supposed to PREDICT attacks, provided you take the necessary measures based on its findings. Unfortunately, this is not always the case, and effective results depend on multiple factors, such as CTI team expertise, expectations from leadership, the relevance of intelligence requirements, technologies, operations, and policy excellence. Efficiency depends on the maturity level of the other security functions as well. Implementing a Threat Intelligence Program should start with an audit of security functions, just as studying a programming language should start with learning English for non-native speakers.
So, yeah… Threat Intelligence is complicated; it is not a silver bullet that solves all your security problems. The approach to implementation should consist of multiple steps, and it can take years to get it right.
In the following notes, I’ll dig into each component and how different teams imagine the role of a Threat Intelligence Analyst in their group.
Acknowledgments for inspiration:
Libra
mnemonic security podcast
The Defender’s Advantage Podcast Mandiant