By Joe Slowik

Cyber threat intelligence developed into a significant discipline and commercial offering over the past half-decade, but this growth comes at the potential cost of relevance to day-to-day security operations. Intelligence in general is only as good as it enables or supports its consumer in their mission – and this will vary based on that consumer’s business or place within a larger organization. This concept of mission relevance is often lost in current threat intelligence offerings within the cyber security space, with one-size fits-all approaches applied to satisfy diverse customer needs. Furthermore, in looking at the analysis and production of intelligence, a significant gap exists between initial event discovery (or data collection) and final reporting – resulting in a delay for security personnel in responding to emerging events. To resolve these latent conflicts and provide more timely support to security operations (one particular type of consumer), organizations should seek out offerings that provide near real-time offerings of actionable information, a concept known in military circles as “threat indications and warning”. 

Threat intelligence – whether in the cyber security realm or elsewhere – is only as effective as its relevance to consumer needs. Toward this end, intelligence producers must remain continuously aware of who they are supporting and for what purpose. For example, providing an intelligence report for strategic planning differs significantly in scope, purpose, and function than delivering support for everyday security operations. The former is broad in scope, does not need to be especially timely, and communicates general trends, while the latter is focused on defender needs, must be provided in a timely fashion, and relates to specific events and incidents. Too often cyber threat intelligence takes an approach of providing one type of product to support these diverse needs, or at best breaks offerings into two distinct types: threat intelligence reports and indicator of compromise (IOC) feeds. 

Typical cyber threat intelligence offerings diverge into two types: intelligence reports that cover a discrete event or malware sample from earliest indications of attack through conclusion; and feeds of IOCs for defenders to block or search for within their environment. While both carry value, they correspond to different “poles” of an overall threat intelligence process: the capture of raw data (IOCs), followed by analysis and production, leading to a final report (threat intelligence reporting). The gulf between these is seldom bridged, and given the “debasement” of IOCs to atomic indicators lacking context, organizations often face a stark choice: react to datapoints with little or no context (resulting in false positives or other impacts to operations), or wait for a complete assessment of events in the form of a finalized intelligence report, during which the organization is vulnerable to the threat in question. 

To bridge this gap, organizations should demand that threat intelligence providers “meet them in the middle” by providing minimally-enriched information as quickly as possible to enable intelligent response to active threats. From a military context, this is typically referred to as threat “indications and warning” – the idea being to provide tactical decision-makers with timely, relevant information from which decisions can be made. In defense circles, intelligence professionals achieve this mission by providing just enough context around an observation (e.g., what platform or unit a RADAR type is associated with, or information on associated units for an overheard callsign) in order to push information to tactical decision-makers as quickly (and accurately) as possible. The desired end-state are informed, agile operations responsive to the threat environment as it unfolds, minimizing surprise and maximizing defender capability. 

From a network security perspective, the same concepts apply and fit well between the two extremes of current threat intelligence offerings: taking initial observations and enriching them just enough to provide context so intelligence consumers (in this case, operational network defenders such as incident response or SOCs) can make informed but timely decisions. While this may appear that threat intelligence providers are responsible for the current state of affairs and thus need to change, the same can be said of recipients. Namely, threat intelligence consumers must recognize that a gulf exists between typical intelligence products today, and what a “middle” offering really means. Essentially, intelligence consumers must accept and understand what they would receive as an “indications and warning” report is not finished intelligence, but a snapshot of events as they occur albeit with some level of enrichment. As such, events can change or information latter prove to be false or misleading – these are the risks that organizations need to understand and accept in exchange for greater flexibility and knowledge at the tactical level. 

Ultimately, threat intelligence should fit the needs of intelligence consumers to the greatest extent possible. Just as quarterly summaries are less than ideal for “in the trenches” security personnel, indications and warning “tips” are useless for strategic planners. From a consumer standpoint, organizations must identify to what end they will employ threat intelligence, what needs they are trying to meet, and how such information will be used – and then leverage this to guide product requirements. Conversely, vendors and intelligence providers must know their audience and ensure that products are tailored to defender needs. By increasing awareness and understanding of just what threat intelligence will be used for, organizations can ensure more robust, relevant, and actionable intelligence for consumers. 

The slides from this presentation can be viewed here: