If you’re in cybersecurity, odds are you’ve heard a lot about threat intelligence these last few years. But unless you’re part of an organisation with a massive budget for cybersecurity, you probably haven’t had the chance to conduct any threat intelligence practices or maybe even fully explore what it is (and isn’t).
The truth is, threat intelligence isn’t just for the 1%. It’s for everyone, and we’re here to help set you on your way to success.
We’re pleased to introduce a new eight-part blog series titled Threat Intelligence for the 99%. In this series we’ll dive deep into all topics surrounding threat intelligence, what it means and how to approach it depending on the needs and resources of your organisation.
In this first post, Explaining the Issue, let’s get started with the basics and some historical perspective to understand where threat intelligence stands today.
What is cyber threat intelligence?
The SANS Institute says that “the analysis of an adversary's intent, opportunity, and capability to do harm is known” as cyber threat intelligence (or CTI). It goes on to say: “Intelligence is not a data feed, nor is it something that comes from a tool. Intelligence is actionable information that answers a key knowledge gap, pain point, or requirement of an organisation. This collection, classification, and exploitation of knowledge about adversaries gives defenders an upper hand against adversaries and forces defenders to learn and evolve with each subsequent intrusion they face.”
A History Lesson on Intelligence
Intelligence from a military and strategic point of view goes back millennia. According to the New World Encyclopedia (NWE), spying is mentioned in Homer’s Iliad and the Bible. The Roman Empire used spies across the world to gather information about neighboring nations and their people. In ancient China, theoretical works on information gathering were written around 500 BC.
The NWE goes on to say:
“As governments became more organised, so did their militaries and military intelligence systems, eventually evolving into the complex and multi-faceted organisations of today. Technological advancements such as radio led to advancements in areas like cryptography, as well as more advanced systems to intercept and decode messages. [Military Intelligence] has fueled many technological advances; the first world-wide computer network, for example, was not the internet, but the international network connecting surveillance stations.”
As the battlefield evolved in the 1980s and 1990s from fields and oceans to the cyber realm, the military evolved their intelligence capabilities to include the production of intelligence within the cyber sphere. This eventually led to the founding of military cyber commands in the 2000s.
Soon after this, there was a recognition that the intelligence gleaned from these military applications had actionable defensive and protective value to the private sector. At this point, Cyber Threat Intelligence (CTI) was born. It would grow to serve as a foundational element of many large organisations’ defensive and response strategies in the 2010s.
As we look to the 2020s, the growth in machine learning and artificial intelligence will drive cost and resource requirements down far enough for smaller organisations to reap all the benefits that CTI can provide.
Intelligence = Action
So, what does all this mean for you? You can distill it down to three major themes:
All organisations regardless of size, industry or geography will have threats to their infrastructure, assets and people. There is no escaping this.
Data on these threats is available from a variety of sources, and the mechanisms to consume and triage it will get easier to use over time.
The collection and interpretation of this data to drive an action is the essence of intelligence. Without an action, all you have is a great story to tell, but you are not really impacting the defensive posture of your organisation.
Read Part 2 of this series as we take a look at why CTI is becoming so critical today and in the future.