What Exactly Is Threat Intelligence?

April 10, 2017 • Amanda McKeon

We’re excited to announce our new podcast series that will take listeners inside the world of cyber threat intelligence. We’re sharing stories from the trenches and the operations floor as well as giving you the skinny on established and emerging adversaries. We’ll also talk current events, technical tradecraft, and offer up insights on the big picture issues in our industry.

Join the Recorded Future team, special guests, and our partners from the CyberWire to learn everything you want to know (and maybe some things you’d rather not know) about the world of cyber threat intelligence.

In our first episode, we start with the basics of threat intelligence. We talk about its emergence in cyber security and offer some relevant definitions. We describe where threat intelligence comes from, its purpose, and the context in which it’s used. In an age of information overload, we also look at the path from data, to information, to actionable intelligence.

These are important distinctions when organizations requiring threat intelligence face the prospect of sorting through competing claims, products, and services in the marketplace. As organizations adopt threat intelligence and look to protect themselves in a rapidly evolving threat landscape, discerning value, establishing priorities, and setting measurable goals become critical.

We talk through these issues with Staffan Truvé, our chief technology officer and co-founder; Levi Gundert, our vice president of intelligence and strategy; and Robert M. Lee, chief executive officer and founder at Dragos Security.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cyber security.

Dave Bittner:

Hello everyone and thanks for joining us, I’m Dave Bittner from The CyberWire. This is episode one of the Recorded Future podcast. Today is our first episode and we’re excited to embark on this new podcast focused on the topic of threat intelligence. We’re going to be taking you inside the world of threat intelligence for cyber security, sharing stories from the trenches and the operations floor as well as giving you the inside skinny on established and emerging adversaries. We’ll also talk current events, technical tradecraft, and offer insights on the big picture issues in our industry. You’ll hear from the experts on the Recorded Future team, industry leaders, and special guests. We here at The CyberWire are happy to be partnering with Recorded Future as we help you learn everything you want to know and maybe a thing or two you’d rather not know about the world of threat intelligence.

Today we’re going to start with the basics and talk about what cyber threat intelligence is, find out how we got where we are, explore the importance of setting measurable goals, and much more.

We’re joined by Staffan Truvé, Recorded Future co-founder; Levi Gundert, Recorded Future’s vice president of intelligence and strategy; and Robert M. Lee, CEO and founder of Dragos Incorporated.

Robert Lee:

Threat intelligence is very simply knowledge of the adversary.

Dave Bittner:

That’s Robert Lee from Dragos.

Robert Lee:

It is generally analyzed information, meaning to some level of interpreted data and information relating to an entity that has the intent, opportunity, and capability to do you harm.

Staffan Truvé:

Threat intelligence is really all the external information you can gather around a continental organization, which helps you assess the risk situation around it. Both present and future threats.

Dave Bittner:

That’s Staffan Truvé, Recorded Future’s co-founder and chief technical officer. He makes the point that while threat intelligence may be a relatively recent addition to the cyber security toolbox, it isn’t really a new idea. It goes way back.

Staffan Truvé:

In the old days, when you were protecting a city, you used to build a wall around the city to protect it. That sort of stopped the enemy once they got there, but of course you wanted to understand what was happening, so you had your spies on the outside who were trying to gather information and see if the enemy was getting closer and if they were arming themselves, what kind of arms did they have, and so on.

In modern times, of course, this has continued and as more and more information has become digital, the kind of threat intelligence we do has become more important.

Levi Gundert:

We quickly saw in the early 2000s that there was essentially a need to have awareness of threats and risk to the business, prior to it actually affecting the business.

Dave Bittner:

Levi Gundert is Recorded Future’s VP of intelligence and strategy.

Levi Gundert:

Financial services was really the first industry to look at building these cyber threat intelligence teams and the capabilities and resources necessary to build those programs and show value to the business. I think now five, six years later, you’re seeing a lot of other industry verticals sort of follow the financial services lead. Now you’re seeing threat intelligence teams that are either part of an incident response or are their own team working with other operational security teams under the CISO umbrella. You’re seeing those types of capabilities spread across really all industry verticals now, as there is a much more tacit acknowledgment that this is a critical capability for a business to have in order to properly do risk analysis.

Staffan Truvé:

You don’t want to be one step behind and discover that someone is at your doors or inside your system. You want to be able to anticipate that and take countermeasures before things happen.

Dave Bittner:

We talk a lot in cyber security about information overload, the virtual fire hose of data that can come at any of us throughout the day. It’s an important distinction: when and how does information become intelligence?

Staffan Truvé:

The difference between information and intelligence is really that intelligence is a refined product. You gather all kinds of information and you make assessments about what is credible or not, and you really try to be in the informed picture of something.

Robert Lee:

Information can fit into becoming intelligence, if you will, once it meets an intelligence requirement.

Dave Bittner:

That’s Robert Lee.

Robert Lee:

But it’s really got to be analyzed, and I think that’s a part of the problem in the industry: the misunderstanding of the relationship of data to information to intelligence. A lot of folks who get fed up with threat intelligence are really just getting fed up with vendors sending them feeds of data, like an IP address, or the fact that the IP address is malicious, or a digital hash. That’s not intelligence, that’s just data. To be information, data has to answer a yes or no question. So is this IP address malicious and what is it related to? Oh, it’s command and control for this specific piece of malware. Well now it’s information, but that’s still not necessarily useful depending on your requirements. To make it intelligence is the process of taking various sources of information, analyzing it together, and coming up with some sort of an assessment that meets an intelligence requirement.

Levi Gundert:

There’s information that comes from actively scanning the internet. There’s information that comes from passively listening to information on the internet. There’s information that comes from sandboxing and processing malware samples. There’s information that comes from the web and the internet in general, both open forums and closed sources like criminal forums. There’s a lot of different ways to obtain information, but it’s really analysts that have to determine what the value of that information is on an ongoing basis. There’s a tendency to want to pull in anything and everything, but you have to think about what the value of that stream really is.

Robert Lee:

A threat has to have three core things: intent, opportunity, and capability. Malware is just a capability. The vulnerability in your people, organizations, systems, whatever else is the opportunity. But intent is a hostile intent that’s leveraged by a human. The threat is the human; malware is just a capability. A lot of the information overload that we’ve seen in the industry has been an over-focus on malware, and an over-focus on relabeling malware reports as threat intelligence reports.

Staffan Truvé:

First of all, we aggregate a far larger number of sources and bits of information than any human could possibly read. Then we also algorithmically group them together, so if there are numerous mentions about the same event, they get put in one bucket so to speak. We also algorithmically determine what is trending so that you can get help prioritizing what you should be focusing on. You know there is always a lot of noise around and you really want to see what is of most importance because there’s an anomaly or something is trending or something like that. It’s really gathering all of the information, aggregating it for you, and helping you prioritize it.

Levi Gundert:

When you think about strategic threat intelligence, it’s looking at specific threats, it’s looking at trends and threats, and it’s actually producing metrics for the business. Things like, how many new security architecture improvements or changes are happening based on the strategic threat intelligence being done by analysts? What are the number of new internal threat hunting methodologies that are being documented based on the threat intelligence being done by these analysts? What’s the analyzed number of updated loss probabilities that are delivered to senior executives and the board?

Those are some of the metrics that come out of strategic threat intelligence, but it’s really the process of taking the threat domain and translating it into the language of risk for senior decision makers.

Robert Lee:

To be good threat intelligence, to be the stuff that we really talk about that crosses the threshold of what we want in the industry, you’re talking around analyzed information. A human analyst, who has experience and expertise along the lines of what the intelligence requirements are, is able to take disparate portions of information, combine it together, and answer that intelligence requirement with an assessment or some sort of productized form like a report.

Dave Bittner:

Another way to make the flow of information manageable is through the behind-the-scenes use of machine learning and artificial intelligence.

Levi Gundert:

A lot of what we do is based on natural language processing. We’re able to identify important pieces of information based on where it appears and how it appears in context. We’re actually able to pull out different pieces of a sentence and then determine whether those pieces of the sentence add up to something that’s important or not.

Staffan Truvé:

These are things that humans can do. It’s just that with the volume of information we have, it’s impossible for humans to master all of that.

The second category is really where machine learning is used to do tasks, which are, I would say essentially impossible for humans to do. One example is that we’ve developed a way to predict future malicious IP addresses. Essentially, we talked about threat lists earlier and those are really today mostly describing things which have already happened.

We also produce threat lists for IP addresses which we think will be malicious maybe four or five days into the future. The way we do that is that we’ve gathered years of historic information about IP addresses which have behaved maliciously and the context in which they have been mentioned and so on. Then we fed this into a machine-learning system, and what that has done is really then found a hidden model for what determines if a previously and hitherto unseen IP address will be malicious in the future. This is a very complex thing to do. This algorithm is looking at thousands of parameters around that IP address: what neighbors it has in the IP address space, how people have been talking about those, how they’ve been behaving, and so on.

It’s much more complicated than what you really as a human can fathom. Here machine learning is really doing something which we couldn’t do as humans and I think that’s pretty interesting — that’s the exciting part moving forward. To not only automate things which humans can do, but actually break new barriers in what kind of threat intelligence we can provide using machine learning.

Dave Bittner:

One of the things our experts are in agreement about is that it’s not enough to say, for example, “I’m going to use threat intelligence to keep my organization safe.” They emphasize the importance of establishing measurable goals.

Robert Lee:

So to say, “Have a measurable goal about what you want to be able to accomplish.” That in and of itself could be an intelligence requirement or it could even be just a larger security requirement. Your larger security requirement might be that currently it takes your security and incident response folks three weeks to scope the environment when new information about an adversary is out. Your measurable goal is to reduce that three-week scoping process to under five days. To do that, you might come up with an intelligence requirement to say, “Okay, what types of threats is my organization facing? Where is the risk for us? Because if I try to scope everything that comes in, I’m going to take three weeks to do it every single time.” But if I can say, “I, as a financial organization, have a different threat landscape than the energy company in Kuwait, I can reduce the amount of information that I’m getting delivered, and that will naturally help me meet my security requirement better.” So my intelligence requirement is knowledge around what threats are operating in my industry at any given time. Now I can measure and perform against that.

Levi Gundert:

The business understands risk; they understand the language of risk. Threat intelligence, when it can inform a really good quantitative risk analysis model, is going to be really effective, because when you’re able to be specific about risk, you can list off all the statistics about operational efficacy improvements. But you can also go to senior executives or the board and say, “Here are the specific probabilities around these threats and these are specific loss estimates correlated to these threats in this particular year.” When you can do that based on the threat intelligence that your analysts are doing strategically, it becomes a much more powerful capability and it’s much easier to communicate the value.

Dave Bittner:

You’ll often hear the phrase “there are no magic bullets in cyber security.” So, when’s the right time to add threat intelligence to your toolbox, and how do you properly set your expectations?

Robert Lee:

Intel to me is not the end-all, be-all. It is not the magic pixie dust that fixes the industry. It is the 5% secret sauce that you can add to each category. If you’re already a mature organization doing good things, you have patch policies, you have done well, and you’re trying to do better, that’s when you add in intelligence. In the beginning stages, it’s actually very useful to hire one or two really smart people to start thinking about the problem and use outside vendors to complement what you want to be doing, and also to see what you do and don’t like. As you go through that process you will find what suits you and you will continually be able to have a relationship with that one or two or few intelligence vendors that are providing you exactly what you need and a capability that you can’t obtain today. Especially as it comes to data access, the decision to use outsourced versus in-house intelligence comes to a discussion of what they can provide us that we can’t do internally. Is there unique access that they have, that they can provide us?

It’s almost a return-on-investment discussion, but not truly. It’s just sort of teetering along that. Additionally, at the very beginning, if you’re just starting out a new security operation, or if you’re just starting out on a new security approach in general, you can bring intelligence in at the beginning of that cycle as well to try to identify what your appropriate maturity would look like in the face of threats.

Intel should be at the very beginning and the end of your process. Outsource versus in-house should be based on requirements and what you can generate.

Dave Bittner:

Robert M. Lee from Dragos Incorporated.

Our thanks to Robert Lee, Staffan Truvé, and Levi Gundert for sharing their views on threat intelligence, and thanks to you for checking out this podcast. Before we let you go, don’t forget to sign up for the Recorded Future Cyber Daily email and every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, and suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel. You can also find more intelligence analysis at recordedfuture.com/blog.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes coordinating producer Amanda McKeon and executive producer Greg Barrette; the show is produced by Pratt Street Media with editor John Petrik and executive producer Peter Kilpe.

Until next time, I’m Dave Bittner from The CyberWire, on behalf of Recorded Future, thanks for listening.