How Strategic Threat Intelligence Informs Better Security Decisions
- Threat intelligence is often thought of as a single function, but in reality, it can be broken down into four categories: strategic, tactical, operational, and technical.
- Strategic threat intelligence is non-technical, and is used by high-level strategists to inform specific decisions.
- For the most part, strategic threat intelligence comes from sources that are freely available. However, the volume of available sources combined with language constraints often makes it infeasible to collect manually.
- The success of strategic threat intelligence depends on strong two-way communication between threat analysts and their primary audience — usually the board of directors.
The reality is a little more complicated. As with most specialities, threat intelligence can be broken down into subcategories, each of which has its own uses, techniques, and challenges. Here are the four distinct categories that threat intelligence is typically boiled down to:
- Strategic Intelligence: Non-technical, risk-based intelligence used by high-level decision makers.
- Tactical Intelligence: Details of threat actor tactics, techniques, and procedures (TTPs).
- Operational Intelligence: Actionable information about specific incoming attacks.
- Technical Intelligence: Technical threat indicators (e.g., malware hashes, C2 IP addresses).
Today, we’re covering strategic intelligence.
What Is Strategic Threat Intelligence?
In simple terms, strategic threat intelligence is a bird’s-eye view of an organization’s threat landscape. Not concerned with specific actors, indicators, or attacks, it instead aims to help high-level strategists understand the broader impact of business decisions.
Given that the audience is primarily C-suite and board level, strategic threat intelligence is almost exclusively non-technical. Instead, it covers factors such as risk scores and the possible outcomes of a given action or decision, such as entering a foreign market or taking an ideological position.
Since it’s used to inform specific, high-level decisions, strategic threat intelligence is usually gathered on demand rather than as an ongoing initiative, and is most often presented as a report or briefing.
Sources of Strategic Threat Intelligence
Unlike other intelligence categories, the majority of strategic threat intelligence sources are open source, meaning they can be freely accessed by anyone who cares to do so. Common examples include:
- Policy documents from nation-states and other groups of interest
- Local and national media
- Industry- and subject-specific publications
- Comments, online activity, and articles from individuals of interest
- Free content produced by security organizations (e.g., white papers, research reports)
Fortunately, if analysts are armed with the right tools, the difficulties of source volume and language can largely be sidestepped. Capable threat intelligence solutions scour a huge volume of sources automatically, identifying relevant information in real time and automatically translating non-native results.
Finding the Right Person for the Job
Perhaps the most significant difference between strategic threat intelligence and other intelligence categories is the skill set needed for production. While typical security and analysis skills are still essential, producing strategic threat intelligence also requires a great deal of expertise in other areas — in particular, a strong understanding of sociopolitical and business concepts.
Since this type of broad skill set is rarely found in one individual, some organizations opt to hire analysts with state or military intelligence backgrounds and train them in the security-specific subject areas necessary for the role. While this approach takes time and resources to pull off, it is often quicker and more effective than holding out for the perfect applicant.
Asking Better Questions
Strategic threat intelligence stands apart from the other three categories because it’s almost exclusively requested by (and produced for) a non-technical audience. While the outputs are produced in a format that senior executives and board members will understand, the audience’s lack of understanding of what is and isn’t possible can cause them to make requests that simply can’t be met by non-government analysts.
For example, if an organization’s board were considering expansion into another country, they might call on their threat intelligence analysts to provide some insights. As we’ve already seen, though, strategic threat intelligence is very much a “made-to-order” discipline, meaning those analysts will be doing their best to meet the specific requirements of their board.
This is where “asking good questions” comes in. An inexperienced (in the context of threat intelligence) board might be tempted to demand, “Tell us how, where, and by whom we’ll be attacked if we open this branch.”
Requirements like this are highly unlikely to lead to valuable insights for two reasons:
- Acquiring detailed intelligence on specific local or national actors is often impossible for non-state actors.
- Attempting to predict specific attacks is far less useful (and reliable) than understanding the most common threat trends and their relative likelihoods.
Ideally, there should be an open line of communication between an organization’s board and its threat intelligence specialists — most likely via the CISO — to ensure that strategic threat intelligence project parameters are set in a way that’s conducive to producing an actionable output.
Evaluating Success
As we’ve already seen, strategic threat intelligence outputs rarely include binary “yes or no” recommendations, focusing instead on variables such as risk and confidence scores. But that’s not to say that evaluation can’t (or shouldn’t) be attempted.
A strong feedback loop is essential to the consistent production of high-quality intelligence products. Just like any intelligence initiative, a strategic threat intelligence capability should be subject to ongoing evaluation.
This evaluation process should include feedback from the intelligence team’s primary audience — typically the board of directors — and answer key questions, such as:
- Was the intelligence produced in line with requirements?
- How helpful was the intelligence in making the stated decision?
- Was the intelligence pitched correctly for its (likely non-technical) audience?
Two caveats apply when judging the accuracy of a strategic intelligence product:
- Strategic intelligence deals primarily with measurements of risk and likelihood, so even if an anticipated result doesn’t occur, that doesn’t mean the intelligence was inaccurate.
- It’s rarely possible to determine precisely what has (or hasn’t) happened in a remote situation.
The Guide to Threat Intelligence
Strategic intelligence has tremendous value for business decision-making, but it’s just one aspect of the broader threat intelligence discipline.
As we’ve already seen, the real-world function of threat intelligence is often misunderstood, and with so many vendors and solutions available, organizations often struggle to determine how best to invest in resources.
A recent guide from Gartner explains the various ways that threat intelligence can be used to improve the security profile of a modern organization and shares insight into:
- Definitions of common terminology
- Where, why, and how threat intelligence is commonly used (12 use cases)
- How to align common use cases with your specific requirements
- How to evaluate threat intelligence vendors based on your business needs