How Strategic Threat Intelligence Informs Better Security Decisions
September 13, 2018 • The Recorded Future Team
- Threat intelligence is often thought of as a single function, but in reality, it can be broken down into four categories: strategic, tactical, operational, and technical.
- Strategic threat intelligence is non-technical, and is used by high-level strategists to inform specific decisions.
- For the most part, strategic threat intelligence comes from sources that are freely available. However, the volume of available sources combined with language constraints often makes it infeasible to collect manually.
- The success of strategic threat intelligence depends on strong two-way communication between threat analysts and their primary audience — usually the board of directors.
On the surface, threat intelligence appears to be a single discipline. Practitioners collect data from a variety of sources, analyze it, and use the outputs to make decisions.
The reality is a little more complicated. As with most specialities, threat intelligence can be broken down into subcategories, each of which has its own uses, techniques, and challenges. Here are the four distinct categories that threat intelligence is typically boiled down to:
- Strategic Intelligence: Non-technical, risk-based intelligence used by high-level decision makers.
- Tactical Intelligence: Details of threat actor tactics, techniques, and procedures (TTPs).
- Operational Intelligence: Actionable information about specific incoming attacks.
- Technical Intelligence: Technical threat indicators (e.g., malware hashes, C2 IP addresses, etc.).
In this blog series, we’ll take an in-depth look at each of these categories, including how they are collected, analyzed, and used to enhance security.
Today, we’re covering strategic intelligence.
What Is Strategic Threat Intelligence?
In simple terms, strategic threat intelligence is a bird’s-eye view of an organization’s threat landscape. Not concerned with specific actors, indicators, or attacks, it instead aims to help high-level strategists understand the broader impact of business decisions.
Given that the audience is primarily C-suite and board level, strategic threat intelligence is almost exclusively non-technical. Instead, it covers factors such as risk scores and the possible outcomes of a given action or decision, such as entering a foreign market or taking an ideological position.
Since it’s used to inform specific, high-level decisions, strategic threat intelligence is usually gathered on demand rather than as an ongoing initiative, and is most often presented as a report or briefing.
Sources of Strategic Threat Intelligence
Unlike other intelligence categories, the majority of strategic threat intelligence sources are open source, meaning they can be freely accessed by anyone who cares to do so. Common examples include:
- Policy documents from nation-states and other groups of interest
- Local and national media
- Industry- and subject-specific publications
- Comments, online activity, and articles from individuals of interest
- Free content produced by security organizations (e.g., white papers, research reports, etc.)
While the accessibility of strategic sources can be a tremendous positive, it can also be a double-edged sword, as analysts must manually process huge quantities of raw data in order to identify valuable insights. Worse still, the most valuable insights are often “hidden” in foreign language sources, forcing analysts to spend even more time on translation.
Fortunately, if analysts are armed with the right tools, these difficulties can largely be sidestepped. Powerful threat intelligence solutions are able to scour a huge volume of sources automatically, identifying relevant information in real time and automatically translating non-native results.
Finding the Right Person for the Job
Perhaps the most significant difference between strategic threat intelligence and other intelligence categories is the skill set needed for production. While typical security and analysis skills are still essential, producing strategic threat intelligence also requires a great deal of expertise in other areas — in particular, a strong understanding of sociopolitical and business concepts.
Since this type of broad skill set is rarely found in one individual, some organizations opt to hire analysts with state or military intelligence backgrounds and train them in the security-specific subject areas necessary for the role. While this approach takes time and resources to pull off, it is often quicker and more effective than holding out for the perfect applicant.
Asking Better Questions
Strategic threat intelligence stands apart from the other three categories because it’s almost exclusively requested by (and produced for) a non-technical audience. While the outputs are produced in a format that senior executives and board members will understand, the audience’s lack of understanding of what is and isn’t possible can cause them to make requests that simply can’t be met by non-government analysts.
For example, if an organization’s board were considering expansion into another country, they might call on their threat intelligence analysts to provide some insights. As we’ve already seen, though, strategic threat intelligence is very much a “made-to-order” discipline, meaning those analysts will be doing their best to meet the specific requirements of their board.
This is where “asking good questions” comes in. An inexperienced (in the context of threat intelligence) board might be tempted to demand, “Tell us how, where, and by whom we’ll be attacked if we open this branch.”
Requirements like this are highly unlikely to lead to valuable insights for two reasons:
- Acquiring detailed intelligence on specific local or national actors is often impossible for non-state actors.
- Attempting to predict specific attacks is far less useful (and reliable) than understanding the most common threat trends and their relative likelihoods.
A far better line of questioning would be, “Is this expansion likely to open us up to increased cyber risk? If it is, which threat vectors are most likely to be employed, and what would be the cost of preparing for or responding to those threats?” This type of question gives analysts far greater scope to explore useful avenues of research and is much more likely to result in an insightful and actionable intelligence product.
Ideally, there should be an open line of communication between an organization’s board and its threat intelligence specialists — mostly likely via the CISO — to ensure that strategic threat intelligence project parameters are set in a way that’s conducive to producing an actionable output.
As we’ve already seen, strategic threat intelligence outputs rarely include binary “yes or no” recommendations, focusing instead on variables such as risk and confidence scores. But that’s not to say that evaluation can’t (or shouldn’t) be attempted.
A strong feedback loop is essential to the consistent production of high-quality intelligence products. Just like any intelligence initiative, a strategic threat intelligence capability should be subject to ongoing evaluation.
This evaluation process should include feedback from the intelligence team’s primary audience — typically the board of directors — and answer key questions, such as:
- Was the intelligence produced in line with requirements?
- How helpful was the intelligence in making the stated decision?
- Was the intelligence pitched correctly for its (likely non-technical) audience?
This type of feedback will typically be collected informally by the CISO and should be used to improve future strategic intelligence gathering and presentation. Of course, one obvious question still remains to be asked: Was the intelligence proven accurate over time? Unfortunately, this question often proves extremely hard, if not impossible, to answer, for two primary reasons:
- Strategic intelligence deals primarily with measurements of risk and likelihood, so even if an anticipated result doesn’t occur, that doesn’t mean the intelligence was inaccurate.
- It’s rarely possible to determine precisely what has (or hasn’t) happened in a remote situation.
With all that said, the accuracy of strategic intelligence should be monitored as far as possible, and used to improve processes and intelligence outputs.
The Guide to Threat Intelligence
Strategic intelligence has tremendous value for business decision-making, but it’s just one aspect of the broader threat intelligence discipline.
As we’ve already seen, the real-world function of threat intelligence is often misunderstood, and with so many vendors and solutions available, organizations often struggle to determine how best to invest in resources.
A recent guide from Gartner explains the various ways that threat intelligence can be used to improve the security profile of a modern organization and shares insight into:
- Definitions of common terminology
- Where, why, and how threat intelligence is commonly used (12 use cases)
- How to align common use cases with your specific requirements
- How to evaluate threat intelligence vendors based on your business needs
To learn more, download your free copy of Gartner’s “Market Guide for Security Threat Intelligence Products and Services.”