September 13, 2018 • The Recorded Future Team
On the surface, threat intelligence appears to be a single discipline. Practitioners collect data from a variety of sources, analyze it, and use the outputs to make decisions.
The reality is a little more complicated. As with most specialities, threat intelligence can be broken down into subcategories, each of which has its own uses, techniques, and challenges. Here are the four distinct categories that threat intelligence is typically boiled down to:
In this blog series, we’ll take an in-depth look at each of these categories, including how they are collected, analyzed, and used to enhance security.
Today, we’re covering strategic intelligence.
In simple terms, strategic threat intelligence is a bird’s-eye view of an organization’s threat landscape. Not concerned with specific actors, indicators, or attacks, it instead aims to help high-level strategists understand the broader impact of business decisions.
Given that the audience is primarily C-suite and board level, strategic threat intelligence is almost exclusively non-technical. Instead, it covers factors such as risk scores and the possible outcomes of a given action or decision, such as entering a foreign market or taking an ideological position.
Since it’s used to inform specific, high-level decisions, strategic threat intelligence is usually gathered on demand rather than as an ongoing initiative, and is most often presented as a report or briefing.
Unlike other intelligence categories, the majority of strategic threat intelligence sources are open source, meaning they can be freely accessed by anyone who cares to do so. Common examples include:
While the accessibility of strategic sources can be a tremendous positive, it can also be a double-edged sword, as analysts must manually process huge quantities of raw data in order to identify valuable insights. Worse still, the most valuable insights are often “hidden” in foreign language sources, forcing analysts to spend even more time on translation.
Fortunately, if analysts are armed with the right tools, these difficulties can largely be sidestepped. Powerful threat intelligence solutions are able to scour a huge volume of sources automatically, identifying relevant information in real time and automatically translating non-native results.
Perhaps the most significant difference between strategic threat intelligence and other intelligence categories is the skill set needed for production. While typical security and analysis skills are still essential, producing strategic threat intelligence also requires a great deal of expertise in other areas — in particular, a strong understanding of sociopolitical and business concepts.
Since this type of broad skill set is rarely found in one individual, some organizations opt to hire analysts with state or military intelligence backgrounds and train them in the security-specific subject areas necessary for the role. While this approach takes time and resources to pull off, it is often quicker and more effective than holding out for the perfect applicant.
Strategic threat intelligence stands apart from the other three categories because it’s almost exclusively requested by (and produced for) a non-technical audience. While the outputs are produced in a format that senior executives and board members will understand, the audience’s lack of understanding of what is and isn’t possible can cause them to make requests that simply can’t be met by non-government analysts.
For example, if an organization’s board were considering expansion into another country, they might call on their threat intelligence analysts to provide some insights. As we’ve already seen, though, strategic threat intelligence is very much a “made-to-order” discipline, meaning those analysts will be doing their best to meet the specific requirements of their board.
This is where “asking good questions” comes in. A board that is inexperienced with threat intelligence might be tempted to demand, “Tell us how, where, and by whom we’ll be attacked if we open this branch.”
Requirements like this are highly unlikely to lead to valuable insights for two reasons:
A far better line of questioning would be, “Is this expansion likely to open us up to increased cyber risk? If it is, which threat vectors are most likely to be employed, and what would be the cost of preparing for or responding to those threats?” This type of question gives analysts far greater scope to explore useful avenues of research and is much more likely to result in an insightful and actionable intelligence product.
Ideally, there should be an open line of communication between an organization’s board and its threat intelligence specialists — most likely via the CISO — to ensure that strategic threat intelligence project parameters are set in a way that’s conducive to producing an actionable output.
As we’ve already seen, strategic threat intelligence outputs rarely include binary “yes or no” recommendations, focusing instead on variables such as risk and confidence scores. But that’s not to say that evaluation can’t (or shouldn’t) be attempted.
A strong feedback loop is essential to the consistent production of high-quality intelligence products. Just like any intelligence initiative, a strategic threat intelligence capability should be subject to ongoing evaluation.
This evaluation process should include feedback from the intelligence team’s primary audience — typically the board of directors — and answer key questions, such as:
This type of feedback will typically be collected informally by the CISO and should be used to improve future strategic intelligence gathering and presentation. Of course, one obvious question still remains to be asked: Was the intelligence proven accurate over time? Unfortunately, this question often proves extremely hard, if not impossible, to answer, for two primary reasons:
With all that said, the accuracy of strategic intelligence should be monitored as far as possible, and used to improve processes and intelligence outputs.
Strategic intelligence has tremendous value for business decision-making, but it’s just one aspect of the broader threat intelligence discipline.
As we’ve already seen, the real-world function of threat intelligence is often misunderstood, and with so many vendors and solutions available, organizations often struggle to determine how best to invest in resources.
A recent guide from Gartner explains the various ways that threat intelligence can be used to improve the security profile of a modern organization and shares insight into:
To learn more, download your free copy of Gartner’s “Market Guide for Security Threat Intelligence Products and Services.”