March 8, 2017 • RFSID
When investing in a threat intelligence platform, most organizations make one huge error, and unfortunately, don’t realize their mistake until after they’ve finished implementing the solution.
Making the decision to invest in threat intelligence isn’t the problem, of course — we wouldn’t be in the threat intelligence field if we didn’t believe 100% in the value it provides our customers.
No, the mistake most organizations make is far more basic. Simply, they assume that if they buy a threat intelligence platform it will do everything for them.
Sadly, that isn’t the case.
Let’s take a look at the differences between threat data, information, and intelligence, and the role of skilled analysts in moving from one to the next.
The main differences between data, information, and intelligence come in two forms: volume, and usability.
Data is typically available in huge volumes, and describes individual, unarguable facts. Your height and weight are simple examples: they're measurements, not matters of opinion. In the security world, the details of a single connection request (source address, destination, timestamp) are data in exactly the same sense.
Information is produced when a series of data points are combined to answer a simple question. For instance, sticking with our biometrics example, your height and weight can be combined to produce a BMI score, which can then be plotted onto a chart to determine whether you fall within the normal range for your country. Note that although this is a far more useful output than the raw data, it still doesn’t directly inform a specific action.
Intelligence takes this process a stage further by interrogating data and information to tell a story (a forecast, for example) that can be used to inform decision making. Crucially, intelligence isn't the answer to a simple question; rather, it paints a picture that helps people answer much more complicated ones. Returning once again to biometrics, your BMI score could be used by a hospital transplant committee, in combination with relevant research, to judge whether you're likely to be a good candidate for a replacement organ. This intelligence doesn't directly answer the question of whether you should be given the organ, but it does aid the committee's decision-making process.
Unsurprisingly, as we progress along the path from data to information to intelligence, the quantity of outputs drops off dramatically while the value of each output rises sharply. A figure in the U.S. Department of Defense's "Joint Publication 2-0: Joint Intelligence" illustrates this progression well.
But how does this translate into the security field?
Let's consider a common data point for cyber security professionals: a single connection request sent to a server from a remote host. On its own, nothing can be determined from this data point, except that a request was received from a specific IP address at a specific time.
Moving on to the information stage, the request could be considered in the context of an unusually high number of requests received by the same server within a short period. Now we can determine that, for some reason, the server is under unusual load and that something probably needs to be done. Note that this tells us nothing about why: a legitimate surge in traffic looks exactly the same at this stage.
Finally, to reach the intelligence stage, we could consider the requests in combination with our own past experience and the fact that many of the connections come from IP addresses associated with known botnets, and conclude that the server is being targeted by a distributed denial of service (DDoS) attack. Assuming we have procedures in place to deal with DDoS attacks, steps can be taken immediately to protect our assets.
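The three stages just described, as an added example that is not part of the original post and not Recorded Future's software: a short Python script that parses constructed connection-log lines (data), counts requests per server in a ten-second window (information), and combines that with an assumed known-botnet IP list and an assumed playbook to reach a DDoS assessment and a recommended action (intelligence). The log format, the addresses (TEST-NET ranges), the thresholds, the botnet feed and the playbook text are all assumptions made for the example.

```python
"""Data -> information -> intelligence over connection-log lines.

Added illustration, not Recorded Future code. The log format, the
addresses (TEST-NET ranges), the thresholds and the "known botnet" feed
are all constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Assumed threat-data feed: IPs reported as botnet members (constructed).
BOTNET_IPS = {f"198.51.100.{i}" for i in range(1, 41)}
ORDINARY_CLIENTS = ["203.0.113.5", "203.0.113.6", "203.0.113.7"]


def build_sample_log():
    """Constructed log: '<ISO timestamp> <server> <source ip>' per line."""
    lines = []
    # web-1: 200 requests in ten seconds, 160 of them from 40 botnet addresses.
    srcs = [f"198.51.100.{i % 40 + 1}" for i in range(160)]
    srcs += [ORDINARY_CLIENTS[i % 3] for i in range(40)]
    for n, src in enumerate(srcs):
        lines.append(f"2017-03-08T10:00:{n // 20:02d} web-1 {src}")
    # web-2: six requests spread over a minute from ordinary clients.
    for n in range(6):
        lines.append(f"2017-03-08T10:00:{n * 10:02d} web-2 {ORDINARY_CLIENTS[n % 3]}")
    return lines


def parse_data(lines):
    """Data: one record per request. Nothing is inferred at this stage."""
    records = []
    for line in lines:
        ts, server, src = line.split()
        records.append((datetime.fromisoformat(ts), server, src))
    return records


def to_information(records, window_seconds=10, rate_threshold=50):
    """Information: peak requests per server in any fixed window, plus the
    set of source addresses seen. Answers 'is this server under unusual
    load?' but not 'why?'."""
    t0 = min(ts for ts, _, _ in records)
    per_window = Counter()
    sources = defaultdict(set)
    for ts, server, src in records:
        bucket = int((ts - t0).total_seconds()) // window_seconds
        per_window[(server, bucket)] += 1
        sources[server].add(src)
    info = {}
    for server in sources:
        peak = max(count for (s, _), count in per_window.items() if s == server)
        info[server] = {
            "peak_requests": peak,
            "sources": sources[server],
            "overloaded": peak >= rate_threshold,
        }
    return info


def to_intelligence(info, botnet_ips, botnet_share_threshold=0.5):
    """Intelligence: combine the load picture with the botnet feed and our
    (assumed) playbook to say what is happening and what to do about it."""
    findings = []
    for server, facts in info.items():
        if not facts["overloaded"]:
            continue
        share = len(facts["sources"] & botnet_ips) / len(facts["sources"])
        if share >= botnet_share_threshold:
            findings.append({
                "server": server,
                "assessment": "probable DDoS",
                "botnet_share": round(share, 2),
                "action": "engage DDoS playbook: upstream scrubbing and rate limiting",
            })
        else:
            findings.append({
                "server": server,
                "assessment": "load spike, sources not attributed",
                "botnet_share": round(share, 2),
                "action": "rule out a legitimate traffic surge before mitigating",
            })
    return findings


def assess(lines, botnet_ips=BOTNET_IPS):
    """Run all three stages over raw log lines."""
    return to_intelligence(to_information(parse_data(lines)), botnet_ips)


if __name__ == "__main__":
    for finding in assess(build_sample_log()):
        print(finding)
```

The two thresholds are where analyst judgement lives: the request rate that counts as "unusual" depends on the server, and the botnet share that justifies mitigation depends on how much you trust the feed. The "sources not attributed" branch is deliberate; a marketing campaign or an aggressive crawler produces the same information-stage picture as an attack, and only the enrichment step separates them.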
Now that we’ve covered the difference between threat data, information, and intelligence, the huge mistake most organizations make is much easier to understand.
Quite simply, threat intelligence platforms don’t actually produce threat intelligence.
Sounds strange when you put it like that, doesn’t it? But how could they? Producing intelligence requires more than even a highly sophisticated computer algorithm can manage.
Most modern threat intelligence platforms do an outstanding job of producing threat data. These platforms, of which there are many, are primarily designed to organize and present basic threat data in a way that facilitates the job of human analysts.
Some threat intelligence tools go beyond this, and are able to combine and manipulate this data to produce threat information. This saves analysts a lot of time, as many false positives can be removed automatically, and many fundamental precursors to analysis can be completed automatically.
But in strict terms no automated product can produce threat intelligence. It takes highly skilled human analysts with a security background to produce threat intelligence that can be reliably acted upon to improve an organization’s cyber security program.
With that said, the very best threat intelligence vendors and products (among which we’re happy to count Recorded Future) can go a stage beyond producing information.
Using artificial intelligence (AI), Recorded Future produces an output we could term "threat AI." It sometimes still requires human attention to validate or dismiss, but this capability frees up even more analyst time for more complex intelligence work.
This, then, is where most organizations go wrong: they assume that procuring a platform will provide them with intelligence, and neglect to ensure they have the analysts needed to reach the actual intelligence stage.
It's true, of course, that some benefit can be gained from a threat intelligence platform without analyst support. Threat information answers simple questions, such as "Are there any outstanding vulnerabilities in the organization's software systems?", and acting on those answers yields real improvements.
Even more benefits can be gained from implementing a more advanced threat intelligence product, such as Recorded Future, which can dramatically reduce the burden on analysts. But to gain the real benefits promised by threat intelligence, there’s no substitute for the human brain.
At this point you could be forgiven for wondering what the point of threat intelligence platforms is if they can’t produce intelligence.
The simple answer is big data. Let’s use Recorded Future as an example.
To produce a small but steady stream of actionable threat intelligence, massive quantities of data are required. Simple threat intelligence platforms are able to consume and organize threat data on a large scale, which makes the job of your analysts far easier, and their outputs more useful.
Recorded Future, by contrast, also harvests threat data from hundreds of thousands of sources, combining technical, narrative, and dark web data, with new sources constantly being identified and added automatically. Threat AI functionality (e.g., natural language processing in multiple languages) is conducted automatically, and the rate of ingestion is truly staggering.
On a typical day, Recorded Future ingests new threat data observations at an average of over 4,000 data points per second — well beyond what even a huge team of humans could achieve.
And it’s not just about identifying threats. Equally important is the process of discounting false positives, which can easily waste huge amounts of human time. Platforms like Recorded Future can automatically discount the vast majority of noisy false positives, freeing your human analysts up to focus on producing actionable intelligence on real threats.
Other valuable functions can also be automated, such as searching for and identifying proprietary data or credentials on threat actor forums or paste sites. Once again, this task would prove incredibly onerous for a human team, but can easily be left in the hands of threat intelligence software that can find these references and alert you in real time.
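The paste-site search just described, as an added example that is not part of the original post and not Recorded Future's product: a Python scanner run over constructed paste text that flags credential pairs and addresses belonging to assumed watched mail domains, and mentions of assumed internal names, redacting the password before it lands in an alert. The domains, the terms, the paste identifier and the paste content are all assumptions made for the example.

```python
"""Scan paste-site text for an organization's own credentials and
internal names. Added illustration, not Recorded Future code. The
watchlists and the paste content below are constructed for the example."""
import re

# Assumed watchlists: your own mail domains and a few internal names.
WATCHED_DOMAINS = {"example.com", "corp.example.com"}
WATCHED_TERMS = {"project-orion", "vpn.example.com"}

EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")
# The "email:password" layout common in combo-list dumps (separator : ; or ,).
CRED_RE = re.compile(
    r"^\s*([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})[:;,]\s*(\S+)\s*$"
)

# Constructed paste; none of these accounts or passwords are real.
SAMPLE_PASTE = """\
combo list 2017-03 (constructed)
alice@example.com:Winter2017!
bob@gmail.com:hunter2
carol@corp.example.com;Passw0rd
anyone got the vpn.example.com config from the other thread?
unrelated chatter
"""


def redact(secret):
    """Keep two characters so an analyst can confirm a match without the
    cleartext secret ending up in a ticket or a SIEM."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_paste(text, paste_id):
    """Return one alert per hit; a credential line is reported once, as
    a credential, not again as a bare email address."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        where = {"paste": paste_id, "line": lineno}
        cred = CRED_RE.match(line)
        if cred:
            email, password = cred.groups()
            if email.rsplit("@", 1)[1].lower() in WATCHED_DOMAINS:
                alerts.append({**where, "kind": "credential", "severity": "high",
                               "evidence": f"{email}:{redact(password)}"})
            continue
        for m in EMAIL_RE.finditer(line):
            if m.group(2).lower() in WATCHED_DOMAINS:
                alerts.append({**where, "kind": "email", "severity": "medium",
                               "evidence": m.group(0)})
        lowered = line.lower()
        for term in WATCHED_TERMS:
            if term in lowered:
                alerts.append({**where, "kind": "term", "severity": "medium",
                               "evidence": term})
    return alerts


def summarize(alerts):
    """Count alerts by severity, which is what a dashboard or pager wants."""
    counts = {}
    for alert in alerts:
        counts[alert["severity"]] = counts.get(alert["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_paste(SAMPLE_PASTE, "paste-0001")
    for alert in found:
        print(alert)
    print(summarize(found))
```

The redaction is the detail worth copying: an alert that carries the cleartext password just moves the leak into your ticketing system. The term list needs equal care, since short or generic terms generate exactly the noisy false positives the post warns about.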
Ultimately the line between threat AI and threat intelligence is a fine one, and some of what is produced by Recorded Future could easily be considered to fall into the latter category. With that said, it’s really the combination of an industry-leading threat intelligence product and a team of skilled threat analysts that makes up a truly world-class threat intelligence capability.
One of the most important functions of threat intelligence products is to organize threats according to their potential to damage an organization. This is where the very best providers differentiate themselves from the rest of the pack: They’re able to prioritize threats automatically, so human analysts can focus their efforts on the most important threat data or information first.
This is key.
Because of the big data issues described above, having a tool that can prioritize threats is essential. If your analysts are digging through every single threat manually, you’ll find that many urgent threats aren’t identified until after the fact.
The process of combining and organizing threat data into threat information is fundamental to the prioritization process, so pick your provider with care.
When it comes to threat intelligence, action is the only thing that really counts. There’s absolutely no value in possessing threat data, information, or intelligence unless you use it to improve your security program or defend against an incoming attack.
Unsurprisingly, then, the very best security programs in the world have been developed over time by organizations that take consistent and proactive steps to prevent breaches. Every day, their analysts produce actionable intelligence that can be used to improve security mechanisms, close vulnerabilities, and stop attacks in their tracks.
If you’d like to take a more proactive approach to cyber security, download one of our most popular white papers. “Understand Your Attacker: A Practical Guide to Identifying TTPs With Threat Intelligence,” written by industry expert Levi Gundert, will help you understand the different tactics, techniques, and procedures (TTPs) used by threat actors to gain access to corporate networks every day.
With that information, you can start to systematically enhance your cyber security program and substantially reduce your organization's exposure.