“Intelligence” is an overloaded concept in that the term may refer to a variety of items, actions, and deliverables. Attempts to define intelligence have existed for decades and, for a seemingly straightforward concept, lead to extended discussion. As such, relatively new variations of this concept, such as “cyber threat intelligence” (CTI), are even fuzzier in nature and definition. Searching for a universally recognized and accepted definition of CTI is an interesting game, as doing so turns up multiple vendor and marketing takes on the subject. However, some “neutral” definitions do exist, from NIST and FIRST, which give us a succinct review in the former and a quite detailed look in the latter.

Central to both views of CTI, and intelligence more broadly, is gathering, processing, and analyzing information for the sake of enabling something. This “something” can be viewed as the differentiator between intelligence types, as the end result of intelligence analysis—geopolitical analysis to inform government or military stakeholders, or technical analysis of threats to inform an information security team—guides the type and nature of collection, processing, and so forth. Intelligence must be driven by stakeholder decision support and needs in an imperfect information landscape, and those needs drive the subsequent processes. Thus CTI can be viewed as a discipline of intelligence with a predominantly technical nature, existing to assist in decisions concerning cybersecurity items of interest and related matters.

This view of CTI takes it as an extension of more formal or general types of intelligence. This perspective would then appear to support extending the same sort of formal guidance, methods, and structures used in formal intelligence analysis, as one would find in mature Intelligence Community (IC) applications, to disciplines such as CTI. If so, in-depth understanding of and familiarity with Richards Heuer and structured analytic techniques (SATs) would appear to be not just desirable but necessary for success in the CTI space. Such views have inspired perspectives like the following:

There is much to unpack in the above, but a core proposition is the claimed necessity of classic, formal intelligence tradecraft to enable valuable, meaningful CTI results. Given the foregoing discussion, where CTI can be viewed as simply a different arena of intelligence analysis, such a position would appear true, but on further analysis it is true only in a vacuous way that omits much of the context and value proposition of CTI.

Essential to the discussion is asking “what is CTI for?” If, and only if, we view CTI as simply a branch of standard, IC-type intelligence do similar formal processes and the like matter. This may very well be the case for some outputs of CTI, such as long-term trend analysis and historical event investigations to drive high-level strategic decision making. Yet these perspectives align with a vanishingly small segment of the overall CTI “market” and of decision maker desires. The perspective of an IC-aligned and -directed CTI process is rooted in an intelligence function that exists largely for its own benefit and success, and is divorced from the actual needs and desires of the vast majority of CTI consumers.

As laid out by FIRST, CTI can arrive at varying levels:

IC-focused perspectives on CTI production and delivery align overwhelmingly with strategic perspectives, in providing high level, abstract analysis at timescales that can appear glacial with respect to the practice of cyber defense. Meanwhile, the majority of CTI consumers—security operations, incident response, threat hunting, detection engineering, and similar—operate in an environment that moves quite rapidly and demands tactical and technical support on timescales that match the pace of adversary operations.

On these compressed timescales, formal SATs and deliberate analysis of competing hypotheses (ACH) in the process of CTI production may represent an “ideal,” but one where the very attempt at reaching it places intelligence support behind the needs of decision makers. We thus need to critically ask ourselves: just what are we trying to achieve through the production of CTI, and who is our primary audience in its delivery? When speaking in policy or related circles, again taking a buttoned-up IC-based approach, formal (and slow) approaches to CTI may be desirable. But the vast majority of organizations seeking CTI support do so to ensure improved day-to-day security for their organization. Understanding these differences in desire is far more critical to the delivery of actionable and timely CTI than performing a well-executed ACH.

The previous discussion brings us back to an earlier topic: what is the definition of CTI? When CTI is viewed as an outgrowth of traditional intelligence tradecraft, the time-sensitive, dynamic needs of CTI consumers come into conflict with our definition. We should thus ask: is CTI usefully viewed as an extension of “intelligence” as a discipline, or is CTI something else entirely?

“Intelligence” when viewed through a traditional IC lens is represented as a cycle. This perspective is very valuable in emphasizing the iterative nature of intelligence processes, and the necessity of evaluation and feedback in developing accurate, effective intelligence functions.

However, the cyclical representation masks the fact that each phase of operation is carried out at a cost in time. Instead, a linear view as seen in JP 2-0 better illustrates the refinement of information over time into a finished intelligence output.

The above image shows the steps involved in moving from raw data to finished product. Missing from this view is an explicit recognition that in most instances each step, each enhancement comes at the sacrifice of time taken to collect, process, and analyze items under consideration. As already stated, the majority of “CTI” use cases are time-constrained in nature, thus the further along this refinement scheme we move the greater the likelihood that CTI products arrive after their moment of maximum efficacy and usefulness.

A concept in military support, related to but divergent from traditional IC approaches, is the idea of threat indications and warning (I&W). For I&W, minimally enriched information provided now is superior for informing a tactical decision to fully enriched information provided later. Such processes relate to items such as threat tipping or tracking of radar or sensor contacts, where a decision maker must be aware of such items immediately in order to begin formulating appropriate responses and countermeasures to a dynamic development.

The idea of I&W thus seems far more applicable for the type of tactical support most organizations seek out in CTI deliverables. Cyber I&W is nothing new, but is also less formally developed than IC-driven intelligence perspectives and often looked down upon by those residing in Ivory Towers populated by three letter agency veterans and national security academics. Instead of focusing on robust SATs and follow-on formal reporting, CTI from an I&W perspective narrows its remit to items of tactical decision making value and the processes necessary to support such results. In this fashion disciplines such as file triage, log analysis, and infrastructure tracking become far more critical skills than performing a well-executed ACH.

At this stage, the murkiness of “intelligence” when applied to “CTI” becomes quite apparent as most—or potentially, the most valuable—CTI isn’t quite “intelligence” at all. Rather, CTI in its most effective state for most applications in the marketplace aligns with the concept of I&W, where entirely different rules on tradecraft dominate. In labeling such support as cyber threat intelligence, we thus create confusion in terms of just what CTI is for and its best practices in development and dissemination. Breaking CTI away from the field of intelligence, while difficult due to entrenched interests (not the least of which being the desire of traditional intelligence entities to remain relevant in a rapidly evolving landscape), may represent a necessary step to eliminate such confusion and ground the practice in items actually needed by the marketplace instead of those dictated by legacy interests.

Having said that, a cyber-nexus intelligence practice will still need to exist, and certainly has customers. They just happen to overlap with the same entities that are consumers of traditional, IC-type intelligence: militaries and governments, and some very large or complex private organizations. These entities will continue to demand and apply formal intelligence approaches to cyber. But just as we would think it ridiculous for a medium-sized business to invest in acquiring CIA-like analysis in traditional intelligence spaces, the same applies to traditional intelligence tradecraft in the cyber field as well.

Core to the above discussion is understanding the audience and the decisions supported. In this sense, both formal intelligence and less formal indications and warning are alike: they need to accurately identify the parties supported and what those parties require to execute their functions. By analyzing this with a clear vision, we see a sharp bifurcation between the need for traditional intelligence support with cyber perspectives and the necessity of informed tactical decision making for cyber defense. In the case of the latter, time is an enemy we simply cannot escape, and pursuing rigorous, formal tradecraft will set us up for failure (or worse yet, irrelevance) in a dynamic threat environment.

The above is not to say that cyber I&W need not look for or utilize elements of SATs and similar. Having familiarity with these approaches is valuable, and can be borrowed from to better inform more rapid decision making processes. But rather than remain beholden to legacy reasoning and tradecraft in formal intelligence production, the field of CTI needs to break away from these perspectives to develop tradecraft and standards suited to the technical orientation and time sensitivity of cyber defense support. Doing so will take time and effort, but continuing to ground the field of cyber defense decision support on legacy, IC-focused perspectives on intelligence will set the field up for failure and irrelevance.
