Demystifying Threat Intelligence: The Top 3 Misunderstood Aspects
“To win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.” -Sun Tzu
No article regarding threat intelligence is complete without the obligatory Sun Tzu quote... It also makes for a great tattoo, but that’s a story for another time. With a constantly evolving adversary landscape, Threat Intelligence (TI) has emerged as a critical tool for organizations to anticipate, prepare for, and respond to cyber threats. However, how many of us actually know what TI is? How do we effectively leverage it in our organization? In this article, we'll dive into the top three misunderstood aspects of Threat Intelligence: Priority Intelligence Requirements (PIR) and Collection Requirements (CR), the Intelligence Lifecycle, and the over-reliance on Indicators of Compromise (IOC) feeds. There’s no silver bullet or single right answer in intelligence; however, we assess with High Confidence that this article can help you and your TI program.
1. Priority Intelligence Requirements and Collection Requirements
The first common misunderstanding lies in the concepts of Priority Intelligence Requirements (PIR) and Collection Requirements (CR). These aren’t just buzzwords; they are the foundation of any effective Threat Intelligence strategy.
So what are PIRs? PIRs are the critical questions that need answers to support decision-making. They are the guiding force behind what intelligence is collected and how it is used. They help organizations focus their efforts on what truly matters, ensuring that the intelligence gathered is relevant and actionable. PIRs could range from understanding the capabilities of a potential attacker to identifying the vulnerabilities they might exploit. This allows key stakeholders to make risk-informed decisions when determining enterprise cybersecurity strategy.
CRs, on the other hand, are the specific information needs that, when collected and processed, will satisfy the PIRs. They are the actionable steps that guide the intelligence gathering process. CRs could involve collecting data from specific sources, using certain tools or techniques, or focusing on particular areas of interest.
Imagine you're planning a road trip. Your PIR is your destination - it's the place you want to reach, the ultimate goal of your journey. It could be a specific city, a landmark, or a good burger joint. The destination guides your entire trip, influencing the route you take, the stops you make, and the sights you see along the way. Your CR, on the other hand, is your roadmap. It's the specific route you take to reach your destination. It outlines the roads you need to follow, the turns you need to take, and the crazy drivers you need to avoid. It's the actionable steps you take to reach your destination. Without a clear destination (PIR), you end up driving around, wasting time and burning gas without ever reaching a meaningful location. And without a roadmap (CR), even if you have a destination, you might get lost along the way, take longer routes, or miss out on important sights.
PIRs and CRs are not static; they are living, breathing entities that evolve with the threat landscape. As new threats emerge, old threats evolve, and organizational priorities shift, our PIRs and CRs must adapt accordingly. They require constant updating and review to ensure they remain relevant and effective.
2. The Intelligence Lifecycle
The second misunderstood aspect is the Intelligence Lifecycle. This is not a linear process, but a continuous cycle that feeds back into itself, ensuring that what your team produces adheres to the key tenets of intelligence: timely, relevant, accurate and ACTIONABLE. The Intelligence Lifecycle consists of several stages: planning and direction, collection, processing, analysis, and dissemination. Each stage is crucial, and skipping just one will significantly impact your overall collection apparatus.
Everything starts with proper planning and direction; a failure here will cause the collection stage to gather irrelevant data. Planning and direction includes defining the PIRs and CRs, setting the course for your entire collection effort. As we said before, without PIRs and CRs your car is still driving, burning valuable resources, but with no actual destination in mind.
The processing stage involves converting the collected data into a format that can be analyzed. Without this stage, the raw data remains just that - raw, unprocessed, and largely useless.
The analysis stage is where the magic happens. Here, the processed data is analyzed to extract insights, identify trends, and make predictions. This product is called Finished Intelligence or FINTEL and will provide your key stakeholders with the necessary insights for decision-making.
Finally, the dissemination stage involves sharing the intelligence with the relevant stakeholders. Without effective dissemination, intelligence remains locked away, unable to inform decision-making, drive action or reduce risk. Simply sharing the information isn’t enough; gathering feedback from your stakeholders after they consume the FINTEL is a critical component of the overall process. This ensures that the products you are providing are actually a value add for your customers, and not just more fodder for a weekly wrap-up or the spam folder in Outlook.
Understanding the Intelligence Lifecycle is key to ensuring that the intelligence provided is timely, accurate, and actionable. It's not just about collecting an overwhelming volume of data; it's about turning that data into actual intelligence that can enhance the overall health and well-being of your enterprise security program.
3. Over-reliance on IOC Feeds
The final misunderstood aspect is the over-reliance on Indicators of Compromise (IOC) feeds. While IOCs are valuable for identifying known threats, they should not be the sole source of security.
IOCs are often seen as a silver bullet for cybersecurity, but they only provide information on threats that have already been identified. What most vendors fail to tell you is that these are research feeds, not something designed to be dumped into your firewall so you can walk away. Simply ingesting IOCs and wholesale blocking those IPs can cause real availability and uptime issues. One mistake in an IOC feed and your organization’s access to critical resources can be blocked.
IOCs do not offer insights into new, emerging threats or advanced persistent threats that have not yet been detected. Relying solely on IOC feeds can create a false sense of security, leaving organizations vulnerable to unknown threats. A comprehensive Threat Intelligence strategy should incorporate IOCs but also include other sources of intelligence, such as threat reports, threat hunting, and human intelligence.
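As an added illustration of the "don't dump the feed into your firewall" point above (example code written for this article, not from the original post or any vendor): a small Python triage step that only promotes an indicator to the blocklist when it is routable, recent and high confidence, and routes everything else to a detection-only watchlist or rejects it outright. The feed rows, the allowlisted provider range, and the confidence and age thresholds are all constructed assumptions.

```python
import ipaddress
from datetime import date

# Constructed sample feed rows: (indicator, confidence 0-100, last_seen ISO date).
# All values are hypothetical; the IPs come from the RFC 5737 documentation ranges.
SAMPLE_FEED = [
    ("203.0.113.45", 90, "2024-05-01"),    # good: recent, high confidence
    ("203.0.113.200", 40, "2024-05-02"),   # low confidence
    ("10.0.0.5", 95, "2024-05-02"),        # internal range: a feed mistake
    ("198.51.100.7", 85, "2024-05-01"),    # lands on allowlisted infrastructure
    ("192.0.2.10", 95, "2023-01-15"),      # stale entry
    ("not-an-ip", 60, "2024-05-01"),       # malformed row
]
TODAY = date(2024, 5, 3)  # fixed "today" so the sample is reproducible

# Hypothetical allowlist: a SaaS provider range the business depends on.
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]
# Ranges that should never reach a perimeter blocklist from an external feed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def triage_indicator(ip_str, confidence, last_seen, today=TODAY,
                     block_min_confidence=80, max_age_days=30):
    """Return ('block' | 'alert' | 'reject', reason) for one feed row."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "reject", "not a valid IP address"
    if any(ip in net for net in INTERNAL_NETS):
        return "reject", "internal or non-routable address"
    if any(ip in net for net in ALLOWLIST):
        return "alert", "allowlisted infrastructure: detect only, never block"
    age_days = (today - date.fromisoformat(last_seen)).days
    if age_days > max_age_days:
        return "alert", f"stale ({age_days} days old): detect only"
    if confidence < block_min_confidence:
        return "alert", f"confidence {confidence} below block threshold"
    return "block", "high confidence, recent, routable"

def build_lists(feed, today=TODAY):
    """Split a feed into a blocklist, a detection-only watchlist and rejects."""
    buckets = {"block": [], "alert": [], "reject": []}
    for ip_str, confidence, last_seen in feed:
        verdict, reason = triage_indicator(ip_str, confidence, last_seen, today)
        buckets[verdict].append((ip_str, reason))
    return buckets["block"], buckets["alert"], buckets["reject"]
```

Running `build_lists(SAMPLE_FEED)` leaves exactly one indicator on the blocklist; the allowlist hit, the stale entry and the low-confidence entry become detection-only, and the internal address and malformed row are dropped with a reason you can hand back to the feed vendor.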
Unraveling the complexities of Priority Intelligence Requirements (PIRs), Collection Requirements (CRs), the Intelligence Lifecycle, and the role of Indicators of Compromise (IOCs) in Threat Intelligence can be a daunting task. Our latest article attempts to demystify these concepts, hopefully offering some food for thought as you reflect on your own TI programs. If these challenges resonate with you, we encourage you to reach out to schedule a free 30-minute call on how we can help you and your organization optimize and mature your TI program.