Evaluations such as risk assessments are partially built on external threat assessments, generally regarded as intelligence. Understanding what intel is, what it can do and what it cannot is foundational to recognising the spectrum of offerings. The following synopsis of intel from a cyber perspective starts a whole new line of inquiry.
Intel – short for “intelligence” – is the analysis and interpretation of gathered information to determine security posture and risk. Intelligence analysts interpret trends, events, or incidents to evaluate outside threats to help drive immediate and long-term decisions, making intelligence an especially useful tool for individuals in leadership roles. Intelligence can be used to describe an activity (i.e. doing intelligence work) or to denote a finished product (i.e. intelligence report).
Cyber intel (often referred to as Cyber Threat Intel or CTI) is a subset of traditional intel focusing on cyber incidents, actors, victims, and surrounding contexts. By helping organizations understand the cyber threat landscape, intel can drive action and decision making, assist organizations in responding effectively to cyber incidents, and predict immediate and long-term security trends.
Generally, intel falls into a few categories:
- Tactical – Tactical intelligence analysts are on the front line, looking for threats that may have a direct impact on an organisation. Once a threat is identified, tactical intel practitioners often work with response teams to evaluate it holistically.
- Operational – Looking deeper into how adversaries plan, conduct, and sustain their efforts, operational intel analysts bring the near-term threats into context. This gives decision-makers a better sense of the direction of a threat based on our understanding of who is doing it.
- Strategic – Strategic analysts examine broader trends in the evolution of threats and their projected impacts down the road. Strategic intel can align with an organization’s high-level goals and objectives.
- Technical – The technical intelligence analysts look at the technical indicators and properties of the tools used in order to better understand malware and the capabilities of the actors using it. This provides directly actionable data to peer teams for further response options.
What cyber intel (or any intel, really) is not:
- The Full Picture – Intel often works with many smaller pieces to put together the best understanding of what is being seen. Other variables and unknowns may factor into the end result but are never revealed to analysts. Absence of evidence is not evidence of absence.
- Simply Facts or Information – A great deal of information is available to us, but the facts alone are not enough to see ahead of the curve.
- Able to See All Business Data – Unless the data is offered, much of intel’s focus is external to the organisation, relating to threats and potential threats.
- Able to Make Decisions – Intel’s job is traditionally to help inform decision makers by giving the best context and understanding to the choices presented. If the need is a recommendation for controls, internal data would need to be provided in order for the intel team to better understand what is already in place.
- 100% Certain – In looking at incomplete data to analyze the potential threats, there are always unknowns that could impact the end result. While there is no 100% solution, what intel offers is our best estimate based on data, context, and experience.
How is intel different from risk? What is the lifecycle and what are some of its challenges? How is intel different between public and private sectors? What role does intel have in OpRes? What else should be factored into cyber intel and decision-making?
All for future posts, I assure you.