Is it really “threat intelligence” or just marketing hype?
The term “threat intelligence” is used widely in the Cyber industry for various products, forums and marketing campaigns. Examples include technical threat intelligence feeds for SIEM, threat intelligence updates, notes or publications, and even in naming teams themselves. Unfortunately most of this “threat intelligence” is actually only raw information with no analysis.
As a recent good article in Dark Reading by Nick Selby put it “Even the database itself is not intelligence, per se. It turns out that a database is just a collection of data. Don’t get me wrong: The data within the database — or the threat feed — can be highly useful to the intelligence process. But (and I am not picking nits here) it comprises a data feed, not an intelligence feed (except to marketers).” (http://www.darkreading.com/threat-intelligence/why-threat-intelligence-is-like-teenage-sex/a/d-id/1235049)
So what is information? It is essentially a raw piece of data that has not yet been analysed for its authenticity, veracity or reliability. The information can come from various sources and in the case of “Cyber Threat Intelligence” it generally originates from systems that generate bad IP addresses or other such raw information that is gathered from honeypots, anti-virus networks, etc. So it certainly has its place and provides a level of what is essentially tactical Cyber threat data.
Intelligence is more than just information— it is the analysis of information that is gathered through surveillance, reconnaissance and research. In the case of Cyber it is the collation, correlation and analysis of the data into building an assessment of various data in order to provide higher value to the information itself. Unfortunately, systems cannot provide intelligence although they can certainly help a professional intelligence analyst in conducting their assessment.
As defined in military doctrine “intelligence. 1. The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information…….” (JP 1-02)
Misuse of the term – Although I cannot put my finger on exactly when the term started to be misused, I do suggest that we at least try and correct the mistake and use the right terminology, instead of a marketing stunt. This will help to clearly differentiate between true intelligence professionals and services provided by the industry, in particular as it matures in this market. The time for higher value industry services and the use of government / military grade intelligence is coming for the Cyber industry in the form of Strategic Threat Intelligence. We have to act to turn the tables on the threat actors and move away from our loosing, reactive, defensive war of attrition we are currently in and true intelligence services are certainly part of the solution.