Should Cyber Threat Intelligence be source and veracity rated?
Is there danger in taking action on public / private Cyber threat intelligence feeds?
HUMINT treatment of information has a place in Cyber Threat Intelligence analysis
Ok…. before I start, and for those that have been reading carefully….. in my last post I talked about “intelligence” vs “information”. For ease of reading and comparison I’ll continue to use “intelligence” for what is really information, but this article importantly starts to lead us towards real “intelligence”.
What is HUMINT? Intelligence has always had an important place in military and government operations. One such source of information is Human Intelligence (HUMINT). HUMINT is the gathering of information directly from a person or persons – this can be achieved in various ways, through sources that are willing, unwitting or even under various forms of duress. The largest challenge HUMINT collectors face is evaluating the information for truthfulness – the source may not have had the information first hand, it may be rumour, or the source may want to be deceitful for whatever reason.
So how did HUMINT operators get around this? They addressed it in a twofold manner, separately analysing the source for reliability and then the information for credibility. This was refined and developed by NATO into what they call the Admiralty rating system – also widely adopted by the western militaries of the world. The HUMINT operator assigns a letter from A to F to the source based on its historic reliability, regardless of the information provided. Secondly, the information itself is assessed and assigned a numeric value from 1 to 6 based on the veracity of the information. The tables below help explain the system. As an example, information passed by a reliable source that could be verified by other means, such as Signals Intelligence (SIGINT), would likely be assigned a rating of “A1”. At the other extreme, a first-time source providing new information not yet seen, neither supported nor contradicted by other information, would likely be assigned a rating of “F6”.
Naivety of Cyber “threat intelligence” – at the moment the industry and vendors provide threat intelligence (largely tactical in nature) through a “fire hose of consumption” of tens of thousands of events. I’d argue most organisations are drowning in the information and using it in a largely reactive manner to counter attacks that have already occurred. My issue is that this feed of information has not been verified for source reliability or information credibility. Therefore we are treating all of this information the same – effectively with a rating of A1 – and acting with naive confidence on the information provided.
So what next? – Well, now for the obvious conclusion….. I believe that we as Cyber specialists, and the Cyber industry, should adopt analysis of the source and the information in our “threat intelligence feeds” in order to provide a better product to the end user and assist in their analysis or action. Such ratings will become more important as the Cyber industry matures in the intelligence field and moves up the “intelligence stack” to strategic intelligence, where evaluation is critical. Rather than create a new rating system, it would be great if the industry could adopt an existing, proven international standard such as the NATO Admiralty system, which would provide further value in the global epidemic of cyber warfare that transcends industries, competitors, governments and citizens.
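To make the two scales concrete for a feed consumer, here is an added Python example (not from the original post) that assigns an Admiralty code to each feed report: the source letter from the feed’s reviewed track record, the credibility digit from independent corroboration, and then a response tier gated on the combined rating so that an unverified “F6” is never acted on like an “A1”. The scale labels are the standard NATO ones; the thresholds, the FeedSource class and the handling tiers are this example’s own assumptions.

```python
from dataclasses import dataclass

# Standard NATO Admiralty scales: source reliability (A-F) and information credibility (1-6).
RELIABILITY = {"A": "completely reliable", "B": "usually reliable", "C": "fairly reliable",
               "D": "not usually reliable", "E": "unreliable", "F": "reliability cannot be judged"}
CREDIBILITY = {1: "confirmed by other sources", 2: "probably true", 3: "possibly true",
               4: "doubtful", 5: "improbable", 6: "truth cannot be judged"}

@dataclass
class FeedSource:
    """Track record of one threat intel feed: how its past reports held up after review."""
    name: str
    confirmed: int = 0  # past reports later verified (matched an incident or another feed)
    refuted: int = 0    # past reports later shown to be false positives

    def reliability(self) -> str:
        # The history floor and ratio thresholds are this example's assumption, not NATO's.
        history = self.confirmed + self.refuted
        if history < 5:
            return "F"  # too little track record to judge the source at all
        ratio = self.confirmed / history
        for letter, floor in (("A", 0.95), ("B", 0.8), ("C", 0.6), ("D", 0.4)):
            if ratio >= floor:
                return letter
        return "E"

def credibility(corroborating: int, contradicting: int) -> int:
    """Rate one report by how many independent sources support or contradict it."""
    if corroborating == 0 and contradicting == 0:
        return 6  # new, neither supported nor contradicted: truth cannot be judged
    if contradicting > corroborating:
        return 5 if corroborating == 0 else 4
    if corroborating >= 2 and contradicting == 0:
        return 1  # independently confirmed
    return 2 if corroborating > contradicting else 3

def rate(source: FeedSource, corroborating: int, contradicting: int) -> str:
    """Combine both scales into the two-character code the post uses, e.g. 'A1' or 'F6'."""
    return f"{source.reliability()}{credibility(corroborating, contradicting)}"

def handling(rating: str) -> str:
    """Assumed response policy: automate blocking only on well-rated intelligence."""
    letter, digit = rating[0], int(rating[1])
    if letter in "AB" and digit <= 2:
        return "auto-block"
    if letter <= "C" and digit <= 3:
        return "analyst-review"
    return "log-only"
```

With a constructed vendor feed of 48 confirmed and 2 refuted past reports, a new indicator corroborated by three other feeds rates A1 and is eligible for automated blocking, while a first-seen indicator from a feed with no track record rates F6 and is only logged.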