Introduction to CTI as a General topic

Overview

The term Cyber Threat Intelligence (CTI) has been discussed as early as 2004. Unfortunately, the application of the term has been applied to a broad range of activities many of which, such as IP reputation lists and vulnerability management, pre-date the use of the term. At the same time information security practitioners have sought to bring new and novel techniques to advance the subject area, many of which have utility in the practical work of securing computers and the information held upon them. Discussion on the topic has been influenced by industry analysts, professional bodies, hardware & software vendors, and practitioners over time and a number of varying definitions exist in circulation today. Much of the discussion has centred around different types of intelligence from data-driven intelligence created through automated means, through to the techniques and analysis used to create finished intelligence products. The intention of this Special Interest Group (SIG) is to provide an inclusive approach to defining the field which enables members and practitioners to consider a broad range of capabilities when discussing the topic. This page seeks to draw upon existing work to put forward a working definition for the SIG.

A working definition for Cyber Threat Intelligence

One approach that can help to create a definition is to break the definition down into it's component parts.

A definition of cybersecurity

The precise definition of cybersecurity is a hotly debated, but cybersecurity has entered common parlance in the english speaking world. Merriam Webster defines it as

measures taken to protect a computer or computer system (as on the Internet) against unauthorised access or attack

Practitioners of the field of the related and overlapping fields of Information Security, IT Security, and Computer Network Security strongly contested the introduction of the term. However its use is now commonplace and generally accepted by non-practitioners and now the industry as a whole has for the most part, taken this term on board. An excellent summary of this discussion and an argument for it's use was suggested in 2016 by the security commentator Dr. Jessica Barker. Please note that cybersecurity might also include the role that cyber deception operations might play in gathering intelligence.

A definition of threat

During some work conducted by CREST in 2014 on behalf of the Bank of England a team of 30 penetration testers and threat intelligence companies debated what threat meant to them and suggested the following definitions

An expression of intent to do harm, i.e. to deprive, weaken, damage or destroy

an indication of imminent harm;

an agent that is regarded as harmful;

a harmful agent’s actions comprising of tactics, techniques, and procedures (TTPs).

Here, an agent is used in it's generic sense. It could be a person, a computer program, a government, a criminal organisation, or it could be a thing or activity. Weather, for example, could be regarded as harmful in certain circumstances and therefore be considered as a threat. It is intentionally broad since threat may come from any direction. There is some excellent writing on this topic from Naseem Nicholas Taleb.

In the topic field of Information Security, Threat is frequently expressed as a functional input into the understanding of Risk.

F(Risk) = (Threat, Vulnerability, Impact)

The OWASP framework lists another example of how these inputs can work here.

Threat itself is often also broken down as an expression of:

Threat = Capability (threat actor) x Motivation (threat actor) x Opportunity (target) (Reference)

A definition of Intelligence

The topic of intelligence is exceptionally broad and can relate to many different aspects of our world, indeed the dictionary definition is very broad indeed which can be summarised as:

the ability to learn, or the process of acquiring knowledge and skills
the skilled use of reason
the act of understanding
mental acuteness
information concerning an enemy or an area, also an agency engaged in obtaining such information
the ability to perform computer functions

For the purposes of Cyber Threat Intelligence, the intention is to apply techniques with the intention of preventing undesirable outcomes that might affect the cybersecurity of something we might be responsible for protecting. Some of these techniques come from the following areas:

the application of cognitive techniques to reduce uncertainty
the act of forecasting to help focus resources in a more efficient or meaningful manner
gaining insight or knowledge into a harmful agents actions to more effectively mitigate or reduce harm

Another useful discussion is that that distinguishes data from information, from knowledge and intelligence

The Bank of England CBEST guide gives the following explanation:

"Apart from the more general use of term to describe the ability to acquire knowledge and skills, intelligence is more specifically used in military, police or political environments to describe information, usually used or collected covertly, about an adversary or hostile activities.

Its use to date in the business world has been largely in non-threat domains such as customer intelligence. Intelligence is a particular kind of information. Intelligence and information are often used interchangeably as are information and data. To properly understand information (and therefore intelligence) it is necessary to put it in context and a useful model is the data information knowledge pyramid".

This goes on to explore work originally put forward by Michael Hey in 2004: https://www.jonohey.com/files/DIKW-chain-Hey-2004.pdf

It establishes the following useful definitions

Data: Data equates to elementary facts and observables. For example, name, age, postal address, telephone number, bank balance, etc. When describing the indicators that describe a cyber attack, the Lockheed Martin kill chain refers to elementary ‘atomic indicators’ that retain their meaning in the context of an intrusion, examples being IP addresses, email addresses and vulnerability identifiers (Hutchins, Cloppert and Amin (2011)). These equate to data. On its own, data does not provide any intrinsic value.
Information: Information is data in context, or a higher-level abstraction or viewpoint made on the basis of one or more data items. A general definition of information, drawn from classical information theory, is ‘that which reduces uncertainty’ (Shannon (1948). An example from the banking domain might be the abstraction ‘account is dormant’ on the basis that the balance on a credit card account has been nil for the past nine months. The Lockheed Martin kill chain refers to ‘computed indicators’ which are derived from data involved in an intrusion, examples being hash values and regular expressions (Hutchins, Cloppert and Amin (2011). These equate to information.

Data and information are often used interchangeably despite being different things. One potential source of confusion is that information can itself be subject to further abstraction and manipulation, in other words, one person’s information can be another person’s data.

Knowledge: The layer above information is knowledge, or the interpretation and exploitation of relevant information in order to solve a problem or to make a decision. This is usually undertaken by humans but can also be done by machines. Very often knowledge is expressed in the form of an ‘if-then rule’ (also known as a heuristic, implication, or, more commonly, a business rule). For example, to continue the previous banking example, a suitable heuristic might be ‘If an account has been dormant, and this month’s spending is very high, then it may have been taken over by a fraudster’ (where ‘has been dormant’ and ‘very high’ are information-level data abstractions of data). The Lockheed Martin kill chain refers to ‘behavioural indicators’ which are collections of both computed and stand-alone indicators, often subject to qualification by quantity and possibly combinatorial logic. An example might be ‘The intruder would initially used a backdoor which generated network traffic matching [regular expression] at the rate of [some frequency] to [some IP address], and then replace it with one matching the MD5 hash [value] once access was established’ (Hutchins, Cloppert and Amin (2011). This equates to knowledge. As with information, knowledge can be subject to further abstraction and manipulation, resulting in higher-level constructs such as wisdom, intuition, and so on. However, these serve to complicate the picture and are all variations on the core theme of a higher-level knowledge layer where information is structured and applied.
Intelligence: Formal definitions of intelligence vary. Some might say that intelligence can be very simply defined as anything that is classified. For many of the vendors who are rebadging their existing information security products, intelligence is a marketing term that can mean whatever they want it to mean. The original Hoover Commission definition from the Cold War is ‘Intelligence deals with all the things which should be known in advance of initiating a course of action’ (Clark (1955)). More recently, the US Army defined intelligence as "…the product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations. The term is also applied to the activity that results in the product and to the organizations engaged in such activity" (United States Army (2010). There is no single agreed definition of intelligence although definitions seem to be converging and sharing some common terminology. Definitions generally vary with regard to the word count (and therefore clarity, many of them taking up multiple sentences) and whether they focus on intelligence as a product or a process.

At the Bank of England Cyber Working Group held on 9 January 2014 the following working definition of threat intelligence was drawn up: "Threat Intelligence is the contextualised output of a strategically-driven process of collection and analysis of information pertaining to the identities, goals, motivations, tools, and tactics of malicious entities intending to harm or undermine a targeted organisation’s operations, ICT systems or the information flowing through them." This was followed up at the CBEST threat intelligence workshop held on 13 March 2014, with three further definitions:

evidence-based interpretation of data, collected on or against the identities, goals, motives, TTPs and targets of malicious actors;
information that provides relevant and sufficient understanding for mitigating a harmful event;
the process of analysing data creating contextual knowledge to mitigate a threat. A threat is an event with potential to cause harm.

For the purposes of this report the second definition above has been adopted and refined:

There is a large variety of the skillet demonstrated by different commercial entities, as well as, a heavy overloading of terminology which has repeatedly caused issues with inter-company and inter-personal communication. This body of work is focusing on going back to the roots of this terminology and introducing the words and methods that have been used by professionals for many years and help adapt them for the reader in the context of CTI.

On this basis we put forward the following for consideration

“Information about threats and threat actors [and their behaviours] that provides relevant and sufficient understanding for mitigating a potentially harmful event [related to] the Cyber domain”

Stakeholders the consume or use intelligence

In order to provide an intelligence product, a producer would need capabilities for acquiring, transforming and analyzing raw materials into an intelligence product. To some extent this is covered by the Intelligence Lifecycle. Ultimately there may be different people in an organisation that would consume the resulting product.

An important question is to look at who uses or consumes threat intelligence. David Bianco's Pyramid of Pain, discusses how different types of intelligence products requires different types of investment in evidence to produce. Additionally this report by MWR and the NCSC sets out the following types of intelligence product.

Strategic: This is high level information, produced at a slower cadence, consumed by those that control the strategy of an organisation, typically executive teams or management. The focus of this information is on aspects of a threat that may impact business decisions.
Operational: This is intelligence that is specific to an organisation where there is relevance to the direct business operations of that organisation. This may be produced at a faster cadence and can be used to warn defenders of an impending attack or from an observed behaviour.
Tactical: This is specific information that relates to the Tools, Tactics, Techniques and Procedures (TTP’s) employed by an actor.
Technical: This is focussed on the more technical information that is provided in Indicators of Compromise (IoC), Indicators of Attack (IoA), forensic evidence and technical descriptions. In some cases this tactical information may form part of the operational defence capabilities of an organisation as firewalls, detection technology and response capabilities are updated in near real time in response to changes in known indicators.

And there you go, at the end we arrive at the...

Definition of Cyber Threat Intelligence

Cyber Threat Intelligence is systematic collection, analysis and dissemination of information pertaining to a company’s operation in cyberspace and to an extent physical space. It is designed to inform all levels of decision makers.

The analysis is designed to help keep situational awareness about current and arising threats.

[1] David Bianco “Pyramid of Pain”
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

[2] UK NCSC – Paper sponsored by MWR Labs
https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/MWR_Threat_Intelligence_whitepaper-2015.pdf

[3] Centre for Internet Security (CIS): https://www.cisecurity.org/what-is-cyber-threat-intelligence/ - defines strategic, operational, and tactical

[4] Dave Shackleford - SANS 2018 Survey on Cyber Threat Intelligence
https://www.sans.org/webcasts/cyber-threat-intelligence-today-cti-survey-results-1-105810/

[5] OASIS CTI Technical Committee
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti

[6] - A Definition of Intelligence
https://www.cia.gov/static/554d7d05a62d7d6de84b5b84ae6702ae/A-Definition-Of-Intelligence.pdf

[7] Ryan Stillions - Detection Maturity Level model
http://ryanstillions.blogspot.com/2014/04/the-dml-model_21.html

[8] CIA, A definition of Intelligence
https://www.cia.gov/static/554d7d05a62d7d6de84b5b84ae6702ae/A-Definition-Of-Intelligence.pdf