The terms intelligence, cyberintelligence and cyberthreat intelligence are used extensively, and often interchangeably, in the information security community. They are also frequently misapplied to automated data feed services, or to raw data that may help identify and mitigate threats. Intelligence, in particular, is very different from information, and organisations need to be aware of the key differentiators.
As illustrated in our 2015 Global Threat Intelligence Report, the distinction can be described with the following scenario:
An exploit for a zero-day Java vulnerability is publicly released on a security mailing list. Shortly thereafter, malware exploiting the vulnerability is identified in the wild. Security vendors notify clients of this threat and provide recommendations for mitigation. This is threat information and, while useful, it is not, by definition, threat intelligence: it describes an observed fact without saying who is likely to be targeted, by whom, or how.
A security vendor monitoring exploitation of the Java vulnerability notices that infection rates in Asia are much higher than in the US. New strains of the malware, which install code associated with a botnet command and control system on victim devices, are being observed in the wild. At the same time, a large financial institution has announced the acquisition of a number of smaller, regional banks and an increase in its non-sufficient funds fee from $20 to $35, angering consumers. A number of hacktivist groups begin discussing a protest against the US banking system on social media, promising to halt online transactions at major institutions for a day. One hacktivist Twitter account posts instructions for using botnet command and control software that appears to be related to the botnet client code installed by the Java malware.
Piecing these data points together leads to a clearer picture: US banks are likely to be targeted with a DDoS attack by a hacktivist group using a botnet built from hosts compromised through the Java vulnerability. Based on what is known about the infection profile, banks can expect the attack traffic to originate largely from Asian source IP addresses. This is threat intelligence: information gathered from a number of disparate sources and synthesised by human analysts into an assessment of a specific threat to a specific target, with enough context (likely actor, method and origin) for the target to act on it.
There is no doubt that changes to the cybersecurity landscape over the last several years have been the primary driver of the need for threat intelligence services. Yet, as organisations seek new sources of threat intelligence to help manage risk in their business, they need to be aware of the different types of intelligence being delivered by the security industry, and to ask whether what they are buying is analysed intelligence or repackaged threat information.