In the world of security, there are three types of threats: known knowns, known unknowns, and unknown unknowns. That is, there are threats we're fully aware of, threats that we can't precisely anticipate but know are out there, and threats that we don't even know exist.
Cyber intelligence is all about illuminating those unknown unknowns and making them known. The goal of cyber intelligence efforts is to identify and mitigate harmful events in cyberspace.
At the most fundamental level, cyber intelligence helps organizations be proactive rather than reactive in dealing with cyber threats. The gold standard in cybersecurity is to anticipate threats and have protective measures already in place when they occur. Moreover, good cyber intelligence informs better, faster decision-making during and after an intrusion, allowing organizations to efficiently detect and respond to cyber threats and mitigate damage.
It's clear that the cybersecurity workforce needs to make anticipating future cyber threats a high priority. This is done by gathering three main types of cyber threat intelligence:
Tactical Intelligence: The "What"
At the tactical level, cyber intelligence is highly technical, including IP addresses, domains, file names, hashes, and other specific pieces of information that may indicate a system has been compromised.
Tactical intelligence is used to identify specific, immediate threats and respond to them in the short term. This type of intelligence is almost always gathered using automated tools, since it is both relatively simple to collect and has a very short shelf life — malicious IPs and domain names may become obsolete in a matter of days or even hours.
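As an added illustration of the two points above (automated collection and a short shelf life), the following Python is example code written for this page, not something from the original article or any particular product. It keeps a small store of tactical indicators (IPs, domains, hashes), retires each one after an assumed shelf life so stale network indicators stop generating alerts, and matches the indicators that are still active against a few constructed proxy and endpoint log lines. The shelf-life values, the feed entries and the log lines are all constructed for the example.

```python
"""Tactical indicator matching with shelf-life decay (added example, not from the article).
All indicators, shelf lives and log lines below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Assumed shelf lives per indicator type (illustrative, not a standard):
# network indicators go stale within days, file hashes stay useful far longer.
SHELF_LIFE = {
    "ip": timedelta(days=3),
    "domain": timedelta(days=7),
    "sha256": timedelta(days=365),
}


@dataclass(frozen=True)
class Indicator:
    kind: str        # "ip", "domain" or "sha256"
    value: str
    seen: datetime   # when the feed last observed the indicator as malicious

    def is_stale(self, now: datetime) -> bool:
        """An indicator is stale once its age exceeds the shelf life for its type."""
        return now - self.seen > SHELF_LIFE[self.kind]


# Constructed feed: documentation-range IPs, a reserved example domain, a fake hash.
FEED = [
    Indicator("ip", "203.0.113.7", datetime(2024, 5, 1, tzinfo=timezone.utc)),
    Indicator("ip", "198.51.100.23", datetime(2024, 4, 1, tzinfo=timezone.utc)),
    Indicator("domain", "bad.example.net", datetime(2024, 4, 30, tzinfo=timezone.utc)),
    Indicator("sha256", "a" * 64, datetime(2023, 9, 1, tzinfo=timezone.utc)),
]

# Constructed log lines from a proxy and an endpoint agent.
LOG_LINES = [
    "2024-05-02T10:00:01Z proxy dst=203.0.113.7 host=bad.example.net",
    "2024-05-02T10:00:05Z proxy dst=198.51.100.23 host=cdn.example.com",
    "2024-05-02T10:01:00Z edr file=setup.exe sha256=" + "a" * 64,
]

# Fixed "current time" so the example is deterministic.
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def extract(line: str) -> set:
    """Pull candidate (kind, value) pairs out of one log line."""
    found = {("ip", m) for m in IP_RE.findall(line)}
    found |= {("domain", m) for m in DOMAIN_RE.findall(line)}
    found |= {("sha256", m) for m in SHA256_RE.findall(line)}
    return found


def active_indicators(feed, now: datetime) -> dict:
    """Index only the indicators that have not aged out."""
    return {(i.kind, i.value): i for i in feed if not i.is_stale(now)}


def match_logs(lines, feed, now: datetime) -> list:
    """Return (line, (kind, value)) for every active indicator seen in the logs."""
    active = active_indicators(feed, now)
    hits = []
    for line in lines:
        for key in extract(line):
            if key in active:
                hits.append((line, key))
    return hits


def run_demo() -> list:
    """Match the constructed logs against the constructed feed at the fixed NOW."""
    return match_logs(LOG_LINES, FEED, NOW)


if __name__ == "__main__":
    for line, (kind, value) in run_demo():
        print(f"HIT {kind}={value} in: {line}")
```

Running it reports three hits: the fresh IP and the domain on the first proxy line, and the hash on the endpoint line. The month-old IP 198.51.100.23 on the second line is ignored because it has passed its assumed three-day shelf life, which is exactly the behaviour you want when indicator feeds churn daily and yesterday's malicious address may belong to someone else today.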
Operational Intelligence: The "Who"
Operational cyber intelligence focuses on the human actors behind cyber threats, including their goals, capabilities, and motivations. At the operational level, cyber intelligence seeks to understand the tactics, techniques, and procedures (TTPs) that dangerous actors use to compromise systems.
While machines can collect some of the data needed for operational threat intelligence, human analysis is absolutely needed to identify the "who" and "why" of an attack. As compared to tactical intelligence, operational intelligence is both more difficult to gather and longer-lasting, since cyber attackers cannot change their TTPs as quickly as they can change a domain or IP address.
Strategic Intelligence: The "How"
The strategic layer of cyber intelligence focuses on the big-picture, overarching risks that come from cyber threats and informs how organizations can plan their overall cybersecurity strategy.
Strategic intelligence goes beyond cyberspace to understand the broader context of a cyberattack. At the national level, for example, cybersecurity insights have to be combined with geopolitical knowledge to understand cyber threats. Likewise, at the business or organizational level, the broader market conditions must be considered. When properly understood, strategic intelligence allows organizations to plan their overall approach, anticipate future threats well in advance, and respond to those changing threats in real-time.
So how do cybersecurity professionals go about collecting this intelligence?