Communicating Threat Intelligence Relevance

Rel·e·vance
/ˈreləv(ə)ns/
Noun. the quality or state of being closely connected or appropriate

Threat intelligence without relevance is just information. It might be novel and provoking, but without context on why we should care, it creates noise. Even if we make that information clear, actionable, and timely, if the consumer doesn’t understand why it is important, it will not get the attention and prioritization it may warrant, and it cannot be considered intelligence.

Alternatively, it’s not enough to immediately tie a threat to the bottom line, brand reputation, or other aspects of enterprise risk. If everything is equally important, then none of it is important. Executives worth their roles will see through clichés.

As a threat intelligence analyst or manager, you must be able to walk your executive quickly, clearly, and directly through the threat, and explain what it means not only for the operators or the subject matter expert, but also for the organization. As with math, you’ve got to be able to show your work, especially when delivering to the C-suite.

The What and the So What

Anyone with experience crafting products based on threat intelligence is familiar with this question, or its close cousin, “What’s in it for me?” The concept is a cornerstone for making intelligence products clear with the intent to communicate relevance to the reader. Depending on the execution, however, it’s not always clear how we get there.

Let’s use Recorded Future’s Insikt Group’s most recent threat analysis — “China Altered Public Vulnerability Database to Conceal MSS Influence” — as an example.

What: CNNVD altered the original publication dates in its public database for at least 267 vulnerabilities that we identified as statistical outliers in our research published in November 2017.

So What: This large-scale manipulation of vulnerability data undermines trust in the CNNVD process and could compromise security operations relying solely on the CNNVD for that information.

The So What of the So What

The “so what” may not always get us as far as we need to demonstrate an issue’s impact on a business. Maybe your company has offices in China, or perhaps your CFO is considering opening an office in China. Put those intelligence requirements and your knowledge of your industry and business to work. Don’t have them? That’s another blog altogether.

Let’s take the “so what” that Insikt Group provided, and take it a step further by asking ourselves, “What’s the so what of the so what?”

What: CNNVD altered the original publication dates in its public database for at least 267 vulnerabilities that we identified as statistical outliers in our research published in November 2017.

So What: This large-scale manipulation of vulnerability data undermines trust in the CNNVD process and could compromise security operations relying solely on the CNNVD for that information.

So What of the So What: Vulnerability management should be utilizing other sources of information to best prioritize patch management.

Closer! And in some cases, this may be enough, but if you really want to dig in and make it explicitly clear why this particular piece of information deserves undivided attention, channel your inner three-year-old — repeatedly ask, “Why?”

Why? Why? Why?

If the other two approaches don’t allow you to determine if the intelligence is related or useful to the executive level, then you haven’t drawn the impact out far enough. The best way to get there is to ask yourself, “Why?” until there isn’t anything else left to say. Let’s walk through this CNNVD research as a hypothetical.

What: CNNVD altered the original publication dates in its public database for at least 267 vulnerabilities that we identified as statistical outliers in our research published in November 2017.

Why is this important? This large-scale manipulation of vulnerability data undermines trust in the CNNVD process and could compromise security operations relying solely on the CNNVD for that information.

Why is that important? Enterprise X’s vulnerability management should be utilizing other sources of information to best prioritize patch management.

Why is that important? Enterprise X isn’t currently doing this.

Why not? Because it costs $X to get pre-NVD CVE information, and we already allocated our budget for the year. But there is a budget meeting coming up.

Why is this important? Because we can present this information as reason to ask for more resources to acquire said tool.

And there it is. You don’t have to be a China-watcher for this intelligence to be relevant. It applies to vulnerability remediation, to companies with offices doing business in China, and to vendors you may use that are based in China.

In Closing

For threat intelligence to be meaningful, you must demonstrate its importance to matters “at hand,” whichever method you choose. That is the meaning of “relevant,” and it applies not only to intelligence, but to all aspects of communication, whether that involves demonstrating program value to acquire more resources, requesting a particular technology solution or tool, or presenting members of your team for promotion consideration. The same approach applies in each case.

So as you continue navigating the threat intelligence landscape, ask “Why?” over and over again … because “I told you so” is not an option.

Maggie McDaniel

Maggie McDaniel is the director of finished intelligence at Recorded Future.