November 12, 2020 • The Recorded Future Team
Editor’s Note: Over the next several weeks, we’re sharing excerpts from the third edition of our popular book, “The Security Intelligence Handbook: How to Disrupt Adversaries and Reduce Risk with Security Intelligence.” Here, we’re looking at chapter two, “Types and Sources.” To read the entire section, download your free copy of the handbook.
When the right intelligence is delivered at the right time, right where security teams and business leaders need it, it empowers them to confidently and efficiently disrupt adversaries and protect the organization. Yet, the “right intelligence” may vary dramatically from team to team, since each group is focused on very different organizational priorities.
That’s why the concept of security intelligence encompasses two very different types of intelligence — operational and strategic:
- Operational security intelligence is knowledge about ongoing cyberattacks, events, and campaigns. It’s specialized, technical, and comprehensive — making it most useful to teams focused on defending the organization against adversaries.
- Strategic intelligence is a broader view of organizational risk, providing a 1,000-foot view to easily consume and understand — making it ideal for executives and security leaders.
To effectively reduce risk, both types of intelligence under the security intelligence umbrella must deliver a robust blend of threat data from various high-quality feeds, publicly available information from across the internet, and insights gathered from private channels and dark web forums.
The right security intelligence solution will not only enrich each team’s knowledge and streamline decision-making — it will also align everyone in the organization around shared objectives.
The following excerpt from “The Security Intelligence Handbook” has been edited and condensed for clarity. Continue reading below to explore the important distinction between operational and strategic security intelligence, and review the roles of data feeds, private channels, and the dark web:
Two Types of Security Intelligence
Security intelligence is a broad concept that is actually made up of two kinds of intelligence — operational and strategic. These two types of intelligence differ in their sources, the audiences they serve, and the formats in which they appear.
The purpose in making this distinction is recognizing that the various security teams have different goals and degrees of technical knowledge. As we said earlier, intelligence needs to be actionable — but because the responsibilities of a vulnerability management team differ significantly from those of a CISO, “actionability” has distinct implications for each, and the form and content of the intelligence they’ll benefit from the most will vary.
Operational security intelligence
Operational security intelligence is knowledge about ongoing cyberattacks, events, and campaigns. It provides specialized insights that enable the individuals that use it to understand the nature, intent, and timing of specific attacks as they are occurring. It’s generally sourced from machines.
Operational intelligence is sometimes referred to as technical security intelligence or technical threat intelligence, because it usually includes technical information about attacks, such as which attack vectors are being used, what vulnerabilities are being exploited, and what command and control domains are being employed by attackers. This kind of intelligence is often most useful to personnel directly involved in the defense of an organization, such as system architects, administrators, and security staff.
Threat data feeds are often used to inform technical information. These feeds usually focus on a single type of threat indicator, such as malware hashes or suspicious domains. As we discuss below, threat data feeds supply input for security intelligence, but the data points they provide are not security intelligence.
Operational security intelligence is commonly used to guide improvements to existing security controls and processes, and to speed up incident response. An operational intelligence solution that integrates with data from your network is crucial because it answers urgent questions unique to your organization, such as, “Is this critical vulnerability, which is being exploited in my industry, present in my systems?”
Strategic security intelligence
Strategic security intelligence provides a broad overview of an organization’s entire threat landscape. It’s most useful for informing high-level decisions by executives. The content is generally business oriented and presented through reports or briefings. Machines aren’t capable of generating these materials — they must be created by humans with expertise.
This kind of intelligence requires human interaction because it takes analytical thought to evaluate and test new adversary TTPs against existing security controls. Pieces of this process may be automated, but a human mind is required to complete the exercise.
Good strategic intelligence must provide insight into the risks associated with certain actions, broad patterns in threat actor tactics and targets, geopolitical events and trends, and similar topics.
Common strategic security intelligence sources include:
- Policy documents from nation-states or nongovernmental organizations
- News from local and national media, articles in industry- and subject-specific publications, and input from subject-matter experts
- White papers, research reports, and other content produced by security organizations
Organizations must set strategic security intelligence requirements by asking focused, specific questions. Analysts with expertise outside of typical cybersecurity skills — in particular, a strong understanding of sociopolitical and business concepts — are needed to gather and interpret strategic security intelligence.
Some aspects of the production of strategic security intelligence need to be automated. Even when the final product is non-technical, producing effective strategic security intelligence takes deep research on massive volumes of data, often across multiple languages. These challenges make initial data collection and processing too difficult to perform manually, even for those rare analysts who possess the right language skills, technical background, and tradecraft. A security intelligence solution that automates data collection and processing reduces this burden and enables analysts with various levels of expertise to work more effectively.
The Role of Threat Data Feeds
We mentioned earlier that data is not intelligence, and that threat data feeds often overwhelm analysts already burdened with countless daily alerts and notifications. However, when used correctly, threat data feeds provide valuable raw material for security intelligence.
Threat data feeds are real-time streams of data that provide information on potential cyber threats and risks. They’re usually lists of simple indicators or artifacts focused on a single 14 | The Security Intelligence Handbook area of interest, like suspicious domains, hashes, bad IPs, or malicious code. They provide a quick, real-time look at the threat landscape.
Many feeds are filled with errors, redundancies, and false positives. These create confusion and extra work, so it’s critical to select high-quality data feeds.
Instead of viewing dozens of feeds separately, use a security intelligence platform that combines them all into a single feed, removes duplicates and false positives, compares them with internal telemetry, and generates prioritized alerts. The most powerful security intelligence platforms even allow organizations to create custom security intelligence feeds, or curate and set up automated alerting.
The Role of Private Channels and the Dark Web
Threat data feeds and publicly available information are not the only external data sources for security intelligence. Vital operational and strategic intelligence on specific attacks, attacker TTPs, political goals of hacktivists and state actors, and other key topics can be gathered by infiltrating or breaking into private channels of communication used by threat groups. These include encrypted messaging apps, exclusive forums on the dark web, and other sources.
However, there are barriers to gathering this kind of intelligence:
- Access: Threat groups may communicate over private and encrypted channels, or require proof of identification or an invitation from an administrator.
- Language: Activity on forums is carried out in Russian, Chinese, Indonesian, Arabic, and many other languages — and slang and specialized jargon are used regularly.
- Noise: High volumes of conversation make it difficult or impossible to manually gather good intelligence from sources like chat rooms and social media.
- Obfuscation: To avoid detection, many threat groups employ obfuscation tactics like using codenames.
Overcoming these barriers requires a large investment in tools and expertise for monitoring private channels — or a security intelligence service provider that has already made that investment.
Look for security intelligence solutions and services that employ algorithms and analytical processes for automated data collection on a large scale. A solution that uses natural language processing, for example, will be able to gather information from foreign-language sources without needing human expertise to decipher it.
Get ‘The Security Intelligence Handbook’
This chapter is one of many in our new book that demonstrates how to disrupt adversaries and measurably reduce risk with security intelligence at the center of your security program. Subsequent chapters explore different use cases, including the benefits of security intelligence for brand protection, vulnerability management, SecOps, third-party risk management, security leadership, and more.