Threat Intelligence Introduction

A definition of Intelligence

Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. ~Gartner (2013)

Value Proposition of Intelligence

Context for current events and insight into potential future events.

Everything is Intelligence

  • Raw Data: collected but unevaluated
  • Raw Intelligence: evaluated but without context
  • Finished Intelligence: contextualized and packaged

Intelligence: Always a Support Function

Implications:

  • Close, ongoing contact with consumers
  • Unable to effectively support something you don't understand
  • Intelligence doesn't defend; it focuses and amplifies the work of network defenders

Generating Intelligence

External Data + Knowledge/Insight / Internal Data = Intelligence

The Intelligence Life Cycle

  • Planning & Direction / Requirements: critical to the success of any intelligence program
  • Collection: data acquisition and intelligence gathering
  • Processing: collation, validation, and evaluation of the collected data and information to confirm its usefulness and relevance
  • Analysis & Production: threat research, indicator expansion and pivoting, written intel conclusions
  • Dissemination & Feedback / Evaluation: provide intel products to stakeholders, receive intelligence feedback from teams, and return to the beginning of the cycle

Key Points:

  • Purposeful
  • Structured
  • Reinforcing