Blog Manager
I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.

What makes for good threat intelligence?

Wednesday, April 13, 2016 - 16:17

The term “threat intelligence” seems to creep in scope to cover any and all information in cyber security, regardless of whether it involves any actual intelligence. Threat intelligence needs a number of qualities to be truly valuable.

  • It needs to be specific to our organization’s context, and not so general that it could apply to anyone.
  • The “intelligence” needs to be more refined than just raw information, and feature some analysis that makes reasonably sound deductions based on previously acquired information, skills and experience.
  • There needs to be clear and practical action that the organization can take. If there is little that can be done to address the threat – perhaps the skill level of the adversary is just too high – then the intelligence can distract from more pressing issues.

Examples of good threat intelligence might be:

Last time we issued an unfavourable press release we received threats of DDoS attacks. Tomorrow we’re releasing a similar press release, so we should expect more threats.

Other companies in our industry have recently been targeted using vulnerability CVE-1234-5678 and received a lot of press coverage. We know that any systems we have that are vulnerable to this can be easily found, so we should refocus our efforts on patching these systems.

Poor examples of threat intelligence might be:

A vulnerability has been discovered in FooSoft, patch now

A study has shown that users pick poor passwords

The NSA hacked ChipCorp, other technology companies should be careful

It’s not that this information isn’t useful – the industry blogs and press are full of it – but it lacks the specific, analysed, and actionable qualities we should expect of intelligence.