What is Cyber Threat Intelligence
Bottom Line Up Front (BLUF): Cyber Threat Intelligence is a product that results from the fusion of traditional intelligence-gathering disciplines into information related to adversaries with the intent, opportunity, and capability to harm in cyberspace.
Well-established and agreed-upon definitions of traditional intelligence-gathering disciplines, like human intelligence (HUMINT) and signals intelligence (SIGINT), exist. However, any attempt at defining cyber threat intelligence (CTI) as an intelligence-gathering discipline is unreasonable. The main reason is that traditional intelligence-gathering disciplines apply to CTI.
Rather than simply defining CTI as the collection, analysis, and assessment of cyberspace information, there is no longer a need for a concrete definition, and we do not attempt to describe it. Instead, the Deepwatch Adversary Tactics and Intelligence (ATI) team views CTI as a product that result from the fusion of traditional intelligence-gathering disciplines into information related to adversaries with the intent, opportunity, and capability to harm in cyberspace.
Deepwatch Intelligence Process & Methodology
At Deepwatch, the traditional Intelligence cycle is the fundamental process we use to turn information into intelligence. The stages of the intelligence cycle include gathering requirements, planning, and direction, and then collecting the necessary data and processing, followed by the analysis and production of the intelligence product. Finally, we complete the process when decision-makers provide feedback and revise requirements. Thus, the intelligence cycle effectively processes information and turns it into relevant and actionable intelligence.
Requirements Gathering, Planning, and Direction
The ATI team’s mission is to provide intelligence that drives effective business decisions. We derive requirements from a combination of shifts in the cybersecurity landscape and customers’ business needs.
Collection & Processing
ATI collects data through various methods, including open-source and internal intelligence. Collected data is processed and then ingested into a centralized system for analysis.
Analysis & Production
Threat Intelligence Analysts examine and evaluate all the information collected, add context as needed, and integrate it into a complete finished intelligence product. These products include assessments of events and estimates about the developing threat landscape.
Often these assessments and estimates include alternative scenarios and, when appropriate, warn customers about possible developments in the threat landscape. Furthermore, intelligence gaps are identified and used as the basis for additional requirements for further collection.
Relevant intelligence is disseminated both to Deepwatch internally and to our customer base through various mechanisms: including but not limited to weekly Cyber Intelligence Briefings, alerting, and time-sensitive Advisory Reports.
Feedback and Evaluation
Feedback and evaluations is a continuous process that occurs at all stages of the intelligence lifecycle and after we have completed the analysis and disseminated the final product. This process is essential to ensure that produced intelligence effectively provides cybersecurity operational value and drives strategic business decisions.
Tracking of Threat Activity
To track threat activity observed during incident response engagements, The Deepwatch Adversary Tactics and Intelligence (ATI) team uses Threat Activity Cluster designations (TAC-###) to track similar activity across multiple engagements.
An Explanation of Estimative Language and Analytic Confidence
To convey analytical assessments and estimates, the ATI Team uses phrases like “assess” and “estimate,” as well as probabilistic terms like “could” and “likely.” However, we do not base such claims on facts, proof, or knowledge. Instead, these evaluations and judgments are based on assumptions or prior assessments and often from incomplete or fragmentary data.
To convey the possibility or probability of our hypothesis, the Deepwatch Threat Intel Team employs probabilistic language in our assessments. Because analytical assessments are not certain, we use terms to denote that our hypothesis has a lower or greater than even chance of possibility or probability.
For instance, terms like unlikely, improbable, highly likely, or highly improbable denote that our hypothesis has a lower than even chance of possibility or probability. Likewise, words like likely, probable, highly likely, or highly probable indicate that our hypothesis has a higher than even chance of possibility or probability.
Furthermore, a “roughly even chance” denotes that our hypothesis has a roughly 50% possibility or likelihood of occurring. The following table denotes how specific terms relate to quantitative odds.
- Remote – 1 – 5% probability.
- Highly unlikely – 5 – 20% probability
- Unlikely – 20 – 45% probability
- Roughly even chance – 45 – 55% probability
- Likely – 55 – 80% probability
- Highly likely – 80 – 95% probability
- Almost certain – 95 – 99% probability
Weighing the following factors allows us to assign our assessments and estimates with high, moderate, or low levels of confidence: the complexity of the analytical task; the robustness, number, and applicability of analytic techniques employed, and the degree to which the results coincide; overall source reliability; the degree of corroboration and agreement amongst sources if multiple sources were available; analyst collaboration, expertise, and experience on the subject matter or topic; and finally, we account for any time pressures and deadlines faced by the analyst.↑