Attaining the “correct” Threat Insight
By definition, “threat insight” provides an understanding of threats in the context of your company. Insight of any kind is interesting and potentially useful but the most key and critical insight is the insight specifically related to you. In this case, your company and the threats: the known knowns, the known unknowns and lastly, the unknown unknowns.
These three threat categories represent threats and risks that you can easily define, those less easily defined, and those yet imagined but that threaten you from the shadows where your security light does not shine.
A way to think of these categories is:
• Not walk blindfolded on the highway (known knowns)
• Turning left might lead to an accident because you hear sirens (known unknowns)
• What you just ate was laced with poison and will kill you — even though you didn’t taste, smell, or notice the difference (unknown unknowns)
They are most threatening in a reverse order, with those unknown quantities you have not even considered being the most hazardous. Insight, therefore gives you understanding of a quantity you did not have before. Of the three, the last is the most obvious desired item, since it deals with the highest risk and hazard.
Prioritizing Threat Intelligence by Risk Severity
Insight identifies the quantities in that “unknown unknowns” category as the most valuable, followed in turn by the “known unknowns” quantities.
A profile that identifies the type of criminal who focuses on your business due to its activities is a powerful insight in the “known unknowns” category. That an adversary or two are focused on your business is no surprise.
That someone bypassed your security encryption by introducing a flaw into its creation a decade previously is an “unknown unknown”. The encryption looks solid and the flaw is unknown and unconsidered.
Threat insight is analysis and evaluation (key words there) that find hidden threats of this nature — or, at least consider their possibility and probability of occurrence.
Correct or quality threat insight is thr activity performed in areas relevant to your company. Insight into Chinese threat actors, malware and their operations is less pertinent to a business focused on crafting widgets for a variety of interesting devices. Barring a direct relationship, the threat is a third-hand risk; at best, a second-hand risk.
Profiling to gain insight on crooks aimed at your company operations is higher in precedence since the profile would identify criminals and other actors regardless of purported affiliation or geographical connection.
This type of threat insight can’t come from typical threat intelligence reports. It requires a knowledgeable cyber intelligence team who understands where and how to locate and identify that threats that affect your particular industry, organization type and even business structure.
They key differences between report-based threat intelligence and expertise-based cyber intelligence are:
- A dossier or report is primarily static, even dynamic ones. These are focused on “stuff” and leverage application on the accumulation and analysis of the stuff.
- Reports are limited in their application to building a control, measure or mitigation to handle an issue or incident.
- A profile has a single job: reduce the pool of possible matches to the lowest range of possibilities. Its less about “stuff” and more about observed characteristics and behavior.
Quality insight is the intelligence that casts light into shadowed areas and opens your eyes and decision making process to elements you did not even know existed, had overlooked or took for granted.