What Is Cyber Intelligence?

Identifying the unknown unknowns.

In February 2002, Donald Rumsfeld, then US Secretary of State for Defense, stated at a briefing, “There are known knowns. There are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don’t know. But there are also unknown unknowns. There are things we do not know we don’t know.”

Hidden in this seemingly nonsensical statement are some important truths that are particularly relevant to cyber intelligence.

It defines the three broad categories of risk and threats.

  1. Things we know
  2. Things we know we don’t know
  3. The unknown unknowns

Cyber Intelligence Leads to Effective Action

The third category, the unknown unknowns, trips up most people. The concept that something exists that we cannot conceive of – but that still presents a problem – can be mind-boggling.

This is where intelligence shines. It provides a line of sight into characteristics and behaviors that can shift our unknown unknowns into the first two categories of what we know and the known unknowns. From there, we can weigh our options, understand where we need to acquire more information, and make decisions that lead to the right actions.

The Difference Between Good Intelligence and Bad Intelligence

This all requires a bit of definition, though.

Properly formed cyber intelligence is born out of analysis. It informs and furthers decision making. Bad intelligence is quite the opposite. When analysis is weak or non-existent in the threat hunting process, all that remains is data, which can neither inform nor advance decision making. And sadly, most of the time, the bad intelligence label is mistakenly pinned on the data, as though it were the flawed ingredient.

Don’t be fooled.

A key differentiator is that intelligence is fashioned for a human to understand. A list of data is just that, a list. When that list of data is coupled with contextual analysis that points out behaviors and characteristics, the data undergoes a transformation and becomes intelligence. Intelligence can then serve an important role as teacher: it informs and supports decision making.

Pretty simple.

Data Plus Analysis Becomes Intelligence Capable of Identifying the Unknown Unknowns

An enemy that is neither defined nor looked for is an unknown unknown. Intelligence that is aimed at the third category of unknown unknowns illuminates those hidden corners.

Intelligence should infer the enemy’s existence and plot the possible course along which they are likely to intersect with you. Intelligence should predict and consider the adversary’s activities and contrast that model with your own business or operational activities. The point of illumination is the place at which your activities and the cyber criminal’s activities cross.

Artificial Intelligence (A.I.) Can’t Go the Distance in Cyber Intelligence

Intelligence is not easy. It takes diligent effort and consistent care. It doesn’t sit on a shelf waiting to be plucked, stream down in the easy ingest of a feed, or jump off the pages of a threat intelligence report. It’s perishable and fragile. It requires people to create it and people to understand it. A.I. might help build it, but intelligence will never be fully understood without human perception.

Your adversary is human; therefore, you need a human capable of understanding them at the behavioral level, not just the data level, and you need a human who can understand you.

Without that conception, intelligence fails to deliver.

Cyber Intelligence Providers Are a Key Part of the Equation

Collecting data and implementing tools is straightforward. The same human factor that makes cyber intelligence so effective also makes finding cyber intelligence support a complicated endeavor.

When evaluating cyber intelligence vendors, make sure the vendor you are vetting can explain their analysis and provide references and sources for their data. Challenge them if they provide vague responses like, “I can’t disclose my source,” or equivocation, such as “telling you how I came to this conclusion is a secret or complicated or from our special tool.” Transparency demonstrates that they are truly capable of performing the necessary work.

You need someone who understands how to obtain the right information and who has proven processes for digging into the data and pulling out the relevant details. The right vendor is aware that there are unknown unknowns and understands how to transform them into the knowns you can act upon.
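The distinction drawn above, between a list of data and intelligence built from data plus contextual analysis, the point of intersection with your own activities, and a vendor who can cite a source, can be made concrete in code. The following is an added example and is not part of the original article; every indicator, activity name, case reference and confidence value in it is constructed for illustration, and the three categories it assigns follow the article's own taxonomy (data only, known unknown, known known).

```python
# Added example, not from the original article. Models the article's
# distinction between data (a bare list of observations) and intelligence
# (the same observations joined with an analyst's context and compared
# against what the organisation actually does). All records below are
# constructed; the domains use the reserved .example TLD and the IPs are
# RFC 5737 documentation addresses.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Observation:
    """Raw data as it arrives in a feed: an indicator, its type, a timestamp."""
    indicator: str
    kind: str        # "domain", "ip", "sha256", ...
    seen_at: str

@dataclass(frozen=True)
class Analysis:
    """The contextual layer an analyst supplies for one observation."""
    behavior: str              # what the adversary does with the indicator
    targets: frozenset         # business/operational activities the behavior touches
    source: Optional[str]      # where the judgement comes from; None == "can't disclose"
    confidence: float          # 0.0 .. 1.0

@dataclass
class Assessment:
    indicator: str
    category: str              # "known known", "known unknown", or "data only"
    rationale: str             # written for a human to read, not a machine to match

def assess(obs, analysis, our_activities, min_confidence=0.7):
    """Place one observation into the article's categories.

    data only     : nothing but the indicator; a list entry, cannot inform a decision
    known unknown : analysed, but we can name what we still lack (a citable
                    source, enough confidence, or a point of intersection)
    known known   : analysed with a citable source, confident, and it
                    intersects something we actually do
    """
    if analysis is None:
        return Assessment(obs.indicator, "data only",
                          "no analysis attached; a list entry, not intelligence")
    if analysis.source is None:
        return Assessment(obs.indicator, "known unknown",
                          "source undisclosed; challenge the provider before acting")
    if analysis.confidence < min_confidence:
        return Assessment(obs.indicator, "known unknown",
                          f"confidence {analysis.confidence:.2f} below {min_confidence:.2f}; acquire more information")
    intersection = analysis.targets & our_activities
    if not intersection:
        return Assessment(obs.indicator, "known unknown",
                          f"behavior '{analysis.behavior}' does not intersect our activities yet; keep watching")
    return Assessment(obs.indicator, "known known",
                      f"'{analysis.behavior}' intersects {sorted(intersection)} (per {analysis.source}); act now")

def build_intelligence(observations, analyses, our_activities):
    """Join raw data with analysis; actionable items sort first (sort is stable)."""
    order = {"known known": 0, "known unknown": 1, "data only": 2}
    items = [assess(o, analyses.get(o.indicator), our_activities) for o in observations]
    return sorted(items, key=lambda a: order[a.category])

# --- constructed sample input: what this organisation does ---
OUR_ACTIVITIES = frozenset({"vpn remote access", "payroll portal", "customer support mailbox"})

# --- constructed sample input: the feed, i.e. the "list" ---
SAMPLE_OBSERVATIONS = [
    Observation("login-update.example", "domain", "2024-01-05T09:12:00Z"),
    Observation("203.0.113.7", "ip", "2024-01-05T11:40:00Z"),
    Observation("files-share.example", "domain", "2024-01-06T08:00:00Z"),
    Observation("198.51.100.22", "ip", "2024-01-06T14:30:00Z"),
]

# --- constructed sample input: the analyst's context for some of the list ---
SAMPLE_ANALYSES = {
    "login-update.example": Analysis("credential phishing against remote-access portals",
                                     frozenset({"vpn remote access"}),
                                     "analyst review of lure kit, case C-1 (constructed)", 0.9),
    "203.0.113.7": Analysis("password spraying", frozenset({"vpn remote access", "payroll portal"}),
                            None, 0.8),               # vendor would not name a source
    "files-share.example": Analysis("malware staging", frozenset({"engineering file server"}),
                                    "sandbox report S-2 (constructed)", 0.85),
    # 198.51.100.22 arrives with no analysis at all: data only
}

if __name__ == "__main__":
    for item in build_intelligence(SAMPLE_OBSERVATIONS, SAMPLE_ANALYSES, OUR_ACTIVITIES):
        print(f"{item.category:14} {item.indicator:22} {item.rationale}")
```

Running it prints one line per indicator with a human-readable rationale. Only the entry with a citable source, adequate confidence and an overlap with our own activities becomes a "known known"; the undisclosed-source entry and the one aimed at an activity we do not have stay "known unknowns" with a stated next step, and the bare indicator remains data. The thresholds and category names are choices made for this example, not a standard.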


About the author

Monty St John

Monty is a security professional with more than two decades of experience in threat intelligence, digital forensics, malware analytics, quality services, software engineering, development, IT/informatics, project management and training. He is an ISO 17025 laboratory auditor and assessor, reviewing and auditing 40+ laboratories. Monty is also a game designer and publisher who has authored more than 24 products and 35 editorial works.