Information Vs Intelligence
The cybersecurity industry can be awash with various terms, three-letter abbreviations, and jargon that are used incorrectly. This sets the wrong expectations and outcomes.
We are referring to Cyber Threat Intelligence (CTI), Open-Source Intelligence (OSINT), Social Media Intelligence (SOCMINT), Human Intelligence (HUMINT), and Technical Intelligence (TECHINT). All have a common theme running through them: the term intelligence. It is an industry buzzword that is designed to generate intrigue, resonate around boardrooms, and make practitioners of the varying disciplines walk ten feet tall.
There is, however, an underlying issue with at least three of those disciplines: the data they produce is arguably classed as information rather than intelligence, and the terms are commonly used to describe aggregated collection capability rather than a polished end product. There is a clear difference between information and intelligence.
Information is everywhere. As soon as you start browsing the internet, you are presented with information, be that from news articles, blogs, tweets, Facebook updates, or a funny YouTube clip.
As people walk down the street there are billboards showing information, newspapers containing information, people having conversations, and messages being sent via mobile phones, all of which contain information. These uncorroborated sources of information are just that: sources.
The same can be applied to information. It is someone’s opinion; it is someone’s word, or it is someone’s theory. They are standalone, uncorroborated sources of information that by themselves are meaningless.
When a CTI analyst starts a piece of work, be that a regulatory engagement (CBEST, TIBER et al) for a large financial organisation (as directed by the regulator), or a CTI task for a smaller client that needs some clarification on the threats they are likely to face, they start to follow the stages of the intelligence cycle. Those stages are typically as follows:
Direction is agreed upon between the analyst and the client at the start of the engagement. It should be driven by how the client will consume the intelligence provided and will need to define the scope of the work and the deliverables at the end.
The next stage is where information comes into play. The analyst will begin scouring the various information repositories they can access to start collating relevant data and information.
The data they receive can be structured or unstructured, human-readable, or machine-readable. An experienced analyst will know when they have collated enough information and will begin the task of sifting through the data to find information that is relevant and actionable to answer the necessary questions.
Each source of information can be graded for its reliability and information accuracy according to a well-defined matrix. There are several versions of this available, but one is shown in the table below.
Information Grading Table

|Source reliability|Information accuracy|
|---|---|
|A. Completely reliable|1. Confirmed by other sources|
|B. Usually reliable|2. Probably true|
|C. Fairly reliable|3. Possibly true|
|D. Not usually reliable|4. Doubtful|
|E. Unreliable|5. Improbable|
|F. Reliability cannot be judged|6. Truth cannot be judged|
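The grading table above can be applied mechanically during collection. The following is an added example, not part of the original article: it parses two-character grades such as `B2` (a letter from the first column and a digit from the second) and sorts collected items for processing. The triage thresholds, bucket names and sample items are assumptions made for illustration.

```python
from dataclasses import dataclass

# Labels copied from the grading table above.
RELIABILITY = {"A": "Completely reliable", "B": "Usually reliable", "C": "Fairly reliable",
               "D": "Not usually reliable", "E": "Unreliable", "F": "Reliability cannot be judged"}
ACCURACY = {1: "Confirmed by other sources", 2: "Probably true", 3: "Possibly true",
            4: "Doubtful", 5: "Improbable", 6: "Truth cannot be judged"}

@dataclass(frozen=True)
class Grade:
    source: str    # letter A-F
    accuracy: int  # digit 1-6

    @property
    def unjudged(self) -> bool:
        # F and 6 mean "cannot be judged"; they are not one step worse than E and 5.
        return self.source == "F" or self.accuracy == 6

def parse_grade(text: str) -> Grade:
    """Parse a two-character grade such as 'B2'; reject anything else."""
    text = text.strip().upper()
    if len(text) != 2 or text[0] not in RELIABILITY or text[1] not in "123456":
        raise ValueError(f"not a valid grade: {text!r}")
    return Grade(text[0], int(text[1]))

def triage(items, min_source="C", min_accuracy=3):
    """Split (claim, grade) pairs into three buckets.

    The thresholds are assumptions for this example, not values from the article.
    """
    buckets = {"use": [], "corroborate": [], "set_aside": []}
    for claim, raw in items:
        g = parse_grade(raw)
        if g.unjudged:
            buckets["corroborate"].append(claim)   # unknown is not the same as bad
        elif g.source <= min_source and g.accuracy <= min_accuracy:
            buckets["use"].append(claim)
        else:
            buckets["set_aside"].append(claim)
    return buckets

# Constructed sample collection, not real reporting.
SAMPLE = [
    ("Phishing kit reuses known infrastructure", "B2"),
    ("Forum post claims breach of a bank", "F3"),
    ("Anonymous tweet naming an actor", "E5"),
    ("Vendor report on ransomware affiliate", "A6"),
]
```

Items graded F or 6 go to the corroboration bucket rather than being treated as the lowest grade, because the table defines them as unjudged, not as unreliable or improbable.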
Military Intelligence practitioners are taught early on in their careers the difference between information and intelligence. The definition they are taught is simple yet succinct.
‘Intelligence is processed information’
This brings us to the third stage of the intelligence cycle: processing. To turn a piece of information into actionable intelligence, it must have been processed by a trained or qualified analyst.
An analyst will take pieces of the selected information, being conscious of numerous biases that can often creep into their work, and begin to analyse it. They will critique it, question it, and see if it fits in with what other sources of information are telling them.
If not, why not? What is different? What has one source seen that the others have not? These are questions that need answering.
There are well-documented analysis techniques such as the Analysis of Competing Hypotheses (ACH) or cones of plausibility, to name a few. They are designed to remove bias so that when the analyst has finished, they are presenting refined observations with informed assessment. These assessments are then used by decision-makers to make informed decisions.
Intelligence aims to answer questions like:
- Who are the threat actors most likely to target my organisation?
- What are their known Tactics, Techniques and Procedures (TTPs)?
- What are they looking to gain access to?
- Are they financially motivated or are they looking to gain a persistent foothold in the network for espionage purposes?
These are questions that CTI can and should be answering. To ensure questions are answered, the analyst will digest the information, make assessments, and present that information in a digestible manner.
When reviewing Intelligence offerings from vendors, we must be cognisant of what is intelligence and what is material to support marketing efforts. Seeing watered-down assessments or incomplete analysis is often indicative of marketing or sample material, with the ‘good stuff’ often saved for paying clients. Unfortunately, we also see organisations simply looking at the news and deciding that the business is suddenly going to be attacked by a nation-state threat actor just because an organisation in an entirely different vertical and geographic location was attacked – this is not sound logic.
Intelligence does not exist in binary form either. Assessments that we push analysts so hard to make need to be quantified, as nothing in intelligence is ever definitive. Defence Intelligence uses the ‘uncertainty’ yardstick, which is a great way to portray the confidence we have behind our assessments:
|Qualitative statement|Associated Probability Range|
|---|---|
|Remote or highly unlikely|<10%|
|Improbable or unlikely|15-25%|
|Probable or likely|51-74%|
|Highly likely/Very probable|75-89%|
By taking a reasoned approach and engaging the services of an experienced and qualified cybersecurity consultancy that specialises in Threat Intelligence, are you able to answer the aforementioned questions? Remember, Cyber Threat Intelligence is a core component that can help you protect your organisation. Information or threat feeds by themselves will not.
There is a stark difference between information and intelligence. Information is raw, uncorroborated data that appears everywhere. Any tweet, post, or news article is information that provides a single opinion. It is unverified and can lead to the wrong decisions being made. This is where a trained CTI analyst and intelligence come in.
The process of turning information into intelligence requires diligent processing, knowledge, expertise, and experience with the right direction. It involves taking a piece of information and questioning its authenticity. Does it confirm what I am seeing? Is this clickbait? Is this useful? Once these questions are answered and the information has been gathered, an analyst can begin to see the threat landscape. They can make informed assessments and provide context to the decision-making process, ultimately making the organisations they are responsible for safer.
By knowing who will attack you, you will be better placed to defend yourself and your critical assets.