Introduction to CTI as a General topic


The term Cyber Threat Intelligence (CTI) has been discussed as early as 2004. Unfortunately, the term has been applied to a broad range of activities, many of which, such as IP reputation lists and vulnerability management, pre-date its use. At the same time, information security practitioners have sought to bring new and novel techniques to the subject area, many of which have utility in the practical work of securing computers and the information held on them. Discussion of the topic has been influenced over time by industry analysts, professional bodies, hardware and software vendors, and practitioners, and a number of differing definitions are in circulation today. Much of the discussion has centred on different types of intelligence, from data-driven intelligence created through automated means through to the techniques and analysis used to create finished intelligence products. The intention of this Special Interest Group (SIG) is to provide an inclusive approach to defining the field, one that enables members and practitioners to consider a broad range of capabilities when discussing the topic. This page draws upon existing work to put forward a working definition for the SIG.

A working definition for Cyber Threat Intelligence

One approach that can help to create a definition is to break it down into its component parts.

A definition of cybersecurity

The precise definition of cybersecurity is hotly debated, but the term has entered common parlance in the English-speaking world. Merriam-Webster defines it as:

measures taken to protect a computer or computer system (as on the Internet) against unauthorised access or attack

Practitioners in the related and overlapping fields of Information Security, IT Security, and Computer Network Security strongly contested the introduction of the term. However, its use is now commonplace and generally accepted by non-practitioners, and the industry as a whole has, for the most part, taken the term on board. An excellent summary of this discussion, and an argument for its use, was put forward in 2016 by the security commentator Dr. Jessica Barker. Note that cybersecurity might also include the role that cyber deception operations can play in gathering intelligence.

A definition of threat

During work conducted by CREST in 2014 on behalf of the Bank of England, a team of 30 penetration testers and threat intelligence companies debated what threat meant to them and suggested the following definitions:

  • an expression of intent to do harm, i.e. to deprive, weaken, damage or destroy;
  • an indication of imminent harm;
  • an agent that is regarded as harmful;
  • a harmful agent's actions, comprising tactics, techniques, and procedures (TTPs).

Here, agent is used in its generic sense: it could be a person, a computer program, a government, a criminal organisation, or a thing or activity. Weather, for example, could be regarded as harmful in certain circumstances and therefore be considered a threat. The definition is intentionally broad, since threat may come from any direction. There is some excellent writing on this topic from Nassim Nicholas Taleb.

In the field of Information Security, threat is frequently expressed as one functional input into the understanding of risk:

Risk = f(Threat, Vulnerability, Impact)

The OWASP framework gives another example of how these inputs can be combined.

Threat itself is often also broken down as an expression of:

Threat = Capability (threat actor) x Motivation (threat actor) x Opportunity (target) (Reference)

A definition of Intelligence

The topic of intelligence is exceptionally broad and can relate to many different aspects of our world; indeed, the dictionary definition is itself very broad, and can be summarised as:

For the purposes of Cyber Threat Intelligence, the intention is to apply techniques aimed at preventing undesirable outcomes that might affect the cybersecurity of something we are responsible for protecting. Some of these techniques come from the following areas:

Another useful discussion is one that distinguishes data from information, and both from knowledge and intelligence.

The Bank of England CBEST guide gives the following explanation:

"Apart from the more general use of the term to describe the ability to acquire knowledge and skills, intelligence is more specifically used in military, police or political environments to describe information, usually used or collected covertly, about an adversary or hostile activities.

Its use to date in the business world has been largely in non-threat domains such as customer intelligence. Intelligence is a particular kind of information. Intelligence and information are often used interchangeably as are information and data. To properly understand information (and therefore intelligence) it is necessary to put it in context and a useful model is the data information knowledge pyramid".

This goes on to explore work originally put forward by Michael Hey in 2004:

It establishes the following useful definitions:

Data and information are often used interchangeably despite being different things. One potential source of confusion is that information can itself be subject to further abstraction and manipulation, in other words, one person’s information can be another person’s data.

At the Bank of England Cyber Working Group held on 9 January 2014 the following working definition of threat intelligence was drawn up: "Threat Intelligence is the contextualised output of a strategically-driven process of collection and analysis of information pertaining to the identities, goals, motivations, tools, and tactics of malicious entities intending to harm or undermine a targeted organisation’s operations, ICT systems or the information flowing through them." This was followed up at the CBEST threat intelligence workshop held on 13 March 2014, with three further definitions:

For the purposes of this report the second definition above has been adopted and refined:

There is a large variety in the skillsets demonstrated by different commercial entities, as well as a heavy overloading of terminology, which has repeatedly caused issues with inter-company and inter-personal communication. This body of work focuses on going back to the roots of this terminology, introducing the words and methods that have been used by professionals for many years, and adapting them for the reader in the context of CTI.

On this basis we put forward the following for consideration:

“Information about threats and threat actors [and their behaviours] that provides relevant and sufficient understanding for mitigating a potentially harmful event [related to] the Cyber domain”

Stakeholders that consume or use intelligence

In order to provide an intelligence product, a producer needs capabilities for acquiring, transforming and analysing raw materials into an intelligence product. To some extent this is covered by the Intelligence Lifecycle. Ultimately, different people in an organisation may consume the resulting product.

An important question is who uses or consumes threat intelligence. David Bianco's Pyramid of Pain discusses how different types of intelligence product require different levels of investment in evidence to produce. Additionally, this report by MWR and the NCSC sets out the following types of intelligence product.

[1] David Bianco, "Pyramid of Pain"

[2] UK NCSC, paper sponsored by MWR Labs

[3] Centre for Internet Security (CIS): defines strategic, operational, and tactical intelligence

[4] Dave Shackleford, SANS 2018 Survey on Cyber Threat Intelligence

[5] OASIS CTI Technical Committee

[6] A Definition of Intelligence

[7] Ryan Stillions, Detection Maturity Level model

[8] CIA, A Definition of Intelligence