The term Cyber Threat Intelligence (CTI) has been discussed as early as 2004. Unfortunately, the application of the term has been applied to a broad range of activities many of which, such as IP reputation lists and vulnerability management, pre-date the use of the term. At the same time information security practitioners have sought to bring new and novel techniques to advance the subject area, many of which have utility in the practical work of securing computers and the information held upon them. Discussion on the topic has been influenced by industry analysts, professional bodies, hardware & software vendors, and practitioners over time and a number of varying definitions exist in circulation today. Much of the discussion has centred around different types of intelligence from data-driven intelligence created through automated means, through to the techniques and analysis used to create finished intelligence products. The intention of this Special Interest Group (SIG) is to provide an inclusive approach to defining the field which enables members and practitioners to consider a broad range of capabilities when discussing the topic. This page seeks to draw upon existing work to put forward a working definition for the SIG.
One approach that can help to create a definition is to break the definition down into it's component parts.
The precise definition of cybersecurity is a hotly debated, but cybersecurity has entered common parlance in the english speaking world. Merriam Webster defines it as
measures taken to protect a computer or computer system (as on the Internet) against unauthorised access or attack
Practitioners of the field of the related and overlapping fields of Information Security, IT Security, and Computer Network Security strongly contested the introduction of the term. However its use is now commonplace and generally accepted by non-practitioners and now the industry as a whole has for the most part, taken this term on board. An excellent summary of this discussion and an argument for it's use was suggested in 2016 by the security commentator Dr. Jessica Barker. Please note that cybersecurity might also include the role that cyber deception operations might play in gathering intelligence.
During some work conducted by CREST in 2014 on behalf of the Bank of England a team of 30 penetration testers and threat intelligence companies debated what threat meant to them and suggested the following definitions
- An expression of intent to do harm, i.e. to deprive, weaken, damage or destroy
- an indication of imminent harm;
- an agent that is regarded as harmful;
- a harmful agent’s actions comprising of tactics, techniques, and procedures (TTPs).
Here, an agent is used in it's generic sense. It could be a person, a computer program, a government, a criminal organisation, or it could be a thing or activity. Weather, for example, could be regarded as harmful in certain circumstances and therefore be considered as a threat. It is intentionally broad since threat may come from any direction. There is some excellent writing on this topic from Naseem Nicholas Taleb.
In the topic field of Information Security, Threat is frequently expressed as a functional input into the understanding of Risk.
F(Risk) = (Threat, Vulnerability, Impact)
The OWASP framework lists another example of how these inputs can work here.
Threat itself is often also broken down as an expression of:
Threat = Capability (threat actor) x Motivation (threat actor) x Opportunity (target) (Reference)
The topic of intelligence is exceptionally broad and can relate to many different aspects of our world, indeed the dictionary definition is very broad indeed which can be summarised as:
For the purposes of Cyber Threat Intelligence, the intention is to apply techniques with the intention of preventing undesirable outcomes that might affect the cybersecurity of something we might be responsible for protecting. Some of these techniques come from the following areas:
Another useful discussion is that that distinguishes data from information, from knowledge and intelligence
The Bank of England CBEST guide gives the following explanation:
"Apart from the more general use of term to describe the ability to acquire knowledge and skills, intelligence is more specifically used in military, police or political environments to describe information, usually used or collected covertly, about an adversary or hostile activities.
Its use to date in the business world has been largely in non-threat domains such as customer intelligence. Intelligence is a particular kind of information. Intelligence and information are often used interchangeably as are information and data. To properly understand information (and therefore intelligence) it is necessary to put it in context and a useful model is the data information knowledge pyramid".
This goes on to explore work originally put forward by Michael Hey in 2004: http://inls151f14.web.unc.edu/files/2014/08/hey2004-DIKWchain.pdf
It establishes the following useful definitions
Data: Data equates to elementary facts and observables. For example, name, age, postal address, telephone number, bank balance, etc. When describing the indicators that describe a cyber attack, the Lockheed Martin kill chain refers to elementary ‘atomic indicators’ that retain their meaning in the context of an intrusion, examples being IP addresses, email addresses and vulnerability identifiers (Hutchins, Cloppert and Amin (2011)). These equate to data. On its own, data does not provide any intrinsic value.
Data and information are often used interchangeably despite being different things. One potential source of confusion is that information can itself be subject to further abstraction and manipulation, in other words, one person’s information can be another person’s data.
Knowledge: The layer above information is knowledge, or the interpretation and exploitation of relevant information in order to solve a problem or to make a decision. This is usually undertaken by humans but can also be done by machines. Very often knowledge is expressed in the form of an ‘if-then rule’ (also known as a heuristic, implication, or, more commonly, a business rule). For example, to continue the previous banking example, a suitable heuristic might be ‘If an account has been dormant, and this month’s spending is very high, then it may have been taken over by a fraudster’ (where ‘has been dormant’ and ‘very high’ are information-level data abstractions of data). The Lockheed Martin kill chain refers to ‘behavioural indicators’ which are collections of both computed and stand-alone indicators, often subject to qualification by quantity and possibly combinatorial logic. An example might be ‘The intruder would initially used a backdoor which generated network traffic matching [regular expression] at the rate of [some frequency] to [some IP address], and then replace it with one matching the MD5 hash [value] once access was established’ (Hutchins, Cloppert and Amin (2011). This equates to knowledge. As with information, knowledge can be subject to further abstraction and manipulation, resulting in higher-level constructs such as wisdom, intuition, and so on. However, these serve to complicate the picture and are all variations on the core theme of a higher-level knowledge layer where information is structured and applied.
At the Bank of England Cyber Working Group held on 9 January 2014 the following working definition of threat intelligence was drawn up: "Threat Intelligence is the contextualised output of a strategically-driven process of collection and analysis of information pertaining to the identities, goals, motivations, tools, and tactics of malicious entities intending to harm or undermine a targeted organisation’s operations, ICT systems or the information flowing through them." This was followed up at the CBEST threat intelligence workshop held on 13 March 2014, with three further definitions:
For the purposes of this report the second definition above has been adopted and refined:
There is a large variety of the skillet demonstrated by different commercial entities, as well as, a heavy overloading of terminology which has repeatedly caused issues with inter-company and inter-personal communication. This body of work is focusing on going back to the roots of this terminology and introducing the words and methods that have been used by professionals for many years and help adapt them for the reader in the context of CTI.
On this basis we put forward the following for consideration
“Information about threats and threat actors [and their behaviours] that provides relevant and sufficient understanding for mitigating a potentially harmful event [related to] the Cyber domain”
Stakeholders the consume or use intelligence
In order to provide an intelligence product, a producer would need capabilities for acquiring, transforming and analyzing raw materials into an intelligence product. To some extent this is covered by the Intelligence Lifecycle. Ultimately there may be different people in an organisation that would consume the resulting product.
An important question is to look at who uses or consumes threat intelligence. David Bianco's Pyramid of Pain, discusses how different types of intelligence products requires different types of investment in evidence to produce. Additionally this report by MWR and the NCSC sets out the following types of intelligence product.
 David Bianco “Pyramid of Pain”
 UK NCSC – Paper sponsored by MWR Labs
 Centre for Internet Security (CIS): https://www.cisecurity.org/what-is-cyber-threat-intelligence/ - defines strategic, operational, and tactical
 Dave Shackleford - SANS 2018 Survey on Cyber Threat Intelligence
 OASIS CTI Technical Committee
 - A Definition of Intelligence
 Ryan Stillions - Detection Maturity Level model
 CIA, A definition of Intelligence