What Is Cyber Intelligence And Why Is It Necessary?
In this short article, we briefly discuss what cyber intelligence means and why it is necessary in cyber security, and we explain what cyber threat intelligence is. Lastly, we pass on some of the tricks of cyber intelligence operations. Get ready to hear some serious insights from the experts!
Let's start with the definition of 'intelligence'. According to Wikipedia, intelligence refers to the process of gathering, analysing and interpreting tactical information in order to present it to political authorities. Information must therefore be combined, analysed, disseminated and interpreted before it can be defined as intelligence. In contrast, raw information can be gathered from any kind of source and may be unrelated, unreliable, misleading and inaccurate.
This explanation is consistent with the meaning of intelligence in other languages. Here we need to emphasise that information must be analysed and processed before it can be defined as intelligence. These steps, also known as the dissemination and processing of information, are the main difference between intelligence and meaningless data.
Let's move on to how we started this journey. We decided to build a cyber intelligence platform because all available cyber intelligence products on the market were reactive, and organisations could only identify attacks after they had actually happened. As these companies carried on making investments without knowing the dark side of cyberspace (also referred to simply as the "underground"), it became inevitable for us to build a platform that reports what happens on the dark side of the cyber world.
GPACT Cyber Intelligence Platform
Accordingly, we developed our GPACT Cyber Intelligence Platform (also known as the very first Cyber Intelligence Network Platform in Turkey, under the name U.S.T.A.) 6 years ago and introduced it to many sectors, banking in particular. In 2013 the GPACT platform was introduced at the Cyber Intelligence Conference, where NATO was one of the participants. Therefore we are proud to say that we are one of the first cyber intelligence platforms in the world. We were also actively involved in the project of creating MITRE's STIX (PRODAFT GPACT: http://stixproject.github.io/supporters/).
Six years ago it was quite difficult to explain what cyber intelligence was, especially when this market did not even exist. Today, however, we are happy to see that many companies are trying to provide cyber intelligence services, even though some do not fully understand what it stands for. Let's now look at how cyber intelligence is marketed and at the difference between "cyber threat intelligence" and "cyber intelligence", as well as their pros and cons. We will then continue with our GPACT Platform.
Cyber attackers leave traces (digital records) in the digital world, just like normal criminals, and they can be traced by the tools they use. These records are collected by different cyber security firms and shared or sold without any processing. This way, institutions try to take the necessary security measures against potential threats. Even if these raw records, also known as cyber threat intelligence, are useful for institutions, we have to say that they are far from cyber intelligence. Nevertheless, one of the advantages of cyber threat intelligence is that it is easily processed by institutions. For example, a threat information metric can be quickly sent and processed by organizations by means of their SIEMs, firewalls, etc. On the other hand, a well-scoped cyber intelligence report about the same cyber threat would require more time.
There are dozens of platforms where you can get free cyber threat intelligence. However, it is important to know that the threat information received must be relevant to the physical location and ecosystem of the institution. To sum up, we cannot refer to the various notifications you receive, such as cyber threats, malicious software hashes and malicious URLs, as "cyber intelligence" unless they are analysed, processed and interpreted in an understandable manner.
So, we now understand what cyber threat intelligence is and what its value is. What about cyber intelligence?
Cyber intelligence is the process of transforming the data gathered by 'traditional methods of intelligence' from the attackers' platforms into an actionable report for the target institution. The traditional intelligence methods may include passive follow-ups or actively created 'personas' to find out what the attackers are talking about, their new methods, their stolen information, and all other operational details. These methods certainly require a high level of knowledge and experience. This is why it is very easy to say that one provides cyber intelligence, but doing it properly requires a lot of experience in the field.
In order to clarify what we really do, we added the cover page of our latest cyber intelligence report here. The GPACT platform, with over 20 cyber intelligence analysts, regularly identifies and evaluates new threats and reports them to institutions.
Can anyone actually provide cyber intelligence (not cyber threat intelligence)? Which features differentiate one cyber intelligence service from another? Can you have more intelligence than you need? Let's continue.
Intelligence is defined as information that has been analysed, processed and reported accordingly. Theoretically anyone can say that they provide cyber intelligence services; however, there are a few very important points to consider.
1- The methods by which the information is gathered and the source of the raw information must be clear and provable.
Any intelligence reported to an institution must be reported together with its source and credibility. Irrelevant information from deep and dark web forums, such as 'they write about your institution that you will be hacked', is just rumour, and we call this cyber gossip.
2- What are the main features that differentiate a cyber intelligence service from others?
The main feature and quality difference lies in the team. If a cyber intelligence service provider does not employ expert teams from different areas, it cannot report to you the threats that may come from a variety of deep-web environments. The provider must have many experts from different disciplines within the team. Intelligence is not a science suitable for automation. We can underline the fact that the success of a platform as complex as GPACT lies in our team.
3- Is there such a thing as unnecessary intelligence? Can we have more of it than we need?
Sometimes cyber intelligence may damage your institution, especially when it is not truly competent. Reporting irrelevant data from the deep and dark web may cause panic and waste hundreds of hours of work within an institution. Therefore an excited newcomer may cause serious damage while trying to protect your institution.
This article has been written to explain cyber intelligence to those who do not know much about it, and also to guide the CTI and cyber intelligence firms that are rapidly developing in the sector. We have been continuously investing in our research and development activities for the last six years, and we will continue to inform our members about any cyber threats.