As a recap, let’s quickly define what threat intelligence is in the context of cyber-security. Threat intelligence is created by a process which takes raw data and information from a variety of sources and turns it in to strategically, tactically, or operationally valuable information.
The collected raw data and information is then categorised, analysed further, and given context and meaning, producing threat intelligence.
This intelligence is then used by an organisation to ensure its governance, risk and operational functions understand what threats they face and can make informed decisions in response.
Automated processing: how we do it, its value and limitations
As an industry we have at our disposal a plethora of cyber-domain-specific and generic computer science approaches to automate or semi-automate data and information processing. The purpose of this automation is to aid in the discovery, analysis and ultimate production of threat intelligence. At a high level the most common approaches today include:
Systems for the automated collection, processing, and storage of data that is big or small and may be either generic (network traffic collection) or problem-specific (e.g. malware analysis) in nature; basic patterns, such as regular expressions to identify data that is or is not of interest; statistical or probability algorithms, to identify things which are or are not similar; machine learning algorithms, to provide statistical classification around what is or is not normal or expected; and natural language processing of human-produced text, to extract sentiment, intent, purpose, target, or topic.
However, while these solutions are tremendous work reduction aids when processing huge amounts of data or looking for things that might be interesting, they aren’t a panacea.
Even with machine learning and expert systems (an implementation of artificial intelligence) there is still today no replacement for the human analyst, and thus there is no fully automated way to produce high quality tailored threat intelligence.
The limitations of automation often start to become evident where we have new types of events, techniques or other things we previously didn’t understand. In these situations gaps can appear in the automated system’s ability to collect, consume, process or otherwise classify its inputs or outputs.
When these systems start to stumble in this way we often see them come to incorrect conclusions and thus devalue or derail the resultant information.
Human processing: the power of adaptive reasoning
In threat intelligence there is a confidence scale that goes from the fully qualified ('this is the threat to your organization because of xyz facts which are supported by def with this level of certainty') through to the unqualified ('we cannot say this is a threat or not at this time because of abc unknowns or contradictions'), with varying degrees of confidence, caveats and assertions in between.
Threat intelligence may also need additional context relating to the organisation consuming it in order to be of value, or there may be small print that is important when making decisions based on it.
It is for these reasons, among others, that human threat intelligence analysts are critical in providing the required narrative, context, and meaning to ensure the quality one would expect from such intelligence if it is expected to be actioned.
This reliance on humans as part of the process arises from a unique trait that we have over computers – our ability for adaptive reasoning, or in other words our ability for problem solving and our ability to think laterally.
Unlike today’s algorithms or childlike artificial intelligence, an adult human has an amazing ability for logical thought, challenging assumptions, explanation, and justification.
These abilities, combined with being able to think at a conceptual level and inferring approximate meanings and likely relationships very quickly, mean we are able to make huge leaps where a computer may not.
These advantages mean a human analyst can quickly draw a likely correlation between, for example, a piece of malicious code, a set of events, and a likely set of threat actors, and can come up with an interpretation of the threat actors’ likely motivations.
This likely correlation can then be either supported, questioned or dismissed based on the available data and information. Even with the risk of confirmation bias, a good threat intelligence analysis function with appropriate quality and oversight controls will outperform its competitors.
As a result, threat intelligence analysts are able to go beyond what any fully-automated system can do today in terms of finding related events, observables, tactics, techniques, procedures, and actors, while also providing valuable context and meaning to the business.
The business value of human analysis and interpretation of intelligence
While humans are impressive, we are not infallible when identifying casual relationships due to, as already mentioned, tendancies for such confirmation bias or causation. We need no clearer example of this frailty than the attribution of Internet-based threat actors.
Today there is a tendency to point to certain countries as the originators. However, as their tactics, techniques, and procedures become increasingly scrutinised, well understood and publicised, it is also arguably getting easier to replicate their techniques and thus appear to be them.
This is a good example of an assumption that should be challenged, and a good analyst will provide further evidence or appropriate caveats when making such an assumption in their analysis.
This analysis and interpretation of the data and information to form the threat intelligence and associated nuance is a good example of why humans are critical in providing the context and meaning before important strategic, tactical, or operational decisions are made based on it.
History and fiction is littered with examples of unintended consequences when computers are left to make their own decisions.
So while cyber threat intelligence providers invest heavily in technology and intellectual property development, we also place a strong emphasis on having a suitable-sized team comprised of diverse and experienced threat intelligence analysts.
These analysts, if you hadn’t already guessed, are the ones who are able to interpret the data and validate whilst providing the required context and meaning.
In short, humans are still unique in their efficiency and abilities and we won’t be replacing them yet in our provision of high quality cyber threat intelligence to clients.
Sourced from Ollie Whitehouse, technical director, NCC Group