The fundamental interplay of threats and the intelligence with which we respond to them has not really changed. One party strives to compromise another party — by stealing goods, money or information; by damaging assets; by using something (goods, customers, knowledge) as leverage and extorting the victim for gain. We thwart such efforts through intelligence — learning the tools and techniques of those who would do harm, listening for clues that attacks are being planned, looking for vulnerabilities that would facilitate the efforts of threat actors, and leveraging connections with others who are keeping an eye out for suspicious behavior.
What has changed, broadly speaking, is the size of the battlefield. The dark web provides many secret redoubts and spider holes in which bad actors can do business. It’s a challenge for cyber threat hunting teams to stay abreast. The expansion of the domain in which conversations take place and new attack plans appear means that the real threats can be hidden in that much more noise. Cyber threat intelligence providers have responded primarily with AI and big data tools that can scoop up and analyze that much more raw information.
Even more important than the introduction of AI and big data tools, though, has been the evolution of the role of human intelligence when it comes to cyber threat intelligence. That sounds counterintuitive, but it really isn’t. The AI and big data tools are not yet sophisticated enough to keep track of the expansion of this battlefield. They’re good at scooping up large data sets from known threat sources and analyzing it for known issues. But they are not so good at discovering where new conversations are emerging or of inferring motives and meaning when both are couched in coded terms. Key to the success of any cyber threat intelligence effort remains the ability to aggregate information from all the expanding threat sources, because tomorrow’s threats will not emerge solely from the same places they emerged yesterday or last month.
That’s where human intelligence augments AI and big data. Human intelligence experts enable the next stage of evolution in cyber threat intelligence. They can help guide the collection of intelligence and derive more contextual meaning and significance from the signals that the AI and big data systems are detecting in the noise. They can assess the character of those discovered signals and identify who is more likely to be vulnerable to the emerging threats.
This discernment is critical as the volume of noise increases. More signals will be found in the noise, but unless a cyber threat intelligence provider can effectively determine which signals pose real threats to which industries, companies, hardware users, and so on, the consumers of threat intelligence information will be left to sort it out for themselves — and they’ve been inundated for too many years with what might charitably be called unfinished information. If we, as cyber threat intelligence service providers, are doing our jobs right, then the consumers of cyber threat intelligence may generally be made aware of fewer threats because the threat information we can provide will be the finished threat information that really matters to them — which they can then act upon quickly in intelligent ways.