Defining Cyber Threat Intelligence

As I worked through my massive mental back-log of un-shared thoughts, I realized it might first behoove me to share some insight into how I’ve come to think about intelligence in the first place.  It’s this basis that underpins how I see the discipline of CTI, so before I go on about why strategic intelligence is important, how to conduct tactical collection, etc etc etc, I feel compelled to offer my own perspective.

What is Intelligence?

Many definitions exist for the term intelligence, none of which seem to satisfy my own experiences in leveraging Cyber Threat Intelligence throughout my career.  The majority focus on countries and governments, are bound by some technique, and focus on influencing national policy.  Although this may be true for nation-states, such definitions are overly narrow for use in a domain that includes the employment of intelligence for – among other things – threats facing businesses.  Even in the narrower contexts I’ve found, governments have struggled to properly characterize this term.

In 1995, Bimfort discussed the challenges of defining intelligence in a publication on the CIA’s Center for the Study of Intelligence (CSI) library, ending with the following:

Intelligence is the collecting and processing of that information about foreign countries and their agents which is needed by a government for its foreign policy and for national security, the conduct of non-attributable activities abroad to facilitate the implementation of foreign policy, and the protection of both process and product, as well as persons and organizations concerned with these, against unauthorized disclosure. (Bimfort, 1995)

While his definition addresses a number of deficiencies he observed (including the consistent failure to factor in counterintelligence), it has an undeniably government, and human, slant – no surprise coming from one of the world’s most storied government human intelligence agencies.  It’s also quite a mouthful.  My experience tells me that simple elegance makes for the most useful definitions.  The chronic problem in trying to wrangle a definition of intelligence is perhaps best characterized by the CIA Staff Historian Dr. Michael Warner:

The term is defined anew by each author who addresses it, and these definitions rarely refer to one another or build off what has been written before. (Warner, 2007)

Dr. Warner’s subtext is a challenge to use existing definitions for intelligence, rather than continuously re-inventing them.  He goes on to provide a far more comprehensive selection of definitions (including Bimfort’s), selects one, and slightly re-phrases it as follows:

Intelligence is secret, state activity to understand or influence foreign entities. (Warner, 2007)

However well-reasoned this definition was (and it was), it still misses the mark as a broader term upon which Cyber Threat Intelligence can be defined, in my extensive experience.  Again, one can easily see that the issue is the scoping of the term to “state activity.”

Lying within many of the attempts I’ve found to define “intelligence” more broadly is a bias toward a particular type of intelligence, and they continue to overwhelmingly focus on geopolitical outcomes.  I feel intelligence is broader than this.  “Business intelligence” is a good example of one such use of “intelligence” that has nothing directly to do with nation-state objectives.  In all the definitions I’ve seen, there seems to be a suggestion that intelligence is interpreted information, and an implication of the use of some form of assessment (or maybe prediction) from this information so as to advance one’s own interests (or those of a group).  While that may suffice as a definition for intelligence more broadly, I will not muddy the waters with yet another definition of that word alone.  In the end, I feel “intelligence” is too broad by itself to truly capture an art, or discipline.  Indeed, I feel it is in the typification of intelligence where the utility of the definition in scoping a field of study is most useful.

Which brings us to “cyber”

Let me make one thing absolutely clear: I have always hated the word “cyber.”  I am not alone in this.  My former LM-CIRT colleague Dr. Charles Smutz was so frustrated with the egregious use of this prefix, that he expressed his disdain the primary way computer scientists are wont to do – in code: he wrote a tool to calculate the “cyber prefixation score” of a given news article or publication.  My own code outlet was in a simple sed script that prefixed cyberevery cyberword cyberwith cybera cybercyber:

s/(\w+)/cyber\1/g;

Such was my disdain for “cyber,” that in our initial discussions on the topic of developing a class around this je ne sais quoi that was clearly a turning point for information security more broadly, I fought hard to convince SANS’s Rob Lee to adopt “Intel-driven CND” rather than “Cyber Threat Intelligence.” Eventually I caved to Rob’s deeper experience in security more broadly, feeling he was on to something – besides, it was a much more accessible term for practitioners.  And so, in 2012 “Cyber Threat Intelligence” was born, and eventually (mercifully, years later) the FOR578 Cyber Threat Intelligence course debuted.

Rob was right.  I can’t recall if we explicitly discussed these models and ideas as the emergence of a new type of intelligence analysis, but it became clear in time that that’s almost exactly what it was.  In reality, what we were discussing at the time was Cyber Threat Counterintelligence – and this is what most people today are actually speaking of when they talk about CTI.  But when one speaks of counterintelligence, it is self-evident there is intelligence as well… whatever that might be.

In any case, it’s clear today that conducting operations to compete over information protection and disclosure in cyberspace (i.e. through the internet) is by its very nature different than other intelligence disciplines.  It is, however – by just about any definition – “intelligence.”  The only remaining question is how do we articulate all of that?

To the point of a definition

While it may be easy to avoid defining CTI at all, I have seen so many clear manipulations of it by those seeking profit that I am unwilling to let this domain we’ve worked so hard to build be perverted into some unprovably useful (yet highly profitable) bits of useless drivel exploiting that lack of clarity.  And while a universal definition of intelligence may forever evade our collective agreement, it is clear that it comes in many forms that are better defined separately.   Nevertheless, these forms do carry some common, if undefined, characteristics, approaches and methodologies that transcend these distinctions.

And with all of that finally being said, I offer the following characteristically unconventional definitions:

  • I define Cyber Threat Intelligence Operations as actions taken in cyberspace to compromise and defend protected information and capabilities available in that domain;
  • I define Cyber Threat Intelligence Analysis as the analysis of those actions and the actors, tools, and techniques behind them so as to support Operations;
  • and I define the Cyber Threat Intelligence domain as the union of Cyber Threat Intelligence Operations and Analysis.

This blog will discuss the study of that field, in theory and practice, at every level of abstraction (to be covered in my next post), and any immediately-related topics.

Follow-up

(2016-10-02) This post generated some great discussion on Twitter and, in particular, by two of my respected colleagues, Robert M. Lee and Sergio Caltagirone.  Sergio states, in short, that “traditional definitions of intelligence are applicable by simply broadening them outside of their state-only constraint,” and a separate definition for CTI isn’t strictly necessary.  Robert offers his own (impressively researched and argued) definition: “the process and product resulting from the interpretation of raw data into information that meets a requirement as it relates to the adversaries that have the intent, opportunity and capability to do harm.”  We all seem to agree that none of our definitions are exclusive of each other, and are in fact complementary.

While a new definition may not be necessary, as Sergio suggests, I think a simplified clarification is helpful, particularly in making our field accessible to those less familiar with it (or in defending its bounds to those seeking to exploit ambiguity).  Both he and Robert include in their definition both the what and the why.  For the sake of simplicity and brevity, I deliberately left this out of mine.  I hope to cover the subject of why in a future blog post.

3 thoughts on “Defining Cyber Threat Intelligence”

  1. ‘Intelligence’ is usually defined by the source from which it is collected but, as I think you were suggesting, definition challenges abound when multiple sources are used.

    I have attended the FOR 572 course and found it to have a decidedly (to use your definition) Cyber Threat Intelligence Operations feel about it. As such it did not seem to meet most of the expectations I had of a course related to Intelligence; it was distinctly counter-intelligence.

    Could you further elaborate on your definitions?
    Perhaps suggest what responsibilities would be expected of each, e.g. signature writing (YARA, Snort, etc.) and report generation.
    Would the Cyber Threat Intelligence Operations responsibility fall within current monitoring and detection teams, or does it require dedicated personnel?

  2. I am currently conducting a research project on threat intelligence. Very early on in the project, we identified that everyone we talked to had different views on what threat intelligence is, and this was hampering more in-depth discussion of the topic, so we’ve been working on a definition too!

    During our research we found three definitions of intelligence that we thought identified useful and relevant aspects of intelligence.

    1) Intelligence is: the product resulting from the collection, processing, integration, analysis, evaluation, and interpretation of available information… about an adversary. (US DoD)

    Aspect 1: intelligence is the outcome of an analytical process of available information.

    2) (Foreign) intelligence is: information relating to the capabilities, intentions or activities of foreign governments or elements thereof, foreign organisations, or foreign persons. (US National Security Act, 1947)

    Aspect 2: intelligence tells you about the capabilities, intentions and activities of adversarial threats (those trying to do you harm).

    3) Intelligence is: knowledge and foreknowledge of the world around us — the prelude to decision and action by US policymakers. (US Central Intelligence Agency (Office of Public Affairs), A Consumer’s Guide to Intelligence)

    Aspect 3: intelligence enables you to make better decisions and therefore take better actions.

    So we’ve drafted this definition to draw these together:

    ‘Threat intelligence is the product resulting from the analysis of available information about adversarial threats’ capabilities, intentions or activities – the prelude to decision or action.’

    It’s the last aspect that we’re particularly interested in: how organisations use threat intelligence to make better decisions and take action. Whilst many organisations do use threat intelligence to support their cyber operations, that’s not the only use. We have also found organisations are using it to support information risk management too.

    I’ve found these thoughts and discussions really useful. Thanks!
