
Maturing the Cyber Threat Intelligence Field into a Discipline

My background is in operational intelligence. I started my career as a naval intelligence officer working the dynamic problems of operational fleets in real-world, ours-vs-theirs situations. I later worked joint and allied military intelligence, but still in that operational side of the field, trying to figure out what might happen in chaotic situations where adversaries were trying to keep their intent secret. Later in my career I was able to apply those lessons to the new construct of intelligence support to cyber conflict. As the first director of intelligence to the first DoD cyber command, the Joint Task Force for Computer Network Defense, I was able to apply lessons of operational intelligence to the new world of continuous cyber operations.

I’m very pleased to still be in the field, working to support clients via OODA LLC and our reporting to clients here (including the special cyber series by cyber threat intelligence pioneer Mike Tanji). But I’m even more pleased to have seen how the field matured around me. Cyber Threat Intelligence is becoming a professional discipline.

Evidence of the health of the emerging discipline of cyber threat intelligence abounds. There are many high-performing providers of cyber threat intelligence services in the business world, including data providers, analytical teams, and providers of unique technical tools for the cyber intelligence community. There are community-wide analytical efforts and teams that produce incredible analysis, some of which have been operating together for more than a decade (consider, for example, the Verizon Data Breach Investigations Report). Most vendors in the cybersecurity space publish special reports on adversary activities, some of such quality that they have shaped broad community action for years (an exemplar here is the Feb 2013 Mandiant report on APT1). There are books on the subject (including my own, The Cyber Threat), conferences, training courses, university courses and dynamic community interaction between and among practitioners in the growing field.

Standards for reporting on adversary behavior have also been maturing. When I started in this field we were lucky to find a taxonomy from the Carnegie Mellon University Software Engineering Institute called “A Common Language for Computer Security Incidents.” Now the community has matured standards for reporting adversary activity to the point where machines can help humans rapidly characterize, analyze and exchange insights on what adversaries are doing. An example is the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, which is published in a machine-readable form so that a technique ID observed in one team's incident report means the same thing to every other team's tooling.
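As an added illustration of what “machines helping humans characterize adversary activity” looks like in practice (this is example code written for this page, not code from the original post, from MITRE, or from the SEI report), the block below parses a constructed, heavily abbreviated STIX-style bundle laid out the way MITRE distributes ATT&CK (attack-pattern objects carrying a mitre-attack external_id and kill_chain_phases), indexes techniques by ID, and then maps a constructed list of technique IDs observed during an incident onto ATT&CK tactics, flagging IDs the knowledge base does not recognize. The technique names and tactic assignments in the sample match ATT&CK for those IDs; the bundle identifiers, the revoked entry and the observed-ID list are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed, abbreviated bundle in the layout MITRE uses for ATT&CK STIX data.
# A real bundle has hundreds of attack-patterns plus relationships, groups and
# software; only the fields this example reads are included.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000002",
         "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000003",
         "name": "Command and Scripting Interpreter",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000004",
         "name": "Valid Accounts",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p}
                               for p in ("defense-evasion", "persistence",
                                         "privilege-escalation", "initial-access")]},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000005",
         "name": "Data Encrypted for Impact",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1486"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "impact"}]},
        # ATT&CK keeps retired techniques in the bundle with revoked/deprecated
        # flags; tooling must skip them. This entry is constructed.
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000006",
         "name": "Revoked example (constructed)", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
    ],
})

# Constructed list of technique IDs an analyst tagged in an incident write-up.
# T9999 is not an ATT&CK ID and T0000 is revoked in the sample above.
OBSERVED_TECHNIQUES = ["T1566", "T1059", "T1078", "T1486", "T9999", "T0000"]


def load_techniques(bundle_json):
    """Index live ATT&CK attack-patterns: technique ID -> (name, set of tactics)."""
    bundle = json.loads(bundle_json)
    index = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = next((ref.get("external_id") for ref in obj.get("external_references", [])
                    if ref.get("source_name") == "mitre-attack"), None)
        if not tid:
            continue
        tactics = {phase["phase_name"] for phase in obj.get("kill_chain_phases", [])
                   if phase.get("kill_chain_name") == "mitre-attack"}
        index[tid] = (obj.get("name", tid), tactics)
    return index


def summarize_observations(observed_ids, index):
    """Map observed technique IDs onto tactics.

    Returns (tactic -> sorted list of "TID name", list of unrecognized IDs).
    A technique that belongs to several tactics, such as Valid Accounts,
    is listed under each of them.
    """
    by_tactic = defaultdict(list)
    unknown = []
    for tid in observed_ids:
        entry = index.get(tid)
        if entry is None:
            unknown.append(tid)
            continue
        name, tactics = entry
        for tactic in tactics:
            by_tactic[tactic].append(f"{tid} {name}")
    return {t: sorted(v) for t, v in by_tactic.items()}, unknown


def run_example():
    """Build the index from the sample bundle and summarize the sample incident."""
    index = load_techniques(SAMPLE_BUNDLE)
    return summarize_observations(OBSERVED_TECHNIQUES, index)


if __name__ == "__main__":
    summary, unknown = run_example()
    for tactic in sorted(summary):
        print(f"{tactic}: {', '.join(summary[tactic])}")
    if unknown:
        print("not in knowledge base (check for typos or version drift):", unknown)
```

The unrecognized-ID list is the part worth keeping in any real pipeline: an ID that is not in the current bundle is usually a typo, a retired technique, or a report written against a newer ATT&CK version than the one your tooling loaded, and each of those is a different problem to fix.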

Further evidence of the maturity of the cyber threat intelligence community comes from the most recent study from the Carnegie Mellon University Software Engineering Institute. I find it pleasing to think that the same group that produced the study I referenced above in 1994 is still involved in moving the community forward in 2019. The new study is a report on cyber intelligence practices done on behalf of the U.S. Office of the Director of National Intelligence (ODNI).

The press release for the report reads:

Cyber intelligence—acquiring, processing, analyzing, and disseminating information that identifies, tracks, and predicts threats, risks, and opportunities in the cyber domain to enhance decision making—is a rapidly changing field. The report provides a snapshot in time of best practices and biggest challenges, and three how-to guides provide practical steps for implementing cyber intelligence with artificial intelligence, the internet of things, and public cyber threat frameworks.

I digested the entirety of their report. It is long, and took time to get through. I do NOT recommend it for executive reading. But it is a fantastic resource for practitioners and is a very important, well done reference and resource for the community. It is already informing my personal efforts and will shape our work here in many ways, including informing our research and reporting and shaping the best practices we advise clients to put in place.

I saw the study as a strong signal of a maturing community. As a profession we still have a long way to go, but studies like this one give us a canon of knowledge to build upon.

For more see: Report on cyber intelligence practices

Bob Gourley

Bob Gourley is the co-founder and Chief Technology Officer (CTO) of OODA LLC, a technology research and advisory firm with a focus on artificial intelligence and cybersecurity. Bob is the author of the book The Cyber Threat. He has been an advisor to dozens of successful high-tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency.