Schweitzer Fachinformationen
Everything has a beginning. Chapter 1 sets out to define cyber threat intelligence and chart the development of the concept from antiquity to the present day. Despite cyber threat intelligence being a recent concept, the need to characterise threats and to understand the intentions of enemies has ancient roots.
'Cyber Threat Intelligence' is a term which is readily understandable, but not necessarily easy to define.
There are a variety of different perspectives and experiences which lead to different understandings of the term. For some, cyber threat intelligence refers to the collection of data. For others the term refers to teams of analysts and the processes required to analyse data. For many it is the name of a product to be commercialised and sold.
Cyber threat intelligence encompasses all these perspectives, and more. This book addresses the many facets of the term, ranging from the historical development of intelligence through to the modern application of cyber threat intelligence techniques.
One area of threat intelligence is purposefully omitted. The covert collection of intelligence from human agents (HUMINT), often obtained from participants within underground criminal forums is beyond the scope of this book. This domain and the associated techniques are a distinct specialism with their own risks and dangers which merits a separate book.
To define what is meant by cyber threat intelligence we must start by understanding the meanings of the constituent terms, 'intelligence' and 'cyber threat'.
To better understand the concept of intelligence, we can examine the domain from the viewpoints of the different practitioners.
The field of intelligence is most commonly associated with the military. The multinational military organisation, the North Atlantic Treaty Organization (NATO), defines intelligence as:
The product resulting from the directed collection and processing of information regarding the environment and the capabilities and intentions of actors, in order to identify threats and offer opportunities for exploitation by decision-makers.
(NATO 2017a)
Intelligence is not exclusively military in nature. Intelligence activities may be undertaken by non-military governmental organisations, the Central Intelligence Agency (CIA) being one such example. Despite the agency having the term 'intelligence' as part of its name, its early years were marked by much discussion debating what is meant by intelligence (Warner 2002). One document reflecting the uncertainties of the time succinctly defines intelligence as:
Intelligence is the official, secret collection and processing of information on foreign countries to aid in formulating and implementing foreign policy, and the conduct of covert activities abroad to facilitate the implementation of foreign policy.
(Bimfort 1958)
Intelligence is not the exclusive preserve of the state. The private sector also engages in intelligence activities, such as conducting competitive intelligence, which may be defined as:
… actionable recommendations arising from a systematic process involving planning, gathering, analyzing, and disseminating information on the external environment for opportunities, or developments that have the potential to affect a company's or country's competitive situation.
(Calof and Skinner 1998)
As with other forms of Intelligence, there is much debate regarding what is exactly meant by 'Competitive Intelligence'. Definitions range from those that could apply equally to military intelligence:
A process that increases marketplace competitiveness by analysing the capabilities and potential actions of individual competitors as well as the overall competitive situation of the firm in its industry and in the economy.
(Pellissier and Nenzhelele 2003)
Across the various disciplines and specialisations associated with the notion of 'intelligence', there are commonalities within definitions, namely:
As a prefix, the term 'cyber' dates back to the 1940s, and was first used in the concept of 'cybernetics' relating to the communication and control interfaces between living things and machines (Coe 2015). Since this date the term has been used widely in the context of futuristic technology.
The term has undergone a rapid evolution. To Internet users of the mid to late 1990s, the term 'cyber' was used to describe the practice of conducting intimate relationships online (Newitz 2013). Yet in a relatively short time, the term has become closely associated with security and attacks against computing systems.
The origins of this evolution lie in the 1960s use of the term 'cyberspace' to refer to environments outside of normal experience (Ma et al. 2015; Strate 1999). Over time this notion of a separate domain came to be used to refer to the space created by the network of connected computing systems that comprises the Internet.
NATO defines cyberspace as:
The global domain consisting of all interconnected communication, information technology and other electronic systems, networks and their data, including those which are separated or independent, which process, store or transmit data.
(NATO 2017b)
Hence, the 'cyber domain' is a potentially contested space which is equivalent to the traditional militarily contested environments of the land, sea, and air (Crowther 2017). Following this logic, in the same way that there is an army to fight on land, a navy to fight on the sea, an air force for air battles, a cyber capability is required to defend and project national interests within this new domain (Ferdinando 2018; Emmott 2018).
Threats are to be found within the traditional domains of the land, sea, and air. These threats are diverse in nature, ranging from hostile adversaries who seek to cause harm, to adverse weather conditions which may damage ships or planes, or simply geographical features such as mountain ranges which might block routes.
A military commander wishing to operate in any of these domains must collect intelligence to understand the threats that may be encountered. This intelligence should be expected to describe where a threat is located, the specific danger that the threat may pose, and how the threat is changing over time.
In this respect, cyberspace is no different. Within this new domain hostile adversaries may be operating, physical features of the infrastructure may constrain operations, and software installations may change as frequently as the weather (Mavroeidis and Bromander 2017).
In order to operate in this cyber environment, we too must gather intelligence. Decision makers must remain abreast of the nature of current threats and the risk they pose, so that an appropriate response can be orchestrated, allowing everyday activities to be conducted safely and successfully.
Clearly, cyber threat intelligence is the application of intelligence to threats that affect the cyber realm. This concept can be expressed in many different ways. The research organisation Gartner defines threat intelligence as several items that contribute to decision making:
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
(Gartner Research and McMillan 2003)
The Forum of Incident Response and Security Teams (FIRST) emphasises the informational aspect of threat intelligence.
Cyber Threat Intelligence is systematic collection, analysis and dissemination of information pertaining to a company's operation in cyberspace and to an extent physical space. It is designed to inform all levels of decision makers.
(FIRST 2018)
The Bank of England's framework for threat intelligence-led operations, CBEST, states that an intelligence-based approach to cyber security should have the following goals:
to prevent an attacker from successfully attacking;
to be able to recognise and respond effectively to an attack that has already happened.
(Bank of England 2016)
Again, we can see common threads between these definitions. A working definition of cyber threat intelligence should combine definitions from the realm of traditional intelligence, emphasise the application to the notion of 'cyber', and state the use of intelligence.
Throughout this book I use the following as my working definition of cyber threat intelligence:
The process and outcome of gathering and analysing information relating to threats that may cause damage to electronic networked devices, in order to assist decision making.