Actionable intelligence — Is it a capability problem or does your intelligence provider suck?

Note: This was originally posted on Feb 9, 2016.

Significant numbers of security and threat intelligence vendors spruik their intelligence or data as being the most actionable but is it? In this post I’ll hope to make the argument that whether intelligence is actionable or not is really up to the consumer of said intelligence, not the producer.

Let’s start with an example:

Intelligence is passed to XYZ Corporation, which is a United States based bank, that they will be targeted by an attack from a well known cyber espionage group tomorrow that has previously targeted executives of other banks. The attacker group is known as Team Panda and APT Group 10 and is known to use the PlugX trojan that is delivered via spear-phished emails with .xls (Microsoft Excel) attachments. This attack, due tomorrow, will use the domain teampanda10.com as their malware command and control server.

In the above example, one would say that there’s a number of elements of the above intelligence that could lead to it being actionable in most organizations today in the banking sector. Let’s list some of those elements:

  • Time of attack (tomorrow)
  • Likely targets (executives)
  • Trojan to be used (PlugX)
  • Method of dropping the trojan (spear-phished .xls file)
  • Command and control server used (teampanda10.com)

Now let’s rewind the clock back ten years to 2006 and change the target organization. Using the same above example, the target is now ABC Corporation, which is an Italian e-commerce company and this warning was sent in 2006 for an attack that was to occur the following day. At that time, ABC Corporation did not have any capability to block IP addresses, let alone the ability to seek to block suspicious .xls attachments in emails. What we effectively have here is great intelligence but little to no capability to act upon it.

If at this point we accept that intelligence is actionable based on the organization consuming it, it brings us to the next issue: how does one measure the effectiveness or not of vendors that provide intelligence or intelligence information/data. If you recall a previous blog post I wrote on writing intelligence requirements for your cyber threat intelligence program, you will see that the success or not of your intelligence program is directly linked to how your intelligence program supports the priorities of your business and the risks against it.

Based on the above points, evaluating threat intelligence providers should be based on your intelligence requirements and how intelligence providers measure up against these requirements. Some intelligence providers may simply be providing intelligence or intelligence information that you are not yet able to action. Additionally, some intelligence providers may be geared towards supporting the requirements of different verticals to your own.

Whether intelligence is actionable or not is really a reflection of an organization’s capability, not a quantitative metric for an intelligence producer.

Actionability is often a reflection of capability.