Cyber threat intelligence (CTI) can be hard. There are hundreds of terms flying around that, to the untrained, could mean almost anything. If you want to jump into this area of cyber security or gain more value from it, you need a clear understanding of what CTI analysts mean when they share threat intelligence with you.
This is the first article in a whole series on CTI definitions and key concepts. The series is designed to be a reference guide for whenever you encounter a word or term you are unfamiliar with or are trying to better understand where someone is coming from.
In this installment, you will learn why clear definitions are vital in the threat intelligence world and enable the process of gathering, analyzing, and disseminating intelligence to run smoothly. Let’s begin!
Why Clear Definitions are Important
Clear definitions are important in many areas of cyber security. You need to know what a network packet is, what it contains, and how it fits into the overall networking concept if you want to secure a network. Threat intelligence is no different.
If you want to become a CTI analyst, better understand the CTI process, or gain more value from the intelligence being shared with you, you need to know the terminology used and the key concepts that aid the threat intelligence process.
For instance, you need to be able to answer the following:
- What is cyber threat intelligence, and how can I gain value from it?
- What is the difference between the threat intelligence lifecycle and the indicator lifecycle?
- What is attribution?
- What is an activity group versus a threat group?
- How are Sigma rules, YARA rules, and STIX/TAXII used?
If you don’t know the answer to these questions, don’t worry. This series on Definitions and Key Concepts has you covered. But why is it so important you know all these things? Let’s look at some reasons.
Not all of these reasons are exclusive to CTI. Cyber security is a complex topic with a vast terminology and models for all sorts of things. Many of the reasons for clear definitions are important for all areas of cyber security.
Reason #1: Common Understanding
Clear definitions help establish a common understanding of terms and concepts within the CTI community and the wider cyber security community. This is essential for effective communication and collaboration between CTI analysts and other security professionals, organizations, and stakeholders.
Reason #2: Consistency
Consistent use of terminology ensures that information and intelligence are accurately shared and interpreted. This consistency is vital for creating a unified and standardized approach to understanding and using cyber threat intelligence effectively.
Reason #3: Interoperability
Cyber security tools and threat intelligence sharing platforms need clear definitions to support interoperability. When everyone adheres to the same definitions and standards, different organizations and systems can more seamlessly exchange threat data.
Reason #4: Analysis and Decision-Making
CTI analysts rely on precise definitions to conduct accurate assessments and analyses of threats. Ambiguous or vague terms can lead to misinterpretations, potentially resulting in incorrect threat assessments and poor decision-making.
Reason #5: Efficient Incident Response
CTI and incident response share a closely coupled relationship that requires clear definitions to facilitate a swift and effective response when an incident arises. This allows the wider security team to quickly identify and understand the nature of threats, enabling them to implement appropriate countermeasures and mitigate risks.
Reason #6: Training and Skill Development
Clear definitions are fundamental for training programs across cyber security. Newcomers to the field and seasoned professionals need to understand the terminology to enhance their skills, contribute effectively, and stay updated on the latest threat landscape.
Reason #7: Regulatory Compliance
Many industries and regions have specific regulations and compliance requirements related to cyber security. Clear definitions help organizations align with these requirements, ensuring they accurately report and address security incidents and share intelligence as regulations mandate.
Reason #8: Communication with Stakeholders
When communicating threat intelligence to non-technical stakeholders, such as executives or managers, clear definitions are essential. This ensures that complex technical information is presented in a comprehensible manner, enabling informed decision-making at all levels of the organization.
Reason #9: Research and Development
Clear definitions are essential for researchers and developers working on innovative cyber security solutions. They provide a foundation for creating effective tools, technologies, and methodologies to combat evolving cyber threats that CTI informs them about.
When Definitions Don’t Match
Not everyone’s use of terminology will be the same. It is very likely that other people will define things differently from you or use synonyms you are unaware of. This is fine. What is important is that your definitions are close enough that important information is conveyed in a way both parties can use.
For instance, I may define a threat as anything impacting an organization’s computer systems. You may say it is anything that deliberately has a negative impact on an organization’s computer systems. If I say you need to watch out for APT29, the intention of their actions is implied (e.g., they are a threat actor looking to benefit by doing you harm). We can both recognize they are a threat and categorize them as such.
Our definitions may fall apart when a company employee accidentally causes harm to their organization’s computer systems (e.g., accidentally deleting a file). I would define this as a threat. You may not, as your definition includes the “deliberately” part. As such, when discussing threats, we must clearly state how we define a threat so that we can reach a common understanding.
When you say you define threats as causing a negative impact “deliberately,” we can discuss if this is always the case, and I can explain how I see threats because we both have clear definitions we can compare. Despite our small differences in definitions, we can still communicate with each other, and only edge cases, like clumsy employees, require us to expand on our definitions.
It is far more important to have a clear definition that aligns mostly with the consensus of others than it is to match exactly what everyone is saying (probably an impossible task). Then you have the ability to explain your definition and quickly understand where a person is coming from with their definition.
The Aim of This Series
This series aims to help you form a clear definition of CTI terms by providing you with explanations of the key terminology and models used in the industry. It will highlight important definitions you should be aware of so you can quickly speak the lingo and understand what others mean when they talk about threats, the CTI lifecycle, Sigma rules, and more.
It is your reference guide to the world of CTI, like the Hitchhikers Guide to the Galaxy (probably a dated reference at this point).
In the next installment of this series, you will learn what cyber threat intelligence is and how it is used to bolster the cyber security posture of organizations worldwide!
Discover more in the Definitions and Key Concepts series!
Frequently Asked Questions
Why are definitions important in CTI?
Clear definitions play a crucial role in Cyber Threat Intelligence (CTI). They allow practitioners and cyber security tools to communicate findings using a common language, promote consistency in reporting, and ultimately enable information to be accurately interpreted and used efficiently.
Is it always important to match definitions with someone?
No always. The 80/20 rule is a good rule to follow for definitions. So long as you and the person you are communicating with can agree on 80% of the stuff contained within the definition, you can work out the other 20%. It is more important that you get the general gist and understand where a person is coming from rather than agreeing with their definition in its entirety.
That said, if a strong definition is used throughout the industry. Try to use this one and assume most people will follow suit.
What will I get out of this series by following along?
This series covers key terminology and models used in the industry so that you can quickly get to grips with the conversation. You will gain an understanding of the CTI process, learn about the CTI lifecycle, and discover key technical concepts used within the industry, like YARA and Sigma rules. The series is intended to act as a reference guide for you throughout your CTI journey.
