One of the most jarring parts of the “Intelligence Revolution” is how we all became unwitting participants in it. While chatbots and image generators grabbed headlines and thrust AI into the general discourse, the real truth is that AI has been affecting our day-to-day lives for years already. Most people just didn’t know it.
Never before have we placed a higher value on intelligence in any form it takes. We are reframing our work and lives around it. We are making art with it. We are fighting wars with it—both in the analog and digital realms. All of this is happening while we are also still trying to scaffold the rules and ethics around largescale access to it at breakneck speeds. (It’s no wonder we’re obsessed with it.)
However, as valuable as intelligence has now become, it has also become a fixed reality. We must now find ways to leverage the latest intelligence while also shielding ourselves from the harshest consequences of early adoption. In the world of cybersecurity, these consequences can be dire if a hospital or public service falls victim to an attack.
One of the oldest idioms in computing is the idea of “garbage in, garbage out,” meaning that inaccurate or bad input data will inevitably lead to bad outputs from a computer. In cybersecurity, the same principle applies, only it might better be framed as “garbage intelligence, garbage enforcement.”
If we want to score better than “garbage” on our use of cyber intelligence in this fight against threat actors who are alsoarmed with their own intelligence, we have to think first about what cyber intelligence is—and what it isn’t—and how we can start to leverage it to its full potential.
What Is Cyber Intelligence?
Cyber intelligence refers to the data that is collected and curated by anyone in the cyber intelligence “community.” This community is composed of government/public agencies, open-source groups and private/enterprise cyber intelligence researchers who either use their own proprietary intelligence for their solutions or sell their cyber intelligence. It can then be used by other tools and technologies to either prevent attacks on the network or minimize the damage of a successful breach.
Various technologies leverage different types of cyber intelligence. Some of it focuses on the “what” of an attack (i.e., the threat itself—obfuscation techniques, code, vectors, etc.). However, the “who” of the attack—who is perpetrating it and who the data is going back to—is a much more stable source of intelligence for technologies to leverage, yet it goes wildly underused.
If we imagine cyberattacks such as ransomware, data exfiltration and DDoS as wasps, the threat actors are the hive. As we all know, unless you neutralize the hive, the wasps will just keep coming. The same is true of threat actors. Unless we focus on the source of the attacks, battling the attacks themselves is a devastating exercise in futility.
A Better (And Safer) Way To Harness Cyber Intelligence
Threat actors have proved they can continuously adapt their attacks and attack vectors, which means we have to become more strategic about how we use cyber intelligence. For every attack we find, they devise another layer of obfuscation or way in—exploiting unpatched systems, buying access or credentials and staying one step ahead of the cybersecurity community with these ever-evolving threats.
Intelligence on these threats is, by its very nature, limited since threat actors can constantly change and adapt them against our newfound protections. If it feels like we’re always a few steps behind, it’s because we are. The result of using limited intelligence is limited enforcement.
Another way we must rethink how to leverage cyber intelligence past what kind we can harness is where we’re using it in the security stack. The vast majority of cyber intelligence is used to minimize the effects of a breach that has already occurred. While this is a profoundly important use of this information, we should also be leveraging the full power of this data to prevent a breach in the first place. Having all of the skills and tools to minimize a breach is good, but not having to practice them as often is much, much better.
I fully believe the push toward intelligence-driven solutions is an exciting one, even though it often feels like we are being asked to install new wings on an airplane mid-flight. This is why, in our rethinking of how to better use cyber intelligence, we don’t jump straight into untested intelligence waters and expose ourselves to the security risks of early adoption—as some companies are learning the hard way.
Cybersecurity strategies are built on overlapping layers of protection. “Defense in depth” is a refrain heard over and over again; no single point should lead to a full failure. As we leverage cyber intelligence, AI or not, this rule should still apply. We must find ways to collect and leverage this intelligence without also exposing ourselves to further risk. We do this by creating layers of protection and policies between the network and new threat vectors from intelligence ingestion, asking constantly as we take intelligence in: What are we giving in return? Where is it going?
Understanding how to leverage cyber intelligence requires us to, first and foremost, be strategic. However, the opportunities we have in front of us are immense to expand both how and where we use this data to secure our most important digital assets. It’s up to us whether we take them.