Lesson 1: Data is Not Intelligence

By Mike Mimoso

One thing we’re good at in information security is conflating terms—and there are no shortage of mistakes on this front. For example, vulnerabilities are not exploits, worms are not viruses, and data is not intelligence.

Data in the context of threat intelligence is just that: raw and often voluminous. It’s typically collected in an automated fashion from relevant sources according to an organization’s intelligence requirements and stands as the bedrock of an intel program.

Data on its own, however, isn’t of much value to an enterprise security decision maker without some threads of context sewing it together to find a solution to a problem. IP addresses, malware hashes, and other indicators of compromise (IOCs) are invaluable data points, but without understanding how they connect to a threat actor—or how they point to the next potential target—they aren’t much more than IOCs on a spreadsheet.

A human analyst and a machine learning engine are the quickest paths to turning that data into an actionable piece of intelligence. An experienced subject-matter expert with extensive information security and/or military know-how will best understand how to connect subtle dots in relevant data points to arrive at an optimal conclusion.

A malicious domain, for example, may fire off an alert in a security information and event management (SIEM) platform, but you’ll need more than an urgent email or text message to know that domain has been linked to other attacks against peers in your industry. You’ll need to ask questions of the data to turn it into intelligence: is the domain a first- or second-stage launching pad in an attack? Is the malicious activity happening during only certain hours of the day (i.e., during the normal work day in China)? What vulnerabilities are being exploited? What exploits are being deployed? Are they exfiltrating data from compromised machines? If so, what kind of data? Is this a targeted attack against your organization? Or are others in your industry seeing the same thing?

All of this data goes into a virtual blender and is processed to arrive at a conclusion about an adversary or threatening scenario. The outcome is intelligence, and that’s what informs decisions about risk.

Data should never be conflated with intelligence, because the latter requires an enormous amount of cross-examination and interpretation to cook up an actionable, finished product. And this applies to all facets of business risk—beyond cyber—that require intelligence, encompassing fraud, insider threat, executive protection, and other facets of physical and corporate security.

People are at the core of finished intelligence, providing the nuance, logic, experience, and understanding needed to derive actionable insight and solve complex problems. No machine can mimic the tradecraft necessary to access a closed-source illicit community. No algorithm can understand and communicate with regional and language-specific slang when engaging in conversation with an adversary. Automation can and does reduce the time it takes to collect technical indicators, but intelligence requires patience with data to effectively inform an appropriate course of action.

Data and intelligence are very different things. Data is often unstructured and almost always represents a simple declaration of facts: an IP address or a malicious domain address, for example. To arrive at finished intelligence, data must be given structure and therefore evolve into relevant information that, when given additional analysis and context, can be used to inform decisions about risk.