Michael Cloppert, whom I hold in great esteem and friendship, argues for a new and unconventional definition of “cyber threat intelligence.”  His post is excellent and well-done.  His argument is simple: that the existing definitions of intelligence and cyber threat intelligence are lacking based on his professional experience of the domain and fail to capture its unique elements.   He offers several definitions:

Cyber threat operations as actions taken in cyberspace to compromise and defend protected information and capabilities available in that domain

Cyber Threat Intelligence Analysis as the analysis of those actions and the actors, tools, and techniques behind them so as to support Operations

I define the Cyber Threat Intelligence domain as the union of Cyber Threat Intelligence Operations and Analysis.

Michael Cloppert, Defining Cyber Threat Intelligence (2016)

I agree with his assessment that existing cyber threat intelligence definitions lack accuracy.  But, Mike’s definitions are too constrained by operations and lack inclusion of the key element of intelligence in any discipline: that intelligence serves to inform decision-making (whether that decision-making is of the technical/tactical nature such as in firewalls, or strategic at the executive level).  Intelligence doesn’t serve operations, intelligence serves decision-making which in turn drives operations to achieve policy outcomes.

Mike references some key CIA thought-pieces on their definitions of intelligence, namely by Martin T. Bimfort in A Definition of Intelligence. Mike is correct that taken at face value, Bimfort’s definition is too constrained with concern about national security to be of much value to cyber threat intelligence.

Intelligence is the collecting and processing of that information about foreign countries and their agents which is needed by a government for its foreign policy and for national security, the conduct of non-attributable activities abroad to facilitate the implementation of foreign policy, and the protection of both process and product, as well as persons and organizations concerned with these, against unauthorized disclosure.

Martin T. Bimfort’s definition of intelligence in A Definition of Intelligence

However, instead of taking Bimfort’s definition at face value, let’s instead look at its essence by removing the domain-specific (state-only) language.  By doing so, I arrive at the following revised definition:

Intelligence is the collecting and processing of that information about threats and their agents which is needed by an organization for its policy and for security, the conduct of non-attributable activities outside the organization’s boundaries to facilitate the implementation of policy, and the protection of both process and product, as well as persons and organizations concerned with these, against unauthorized disclosure.

This definition fits well what we do in cyber threat intelligence: we uncover the hidden threats to an organization (be it a company or country) to protect them against threats both attributable and non-attributable to enable their policy (which for a private company is to return value to shareholders), protect their operations, and prevent disclosure of secrets.

I propose that cyber threat intelligence is nothing more than the application of intelligence principles and tradecraft to information security.  Its outcome is nothing different from traditional intelligence: to inform and empower decision-making at all levels with knowledge of threats.  We don’t require a radical new definition of cyber threat intelligence, because the traditional definitions of intelligence are applicable by simply broadening them outside of their state-only constraint.

EDIT: Robert M. Lee blogged in response – “Intelligence Defined and its Impact on Cyber Threat Intelligence“.  He came to the conclusion that the definition is, “the process and product resulting from the interpretation of raw data into information that meets a requirement as it relates to the adversaries that have the intent, opportunity and capability to do harm.”