Almost every organization in the world could benefit from better informed decisions within the context of managing risk. To do that, most rely on data and manipulate data in a large variety of ways to arrive at actionable insights. Threat intelligence, in essence, is a way of working with data. In many organizations, there can be some confusion when it comes to differentiating data, information and intelligence. While those lines can become blurred, it's important to clarify how data, information and intelligence are separate sets.
Data is a collection of factual points that were recorded at a given point in time. We have data everywhere around us. A simple example of a data point is that the external temperature in Atlanta, Georgia on May 30th, 2021 at 12 PM was 100 degrees Fahrenheit. Data is therefore objective and it's binary. It could be either true or false. Information can be partly factual but not always factual in its entirety. It can be collected in an unstructured manner. It can be combined, it can be influenced by bias and opinion, and it can become rather subjective. Both data and information are inherently historical. Intelligence is the analysis of data and information and is an inference of conclusions for future use. We use intelligence to make better informed decisions in the future.
Gartner's definition of threat intelligence is a good starting point. Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. So as we see here, intelligence can include associated context. It could be evidence-based, maybe a product resulting from collection, processing, integration, evaluation, analysis and interpretation of available information.
Which may include mechanisms, IOCs (indicators of compromise), the impact, actionable advice on mitigation and others.
Let's go over a few examples of information and data that we use in the process of creating threat intelligence. We have facts, which are verified truths. Direct information, which is processed, concrete and readily verifiable. Indirect information, which may or may not be factual, and there could be some doubt reflecting the source's reliability, direct access or character. Direct data, which could be raw records or observations, can provide context for evaluating fact. The sources are readily verifiable, probably something you own or that is within your control. Indirect data is similar to direct data but from a source that has some doubt about its reliability. Maybe we can't access it, maybe we have to receive it and have no way of verifying whether or not it was edited. We don't know for sure its level of integrity.
Let's look at a few examples. Let's say for fact we could have security updates. Those are factual: we can see the information, we can see the code. Direct information: identification of known vulnerable appliances is one example. Indirect information: F5 BIG-IP exploits in the wild. Direct data, like sandbox analysis or related malware and communication: we own a sandbox, we can see what the malware is doing, this is very direct. Indirect data: that could be a list of reported malicious communications. It will depend on the source of the report how much we're able to trust it.
We can use these definitions to organize data for ourselves, data and information, and put them into the tiers of reliability that we can go through later in our analysis. So we can have the facts, with different examples here that you see; that's verifiable information. We have direct info, indirect info, and then as well direct and indirect data. This organization of the information that is in front of us can help us later on in the analysis phase.
To recap, there is a relationship between these three terms. We collect data and we turn it into information. We analyze information and we can turn it into intelligence. With the products of intelligence, we can make better future decisions about threats and risk. Another aspect of these terms is hierarchy. We will have a lot of data at first, which will become a smaller volume of information, which will be analyzed to result in a small volume of intelligence.
Here is the bird's eye view of the lifecycle of threat intelligence. We begin by collecting, we process information, we analyze it and come away with the product. Then the products are disseminated to all the relevant parties, and they allow stakeholders to plan, make better decisions and define direction. This is a continuous process. As the threat landscape is ever evolving, so does the collection of information that feeds this lifecycle perpetually.