The illusion of ‘real time’ & ‘intelligence’ collection


Over the past year there has been an explosion of services being offered in the threat intelligence space. These services for the most part focus on the cyber security market.

Over this time WorldStack has noticed a growing trend of services claiming to offer “real time” cyber threat intelligence, and of products and/or services that provide “intelligence collection”. As we see it, the terms “real time” and “intelligence collection” are being used in these contexts as nothing more than a marketing ploy, as buzzwords, by the companies claiming to offer such services.

This does a great disservice to real intelligence and the benefits it can provide to clients.

The Issues

The terms real time and intelligence do not go together. By its nature intelligence is a product, and the creation of an intelligence product takes time. The length of time depends on a number of factors, such as the level of detail required by the end user and whether you are looking at Strategic, Operational or Tactical intelligence.

Even in its simplest form the intelligence cycle consists of steps; generally these would be Planning, Collection, Collation, Analysis and Dissemination. By its nature it is a process that takes time: as can be seen, there are three steps that need to be undertaken before you can actually provide a client with an intelligence product.

Likewise, stating that you collect intelligence, or that you have a product that collects intelligence, is a great misuse of the term intelligence.

At the collection stage in the intelligence cycle, what is actually being collected is raw data or information. That is, unless you are accessing already finished intelligence products.

The raw data collected then needs to be assessed, and the information verified, validated and analysed to determine what it actually means, if anything, for a client. Without this process the raw information provides little if any value to an end user.

What constitutes intelligence?

There are many services and products that claim to provide threat intelligence. But what constitutes threat intelligence?

Many products and services provide information such as known bad IP addresses or URLs, to be blacklisted by a client’s network to protect the network against infection from malware and other forms of attacks and intrusions.

However, is a bad IP address or URL intelligence? We would argue it is not, at least not on its own. On its own it is a piece of information. Granted, it is a piece of information that can help protect a network; however, it is not intelligence, not in the true sense.

In order for a known bad IP address or URL to be called intelligence there needs to be some insight into why it is bad and what that means for the client it is being provided to. This means the who, what, when, where and why need to be analysed in relation to the IP address or URL…