What is cyber threat intelligence (CTI)? The term is about as elusive as the color of my skin. CTI defies formal definitions as much as, if not more so than, the term cybersecurity itself. Now, I imagine a few eyebrows rising as I toss out the idea that those CTI pros, Cyber Threat Analysts (CTAs), are basically modern-day prophets in disguise. Crazy, right?
Before you start picturing my crystal ball and flowing robes, let me dispel a few misconceptions. Some people only associate prophecy with predictions of the future, whether it’s the coming of the end of the world or your next lottery ticket. Most dictionaries seem to give the thumbs up to this idea too with simple definitions like “a prediction.” However, at its core prophēteia (Greek roots) is simply communicating revealed truth, and to quote St. Augustine, “All truth is God’s truth.” Kind of puts a damper on our fantasies to think that prophecy can be something as simple as declaring water to be wet, doesn’t it? But hold on, you might be thinking, “Kodama, get off your philosophical soapbox and tell me what this has to do with cyber threat intelligence.” I’m getting there, and it has to do with a man named Ezekiel.
The word of the Lord came to me: “Son of man, speak to your people and say to them: ‘When I bring the sword against a land, and the people of the land choose one of their men and make him their watchman, and he sees the sword coming against the land and blows the trumpet to warn the people, then if anyone hears the trumpet but does not heed the warning and the sword comes and takes their life, their blood will be on their own head. Since they heard the sound of the trumpet but did not heed the warning, their blood will be on their own head. If they had heeded the warning, they would have saved themselves. But if the watchman sees the sword coming and does not blow the trumpet to warn the people and the sword comes and takes someone’s life, that person’s life will be taken because of their sin, but I will hold the watchman accountable for their blood.’” – Ezekiel 33:1-6
This passage is from the Old Testament of the Bible. The prophet Ezekiel is told by God that he is to be a watchman for the house of Israel, warning the people of impending danger and sounding the alarm when he sees the sword coming upon the land. The watchman is responsible for warning the people of their sins and the consequences of their actions, so that they may repent and turn back to God. In this way, the watchman serves as a protector of the people, sounding the alarm when danger is near. Starting to connect the dots yet? No? Let me connect them for you just in case.
Just like prophets of old, the primary role of the CTA is to warn people of looming cyber threats. But let’s not think of it as just tossing up a digital flare. The cyber threat analyst examines the data for information that can be translated into ACTIONABLE intelligence. The ‘actionable’ part is the secret sauce that transforms information into intelligence. The call to action for Israel was to turn back towards God. The CTA’s gig? Deliver recommended actions at one or more levels (strategic, operational, tactical, or technical) in order to protect people from cyber threats. The term “threat” itself can also be a bit arcane, but the general consensus is that it means the intent or indication to do harm. We can quantify threats by attempting to measure their capability, motivation, and opportunities. So, are we talking modern-day prophets here? Hold your camels though. Before you go snagging a turban and riding off into the desert, a word of caution.
Don’t be a phony prophet. If we’re all about this truth-telling prophecy business, then the simplest test of a prophet is if what they communicate comes true. To borrow once again from scripture:
You may say to yourselves, “How can we know when a message has not been spoken by the Lord?” If what a prophet proclaims in the name of the Lord does not take place or come true, that is a message the Lord has not spoken. That prophet has spoken presumptuously, so do not be alarmed. – Deuteronomy 18:21-22
Noise threatens to drown our daily lives. Possibly more so than ever before, information overload bogs us down as multiple entities compete for our precious attention. It’s like starving in a cage of crickets because you can’t decide which one to eat. If you are in the market for good threat intelligence, how often do a vendor’s predictions actually hit the bullseye? If you are a vendor of threat intelligence, are you speaking truth or just adding more noise? You decide.