
The ‘False Positives’ in Threat Intelligence

Threat intelligence is a big buzzword in the information security space these days, and the term is getting thrown around loosely. In a field with so much unpredictability and so many vulnerabilities, intelligence is a critical tool: it provides insight into the threat landscape, and it gives decision makers guidance and forecasts on the why and the what's next of security.

Here is a brief overview of what threat intelligence is not, what intelligence is, and how it can be a tremendous asset to your information security arsenal.

Intelligence is not…

Intelligence is not just a product or a list of indicators. "Bad IP" lists are valuable information, but they are not intelligence, because they lack context. You have to get to the context of the information: what it is, what it means, and how timely it is. TTPs (Tactics, Techniques, and Procedures) are likewise relevant information, but they are not intelligence until you have worked out whether they belong to a specific adversary that is pertinent to a specific organization or industry.

Intelligence is not the canary in the coal mine. (The phrase alludes to the caged canaries miners carried into the tunnels; if dangerous gases such as carbon monoxide collected in the mine, the gas killed the canary before the miners, warning them to exit immediately. [1]) An indicator that fires is an alarm, and alarms are useful, but TTPs and other indicators are not intelligence. Intelligence feeds the detection process, and it should also drive policy.

Intelligence is not linear. There are three essential levels of intelligence, and in practice they overlap. Intelligence products should be produced to support decisions at each level, with content tailored to the goals and objectives of that level.
⁃ Strategic level: Supports long-term organizational objectives, planning, decision-making and policy-making
⁃ Operational level: Supports day-to-day operations and decisions
⁃ Tactical level: Supports monitoring and defense, detection, incident response, and the use of TTPs

Intelligence is not static. It is not confined to a single, isolated environment. Defense in depth layers security controls, and intelligence works in layers too, supporting each layer of security. It must be adaptive and flexible, evolving as the threats and the organization evolve.

Intelligence does not make predictions; it makes forecasts. A prediction is absolute, e.g. "this will not happen" or "this will happen at this time." A forecast gives a range of possibilities along with a measure of certainty for each, e.g. "there is a 75% chance of rain today."

Intelligence is not just about having more data. Consider the signal-to-noise ratio (SNR). SNR is defined as the ratio of the power of a signal (meaningful information) to the power of background noise (unwanted signal). Here it refers to the ratio of useful information to false or irrelevant data in a conversation or exchange. [2] Although data collection is vital to the intelligence cycle, collecting more data "just in case" lowers the SNR of the collection and increases the processing and analysis effort needed to find the signal.

Furthermore, collections management should focus on specific data sources based on intent and intelligence objectives. All data sources should be assessed for credibility and reliability, and all information should be evaluated for relevancy and accuracy.
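As an added illustration of the two points above (an indicator list without context and timeliness is not intelligence, and every source must be assessed for credibility and reliability), the following script turns a raw feed into a scored, prioritised list. It is example code written for this page, not code from the original post or from Quadrant Information Security. The feed entries, the source ratings, the sector tags and the seven-day half-life are all constructed; the source grades follow the Admiralty-style scale (letter A-F for source reliability, digit 1-6 for information credibility), and the numeric weights given to those grades are an assumption of the example.

```python
"""Score a raw indicator feed so that it carries the context the post asks for.

Added example for this page, not code from the original post or from
Quadrant Information Security. Feed entries, source ratings, sector tags and
the half-life are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Source reliability (A = completely reliable ... F = cannot be judged) and
# information credibility (1 = confirmed ... 6 = cannot be judged) mapped to
# weights. The weight values are an assumption of this example.
RELIABILITY = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.0}
CREDIBILITY = {1: 1.0, 2: 0.8, 3: 0.6, 4: 0.4, 5: 0.2, 6: 0.0}

# Assumed grading of each (constructed) feed source: (reliability, credibility).
SOURCES = {
    "vendor-feed": ("A", 2),
    "pastebin-scrape": ("D", 4),
    "sector-isac": ("B", 1),
}

HALF_LIFE = timedelta(days=7)  # assumption: an indicator loses half its value per week


@dataclass(frozen=True)
class Indicator:
    value: str
    ioc_type: str        # "ip", "domain", ...
    source: str          # key into SOURCES
    last_seen: datetime
    context: str         # what the indicator means: campaign, TTP, role in the intrusion
    sectors: tuple       # industries the source says are targeted; () means unknown


def score(ind: Indicator, now: datetime, my_sector: str) -> float:
    """Combine source grading, freshness and relevance into one score in [0, 1]."""
    rel, cred = SOURCES[ind.source]
    base = RELIABILITY[rel] * CREDIBILITY[cred]
    decay = 0.5 ** ((now - ind.last_seen) / HALF_LIFE)   # exponential aging
    relevance = 1.0 if not ind.sectors or my_sector in ind.sectors else 0.3
    return round(base * decay * relevance, 3)


def triage(feed, now: datetime, my_sector: str, threshold: float = 0.3):
    """Split a feed into indicators worth acting on and noise, highest score first."""
    act, noise = [], []
    for ind in feed:
        s = score(ind, now, my_sector)
        (act if s >= threshold else noise).append((ind.value, s, ind.context))
    act.sort(key=lambda t: t[1], reverse=True)
    noise.sort(key=lambda t: t[1], reverse=True)
    return act, noise


NOW = datetime(2015, 7, 1, tzinfo=timezone.utc)   # fixed "now" so runs are reproducible

# Constructed feed (RFC 5737 documentation addresses and a reserved example domain).
FEED = [
    Indicator("203.0.113.10", "ip", "vendor-feed", NOW - timedelta(days=1),
              "C2 for phishing campaign against banks", ("finance",)),
    Indicator("198.51.100.7", "ip", "pastebin-scrape", NOW,
              "appeared on a scraped 'bad IP' list, no further context", ()),
    Indicator("evil.example", "domain", "sector-isac", NOW - timedelta(days=30),
              "dropper download site, campaign since sinkholed", ("finance",)),
    Indicator("192.0.2.44", "ip", "sector-isac", NOW - timedelta(days=3),
              "scanner targeting hospital VPN portals", ("healthcare",)),
]

if __name__ == "__main__":
    act, noise = triage(FEED, NOW, my_sector="finance")
    print("act on:")
    for value, s, why in act:
        print(f"  {value:15} {s:.3f}  {why}")
    print("noise:")
    for value, s, why in noise:
        print(f"  {value:15} {s:.3f}  {why}")
```

Run for a finance-sector consumer, only the fresh, well-sourced, sector-relevant C2 address clears the threshold; the scraped IP with no context, the month-old sinkholed domain and the healthcare-targeted scanner all fall into the noise bucket even though every one of them is a "bad" indicator. Each entry keeps its context string, so the consumer sees why an indicator matters, not just that it does.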

Intelligence is…

Intelligence is polished. It must be clear, concise and direct. A formal writing style should be used (where applicable), with no slang or other language that could be misinterpreted, and any technical terms should be precisely explained.

Intelligence is actionable. Intelligence should support action, decision-making or policy creation. It is not just informative, but should be useful to decision makers.

Intelligence is relevant. Intelligence should be applicable, pertinent and significant to the consumer.

Intelligence is timely. Intelligence is proactive, based on current events and supportive to current or future decisions. Although case studies and post-mortem analyses can be valuable sources of information, they are not necessarily intelligence.

Intelligence is accurate. Intelligence should be based on vetted data and information and carry a stated level of confidence. The credibility and reliability of each source should be considered, and analysis should be objective to help maintain accuracy.

Intelligence is the personnel. The analysts. Analysts should be technically proficient, understand critical thinking, be able to identify problem types and apply structured analytic techniques to them, and thoroughly understand cognitive biases and the techniques for overcoming them.

Regardless of how much data is available, or what tools are being used to process and exploit the data, the analysts (people) are key to the intelligence cycle.  They are the ones that perform analysis on the data and information in order to create intelligence products; request that more or different data be collected, that additional processing occur; and utilize feedback from consumers to improve intelligence products and results.

Threat intelligence is the product of the collection, processing, exploitation, analysis, dissemination and feedback of information, and it is used to support decision making by reducing uncertainty. Intelligence must be actionable, relevant and timely. Blacklists provide no context with respect to industries or attacker TTPs, and no ability to identify trends or forecast threats. Intelligence does. It helps answer Why?, So what? and What next?, among many other questions.


Intelligence provided by Rob Nunley, senior security architect and cyber intelligence innovator at Quadrant Information Security. 

Citations and Knowledge Share:

[1] Wiktionary, accessed June 27, 2015.
[2] Accessed June 15, 2015.

Smackronym Guide:

TTP = Tactics, Techniques, and Procedures
SIEM = Security information and event management (SIEM) is a term for software products and services combining security information management (SIM) and security event management (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications.
SNR = signal-to-noise ratio
