At the end of 2019, I came to two realizations…
The first: There has never been a better time to be a cybercriminal. The second: Only teams of defenders that are focused on proactively disrupting adversaries will win.
In the months that followed, both theories have proven to be correct. Anyone with a desire to do harm can put an organization’s most sensitive data at risk by purchasing off-the-shelf tools and easily accessing underground, illicit marketplaces. Legacy vulnerabilities, lack of secure code development processes, explosive growth of connected devices, and the absolute decimation of organizational perimeters have put security teams on their heels — if they’re still on their feet at all.
In March of 2020, the COVID-19 pandemic forced organizations to send home their workforces for months on end, with little-to-no ability to implement security controls from afar.
To make matters more complicated, there are no government bodies — no unified front — protecting the interests of organizations against threat actors, from your run-of-the-mill bad guys to nation-state attackers.
So, how do your security teams survive and continue to defend your organization in times like these?
Security intelligence is an outcomes-centric approach to reducing risk that fuses internal and external threat, security, and business insights across an entire organization. It easily scales up and down to match the organization’s size, maturity, and specific needs. At Recorded Future, our ability to collect, structure, analyze, and deliver all relevant security information on the internet is what has set us apart since the very beginning. We’ve now taken that ability and segmented it to meet the specific needs of each security solution. In September of 2020, Recorded Future announced the tailoring of our Security Intelligence Platform to meet the intelligence challenges across every security function. Providing a single authoritative source for intelligence, the six individual modules we provide deliver actionable, customized intelligence that enables users to stay nimble and precise in their security decision-making. Based on their role, target use cases, and focused outcomes, these solutions include the Brand Intelligence Module, SecOps Intelligence Module, Threat Intelligence Module, Vulnerability Intelligence Module, Third-Party Intelligence Module, and Geopolitical Intelligence Module.
Geopolitical intelligence is the latest innovation to be added to the Recorded Future Security Intelligence Platform. This solution accelerates critical decision-making with contextual open source intelligence (OSINT) on geopolitical threats and trends — empowering users to protect assets and understand shifting dynamics in the geographic areas relevant to their organizations.
Eliminating manual research and surfacing intelligence in real time enables users to defend assets anywhere in the world with a comprehensive view of their organization’s cyber and physical threat landscape. In late 2019, we introduced the three principles of effective security intelligence. In 2020, we added a fourth. It has quickly moved to number one on our list:
- You must focus on disrupting the adversaries most likely to target you — and make their lives as challenging as possible. Security intelligence is the most effective way to do this.
- Security intelligence must provide the timely, clear, and actionable context required to make fast, informed decisions and take effective action as it applies to each security challenge.
Intelligence has to come at the right time, in a form that is understandable, and it must amplify the impact of existing solutions. It needs to enrich your knowledge, not complicate the decision-making process, and it must put everybody in your organization on the same page.
- People and machines work better together. Machines are capable of processing and categorizing raw data exponentially faster than humans. On the other hand, humans are much better equipped to perform intuitive, big-picture analysis than any artificial intelligence — as long as they’re not overwhelmed with sorting through huge data sets and performing endless research. When people and machines are paired, each works smarter, saving time and money, reducing human burnout, and improving security overall.
- Security intelligence is for everyone. No matter what security role you play, intelligence enables better, faster decisions. It’s not a separate domain of security — it’s the context that empowers you to work smarter, whether you’re staffing a SOC, managing vulnerabilities, or making high-level business decisions. To make things easier, not harder, effective security intelligence must integrate with the solutions and workflows on which you already rely — and it has to be easy to implement.
At Recorded Future, we believe wholeheartedly in these core principles, and our approach has been validated in the years since the first edition of this handbook was released. Our intelligence is stopping threats in the security departments of 99 of the Fortune 100 top companies in the United States — not to mention countless organizations of all sizes, as well as government institutions around the world. And we’ve grown to more than 500 employees from 40 countries.
We hope this handbook will play its part by offering practical information and advice that you can apply today to disrupt the adversaries your organization faces. I am grateful to everyone who has contributed to the contents of this handbook: Our users and clients, industry experts, and the Recorded Future team. Hopefully you will find this third edition of our handbook to be an informative companion as you integrate security intelligence across your security ecosystem.
Christopher Ahlberg, Ph.D.
Co-Founder and CEO
Recorded Future
Introduction
A Complete Picture of Security Intelligence.
Like the blind people surveying the elephant in the fable, most people have only a limited understanding of security intelligence because they have only come into contact with one aspect of it.
You might have heard that security intelligence involves collecting data from a wide variety of sources, including the dark web. You may know that it combines that data with insights from cybersecurity experts, and distills the data and insights into intelligence for IT security professionals.
You might work with threat feeds or weekly reports about attacks on the network, or even expert analysis of cyber risks. However, it’s unlikely that you entirely appreciate the wide range of roles and functions that security intelligence supports, all of the ways it protects organizations and their assets, or its full potential for reducing risk.
This handbook will give you a complete picture of the elephant. The beginning provides an overview of security intelligence and the phases of the security intelligence lifecycle. The middle of the book examines the specific ways that security intelligence strengthens six critical security functions and their workflows. The final chapters deal with management and implementation issues, like using security intelligence to evaluate risk and justify investments, and how to build a security intelligence team.
By the end, you will understand how security intelligence amplifies the effectiveness of security teams and security leaders by exposing unknown threats, clarifying priorities, providing data to make better, faster decisions, and driving a common understanding of risk reduction across the organization.