Rethinking CTI

The phrase “Cyber Threat Intelligence” (CTI) has recently made its way into the InfoSec realm, where it became a buzzword signifying a sort of silver bullet approach to security. As with so many of the previous buzzwords, it makes for a potentially interesting concept, but lacks a clear, meaningful and actionable definition and methodology.

A survey of CTI vendors and consultants reveals a disturbing lack of coherent or unified ideas as to what is and is not part of CTI, what CTI entails, what counts as an actionable finding, and even which shared metrics should be used to evaluate CTI or Indicators of Compromise (IoC). Consequently, it is no surprise that CTI has not delivered on the promise of revolutionizing the field of information security. What can be gleaned from the various efforts is that CTI is intended to be some kind of a model of security that relies heavily on data gathering and analysis, as a means of getting ahead of the standard reactionary models – such as pen-tests.

CTI can, and should, be considered in terms of war (and often is). The implications and consequences of cyber-attacks on states, corporations, and major institutions do actually have a strong analogy with more traditional acts of war. The differences between the two are the product of the differences in the medium where war is waged – not in whether the actions qualify as a form of war. Similarly, we can see a difference between land-based and maritime war – but we recognize the differences as stemming from their medium, rather than from a difference in the activity.

The primary problem for CTI, and cyber warfare in general, comes from the way military methods have traditionally been developed, and thus in how we tend to treat issues associated with war. In essence, the traditional and cyber-warfare mediums are so radically different as to be entirely incommensurate – i.e. incapable of meaningfully sharing ideas and communicating. By way of demonstrating this issue, we will consider deterrence (a cornerstone of traditional war), and see how it holds up in the cyber-war medium. The implications of this comparison are particularly important for CTI, since cyber-war is not waged with physical bombs but with data, making CTI the cornerstone of cyber-war (even if the term is fairly new). If the comparison between traditional war and CTI fails, then the main elements of traditional war and CTI are incompatible – and we will need a new model for understanding CTI, and cyber-war in general.

For our purposes, we will focus exclusively on the defensive and responsive aspects of war and CTI. That is, we are concerned with information security, not with hacking.


The idea of deterrence as a functional defensive military strategy has been around since man first realized the implications of numerical advantage in a fight. This was quickly followed by fortifications as deterrents – against man and beast. While imperfect, strong defenses simply made the prospect of attacking more difficult. Deterrence soon incorporated the two models, resulting in a combination of the successful defense of a fortified position and the defender’s ability to severely punish any attempted attack by retaliation. The tactic quickly caught on, and finally resulted in the most famous example of deterrence, the Cold War standoff, based on mutually assured destruction (MAD). This technique remains in effect today, and heavy national military investments are seen as a means of preventing war – by deterring any would-be aggressors.

The concept of deterrence is based on three assumptions:

  1. Impenetrable defense: making military assault against a stronger enemy untenable, especially through inability to take out the defender in a single blow;
  2. Clear attribution: the ability to correctly identify the attacker;
  3. Retaliation: the ability to strike back at the would-be attacker with overwhelming force.

If the attacker cannot win in a single blow, the attribution of the attack exposes them to overwhelming retaliation by their victim. Even in cases of nuclear annihilation, the second-strike capability functions as a perpetual deterrent.


While the idea of deterrence has worked well for traditional war, it fails to carry over to CTI. First, impenetrable defense is an untenable notion in InfoSec; there is simply no such thing as a perfectly secured system – as evidenced by the continuous work carried out by both hackers and security teams.

Second, CTI also faces the problem of attribution. It is nearly impossible to actually discover the person behind a cyber-attack, so long as the attackers are the least bit competent. From DDoS attacks to IP spoofing, attackers have the distinct advantage of preserving anonymity, while the defenders are always known – and in a way, must be.

Third, CTI lacks the ability to retaliate, stemming from the fact that attack attribution is nearly impossible. The only viable retaliation option, where attribution is (somehow) possible, is to pursue a drawn-out legal procedure, culminating in a trial and possibly a conviction – assuming, of course, attribution, proof, and a perpetrator within the relevant legal jurisdiction.

Additionally, hacking does not require the monetary investments associated with traditional warfare. Many hacking tools are available free or cheap, and can be accessed by anyone with an internet connection. Botnets are relatively easy to build, and are also available on the cheap – with a 10,000-strong botnet running between $200 and $1,000.[i] Beyond the DIY approach, one can also hire hackers.[ii] With DIY sites, videos, and tools available for free or cheap, any 14-year-old with an old laptop and a bit of spare time can be a deadly force of hacking mayhem. Consequently, cyber-war is a highly asymmetric field – no longer about numbers of men, rifles, or bombs – or funds, for that matter. Instead, like corporate espionage, one person (any person) may inflict great harm on a massive corporation by means of a camera or a USB drive. Consequently, the traditional position of national strength plays no serious part in this theater of war.

All these factors combine to make cyber-warfare a medium where attacking is a no-risk/high-reward endeavor. With virtually no risk to the potential attacker, and possibly great rewards, there is no objective reason for them not to attack as many targets as possible, as often as possible.

By now, it should be clear that CTI and traditional warfare are radically different. Further, this difference is qualitative, and makes the two fields incommensurate. If CTI is incompatible with the main elements of traditional war, there is little use in attempting to translate other concepts – as most of them rely at least implicitly on the main elements. Attempting to do so is analogous to introducing military ideology into pacifism – when the shared basis of understanding is lacking, nothing ever seems to fit.

In the next article, we’ll compile a brief list of incompatibility problems, and consider how they can be used to give us a path towards a new model for understanding CTI.
