The post truth of “threat intelligence”

By EDRi · November 30, 2016

In the context of identifying the root cause of security breaches or attacks, we often see the threats emerging from weapons such as botnets, viruses, malware, etc. However, the biggest network security threats can also reside within a company. For this reason, modern techniques of network security forensics – the process of identifying the root cause of network-based crimes – rely on threat intelligence. Threat intelligence facilitates the implementation of a range of preventive measures. Let’s have a look at one of the many definitions of this term.

Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.


With the increase of attacks on the internet and the supporting infrastructure, the efforts to make these systems more secure have seen a rapid rise. The cyber security industry is shifting from the traditional “detect and improve” approaches towards “predict and prevent” methodologies, as it aims to build fail-safe security solutions. Advances in the fields of machine learning, artificial intelligence, data mining, and pattern matching have contributed substantially to predicting future attacks based on the previous failures of a system when it was attacked and compromised. Undoubtedly, these technologies have provided new dimensions of protecting any internet company’s assets, which classical cryptography failed to address. Indeed, the “predict and prevent” methodologies of securing internet businesses are a must-have weapon to survive in the constant arms race of the internet.


The network security companies selling threat intelligence products rely on many machine learning techniques to intelligently predict the future occurrence of security breaches. The expression threat intelligence is not only trending in the world of internet jargon, it has also become the most frequently used word in the sales pitches of the security industry. This fancy buzzword may attract more customers (mainly big corporations) to adopt threat intelligence products within their systems. However, it raises some privacy concerns from an end-user point of view.

Traditional threat intelligence software includes honeypots, firewall policies, and various pattern recognition techniques. However, due to the increased demand for addressing insider threats, modern software is very much focused on recording and recognising anomalous human behaviour. In simpler words, the software monitors people’s computers (mainly desktops) and presents insightful analytics in a very sophisticated manner. Not so surprisingly, some of these companies can be found in the Surveillance Industry Index (SII) built by Privacy International and Transparency Kit.
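To make concrete what “recording and recognising anomalous human behaviour” means in practice, here is an added illustration (not EDRi’s text and not any vendor’s code) of the simplest form such a detector takes: a per-user baseline of logon hours and workstations, against which new logon events are scored. The sample events are constructed, and the z-score rule with a one-hour floor is a generic choice, not a description of any particular product. The point to notice is the `build_profiles` output: even this toy version has to keep a named, per-person record of when and where each employee works, which is exactly the data the privacy concern is about.

```python
"""Toy insider-threat style anomaly detector: per-user logon baseline + scoring.
Added illustration; all events below are constructed sample data."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline of (user, ISO timestamp, workstation) logon events.
BASELINE_EVENTS = [
    ("alice", "2016-11-01T08:55:00", "ws-01"),
    ("alice", "2016-11-02T09:05:00", "ws-01"),
    ("alice", "2016-11-03T08:50:00", "ws-01"),
    ("alice", "2016-11-04T09:10:00", "ws-01"),
    ("bob", "2016-11-01T22:00:00", "ws-02"),
    ("bob", "2016-11-02T22:15:00", "ws-02"),
    ("bob", "2016-11-03T21:50:00", "ws-02"),
    ("bob", "2016-11-04T22:05:00", "ws-02"),
]

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    ("alice", "2016-11-05T03:20:00", "ws-17"),  # unusual hour and unknown host
    ("bob", "2016-11-05T22:10:00", "ws-02"),    # consistent with bob's night shift
    ("carol", "2016-11-05T10:00:00", "ws-03"),  # user with no baseline at all
]


def build_profiles(events):
    """Build a per-user profile: mean/stddev of logon hour and the set of hosts used.
    Note what is retained: a named record of each person's working pattern."""
    hours = defaultdict(list)
    hosts = defaultdict(set)
    for user, ts, host in events:
        hours[user].append(datetime.fromisoformat(ts).hour)
        hosts[user].add(host)
    return {
        user: {"mean_hour": mean(h), "std_hour": pstdev(h), "hosts": hosts[user]}
        for user, h in hours.items()
    }


def score_event(profiles, event, z_threshold=3.0, min_std=1.0):
    """Return the list of reasons an event deviates from its user's baseline
    (empty list means 'looks normal')."""
    user, ts, host = event
    profile = profiles.get(user)
    if profile is None:
        return ["no baseline for user"]
    hour = datetime.fromisoformat(ts).hour
    # Floor the deviation so very regular users do not produce a division by zero
    # (or flag every 10-minute variation). Hour-of-day wrap-around at midnight is
    # ignored in this simple version.
    std = max(profile["std_hour"], min_std)
    z = abs(hour - profile["mean_hour"]) / std
    reasons = []
    if z > z_threshold:
        reasons.append(f"logon hour {hour:02d} deviates {z:.1f} sigma from baseline")
    if host not in profile["hosts"]:
        reasons.append(f"host {host} never seen for this user")
    return reasons


def flag_anomalies(baseline, new_events, **kwargs):
    """Return (user, timestamp, reasons) for every new event that deviates."""
    profiles = build_profiles(baseline)
    flagged = []
    for event in new_events:
        reasons = score_event(profiles, event, **kwargs)
        if reasons:
            flagged.append((event[0], event[1], reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, reasons in flag_anomalies(BASELINE_EVENTS, NEW_EVENTS):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

Real products replace the z-score with learned models and add far more signals (file access, e-mail volume, web categories, keystroke timing), but the shape is the same: a profile of each individual is the thing being built, and its retention period, access controls and purpose limitation are where the privacy assessment has to start.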

A recently published exploratory analysis investigates the modus operandi of Modern Threat Intelligence Software (MTIS) to highlight the privacy risks associated with it. It is based on live demos, information in brochures and websites, and individual interactions. Read the full analysis here:

Privacy International: Surveillance Industry Index (SII)

Transparency Kit

(Contribution by Siddharth Rao, Ford-Mozilla Open Web Fellow, EDRi)