Introduction

Cybersecurity is often referred to as offense dominant,meaning that the domain generally favors the attacker [67, 65]. The reasoning behind this is simple: a successful defense must block all pathways to a system while a successful attack requires only one. As the old hacker adage goes: “the defender must always be right—the attacker only needs to be right once.” This notion of an offense dominant cybersecurity stems directly from “best practices” in the field. These methods primarily rely on technical measures to improve defense. Traditionally these have included variations on patch management, firewall usage, intrusion detection, and antivirus. However, an adversary particularly keen on gaining access to a system can study such defenses with the goal of finding the gaps. These actions are not limited to nation states or large criminal enterprises. The community of malicious hackers is a key enabler for these activities. While important, technical defense measures alone are unlikely to halt attackers and the offense will have the advantage in this case. This chapter explores the use of cyber threat intelligence to address this problem. By gaining insights on the adversary's behavior, we can better address the offense-dominant problem inherent in cybersecurity. The new market for cyber threat intelligence has emerged in recent years due to the realization that technical defensivemeasures, by themselves, are insufficient to address cybersecurity.

Consider the Threat

Central to the idea of cyber threat intelligence (in its current incarnation) is the sharing of information on the latest observed threats. Such data may be collected by a third party (i.e., a company that specializes in incident response or network monitoring), shared directly between organizations, or shared through a group of organizations (i.e., the various Information Sharing and Analysis Centers or ISACs). Certainly, distribution in a manner that best maximizes such information sharing while respecting the privacy of organizations and individuals is a key concern here, as is the role of government in such arrangements. These are some of several short-term problems that are being addressed by threat intelligence firms today: big data management; identification of attack patterns; sanitization/dissemination of information; knowledge extraction; and others. However, these are all relatively short-term problems. This chapter focuses on a larger, more systemic issue with cyber threat intelligence as it stands today: the vast majority of it is inherently reactive.