Principles of Predictive Threat Intelligence
Deliver high-quality predictive intelligence using these four principles.
Introduction
Predictive intelligence is emerging as a critical component of proactive defense strategies, as noted by authorities such as MITRE and Gartner, offering the capability to anticipate, prepare for, and mitigate threats before they fully materialize. As with any emerging field, there is no agreed-upon definition of what predictive intelligence should look like. As a result, predictive threat intelligence reports in the industry vary widely, which makes it harder for consumers to operationalize them.
To address this issue, this post proposes four principles that we consider essential for making high-quality predictions. They are encapsulated in the acronym PART: Probabilistic, Actionable, Responsive, and Time-bound.
Now let’s break down these principles and explore how they should be implemented.
1. Probabilistic
When performing predictive analysis, we must evaluate the likelihood of each scenario that is being considered. A high-quality product must assign probabilities or confidence levels to those forecasts.
Probabilistic models can leverage statistical methods, machine learning, and historical data. Confidence levels in the end product can be quantitative (“There is a 70% chance of a ransomware attack”) or categorical (“High likelihood”), depending on the case; when categorical levels are used, define the probability range each level maps to, otherwise the forecast cannot be scored later. Through this, decision-makers will be able to allocate resources more effectively.
Take a look at the following example from the post referenced above, and notice the quantitative probability attached to it:
If accounts belonging to our organization or our customers have been leaked in publicly shared Infostealer logs (and data breaches), there is a 40% probability that a DDoS/credential stuffing attack will occur within two weeks.
This insight was derived from observing a moderate correlation between events from two data sources: credential exposure events from identity intelligence and subsequent attack events from the SIEM.
Furthermore, you can watch the “Infostealer infections” section from one of our talks to learn how probabilistic and evaluable models can be developed. Pay attention to the defined metrics used to validate the model's effectiveness and how historical back-testing was done using the available data.
2. Actionable
Predictive analysis is a complex and resource-intensive process. Therefore, analyses should be done while keeping defensive capabilities in mind: a prediction is of no use if no defensive action can be taken on it. In your end product, pair each prediction with a set of tailored mitigation steps, such as patch recommendations, system configurations, or user awareness initiatives.
For example, a Proactive Countermeasure Plan pairs each forecast with the countermeasures to apply against it. You can check out the referenced post to learn what a Proactive Countermeasure Plan is.
3. Responsive
Forecasts often depend on specific conditions or triggers. A predictive intelligence product should articulate the conditions under which a prediction is valid and describe how changes in those conditions would alter the outcome. Decision-makers should have a clear view of the factors influencing an outcome and the reasoning behind the prediction, so that the prediction can be revised as soon as one of those factors changes. This way, our predictive models stay responsive to changing circumstances.
As an example, take a look at the future scenarios outlined in the post above, which describe various policy changes Turkey could adopt during the Russia-Ukraine war, along with the implications of each scenario on cyber threats to Turkey.
4. Time-bound
A prediction without a temporal scope lacks utility. Predictive intelligence must specify when the threat is expected to materialize, whether in days, weeks, or longer. Use clear time frames in all outputs, and allow decision-makers to filter predictions by urgency to focus on imminent risks. For instance, a prediction about a potential attack during a high-profile event in the next 72 hours demands immediate attention and response.
Additionally, include success metrics and post-mortem analysis to track prediction outcomes and refine models based on real-world results. A time-bound prediction is also a scorable one: once its deadline passes, it either materialized or it did not, and that outcome can be recorded against the stated probability. This evaluability provides a feedback loop for continuous improvement, and it also underscores the importance of ensuring predictions are data-driven rather than based on intuition or unverified reports.
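The following script is an added example, not code from this post or from the talk referenced in the Probabilistic section. It covers both the back-testing described there and the success-metric tracking described here: it derives P(attack within 14 days | credential leak) from two constructed event streams standing in for identity-intelligence and SIEM data, compares it with the base rate to show the lift the signal provides, and then scores a log of time-bound predictions with the Brier score against a naive forecaster that always states the base rate. An unobserved outcome counts as "did not materialize" only once the deadline has passed; predictions that are not yet due stay out of the score and can instead be filtered by urgency. All dates, events, and predictions are constructed, and the Brier score is a standard forecast metric, not necessarily the one used in the talk.

```python
"""Back-test a conditional forecast from two event streams, then score the
resulting time-bound predictions.  Added example; all data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

T0 = datetime(2024, 1, 1)


def day(n: int) -> datetime:
    """Day n of the constructed observation period."""
    return T0 + timedelta(days=n)


# Constructed sample events (hypothetical, not real telemetry).
# Identity intelligence: our accounts seen in publicly shared infostealer logs.
LEAKS = [day(n) for n in (2, 20, 40, 55, 150)]
# SIEM: confirmed credential-stuffing / DDoS incidents.
ATTACKS = [day(n) for n in (8, 31, 120)]
PERIOD_START, PERIOD_END = day(0), day(180)
WINDOW = timedelta(days=14)            # "within two weeks"
URGENT_HORIZON = timedelta(hours=72)   # "next 72 hours"


def attack_in_window(start: datetime, attacks, window: timedelta) -> bool:
    """True if any attack falls in (start, start + window]."""
    return any(start < a <= start + window for a in attacks)


def conditional_probability(leaks, attacks, window: timedelta) -> float:
    """Back-tested P(attack within window | leak): share of past leaks followed by an attack."""
    hits = sum(attack_in_window(t, attacks, window) for t in leaks)
    return hits / len(leaks)


def base_rate(attacks, start: datetime, end: datetime, window: timedelta) -> float:
    """P(attack within window) with no leak signal: share of daily window starts
    in [start, end - window] that are followed by an attack."""
    n_starts = (end - start - window).days + 1
    hits = sum(attack_in_window(start + timedelta(days=i), attacks, window)
               for i in range(n_starts))
    return hits / n_starts


@dataclass
class Prediction:
    issued: datetime
    probability: float              # forecast that the event occurs by the deadline
    deadline: datetime              # time-bound: the prediction resolves here
    outcome: Optional[bool] = None  # None until an outcome is recorded


def resolved_outcome(p: Prediction, now: datetime) -> Optional[bool]:
    """A recorded outcome is authoritative.  Otherwise the prediction is pending
    until its deadline, after which 'nothing observed' counts as 'did not occur'."""
    if p.outcome is not None:
        return p.outcome
    return False if now >= p.deadline else None


def brier_score(predictions, now: datetime) -> Optional[float]:
    """Mean squared error between forecast and 0/1 outcome over resolved
    predictions: 0 is perfect, 0.25 is what 'always 50%' scores."""
    pairs = [(p.probability, resolved_outcome(p, now)) for p in predictions]
    pairs = [(prob, out) for prob, out in pairs if out is not None]
    if not pairs:
        return None
    return sum((prob - float(out)) ** 2 for prob, out in pairs) / len(pairs)


def baseline_brier_score(predictions, now: datetime, p_base: float) -> Optional[float]:
    """Score a naive forecaster that always states the base rate; a model that
    does not beat this adds nothing over 'attacks happen sometimes'."""
    naive = [Prediction(p.issued, p_base, p.deadline, p.outcome) for p in predictions]
    return brier_score(naive, now)


def due_within(predictions, now: datetime, horizon: timedelta):
    """Urgency filter: still-pending predictions whose deadline is within horizon."""
    return [p for p in predictions
            if resolved_outcome(p, now) is None and p.deadline <= now + horizon]


# Constructed prediction log: each leak produced a forecast with a two-week deadline.
PREDICTIONS = [
    Prediction(day(2), 0.4, day(16), outcome=True),
    Prediction(day(20), 0.7, day(34), outcome=True),
    Prediction(day(40), 0.4, day(54)),             # deadline passed, nothing seen
    Prediction(day(55), 0.2, day(69), outcome=False),
    Prediction(day(150), 0.4, day(164)),           # still open at NOW
]
NOW = day(162)

if __name__ == "__main__":
    p_leak = conditional_probability(LEAKS, ATTACKS, WINDOW)
    p_base = base_rate(ATTACKS, PERIOD_START, PERIOD_END, WINDOW)
    print(f"P(attack within 14d | leak) = {p_leak:.2f}, base rate = {p_base:.2f}, "
          f"lift = {p_leak / p_base:.2f}")
    print(f"Brier score: model {brier_score(PREDICTIONS, NOW):.3f} vs "
          f"base-rate forecaster {baseline_brier_score(PREDICTIONS, NOW, p_base):.3f}")
    for p in due_within(PREDICTIONS, NOW, URGENT_HORIZON):
        print(f"urgent: issued {p.issued.date()}, p={p.probability}, due {p.deadline.date()}")
```

On the constructed data the leak signal roughly doubles the chance of an attack in the following two weeks (0.40 against a base rate of about 0.22), and the model's Brier score beats the base-rate forecaster, which is the minimum bar a forecast must clear before it is worth publishing. Splitting the event history into a fitting period and a held-out period before computing the conditional probability turns the same functions into a proper out-of-sample back-test.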
Conclusion
The four principles outlined in this post are intended as a guideline for creating high-quality predictive intelligence reports. It is important to remember that predictive analysis is not a one-time effort but an ongoing process that requires continuous improvement.