It is common to ask whether a blog or whitepaper by a cybersecurity company is marketing FUD (fear, uncertainty, doubt) or valuable threat intelligence. Funding bias is a real issue. Particularly in funded research studies. Funding bias (or sponsorship bias) is more subtle in cyber threat intelligence because private cybersecurity companies rely on customers to stay in business and employ their staff. It is common for companies to use threat intelligence as a component of marketing. Let’s first put this to rest: on principle this is not wrong.
The real issue for customers, readers, users, analysts, etc. is to find out if a company’s ‘intelligence’ posting has actual intelligence value or whether it is intelligence disguised as a marketing or sales generator.
In my 20 years of experience with years of working alongside marketing and sales while managing and operating intelligence teams, I have some unique insight into this problem. It’s not easy and it’s always a balance. On one hand, you want to publish the absolute best intelligence possible AND you want everyone to know about it – this is where marketing and sales comes in. The more people know about useful intelligence the more useful it becomes. We cannot ignore that unique value proposition to cyber defense. On the other hand, I want to stay employed and continue to employ others doing great work – and we need sales and marketing support to do that. Cyber threat intelligence at scale cannot be a volunteer effort, and as we should expect to pay people for their time and skills, we should expect intelligence analysts to get paid as well.
Therefore, every public release of intelligence from a private company is necessarily part of sales and marketing – even if unintentional. But, it’s not binary either, as every public intelligence release is neither “only sales” nor “only intelligence.” So, we need to find a way to distinguish when a piece of content is more marketing or more intelligence.
I’ve developed this simple rubric that I use daily in both the production of intel (to prevent falling into traps) as well as the consumption of intel (to help quickly identify useful intelligence).
This rubric I call the ADEPT Model to evaluate threat intelligence and marketing.
It is very simple. The ADEPT model has five elements: Avoidance, Defenses, Emphasis, Pitch, and Technicality. Every piece of public threat intelligence content can be evaluated on whether it has the element or not: giving it a 1 or 0 score for that element. Simply add up all the points across the five elements and the more ADEPT (points) a piece of content receives the more intelligence value it likely contains. As an analyst I must always preface that all models are bad, but some are useful. I also consider this model terrible, but at the same time useful 🙂
The 5 ADEPT Elements
- Avoids mentioning product categories, product names, or buzzwords: words like ‘orchestration’ or other buzzwords in threat intelligence is inappropriate.
- Defenses a reader can take themselves regardless of product: good intelligence will always provide useful defensive action regardless of product.
- Emphasis on the activity, instead of the product responsible for finding it: most marketing will focus on the business case, while intelligence will focus on the activity.
- Pitch for a product or service is left to the end: businesses must pitch their products or services, but these must be at the end or clearly differentiated from the intelligence.
- Technically competent material: while threat intelligence should try to avoid ‘jargon’ it won’t hide from accuracy.
ADEPT Example: Intelligence vs Marketing
Learn ADEPT and the whole practice of Cyber Threat Intelligence here at the Threat Intelligence Academy! (see what I did there?)