Intelligence is the enrichment of data or information, its classification and publication by experts within a field. The resultant output is ordinarily a qualitative assessment backed by quantitative metrics, or absolutes which formed part of the data or information it was derived from.

In terms of Cyber Threat Intelligence, this goes beyond the extraction of IOCs, strings, and the generation of cryptographic hashes, and fuzzy hashing – this is the correlation of events, actors, methods, and motives to generate Threat Intelligence which aims to describe the objectives, motives, capability and perhaps the identity of a threat actor.

The relationship between data, information and intelligence is largely heirarchial. Data exists in very large quantities and can generally be found everywhere, but not a lot of it is actually useful.

Information is generally a collection of data, but it contains meaningful data and states facts in terms of who, what, when, how for an action.

Intelligence is the interpretation of the information aimed at providing in-depth understanding and knowledge of the subject matter. This understanding and knowledge in this sense is used to support decision making and response actions.

Generally, as data becomes information, and information becomes intelligence, the volume of material which constitutes each layer becomes smaller and smaller, yet the value of the content becomes considerably more so.

This is generally where governments and organisations begin classifying their data, information and intelligence to appropriately protect the enrichment of this content to protect their investment in the process, but also protect the decision making rationale which was influenced by that intelligence.

In terms of Cyber Threat Intelligence, this process is aimed at converting unknown threats, into known threats, and identifying potential solutions and mitigation techniques to those now known threats.