The Human Element of Threat Intelligence

The Human Element of Threat Intelligence
5 minute read

Cybersecurity is an art as much as a science. While some things are laid out, some require nuance, experience, and a dash of human intelligence. When solving the most perplexing cybersecurity Whodunnits, AI alone cannot be trusted to think about a problem in the way an intelligence analyst would.

ChatGPT would tell you, “ChatGPT should be seen as a tool that complements the skills and expertise of human intelligence analysts rather than replacing them entirely.” This is especially true as cybersecurity complexity increasingly requires a holistic approach to problem-solving and a "head for the game", especially regarding external threat intelligence.

The Role of Human Intelligence Analysts

Within a security context, Human Intelligence (HUMINT) is defined as “the gathering of political or military intelligence through secret agents.” This definition alone sets out the value add of individuals as vastly different than what can be imitated by machines. 

First, it is important to recognize that cybersecurity has two sides. One is the clinical, clean side focusing on high-tech gadgets, AI-driven technology, next-gen firewalls, etc. That is a crucial aspect, but it is not the only aspect. 

The other side is a bit darker. It is keeping in mind that humans launch exploits and that behind every ransomware campaign is a person sitting at their computer, hoping you’ll pay the ransom and that they won’t get caught. Or it’s a malware gang ready to publish the PII of thousands of innocent breach clients on a dark web forum online. 

Skills and expertise are required for effective intelligence analysis, and many of those are primarily soft skills that require humans at the helm. Human beings bring traits such as business acumen, creative problem-solving, and psychological and emotional intelligence to a field where the masterminds are themselves human. Who better to catch a criminal than a person that can think like one? To be able to have this level of existential thought requires something ChatGPT and automation cannot give.

External Threat Intelligence

One of the primary plays for human intelligence in cybersecurity is within External Threat Intelligence. An external cybersecurity threat originates beyond the corporate network and can include social media impersonations, spoofed domains, fraudulent job postings, and other threats on digital platforms not under the traditional security purview of the company.

If enterprises are to stay safe, they must account for the threats in that gray space, the external attack surface, where “digital innovation happens, customers engage, and threat actors lurk.” However, this is an area not typically within the expertise of most SOCs. Consequently, as external threats have risen, so has the popularity of External Threat Intelligence Services.

These services include:

And more.

These are intelligence activities that require specialized knowledge and tradecraft. A firewall cannot search out and remove domains impersonating your company. No matter how savvy, an XDR platform cannot scan ZipRecruiter and LinkedIn for illegal postings under executives’ names. And no amount of AI can dive into the dark web and negotiate for the return of stolen databases.

These threats often require a human touch, human problem-solving, and creative measures to understand threat actor motivations and determine the right course of action. External attacks are largely ploys designed to outsmart the consumer, even if they are executed at the final stage by bots. Rooting them out requires outfoxing the humans behind the attacks – not shooting the proverbial tech messenger.

Challenges in Running an Effective Intelligence Program With Tech Alone

While this is a challenge many organizations would like to meet in-house, it's more challenging than that. If Company A wants a qualified security architect, there are people with resumes to match. If they want a PKI expert, a penetration tester, or a cryptography specialist, there are clear qualifications for which to search. However, finding a team of scrappy professionals that can navigate the seedy underbelly of the underground economy and outmaneuver career hackers at their own game might be more challenging to find with a job posting. 

These are mainly new and innovative challenges, and the fact of the matter is that most organizations don't have the skill sets needed, or even the access to these forums to collect intelligence and conduct analysis. Even if they were to start cross-training new hires, staff turnover problems and training and retaining cybersecurity professionals would eventually rear their ugly heads. 

Safely performing these tasks would also require the involvement of other areas of the organization, as safeguarding privacy and respecting legal boundaries are of primary concern. These jobs just can't be "handled"; they need to be handled with care and by experts who know – and can avoid – the pitfalls. Otherwise, the cure might leave a company in worse shape than the disease.


Not only does external cybersecurity require specialized attention, but it also requires the kind of attention only a human can give. And it involves the type of expertise only a very uniquely qualified human can provide, at that.

Combating cutting-edge exploits in the digital gray space of N minus the network is a creative, think-on-your-feet endeavor unsuitable for programmable operations. There is no map, and while teams of experts utilize best-in-class technology, the earned savvy behind using those technologies is where the distinction lies.

Humans and technology must work together to combat the challenges of modern-day threats. However, in the rush to adopt one, the other must not be forgotten. So long as human beings are behind the online schemes, it will ultimately take human beings to root them out.

Tags: Threat Intelligence

See ZeroFox in action