Cyber security today has no way to judge a visitor's intent. We throw away valuable intelligence that is available in the earliest stages of the cyber kill chain and instead choose to react haphazardly in the later, more expensive stages. We fail to identify the digital bank robbers before they walk in, and so end up with an expensive, drawn-out, and potentially fatal hostage situation. Had we been watching the door, we could simply have locked it.
Up to this point organizations have chosen to block attacks immediately rather than treat them as an opportunity to gather intelligence about a persistent adversary. That has been a simple business decision: recording attack activity against an organization's real infrastructure carries an operational cost that is too high to bear. But intent tells you a great deal about your visitors, and it can let you classify them as good or bad before a breach occurs rather than after.
Predictive policing, for example, is a concept that would fare far better in the cyber world than in the physical one. Freed from the social concerns about profiling people, we can apply it, together with predictive analytics, to identify malicious activity early and then prioritize our human response for the truly advanced APTs.
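To make the idea of classifying visitors by intent concrete, here is an added example (not the author's method, and not code from the original post) that scores web-server access-log lines by reconnaissance signals alone, the earliest kill-chain stage a web server ever sees, labels each source address before any exploitation occurs, and orders the result so an analyst handles the most purposeful visitor first. The probe paths, scanner user-agent strings, weights and the hostile threshold are assumptions chosen for the illustration, and the log lines are constructed.

```python
"""Visitor-intent scoring over web access logs (added illustration).

Signals, weights and threshold are assumptions for the example, not a
published model; the sample log lines are constructed.
"""
import re
from collections import defaultdict

# Combined log format: ip - - [ts] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed signals: paths a legitimate visitor of this (hypothetical) site has no
# reason to request, and user agents belonging to well-known scanning tools.
PROBE_PATHS = ("/.env", "/wp-login.php", "/phpmyadmin", "/.git/", "/xmlrpc.php")
SCANNER_UA = ("sqlmap", "nikto", "masscan", "nmap", "zgrab")
WEIGHTS = {"probe_path": 3, "not_found": 1, "scanner_ua": 5, "traversal": 4}
HOSTILE_AT = 8  # assumed threshold: cumulative score >= this is "hostile"

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [10/Oct/2023:13:57:10 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 900 "-" "sqlmap/1.7"',
]


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_request(rec):
    """Return (points, reasons) for a single parsed request."""
    points, reasons = 0, []
    path, ua = rec["path"].lower(), rec["ua"].lower()
    if any(path.startswith(p) for p in PROBE_PATHS):
        points += WEIGHTS["probe_path"]; reasons.append("probe_path")
    if rec["status"] == "404":
        points += WEIGHTS["not_found"]; reasons.append("not_found")
    if any(s in ua for s in SCANNER_UA):
        points += WEIGHTS["scanner_ua"]; reasons.append("scanner_ua")
    if "../" in path or "%2e%2e" in path:
        points += WEIGHTS["traversal"]; reasons.append("traversal")
    return points, reasons


def classify(lines):
    """Aggregate scores per source IP and attach a verdict to each."""
    per_ip = defaultdict(lambda: {"score": 0, "reasons": set(), "requests": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed line: skip rather than guess
        pts, why = score_request(rec)
        entry = per_ip[rec["ip"]]
        entry["score"] += pts
        entry["reasons"].update(why)
        entry["requests"] += 1
    for entry in per_ip.values():
        entry["verdict"] = "hostile" if entry["score"] >= HOSTILE_AT else "benign"
    return dict(per_ip)


def triage_order(result):
    """Source IPs sorted so the analyst sees the most purposeful visitor first."""
    return sorted(result, key=lambda ip: result[ip]["score"], reverse=True)


if __name__ == "__main__":
    verdicts = classify(SAMPLE_LOG)
    for ip in triage_order(verdicts):
        v = verdicts[ip]
        print(f"{ip:14} {v['verdict']:8} score={v['score']:3} "
              f"requests={v['requests']} reasons={sorted(v['reasons'])}")
```

On the constructed sample the host probing for `.env`, `wp-login.php` and `phpmyadmin` is ranked first and the sqlmap traversal attempt second, while the ordinary browser session scores zero. Static lists and fixed weights are deliberately crude; the point is that the signal exists before any exploitation, and that recording and scoring it, rather than silently blocking it, is what produces the intelligence the paragraph above argues we currently throw away.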
Intent, and the pre-breach forensics that establish it, matters just as much to law enforcement and prosecutors. In the physical world, establishing intent is what separates some classes of crime from others and leads to different levels of severity in penalties. Without the intelligence that captures intent, a defendant can claim the act was a crime of opportunity rather than part of a concerted effort. Stalking, or any other crime defined by purposeful or repetitive behavior, cannot even be identified in the cyber realm without it. Today we do not look into the mindset of the attacker, so either they are not caught or they get off easy.