Written by Mike Mimoso, Editorial Director, Flashpoint
To state the obvious, proper intelligence requirements must be in place before data collection, analysis, and consumption of intel can happen. These requirements are critical because they enable an organisation to choose and prioritise its intelligence goals, determine what information it needs to collect and from what sources to achieve those goals, establish how it will process this information, and identify which dissemination methods are most appropriate for the finished intelligence it produces.
Intelligence requirements mandate some initial groundwork, however. The commercial sector, for example, has a much different starting point than its public-sector counterparts; a government agency may want to know all it can about an adversary targeting its network, while a financial services organisation may be primarily concerned about getting those bad guys off its network—whomever they may be—and keeping them off.
This approach will guide how intelligence requirements are formulated as organisations attempt to understand and protect their infrastructure, lessen the attack surface a threat actor may target, and reduce exposure to risk.
Assets and Exposure
Building intelligence requirements that work for your organisation requires a deep understanding of available assets and exposure through a comprehensive asset inventory and threat-profiling exercise, more so than a debate about how much software and people hours you will need to invest in order to address a threat. A much more fruitful discussion should be had about the specific information you need to collect to satisfy specific intel requirements.
For the commercial sector, this type of asset inventory and evaluation of internal assets and exposure in the context of adversaries’ tactics, techniques, and procedures must also include an understanding of threats to others in your industry, and tangentially against your supply chain, or others who store and execute upon the same types of data as your company. Being solely reactive puts organisations at an immediate disadvantage, not only with regard to incident response, but also with communicating potential risk to intelligence consumers and decision makers.
The More You Know…
Looking at this from a commercial business risk intelligence (BRI) perspective, intelligence requirements are derived from questions that need to be answered, and those questions should be formulated by those who will consume the subsequent intelligence, such as business leaders or analysts in a security operations centre.
It’s too broad a question to ask whether there are hackers a business needs to be concerned with, because properly answering that question would require extensive, time-consuming data collection and profiling of active threat actors and could easily be over-taxing for analysts already overburdened with alerts. A more focused approach would be to first identify which systems are core to the business. Next, determine whether there are publicly disclosed vulnerabilities and/or attacks targeting those systems, understand the consequences of a breach of the data on those systems, and find out whether attackers are targeting others in your industry.
This level of insight can help an organisation narrow its open web or Deep & Dark Web sources of information and focus only on core areas of concern, such as cybercrime, fraud-loss avoidance, emergent malware, disruptive attacks, or public exploits, for example. It also puts security analysts and decision makers in a position to be proactive about future threats and inform risk-based decisions.
Once there is an understanding of assets and exposure based on such specific and tailored questions, work on equally narrow intelligence requirements may begin. In the above examples, an organisation may establish a requirement that certain threat-actor profiles be developed, or intelligence on only a handful of pertinent vulnerabilities and exploits be produced. If threat actors have used a zero-day attack against organisations running a previously undisclosed Adobe Flash vulnerability, and you’ve blocked Flash usage on employee devices, these incidents have little bearing on your operation.
This is the type of tactical, operational, or strategic intelligence organisations require to inform decisions and lessen risk. It all begins with intelligence requirements, and going a layer higher, the legwork required to support the development of viable intelligence requirements is challenging. It’s also worthwhile and supports the ultimate outcome for any security and risk team: preserve an organisation’s resiliency and operational continuity.