Understanding Intelligence Requirements
As threat landscapes morph, intelligence requirements have emerged as a vital tool for cyber threat research and analysis. These are topics or research questions centered on an organization’s cyber threat priorities. They guide the Security or Threat Intelligence Team’s research and analysis efforts, providing valuable insights into threats, vulnerabilities, and cybercriminal tactics.
Example requirements might include:
– What ransomware variants are being used against US-based financial institutions?
– What threat actor groups target energy companies in the United States and Saudi Arabia?
– What vulnerabilities exist in Microsoft Office 365?
Types of Intelligence Requirements
Intelligence requirements are often based on incident reports, geographical locations, industry sectors, technology used, and ad-hoc requests (RFIs). Those requirements can be further defined by organizing them into subtypes. Here at ThreatConnect, we’ve refined these into the following:
– Intelligence Requirement (IR): Concerns threats facing the organization, such as cyber, fraud, and geopolitical/physical threats.
– Priority Intelligence Requirement (PIR): Focuses on the motives, TTPs, targeting, impact, or attribution of threat actors related to IRs.
– Specific Intelligence Requirement (SIR): References specific facts about threat activity, like indicators of compromise (IOCs).
– Request for Information (RFI): Involves one-off requests for information relating to topics of interest to stakeholders.
– Research Requirement (RR): Covers a topic or area of investigation that is of interest to a specific individual or group and that doesn’t necessarily merit an entire intelligence requirement but does necessitate tracking of relevant information.
Developing Effective Intelligence Requirements: A 5-Step Best Practice Approach
Step 1: Collect Information from Stakeholders
The primary purpose of intelligence requirements is to provide the security organization with the necessary information for decision-making. The starting point in creating these requirements is identifying what’s important to your stakeholders. These could be representatives from each business unit, security team leaders, or your organization’s Chief Information Security Officer and/or Chief Information Officer.
The challenge here is often getting information from stakeholders: both input on what the requirements should include and feedback on how well the provided information addresses the requirements.
Step 2: Identify Suitable Requirement Types
Most teams find it helpful to start with what they already know. For some, this means beginning with geographical and industry-focused requirements. For others, it means starting with requirements derived from incidents and alerts worked by other teams within the security organization.
Step 3: Draft Preliminary Requirements
Draft a preliminary set of requirements based on the information collected from stakeholders and the requirement types identified. It’s easier to refine a set of requirements than to create one from scratch, so don’t worry about getting it “right” the first time.
Step 4: Review Draft Requirements with Stakeholders
This step is crucial as it aligns the intelligence requirements with the business objectives. Scheduling regular meetings with stakeholders or using a survey-style approach can help collect additional information and get feedback.
Step 5: Update and Finalize Requirements based on Stakeholder Feedback
After reviewing the draft requirements, refine and finalize them based on stakeholder feedback. These can be captured and tracked using the new Intelligence Requirement feature in ThreatConnect.
What’s Next After Developing Your Intelligence Requirements?
Set a Review Schedule
It’s good practice to review and update requirements regularly (quarterly, bi-annually, or annually), depending on your team and business needs. This ensures that your team remains focused on investigating matters that will significantly impact the organization.
Create Collection Requirements
The next step involves creating collection requirements from your finalized intelligence requirements. These will guide your team’s resources in gathering the information needed to answer the intelligence requirements.
Use the Requirements to Focus Your Team’s Work
Having defined intelligence requirements helps to focus a team’s work. Most of the analysts’ time should be spent on things related to the requirements themselves. Assigning individual requirements to specific analysts is one way to ensure each team member knows their areas of responsibility.
In conclusion, intelligence requirements, when understood and used effectively, are a powerful tool for any security organization. With ThreatConnect, you can confidently navigate the evolving threat landscape and ensure your organization’s cybersecurity is robust and responsive.