Skip to main content
Download the Buyer’s Guide for Cyber Risk Quantification Solutions
Download Guide
Request a Demo

Create Intelligence Requirements in 5 Easy Steps

Create Intelligence Requirements in 5 Easy Steps Blog

How to Understand Intelligence Requirements

As threat landscapes morph, intelligence requirements have emerged as a vital tool for cyber threat research and analysis. These are topics or research questions centered on an organization’s cyber threat priorities. They guide the Security or Threat Intelligence Team’s research and analysis efforts, providing valuable insights into threats, vulnerabilities, and cybercriminal tactics.

Example requirements might include:

– What ransomware variants are being used against US-based financial institutions?

– What threat actor groups target energy companies in the United States and Saudi Arabia?

– What vulnerabilities exist in Microsoft Office 365?

Types of Intelligence Requirements

Intelligence requirements are often based on incident reports, geographical locations, industry sectors, technology used, and ad-hoc requests (RFIs). Those requirements can be further defined by organizing them into subtypes. Here at ThreatConnect, we’ve refined these into the following:

Intelligence Requirement (IR): Concerns threats facing the organization, such as cyber, fraud, and geopolitical/physical threats.

Priority Intelligence Requirement (PIR): Focuses on the motives, TTPs, targeting, impact, or attribution of threat actors related to IRs.

Specific Intelligence Requirement (SIR): References specific facts about threat activity, like indicators of compromise (IOCs).

Request for Information (RFI): This involves one-off requests for information relating to topics of interest to stakeholders.

Research Requirement (RR): This is a topic or an area of investigation of interest to a specific individual or group that doesn’t necessarily merit an entire intelligence requirement but does necessitate tracking of relevant information.

Developing Effective Intelligence Requirements: A 5-Step Best Practice Approach

Step 1: Collect Information from Stakeholders

The primary purpose of intelligence requirements is to provide the security organization with the necessary information for decision-making. The starting point in creating these requirements is identifying what’s important to your stakeholders. These could be representatives from each business unit, security team leaders, or your organization’s Chief Information Security Officer and/or Chief Information Officer.

The challenge here is often getting information from stakeholders, both regarding what the requirements should include and feedback on how well the provided information addresses the requirements.

Step 2: Identify Suitable Requirement Types

Most teams find it helpful to start with what they already know. For some, this means beginning with geographical and industry-focused requirements. For others, it means starting with requirements derived from incidents and alerts worked by other teams within the security organization.

Step 3: Draft Preliminary Requirements

Draft a preliminary set of requirements based on the information collected from stakeholders and the requirement types identified. It’s easier to refine a set of requirements than to create one from scratch, so don’t worry about getting it “right” the first time.

Step 4: Review Draft Requirements with Stakeholders

This step is crucial as it aligns the intelligence requirements with the business objectives. Scheduling regular meetings with stakeholders or using a survey-style approach can help collect additional information and get feedback.

Step 5: Update and Finalize Requirements based on Stakeholder Feedback

After reviewing the draft requirements, refine and finalize them based on stakeholder feedback. These can be captured and tracked using the new Intelligence Requirement feature in ThreatConnect.

What’s Next After Developing Your Intelligence Requirements?

Set a Review Schedule

It’s good practice to review and update requirements regularly, quarterly, bi-annually, or annually, depending on your team and business needs. This ensures that your team remains focused on investigating matters that will significantly impact the organization.

Create Collection Requirements

The next step involves creating collection requirements from your finalized intelligence requirements. These will guide your team’s resources in gathering the information needed to answer their intelligence requirements.

Use the Requirements to Focus Your Team’s Work

Having defined intelligence requirements helps to focus a team’s work. Most of the analysts’ time should be spent on things related to the requirements themselves. Assigning individual requirements to specific analysts is one way to ensure each team member knows their areas of responsibility.

In conclusion, understanding and effectively leveraging intelligence requirements is a powerful tool for any security organization. With ThreatConnect, you can confidently navigate the evolving threat landscape and ensure your organization’s cybersecurity is robust and responsive.

Explore Intelligence Requirements with our interactive demo

Other Resources:

About the Author

Marika Chauvin

Marika Chauvin is a Strategic Product Manager for Threat Intelligence and Risk at ThreatConnect. Prior to this role, Marika spent several years as a Senior Threat Intelligence Researcher on the ThreatConnect Research Team. Before joining ThreatConnect, Marika helped develop Chevron’s Cyber Intelligence Center, and worked as a contractor with the U.S. Department of State’s Cyber Threat Analysis Division. Marika is a non-state actor subject matter expert and has done extensive research on independent hacker groups. Marika lives in New Orleans with her husband, son, cats, and pup.