Happy New Year to all, and let’s hope the year 2022 brings us good things. Unfortunately, 2021 was a bit hectic, which impacted my blog writing. So with this new year, I wanted to keep writing and start with one of my favourite topics – Intelligence.
This post (and hopefully others to follow) is meant to assist individuals or teams looking to start an in-house intelligence program. I will begin with Planning and Direction, the first part of the Intelligence Life Cycle. Intelligence analysts follow the Intelligence Cycle when a mission statement from senior/executive management is executed. This process ensures the analysts do their job accurately. The five steps are Planning & Direction, Collection, Processing, Analysis & Production, and Dissemination. Let’s take a closer look at each step:
- Planning and Direction: When a TI analyst or team is tasked with a specific job, they begin planning what to do and how. As a team they should move in a specific direction to get the job done, listing what they know about the issue and what they need to find out, and discussing ways to gather the necessary intelligence. This is where we start with intelligence requirements.
- Collection: Based on the requirements, the TI team collects information overtly (openly) and covertly (secretly/closed source). Reading public articles, newspapers, social media posts and blogs, listening to foreign radio, and watching overseas television broadcasts are examples of “overt” (or open) sources. Other information sources can be “covert” (or secret), such as information collected from sources on dark web forums, direct access to law enforcement, etc. For instance, TI analysts could actually become part of an underground forum or a group discussing ways to target a bank.
- Processing: The TI team takes all the information they have collected and puts it into an intelligence report. This information could be anything from a translated document to a description of a threat.
- Analysis and Production: During this step, the TI team takes a closer look at all the information and determines how it fits together, while concentrating on answering the original tasking (identified in the planning phase). The TI team assesses what is happening, why it is happening, what might occur next, and how it affects the bank’s interests.
- Dissemination: In this final step, the TI team gives its final written analysis to the decision-makers (stakeholders). After reading the final analysis and learning the answer to the original question, the decision-makers may come back with more questions or act on the recommendations, if any. Then the whole process starts over again.
Planning and Direction is a phase where I strongly suggest considering the human element. Yes, I am talking about getting expertise, especially people with an Intelligence background and a technical understanding of Cyber. Giving a chance to fresh graduates and less experienced individuals is fine, but still seek out talented individuals who can assess an event thoroughly without bias and anchoring.
What are Intelligence Requirements and why are they required?
As per my LinkedIn post, Intelligence requirements are time-phased, mapped or tied to a single question, and help make a decision.
Firstly, let’s understand what Intelligence requirements are, why we prioritise certain ones, and how they differ. For any Intelligence operation, an objective or, say, a mission statement (in the form of a question) is required, which helps determine the requirements.
To have a working (as opposed to successful) Intelligence program or, say, operation, a team or an organisation needs a way to measure it. One of the most crucial attributes of the measurement framework is the requirements. Once all these requirements are mapped and fulfilled, we can say that the Intelligence program is successful. With this blog article (the first of many, hopefully), I hope to share what I know and how I believe an Intelligence program is established, starting with requirements gathering.
As we know, requirements typically come from decision-makers and may be mapped to some kind of mission statement. These requirements help them make a decision and help on a strategic level, usually towards reducing the organisation’s overall risk posture. However, I have always had questions such as:
- So how many decision-makers can be in an organisation?
- And do you ask each and every stakeholder?
Many teams do follow this path: talk to all department heads and get multiple responses labelled as requirements. I would personally label them as “wants” rather than “needs”, as they are mostly of the form “I want to know all X targeting us”. The flaw here is that the answer to such a question is specific to the unit or stream they manage. Converting them into something actionable that can defend the organisation becomes tedious, resulting in an ineffective intelligence program.
NOTE: Any vendors, organisations or entities who have already developed a program that is working should continue to do so. I am not saying they are wrong or not the way they should be. However, the following can be used as a reference or just a good read.
Here, you may see that I have separated business and organisation, as I believe their threats can differ as well as overlap. For example, consider a financial institution vs a government body. A financial institution has customers who use its commercial services, while a government body, such as one that issues driving licences, serves citizens, who are not considered customers.
If the exact same type of cyber-attack (e.g. a Denial of Service attack) successfully takes down the public-facing sites of both the financial institution and the driving licence body, it impacts:
- Both organisations’ reputation, leading to trolling on social media, news articles, etc., which can impact the company’s shares (for the financial institution) if the downtime is prolonged.
- For the financial institution, possibly a loss of customers and, in some cases, investors if the event is not managed properly.
For the financial institution, the impact is more on customers due to their inability to access their data or accounts, which can channel into complaints, overload on technical support teams and complaints on social media. Yes, the organisation has to manage this; however, a business continuity plan kicks in in this scenario.
Although the weapon of choice was the same, the impacts were different, and therefore the responses were diverse. These responses are, in most cases, approved by decision-makers, most likely influenced by the requirements mapped to their mission statement. It is highly likely that the Intelligence team was not involved; however, the mission statement should be the same and can be taken as a priority intelligence requirement to begin the Intelligence cycle.
There is a possibility that a threat can impact both business and organisation, but I think threats can also impact them individually. Therefore, these individual threats should be treated separately, and the underlying requirements of a business unit and of the organisation should also be different. The following table is a rough representation of the types of threats and their impact.
| Threat | Impacts Business | Impacts Organisation |
|---|---|---|
| Denial of Service attack against customer-facing applications | Yes | Yes |
| Internal system compromise – Malware | No | Yes |
| Insider leaking information | Partially | Yes |
| Ransomware – depending on the extent of compromise | Yes | Yes |
Threats that can impact business and organisation
Based on the above table, decision-makers within a business unit or an organisation should align with their mission statement, which could be business continuity or protecting the organisation from illegal activities.
Now, let’s dive into the type of questions that decision-makers should ask, which can assist the Intelligence team in assigning priority and initiating the further steps of the Intelligence life cycle. Alternatively, a decision-maker can assign a priority themselves.
From Questions to Requirements – The What, The How and The Who
- What or where will a cyber-criminal target or attack? A decision-maker can ask this question, which can then be categorised as a Priority Intelligence Requirement. The answer to the above question will most likely start with internet-facing applications/systems, and therefore the Intel team now has to rely on its Collection strategy.
- The corresponding Intelligence requirement follows, and the Intelligence team either answers it or looks for more information, which is part of the collection phase discussed here.
I will end the blog here, as I want to keep it short and informative. I will take a further leap into the phases of the Intelligence lifecycle in the coming blogs.
Take care and be safe!