Cybersecurity and the Intelligence Cycle
Any organization seeking to incorporate threat intelligence into its cybersecurity efforts should focus on process over product — that was the key takeaway from a recent Recorded Future webinar, where host Chris Pace was joined by Vince Peeler and Lauren Zabierek, two experts in the field, in a discussion focused on the history and lifecycle of threat intelligence and how intelligence fits into the world of modern cybersecurity.
Vince Peeler, manager of intelligence services at Optum, a health services and innovation company, previously served in the United States Navy, first as a naval flight officer and then a member of naval intelligence. Lauren Zabierek previously served in the United States Air Force and worked at the National Geospatial-Intelligence Agency in a counterterrorism role for six years before joining the Recorded Future team as a senior intelligence analyst and manager of the U.S. public sector intelligence services team.
Both Peeler and Zabierek emphasized that although the intelligence cycle of today resembles the intelligence cycle of the pre-internet era in many ways, the process has been deeply affected by two factors unique to the present day: the growing availability of raw data, and the relative lack of clarity about where threats are coming from. Threat actors have various motivations, levels of experience, and resources at their disposal — some are even hiding in plain sight. One of the first goals of any intelligence operation, Zabierek says, is to identify what you don’t know.
Because of this, both speakers argued that the development of threat intelligence should be understood as a more fluid, nebulous process. To explain why, they went into detail about the five stages of intelligence production:
- Planning and direction
- Processing and exploitation
- Analysis and production
- Dissemination and evaluation
Planning and Direction
The planning and direction phase of the intelligence cycle is foundational — the leaders of any organization undertaking an intelligence operation must set goals and boundaries that are informed by policy, determine what resources are available, develop a timeline, understand how much risk the organization is willing to accept, and so on, in order to set the tone for the whole operation. “Otherwise,” Zabierek says, “you’re just doing intelligence for intelligence’s sake — and especially in a corporate world, that costs time and money.” More than anything, leadership must understand the value of intelligence to properly define the goals of an intelligence operation. That means the intelligence operatives who will actually carry out the work should have a seat at the table — in a corporate setting, that might mean easy access to the leaders of an organization — but to deserve this, they must be able to justify the value of their work.
That’s not always easy. In both Peeler’s and Zabierek’s experiences, many corporate leaders struggle to fully understand the value of intelligence. Part of that is a failure on the part of analysts to communicate effectively. One of the best ways to make the case for producing intelligence, Peeler says, is to “just have conversations” with members of senior management — direct conversations that aren’t filled with jargon like, “What are your critical information requirements?” Talk that way, and you’ll get a “deer-in-the-headlight kind of look,” he says. Instead, make broader points like, “What keeps you up at night?” Even broad questions like these will give clarity and unity of vision.
The next phase in the intelligence lifecycle is the collection of data. Data, of course, is the precursor to any intelligence analysis — the raw material from which all further developments are derived. But data itself is not intelligence. In past eras of intelligence gathering, targets and sources of data were generally already known, and a cycle of intelligence production was carefully planned around them. For example, intelligence operatives in the field might identify a specific individual or group that they wanted to surveill, and all of the data collected in a particular cycle of intelligence production was targeted toward them.
But in cybersecurity today, it’s often the case that targets are hidden among a general population — markers of a threat lie buried within a vast plain of raw data. That makes the collection of data today much more of a knowledge management issue.
Processing and Exploitation
For that reason, the next phase, where the data is processed and exploited, has taken on even greater importance today. In short, processing and exploiting data means turning the raw information into something that an analyst can understand, identify patterns and draw conclusions from, and ultimately, take action.
But because of the much greater amounts of data that intelligence operations deal with today, Zabierek argues that the traditional wisdom of past intelligence operations no longer applies. “You don’t have to exploit the data simply because it was collected,” she says. “Because we have so much data now, we’ll never have enough people to exploit every single thing.” Often, analysts are burdened with meeting production quotas — intelligence for intelligence’s sake. Zabierek advocates for letting analysts “go down rabbit holes,” making connections and discoveries that might pay off in the future instead of worrying about weekly reports that might not have much to say.
Peeler agrees, saying that good intelligence needs to be “usable,” not actionable. The common wisdom is that all intelligence needs to drive some actionable goal, but it is vitally important to first build up a knowledge base that gives analysts a bigger picture to work with.
Building up an effective knowledge base means both collecting and processing vast amounts of data, which these days can only be done effectively with automated systems. Get machines involved, advises Zabierek. Translate data from feeds, vendor reports, image and text extraction, and network log files into something more workable. Make sure the process is repeatable. Because every organization has its own needs, that process might not look the same from one group to another, but each organization should follow a consistent cycle defined by its own goals. Organize that data by indexing it with consistent and clear metadata, cluster and link data together so it’s more searchable, and set up indicators and alerts that are relevant and won’t overwhelm your analysts.
Proper organization at this stage helps drive the “big-picture” thinking that Peeler and Zabierek emphasized throughout the talk. Good indexing makes data easy to sort and understand no matter when or where it came from. Trends become easier to identify over time, and analysts grow in their capacity to make informed predictions.
Analysis and Production
In support of his point that much of the hard work of intelligence production today has to do with effective knowledge management, Peeler discussed the knowledge spiral model, a theory originally proposed by Japanese business experts Ikujiro Nonaka and Hirotaka Takeuchi.
Tacit knowledge, he explains, is “intangible, internal, experiential, and intuitive knowledge,” the sort of information that might be shared through storytelling rather than codified into more explicit forms, like the language of mathematics. Explicit knowledge, by contrast, is the sort contained in manuals and procedures and passed along through formal language and structures.
Forms of tacit knowledge — the kind of intuitions that a veteran security analyst may have that gives them the ability to quickly identify patterns and make predictions, for example — begin to be codified into explicit knowledge through the development of models and mental frameworks. In this transition stage, analysts begin to generate hypotheses that will guide their data collection and organization.
In the next stage — explicit to explicit — data and knowledge is combined into a form that can be processed by humans and computers. This is the stage of indexing and structuring data.
Finally, the knowledge becomes internalized, moving from explicit to tacit. It becomes usable, driving both predictions and the planning and direction of future intelligence operations. According to Peeler, this model illustrates how intelligence is “a continuous cycle of developing insights and knowledge and understanding.” The emphasis is on process, not product: “You’re not driving to the product, you’re driving to the understanding,” he says. “The product is there to help others understand what you’re beginning to know.”
Dissemination and Evaluation
The final stage of the intelligence cycle, that of dissemination and evaluation, then drives further refinements of the cycle. It’s at this stage that tacit knowledge and experience are the most valuable, and these are qualities that are the strengths of human analysts far more than computers. It’s often difficult to evaluate intelligence on its “face” validity. Zabierek advises analysts to look behind the surface evaluation and ask questions about the techniques used in analysis, the sources, and the underlying goals that drove the development of any particular set of intelligence.
To learn more about the intelligence cycle and how it fits into cybersecurity, view a recording of the webinar here.