Threat Analyst Insights: How to Develop Effective Intelligence Requirements

November 7, 2018 • Parker Crucq

As business executives are gradually becoming more aware of the impact that cybersecurity has on day-to-day business operations, threat intelligence programs are becoming recognized as an essential component of any company’s security operation in order to inform and reduce risk.

Effective threat intelligence programs address the management of sources while establishing a clear set of goals for multiple audiences — not just for security teams. Raw information must be collected through established intelligence requirements that adhere to organizational goals and procedures. Without intelligence requirements that ensure the information being processed by an organization’s threat intelligence team or service will be of interest to your readers, you waste time and resources that could have been better leveraged elsewhere.

Data breaches that have often resulted in millions of dollars of corporate loss have placed the spotlight on corporate leadership to protect both employee and customer information as threat actors demonstrate a growing level of technical sophistication. Prominent events such as the 2017 Equifax data breach have raised the stakes for organizations seeking to protect themselves against potential fallout damage to their company brands resulting from weak security practices or a general lack of information — which is where threat intelligence teams come into play.

Identification of Cyber Threat Intelligence Requirements

One of the primary functions of any threat intelligence team should be the successful establishment and fulfillment of individual priority intelligence requirements (PIRs):

  • What are your threat intelligence goals?
  • What assets does your organization need to safeguard?
  • What threat actors and/or exploits are you looking out for?
  • Ultimately, what security concerns keep your organization’s executive leadership up at night?

Threat intelligence must be able to answer these questions with actionable responses, enabling analysts to divide resources where they are most needed in a timely manner. For example, a list of indicators of compromise would have little value to an executive figure making strategic business decisions, but it would more likely be useful to a team of SOC analysts who can immediately act on the information. To quote Gartner’s definition of threat intelligence:

When discussing intelligence requirements within a business, it’s the concept of identification that needs to get placed under the microscope — the identification of relevant threats (both internal and external) and their potential interest in assets controlled by your company alone. Any organization that engages in the collection of data to satisfy requirements typically has its own internal system with unique terminologies and priorities, making it difficult for those less familiar with threat intelligence to adopt the requirements or procedures of trusted colleagues or partners.

Intelligence Requirements in Action

In order to protect your business from the many tools available to online adversaries, the first concern that needs to be addressed is what these threat actors would be interested in stealing from your company in the first place.

The reason that we, as intelligence analysts, work to study the underlying motivations and techniques used by threat actors is to predict future targets, assisting executive leadership in making the right business decisions to mitigate those threats. Intelligence requirements must support your business’s strategic goals, matching the dynamic pace of the cyber threat landscape and the new threats observed regularly.

Once these priority intelligence requirements have been set, analysts will be in a better position to identify focused information sources for collection. Like raw information, intelligence requirements will also need to be prioritized, focusing on characteristics unique to your organization, such as:

  • What are the emerging threats to my company’s industry (finance, healthcare, etc.)?
  • What are the ongoing cyber threats to the geographic location my company operates out of (North America, Asia, etc.)?
  • What types of adversaries have historically expressed interest in my organization (nation-state actors, hacktivists, etc.)?

At this point, the experience and technical expertise of the analyst plays a major role in collection, filtering out unwanted data that is untrustworthy or in no position to be acted upon. An important side note is that organizations must also have the capability to store raw data for future reference, even if it’s just for situational awareness purposes.

Continuing Your Threat Intelligence Journey

In Recorded Future’s newly published Threat Intelligence Handbook, we discuss how the identification of the specific consumer of produced threat intelligence rounds out this intelligence requirement process. It’s essential for any fledgling threat intelligence program to ensure that requirements are reviewed on an ongoing basis as the internal infrastructure of the organization changes.

Relationship building is critical as employees enter and leave your threat intelligence team. It’s often helpful to establish requirements that draw on the expertise of outside consultants capable of empowering your organization to get the most from threat intelligence. When determining how to move your intelligence strategy forward, requirements within the program can often be fulfilled by working with these consultants. This will ideally enable members of your organization to become threat intelligence experts in their own right, while still allowing room for them to grow in the future.

You can learn more about selecting the right threat intelligence solution by downloading “The Threat Intelligence Handbook.” It answers how threat intelligence can help everyone in cybersecurity anticipate problems, respond faster to attacks, and make better security decisions to reduce risk.

Parker Crucq

Parker Crucq is a threat intelligence analyst at Recorded Future.