Applying Government Intelligence Strategies to Commercial Organizations
By Chris Pace on January 18, 2018
Editor’s Note: The following blog post is a summary of an RFUN 2017 customer presentation featuring Roberto Sanchez, vice president of intelligence at GroupSense.
The “intelligence cycle” is a process which forms the basis of operations in government organizations like the CIA and the NSA. It very broadly outlines the stages of developing raw information into finished intelligence for policy makers to use in decision making.
Roberto Sanchez, vice president of intelligence at GroupSense, has a wealth of experience working in both the military and government organizations, as well as the private sector. In a recent presentation at Recorded Future’s annual user conference, he gave some insight into applying this government-originated concept for processing threat intelligence in the private sector.
There are actually a number of different ways that the intelligence cycle is interpreted and presented within the intelligence community, but the biggest challenge with these theoretical depictions is that they very often fail to define actual, practical applications. As Sanchez explains, “There’s really no information on how you actually apply this or how you can put this into a real-world context.” To add that context, Sanchez goes on to address each phase of the cycle and the value it can bring to private businesses.
Planning and Direction
The planning and direction phase in a commercial organization is directly tied to business need. Sanchez gives the example of a mergers and acquisitions scenario; the business need would be to understand who the company is actually acquiring, from the board members at the top, all the way down to the tactical level. Sanchez cites an example of a U.S. company looking to acquire a business in China. If intelligence gathered actually revealed that board members and senior executives were former Chinese Army Intelligence Officers, this would represent the potential of a significant conflict of interest.
Collection of relevant intelligence presents a significant challenge to intelligence teams in businesses, particularly international organizations with a very widespread geographic presence. To maximize the effectiveness of this part of the process, it’s important that businesses are focusing on collection from the right sources and then identifying gaps in coverage, along with the best way to fill them.
For Sanchez, this would often mean finding ways to increase budget or allocating the right human resources in the intelligence team. At this point, Sanchez highlights one of the key benefits in automating collection of intelligence: “If you’re fortunate to have a platform like Recorded Future, you can establish automated alerts. This is key, especially when you have a small team and you’ve got to cover a humongous footprint. If you establish alerts, that can be your force multiplier.”
Sifting through collected data to “filter out the noise” presents one of the most time-consuming components of the intelligence cycle. Sanchez suggests that a threat intelligence team working to speed up the processing and refine the available information without any technology will find it hard to be effective. He also points out that there are open source technologies that can help you work with sources, like forums or social media, but this is still a predominantly manual exercise.
Analysis and Production
Technologies are actually blurring the line between “processing” and “analysis and production” by making connections between references and employing techniques like natural language processing to comprehend words and their meanings. Traditionally, this step of the intelligence cycle is what Sanchez describes as the “off-source fusion of the different sources that you have” — these sources can be forums, blogs, or the dark web, as well as any internal telemetry that you have. The term “analysis” is used here to refer to the contextualizing of what you’re actually seeing on a day-to-day basis, and “production” means seeing information that can inform decision making in your business.
Dissemination and Feedback
At this stage, you have an “intelligence product” — it has value to your organization, but for it to be used to take action, it has to be effectively communicated. To ensure the success of this critical stage in the intelligence cycle, Sanchez suggests this simple and easily understood “Four Rights Rule”:
1. The Right Format
Choose to present your intelligence in a format that your stakeholders can consume and understand. For example, you may not need to include everything you discovered for decision making, so work on summarizing information.
2. The Right Hands
Intelligence can only be applied when made available to the correct people. Map types of intelligence not only to job titles, but to team responsibilities.
3. The Right Time
Even the most relevant intelligence can be rendered useless if it’s out of date. This means you need to balance the time it will take to produce intelligence with any action that needs to be taken.
4. The Right Medium
It’s not just what you communicate, but how. Choose communication methods that will reach your relevant stakeholders the most quickly and effectively.
Speed Up Collection and Analysis
In his presentation, Sanchez referred to the advantages of technology to speed up collection and analysis of intelligence. You can see this in action with Recorded Future’s free Cyber Daily email, a daily digest of the cyber threat landscape including trending technical indicators, the most targeted industries, active threat actors, suspicious IP addresses, and more.