Applying Government Intelligence Strategies to Commercial Organizations

January 18, 2018 • Chris Pace

Editor’s Note: The following blog post is a summary of an RFUN 2017 customer presentation featuring Roberto Sanchez, vice president of intelligence at GroupSense.

The “intelligence cycle” is a process which forms the basis of operations in government organizations like the CIA and the NSA. It very broadly outlines the stages of developing raw information into finished intelligence for policy makers to use in decision making.

Roberto Sanchez, vice president of intelligence at GroupSense, has a wealth of experience working in both the military and government organizations, as well as the private sector. In a recent presentation at Recorded Future’s annual user conference, he gave some insight into applying this government-originated concept for processing threat intelligence in the private sector.

The Intelligence Cycle

There are actually a number of different ways that the intelligence cycle is interpreted and presented within the intelligence community, but the biggest challenge with these theoretical depictions is that they very often fail to define actual, practical applications. As Sanchez explains, “There’s really no information on how you actually apply this or how you can put this into a real-world context.” To add that context, Sanchez goes on to address each phase of the cycle and the value it can bring to private businesses.

Planning and Direction

The planning and direction phase in a commercial organization is directly tied to business need. Sanchez gives the example of a mergers and acquisitions scenario; the business need would be to understand who the company is actually acquiring, from the board members at the top, all the way down to the tactical level. Sanchez cites an example of a U.S. company looking to acquire a business in China. If intelligence gathered actually revealed that board members and senior executives were former Chinese Army Intelligence Officers, this would represent the potential of a significant conflict of interest.

Collection

Collection of relevant intelligence presents a significant challenge to intelligence teams in businesses, particularly international organizations with a very widespread geographic presence. To maximize the effectiveness of this part of the process, it’s important that businesses are focusing on collection from the right sources and then identifying gaps in coverage, along with the best way to fill them.

For Sanchez, this would often mean finding ways to increase budget or allocating the right human resources in the intelligence team. At this point, Sanchez highlights one of the key benefits in automating collection of intelligence: “If you’re fortunate to have a platform like Recorded Future, you can establish automated alerts. This is key, especially when you have a small team and you’ve got to cover a humongous footprint. If you establish alerts, that can be your force multiplier.”

Processing

Sifting through collected data to “filter out the noise” presents one of the most time-consuming components of the intelligence cycle. Sanchez suggests that a threat intelligence team working to speed up the processing and refine the available information without any technology will find it hard to be effective. He also points out that there are open source technologies that can help you work with sources, like forums or social media, but this is still a predominantly manual exercise.

Analysis and Production

Technologies are actually blurring the line between “processing” and “analysis and production” by making connections between references and employing techniques like natural language processing to comprehend words and their meanings. Traditionally, this step of the intelligence cycle is what Sanchez describes as the “off-source fusion of the different sources that you have” — these sources can be forums, blogs, or the dark web, as well as any internal telemetry that you have. The term “analysis” is used here to refer to the contextualizing of what you’re actually seeing on a day-to-day basis, and “production” means seeing information that can inform decision making in your business.

Dissemination and Feedback

At this stage, you have an “intelligence product” — it has value to your organization, but for it to be used to take action, it has to be effectively communicated. To ensure the success of this critical stage in the intelligence cycle, Sanchez suggests this simple and easily understood “Four Rights Rule”:

1. The Right Format

Choose to present your intelligence in a format that your stakeholders can consume and understand. For example, you may not need to include everything you discovered for decision making, so work on summarizing information.

2. The Right Hands

Intelligence can only be applied when made available to the correct people. Map types of intelligence not only to job titles, but to team responsibilities.

3. The Right Time

Even the most relevant intelligence can be rendered useless if it’s out of date. This means you need to balance the time it will take to produce intelligence with any action that needs to be taken.

4. The Right Medium

It’s not just what you communicate, but how. Choose communication methods that will reach your relevant stakeholders the most quickly and effectively.

Speed Up Collection and Analysis

In his presentation, Sanchez referred to the advantages of technology to speed up collection and analysis of intelligence. You can see this in action with Recorded Future’s free Cyber Daily email, a daily digest of the cyber threat landscape including trending technical indicators, the most targeted industries, active threat actors, suspicious IP addresses, and more.