The Value Proposition of Finished Intelligence

February 11, 2019 • Zane Pokorny

On today’s show, we take a closer look at finished intelligence. What are the best ways to define it, who’s the best audience for it, and how can you be sure you’re getting the best bang for your buck when you request it? And what’s the best plan for dialing in finished intelligence when it comes to managing resources and supplementing the other types of intelligence your organization may generate or consume?

Joining us to help answer these questions is David Carver, team lead for subscription services at Recorded Future. He’ll provide practical insights based on his experience collaborating with customers.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 94 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

On today’s show, we take a closer look at finished intelligence. What are the best ways to define it, who’s the best audience for it, and how can you be sure you’re getting the best bang for your buck when you request it? And what’s the best plan for dialing in finished intelligence when it comes to managing resources and supplementing the other types of intelligence your organization may generate or consume?

Joining us to help answer these questions is David Carver, team lead for subscription services at Recorded Future. He’ll provide practical insights based on his experience collaborating with customers. Stay with us.

David Carver:

Generally, we find that either the analyst requesting the report or some strategic leadership, either the CISO or any C-suite executive above the analyst, is the intended audience for the report, but we do have audiences all across the spectrum. It could be other people within either an incident response or fraud watch or intelligence services team within the company. Generally, finished intelligence tends to fit more within a strategic readership because, being finished, it’s designed to fit better within the briefing model that goes up the chain rather than down the chain, but we see it on both sides.

Dave Bittner:

Really, a kind of executive summary, is that a fair way to describe it?

David Carver:

Sometimes. A lot of the reports that I work on tend to focus more on that executive summary because, being on a recurring basis, the idea is to transmit information as quickly and efficiently as possible. Going into the weeds with information is going to be more the focus of a larger or a more comprehensive report. Finished intelligence — not to necessarily sell it short as just being for one aspect of a company — does apply all the way to a bit more technical analysis. I just find that the types of regular reports that I work on tend to be a bit more moving upwards, if that makes sense.

Dave Bittner:

Yeah, it absolutely does. I suppose you dial it in depending on what the needs are of any individual client that you’re working with.

David Carver:

Absolutely, yep.

Dave Bittner:

We want to talk about ways that customers can get the most out of these intelligence reports. What have you learned in terms of that? What’s your experience been?

David Carver:

That’s another great question, and it’s one that we are figuring out on a daily basis because the value that you can get out of a certain type of report today may not be the value you’re looking for later, or a report may need to change to bring somebody the same value. I found that there’s two types of major values for companies that they get out of finished intelligence. The first would be simply awareness. Either teams on the SOC side of things or intelligence collection side of things who may not have time to look into every single prominent event or dark web discussion. Having either a roll up piece or a deeper dive from a finished intelligence perspective is a way to bring awareness to things that certain teams just don’t have time for.

Then you’ve got on the other side, items that a team may already be aware of, but they either don’t have the time or the expertise to dedicate a bit more thorough analysis around it. Finished intelligence is a great way of organizing all of that additional and textural research and expertise into a finished format that’s easily accessible and that also provides very easy next steps or remediation measures, depending on the topic.

Dave Bittner:

How do you advise folks that you’re working with when they’re going to get the most bang for their buck when it comes to ordering up some finished intelligence versus doing it on their own?

David Carver:

We run into that question actually from customers quite a bit, where they’re looking to see when it’s worth requesting a report and when it’s worth going through other channels. Generally, the way that I respond to that is, if it’s pretty obvious from a first run-through that you’re in over your head in terms of the amount of information that’s there and trying to make sense of it, that’s a great starting point for requesting finished intelligence, because at least then, you understand that you need external help, both to make sense of the data and to organize it and analyze it correctly.

The other time that I advise people to move forward with a request is, they haven’t found a lot initially on their end. If the reason for that is that they just haven’t had a lot of time or they’re scrambling to get other reports done, or in the context of an incident, they’re just trying to respond to it purely on the level of making sure that bad actors are out of the system and that vulnerabilities are patched, that’s a great time to reach out for finished intelligence, because that’s an understanding that, whether or not there ends up being a lot of data there, you’re covering your tracks in a way that you’re not able to do because you have other pressing matters.

Really for both of those, it comes down to saving time. And that’s, in many ways, probably one of the biggest value-adds from finished intelligence — saving time so that teams can get down to other, more relevant work for their specific roles while still bringing in that analysis that’s needed to make certain tactical or strategic decisions.

Dave Bittner:

Yeah, and it strikes me as well that because it could serve as a bit of a reality check, that if I’m handling certain things internally, making my way through the intelligence that we’re getting. To have someone like the analysts that you have there take an independent look at these things to see if what we’re doing aligns with the conclusions that you all are coming up with.

David Carver:

Definitely, yeah. We have had a number of requests over the past year that fit pretty much exactly within that model where someone says, “I think that I’m 80 to 90 percent sure of what this means, either in terms of how much risk is involved or how much a threat is related to some new malware or attack vector,” but you still want that extra opinion. Either you want that second opinion because you need someone to follow through the analysis from A to Z and make sure that you haven’t had any gaps in your reasoning, or you need that extra opinion because maybe, especially if it comes down to a budgeting issue or some sort of a prioritization of other people’s time, it’s a little bit harder to go up the chain and say, “I need X amount of time, or I need X number of people for this.”

Having a second opinion is very good going into those meetings because it shows that this isn’t just your own individual analysis. I have others in a spot who take much more time and much more research who agree with me.

Dave Bittner:

Right, so when you’re running things up the flagpole or you’re meeting with the powers that be, your board of directors, the people above you, you have that verification that you’re on the right track.

David Carver:

Absolutely, yep.

Dave Bittner:

I want to talk a little bit about this notion of having analysts on demand, and how you dial that in. How does that typical engagement work with a client?

David Carver:

The most common way that gets put together is that usually we’ll have somebody reach out who either knows exactly what they want or who says, “We’ve been looking at this new thing that’s come up in the news, or we’ve had this thing hitting our network that we’re not really sure about, is this something that would make for a good analyst on demand report? Is this something that makes sense to have outside context and analysis?”

On the basis of that correspondence or phone call, we would set up a scoping call where we would sit down with the customer and go through exactly what is wanted in terms of what’s the time frame for turning around a report, what’s the topic itself, is there anything that’s special about our approach to the topic that it might not be second nature for us to do, if there’s any niche elements for analysis that need to be kept in mind, if there’s something the customer is already well aware of and doesn’t need further analysis on so there are these other items that have been less well-reported or less well-documented in either open or closed sources.

There’s a lot of those discussions that go on with that scoping call and then the end result of that would be a very clearly defined due date for a report, a very clearly defined metrics and scope for what their report is going to be about, then finally, a very clearly defined audience for who’s going to be the final readers for the report so that we understand how technical or non-technical we need to be. Then from there on our own end, we delegate based on expertise and time for the people to research and write the report. Once the report is in its first form, we do an initial peer review and then after having gone through peer review, it comes to senior review and either of those review cycles may involve several different cycles depending on how much work is needed to clean up and hone that analysis so that it’s actually reasonable and isn’t relying on any kind of false data or assumptions.

Dave Bittner:

I’m curious, can you take us through … What is the collaborative process like when you’re working with a client? I guess I’m coming at this from the other direction of you saying to them, “You know, this is … Yes, we’ll handle this finished intelligence for you, but here are some things that are probably going to be best off for you to handle internally.”

David Carver:

Yeah, that’s a good point. It comes down to, and this is straying a little bit from what our team does, I would say we work pretty closely with the consultant side or the intelligence services side of Recorded Future to make sure that we’re not just delivering a final report and then that’s the end of the discussion and there’s no more collaboration involved with the customer.

Usually even before we receive a request for a report, the customer has already talked to their intelligence services representative about either an issue or something that they want better alerting on, which means even while we’re working on a report, there’s a high probability that the representative is working with the company to tailor the alerts that they’re getting and some of the coverage that they’re receiving. Then after a customer receives a report, as opposed to it being just raw text without any further investigatory venues, all of the items that resulted from our use of either Recorded Future or other open source intelligence sources, would be added within the product, either as an appendix or with links directly in the report.

Meaning, as far as we’re concerned, we want that to be a living document, where once a customer gets it back, either in terms of patch prioritization or further investigation into some sort of threat actor, they can use that as a constantly updating starting point as opposed to it being frozen in time for that one request.

Dave Bittner:

What is your advice? What tips do you have for folks who are just starting on this journey and trying to figure out what the best way is to dial in this sort of thing? They think they may want to engage with you for finished intelligence, maybe some analyst on demand, how do you get started for that person who hasn’t done this before? Do you have any advice going in?

David Carver:

Sure. I think one of the most important pieces is to say, “Am I already creating some finished intelligence for my company?” Because if the answer is no, and if most of it is relying on other open source feeds or just copying and pasting from other journals, as reputable as they may be, I’d say there’s probably a lot of room for valuable collaborative work with something like an analyst on demand.

Where somebody or a team is already producing finished intelligence, I think one of the key questions to ask is, “What have we been able to write about and what do we just not have the time for?” Figuring out where their own data or their own expertise makes it more cost-effective or just more relevant to do it internally and then figuring out where external reports would buy more time for better deep dives.

For instance, with Recorded Future, generally, we’re working only with the data that customers provide to us if it’s something that has to do with their internal network. Anything else more internal than that, I’d say, it’s usually better for an internal team to be delving into and looking at it. Anything outside of that or anything that customers are comfortable sharing so that they can work on other things, that’s a great opportunity for finished intelligence.

Then thinking a bit more strategically, the other question that I would ask for people who are considering analysts on demand is, how is this going to help you fulfill your intelligence requirements? Even though that’s a larger question, it ends up forcing very practical, I would say, black and white questions around what are our intelligence requirements, and how do those align to what we do and do not need to be spending to keep our resources and our data and our personnel safe?

Even just asking the question about what would be worth having for a finished intelligence report or analyst on demand collaboration, that in itself is a perfect way for defining what the intelligence requirements are, and even what the purpose of having threat intelligence is within an organization. Really be strict on that sense of finished, and by that I mean insofar as customers are requesting intelligence that has presumably deep dive analysis and really good research, and rational, well-considered, final conclusions, that’s something that customers or any company needs to hold their intelligence provider accountable for. Hold your intelligence providers to high standards because if you’re not getting finished intelligence that’s done with a certain amount of polish across every level, then it’s not providing to you the value that I think is necessary for having that external arm of your intelligence team.

Dave Bittner:

Our thanks to Recorded Future’s David Carver for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
