How to Establish Effective Intelligence Requirements

Behind every successful intelligence operation is a set of well-curated intelligence requirements (IRs). Not only do IRs lay the foundation and set the direction of an intelligence operation, they enable teams to prioritize needs, allocate resources, determine data sources, and establish the types of analysis and expertise required to process that data into intelligence. Yet with so many intelligence teams blinded by vast amounts of data and an overwhelmingly complex threat landscape, establishing the right IRs can be challenging. The following tips can help:

Start With Your Assets

The overarching goal of a commercial-sector intelligence operation is to help protect a business from adversaries and the threats they pose. But in order to determine the types of adversaries and threats on which your intelligence operation and requirements should focus, you need to identify and prioritize the assets that could make your business a target for malicious activity. 

The primary challenge with evaluating assets is that they are numerous and exist throughout all lines of business. Assets can be cyber or physical, tangible or intangible, replaceable or irreplaceable, and critical or not critical. One way to help identify your business’s assets is to ask: What does my business have that would be worth stealing and/or disrupting?

Adversaries generally consider critical assets to be of the highest value. These are assets on which a business and its operational continuity rely; if they were to be compromised, the ramifications for the business would be substantial. Critical assets can range from intellectual property and product road maps, to physical and technical infrastructure, to proprietary data and information, to employees, stakeholders, and shareholders. Once you’ve identified your business’s assets, you need to prioritize them. Few intelligence operations have limitless resources, so prioritizing the assets that are most critical to your business can help you allocate your resources more effectively.

Evaluate the Relevance of Potential Threats and Adversaries 

It’s important to consider that adversaries will not target all assets. So after you’ve identified and prioritized your business’s assets, you need to consider what types of threats and adversaries could be motivated to compromise them and why. To start, it can be helpful to consider the following questions:

● Are you aware of any threats and/or adversaries that have previously targeted your business’s assets?

● Are you aware of any threats and/or adversaries that have previously targeted other, similar businesses and/or assets?

● Has your business previously experienced any security incidents or breaches? If so, what assets were compromised, how, and by whom?

Cybercriminals and fraudsters, for example, are usually financially motivated and known to seek personally identifiable information (PII), financial information, login credentials, and other types of relatively common assets to be monetized within various schemes. Insider threats, meanwhile, are commonly motivated by revenge, ideology, coercion, or ego. In any case, the more you know about the extent to which your business’s assets could potentially be targeted and why, the more focused and successful your IRs and resulting intelligence operation are likely to be.

Narrow Your Focus 

The most effective IRs are tailored to identify specific information that might reveal targeting of your most valuable assets. After evaluating your business’s assets and determining the types of threats and adversaries by which they could potentially be targeted, you can use this information to construct a narrowly focused and tightly defined IR. Keep in mind that IRs are typically framed as questions your intelligence operation should be designed to answer.

Let’s say, for example, your business has suffered substantial financial losses following numerous successful business email compromise (BEC) scams. As a result, you wish to establish an IR to help combat future BEC scams. The asset in this situation would be the funds the employees had mistakenly wired to BEC scammers, whereas the means of successful exploitation would be the targeted employees’ inability to identify the BEC emails as such. 

Within this context, a properly focused IR could look like the following:

● What types of social engineering tactics are most likely to result in a successful BEC scam?

● What types of employee training initiatives could help prevent future BEC scams from being successful?

Another key consideration is how an IR will influence the outcome of an intelligence operation. More specifically, the BEC IR examples above would likely result in intelligence pertaining to BEC social engineering tactics and additional insights that could be used to inform employee training initiatives and ultimately help combat future BEC scams. This also means that if the anticipated answer to any IR does not appear as if it will provide value to the business, the IR should be revised accordingly before continuing with the intelligence operation.

It’s important to remember that IRs, though truly essential, are only one component of an intelligence operation. The outcome of any such operation also depends on the quality of its data sources, the expertise and skill-sets of its analysts, as well as the relevance, actionability, and timeliness of the resulting intelligence, among other factors. Intelligence operations can be extremely complex and difficult to navigate for even highly sophisticated teams, which is why it can be beneficial for businesses to seek third-party support from intelligence vendors, information-sharing communities, and other trusted partners as necessary.

Josh Lefkowitz is the CEO of Flashpoint, which delivers Business Risk Intelligence (BRI) to empower organizations worldwide with meaningful intelligence and information that combats threats and adversaries. Lefkowitz has worked extensively with authorities to track and analyze terrorist groups. He has also served as a consultant to the FBI's senior management team and worked for a top tier, global investment bank. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.