
How to Establish Effective Intelligence Requirements


Behind every successful intelligence operation is a set of well-curated intelligence requirements (IRs). Not only do IRs lay the foundation and set the direction of an intelligence operation, they enable teams to prioritize needs, allocate resources, determine data sources, and establish the types of analysis and expertise required to process that data into intelligence. Yet with so many intelligence teams blinded by vast amounts of data and an overwhelmingly complex threat landscape, establishing the right IRs can be challenging. The following tips can help:

Start With Your Assets

The overarching goal of a commercial-sector intelligence operation is to help protect a business from adversaries and the threats they pose. But in order to determine the types of adversaries and threats on which your intelligence operation and requirements should focus, you need to identify and prioritize the assets that could make your business a target for malicious activity. 

The primary challenge with evaluating assets is that they are numerous and exist throughout all lines of business. Assets can be cyber or physical, tangible or intangible, replaceable or irreplaceable, and critical or not critical. One way to help identify your business’s assets is to ask: What does my business have that would be worth stealing and/or disrupting?

Adversaries generally consider critical assets to be of the highest value. These are assets on which a business and its operational continuity rely; if they were to be compromised, the ramifications for the business would be substantial. Critical assets can range from intellectual property and product road maps, to physical and technical infrastructure, to proprietary data and information, to employees, stakeholders, and shareholders. Once you’ve identified your business’s assets, you need to prioritize them. Few intelligence operations have limitless resources, so prioritizing the assets that are most critical to your business can help you allocate your resources more effectively.

Evaluate the Relevance of Potential Threats and Adversaries 

It’s important to consider that adversaries will not target all assets. So after you’ve identified and prioritized your business’s assets, you need to consider what types of threats and adversaries could be motivated to compromise them and why. To start, it can be helpful to consider the following questions:

● Are you aware of any threats and/or adversaries that have previously targeted your business’s assets?

● Are you aware of any threats and/or adversaries that have previously targeted other, similar businesses and/or assets?

● Has your business previously experienced any security incidents or breaches? If so, what assets were compromised, how, and by whom?

Cybercriminals and fraudsters, for example, are usually financially motivated and known to seek personally identifiable information (PII), financial information, login credentials, and other types of relatively common assets to be monetized within various schemes. Insider threats, meanwhile, are commonly motivated by revenge, ideology, coercion, or ego. In any case, the more you know about the extent to which your business’s assets could potentially be targeted and why, the more focused and successful your IRs and resulting intelligence operation are likely to be.

Narrow Your Focus 

The most effective IRs are tailored to identify specific information that might reveal targeting of your most valuable assets. After evaluating your business’s assets and determining the types of threats and adversaries by which they could potentially be targeted, you can use this information to construct a narrowly focused and tightly defined IR. Keep in mind that IRs are typically framed as questions your intelligence operation should be designed to answer.

Let’s say, for example, your business has suffered substantial financial losses following numerous successful business email compromise (BEC) scams. As a result, you wish to establish an IR to help combat future BEC scams. The asset in this situation would be the funds the employees had mistakenly wired to BEC scammers, whereas the means of successful exploitation would be the targeted employees’ inability to identify the BEC emails as such. 

Within this context, a properly focused IR could look like the following:

● What types of social engineering tactics are most likely to result in a successful BEC scam?

● What types of employee training initiatives could help prevent future BEC scams from being successful?

Another key consideration is how an IR will influence the outcome of an intelligence operation. More specifically, the BEC IR examples above would likely result in intelligence pertaining to BEC social engineering tactics and additional insights that could be used to inform employee training initiatives and ultimately help combat future BEC scams. This also means that if the anticipated answer to an IR does not appear likely to provide value to the business, the IR should be revised accordingly before continuing with the intelligence operation.

It’s important to remember that IRs, though truly essential, are only one component of an intelligence operation. The outcome of any such operation also depends on the quality of its data sources, the expertise and skill-sets of its analysts, as well as the relevance, actionability, and timeliness of the resulting intelligence, among other factors. Intelligence operations can be extremely complex and difficult to navigate for even highly sophisticated teams, which is why it can be beneficial for businesses to seek third-party support from intelligence vendors, information-sharing communities, and other trusted partners as necessary.
