Much like deep & dark web (DDW) coverage and anti-fraud solutions, request for intelligence (RFI) services have quickly become both ubiquitous and prone to misleading claims in the threat intelligence market. Most of these services aim to help customers fill intelligence gaps by enabling them to ask specific questions and receive curated answers from a vendor’s analyst team. But while their objectives, operating models, and marketing tend to be similar, it’s important to recognize that different services can vary widely in terms of quality and value.
Asking these questions when evaluating RFI services can help you identify the best option for your needs:
Does the RFI service complement other intelligence offerings?
RFI responses are often packaged as finished intelligence reports, but they should never be the only type of intelligence you consume. The vendor should also provide its customers with regular intelligence reporting on a diverse assortment of topics that are timely and relevant to, and may even help shape, your intelligence requirements (IRs). Contextualized alerts, regional and industry-specific studies, malware analysis, threat actor profiles, daily highlight summaries, and news flashes are among the many types of reporting, in addition to RFI responses, that are essential for a threat intelligence program.
And such reporting should occur frequently—daily or more often, if necessary, is ideal. Since the types of threats and adversaries on which many threat intelligence programs focus their IRs can be unpredictable and dangerous, new discoveries and developments warranting your attention can arise often and in abundance. Routinely consuming intelligence related to these and similar threats, adversaries, and the volatile environments in which they operate is a must for reducing blind spots and boosting preparation.
But if the majority or entirety of intelligence reporting a vendor provides is through its RFI service, that is a red flag. Researching and responding to an RFI may take several hours to several days depending on the request. As a result, relying solely or heavily on RFI responses for intelligence can be severely limiting and yield substantial blind spots. Only when the other intelligence you consume doesn’t fill an intelligence gap should you turn to an RFI.
And in most cases, these gaps should be highly specific to your organization and not feasible to fill using your existing resources. Examples might include verifying a potential breach or other compromise, supporting the due diligence process for a merger or acquisition, investigating a suspected insider threat, or conducting a risk assessment prior to an upcoming event or business travel opportunity, among others.
Is the vendor’s collection strategy suitable for your intelligence requirements?
A vendor’s ability to respond to an RFI depends heavily on its collection strategy. If an accurate and thorough response requires data from sources to which the vendor doesn’t have access, then naturally, the response will be inadequate.
Of course, it’s nearly impossible to anticipate all the intelligence gaps you will face, the specific RFIs you will need to submit, and the collection sources that will be necessary for responding to them. Nonetheless, if you choose a vendor whose collection strategy aligns well with your existing IRs, program objectives, organization’s risk posture, industry, and region, you’ll be less likely to receive inadequate responses to future RFIs. Vendors with the most robust and effective collection strategies generally cover the following types of sources:
● Closed sources including private or invite-only forums
● Chat services platforms
● Illicit marketplaces
● Payment card and account shops
● Paste sites
What types of expertise and experience do the vendor’s analysts have?
Vendors with even the most comprehensive collection strategies, however, will almost certainly produce suboptimal RFI responses if their analysts don’t have the proper skills and experience.
At a minimum, the vendor’s analyst team should have extensive linguistic skills, including fluency in languages such as Russian, Mandarin, Farsi, Arabic, Spanish, Portuguese, Korean, and French, as well as an intimate understanding of the slang and social norms unique to the illicit online communities covered by the vendor’s collection strategy.
Also crucial are advanced technical capabilities in areas such as malware analysis and reverse engineering, as well as ample experience in domains that align with your industry and IRs, whether they relate to fraud, cybersecurity, physical security, counterterrorism, insider threat, or third-party risk, to name a few.
Can the vendor support RFIs that require direct engagement with threat actors?
In some cases, filling certain intelligence gaps, and thus responding to certain RFIs, may warrant direct interaction with threat actors in the illicit online communities in which they operate. These types of RFIs might pertain to highly consequential areas such as threat exposure assessments or incident response, for example. In order to support these inherently difficult and risky engagements, a vendor must have the following:
● Analysts with extensive experience engaging directly with threat actors on behalf of customers
● Persona management and non-attributable infrastructure that facilitate these engagements safely
● Detailed playbooks that govern these engagements and document intelligence gains and losses
Does the RFI service sound too good to be true?
If you come across any RFI service that positions itself as a panacea of any sort, offers an unlimited number of RFIs at a low cost, or makes unreasonable promises regarding response time, domain expertise, or the depth or breadth of its collections coverage, proceed with caution. As with most things in security and intelligence, if a service sounds too good to be true, it probably is.