
SecurityWeek

Incident Response

Why All Security Disciplines Should Use the Intelligence Cycle

The intelligence cycle is often underutilized in nearly every area of security. This iterative process through which data or information becomes intelligence can streamline, focus, and provide strategic guidance in myriad situations that extend far beyond the realm of traditional intelligence operations. But despite these benefits, in most cases (at least in the commercial sector), usage of the intelligence cycle is limited to threat intelligence programs. 

Here’s a crash-course on the intelligence cycle and how you can apply and derive value from its core principles—no matter your role or security discipline:

1. Planning and direction

Arguably the most crucial step in the intelligence cycle, planning and direction is where you define an intelligence operation’s purpose and objectives, which are known as intelligence requirements (IRs). These IRs should reflect questions you will seek to answer in order to satisfy the purpose of the operation.

When applied more broadly, the requirements-driven approach catalyzed by planning and direction helps ensure alignment between all parties involved in an initiative, the purpose of the initiative, and what will need to happen to satisfy that purpose. This type of approach starkly contrasts with its “checkbox” counterpart, which can remain pervasive across security disciplines.

In the context of vulnerability management, for example, a checkbox approach could manifest as prioritizing patching based solely on CVSS scores. Meanwhile, a requirements-driven approach could align with an objective to prioritize patching based on risk. The IRs in this situation might include:

– Which vulnerabilities present within our systems are most likely to be exploited?

– If those vulnerabilities are exploited, how will they impact our organization?
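As an added illustration (not code from the article), here is a small Python model of the contrast the two IRs draw: the "checkbox" ordering sorts findings by CVSS alone, while the requirements-driven ordering scores each finding on IR 1 (likelihood of exploitation, approximated by exploited-in-the-wild and internet-exposure flags) and IR 2 (impact, approximated by asset criticality weighted by severity). The findings, the CVE identifiers (placeholders) and the weights are all constructed assumptions for the demonstration.

```python
"""Checkbox vs. requirements-driven patch prioritization (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                   # placeholder identifier, not a real CVE
    cvss: float                # base severity score
    exploited_in_wild: bool    # evidence for IR 1: is exploitation likely?
    exposed_to_internet: bool  # also feeds IR 1
    asset_criticality: int     # 1 (low) .. 5 (crown jewel); feeds IR 2: impact on us


# Constructed sample findings; identifiers and values are illustrative only.
FINDINGS = [
    Finding("CVE-PLACEHOLDER-A", 9.8, False, False, 1),
    Finding("CVE-PLACEHOLDER-B", 7.5, True, True, 5),
    Finding("CVE-PLACEHOLDER-C", 6.1, True, False, 4),
    Finding("CVE-PLACEHOLDER-D", 8.8, False, True, 2),
]


def checkbox_order(findings):
    """The 'checkbox' approach: patch strictly in descending CVSS order."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def likelihood(f):
    """IR 1: how likely is this vulnerability to be exploited against our systems?
    Assumed multipliers: x3 if exploited in the wild, x2 if internet-exposed."""
    score = 1.0
    if f.exploited_in_wild:
        score *= 3.0
    if f.exposed_to_internet:
        score *= 2.0
    return score


def impact(f):
    """IR 2: if exploited, how badly does it hurt the organization?
    Assumed model: asset criticality scaled by normalized severity."""
    return f.asset_criticality * (f.cvss / 10.0)


def risk_score(f):
    """Risk = likelihood x impact, i.e. the answers to both IRs combined."""
    return likelihood(f) * impact(f)


def requirements_driven_order(findings):
    """Patch in descending risk order, which is what the objective actually asks for."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]


if __name__ == "__main__":
    print("checkbox (CVSS only):    ", checkbox_order(FINDINGS))
    print("requirements-driven:     ", requirements_driven_order(FINDINGS))
```

On this data the CVSS-only ordering puts the 9.8 finding on an unexposed, low-value asset first, while the requirements-driven ordering moves the actively exploited, internet-facing finding on a crown-jewel asset to the top.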

2. Collection

Collection entails identifying and collecting the data and information necessary to satisfy the IRs you defined in planning and direction. But more generally speaking, this step is about figuring out which assets you’ll need and how you’ll obtain them in order to fulfill the requirements of a given initiative.

For instance, suppose an executive protection team is tasked with safeguarding a high-profile CEO during an upcoming business trip abroad. The team’s primary objective is to identify and mitigate any credible physical threats to the CEO posed by adversaries in the region. As such, their collection activities include seeking insights from local law enforcement and other trusted contacts in the region, as well as monitoring online forums known to be frequented by physical threat actors in the region.

3. Processing

Processing is all about preparing the assets you obtained during the previous step for the purpose you will need them to serve in order to fulfill your requirements. In the context of an intelligence operation, this step is where you synthesize the data and information you collected and then refine and structure it to make it suitable for further analysis. 

Processing is especially important in situations where the assets at hand include large volumes of unstructured data. For fraud teams seeking to identify the common point of compromise of a recent breach, for example, a dump of card data might provide useful insights—but first it must be de-duplicated, evaluated for timeliness, and structured in a manner that would enable correlation with other datasets and integration with analytics tools.
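The fraud-team scenario above, carried through as an added Python example that is not part of the article: `process_dump` performs the processing step (parse the raw lines, drop malformed ones, de-duplicate by card token keeping the earliest sighting, discard records too old to relate to a recent breach), and `common_point_of_compromise` shows why that structure matters by correlating the processed records with the issuer's own transaction history to find the merchant shared by the compromised cards. The dump, the transaction history, the card tokens and the time windows are all constructed for the demonstration; no real card data is involved.

```python
"""Processing a raw dump of compromised-card records so it can be correlated with
transaction history for common-point-of-compromise (CPP) analysis. Constructed data
throughout; tokens are synthetic stand-ins for card identifiers."""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed raw dump: "token,first_seen" lines containing a duplicate, a malformed
# line, a second sighting of an existing token, and one record far too old to matter.
RAW_DUMP = """\
tok_1111,2023-03-01
tok_2222,2023-03-02
tok_1111,2023-03-01
tok_3333,2023-03-02
garbage line without a comma
tok_4444,2022-01-15
tok_2222,2023-03-03
"""

# Constructed issuer transaction history: (token, merchant, transaction date).
TRANSACTIONS = [
    ("tok_1111", "Merchant-Alpha", date(2023, 2, 10)),
    ("tok_1111", "Merchant-Gamma", date(2023, 2, 20)),
    ("tok_2222", "Merchant-Gamma", date(2023, 2, 22)),
    ("tok_2222", "Merchant-Beta", date(2023, 2, 25)),
    ("tok_3333", "Merchant-Gamma", date(2023, 2, 18)),
    ("tok_3333", "Merchant-Alpha", date(2022, 12, 20)),  # outside the lookback window
    ("tok_3333", "Merchant-Gamma", date(2023, 3, 5)),    # after first sighting: ignored
    ("tok_9999", "Merchant-Gamma", date(2023, 2, 21)),   # card not in the dump: ignored
]

AS_OF = date(2023, 3, 10)  # assumed "today" for the timeliness check


def process_dump(raw, as_of, max_age_days=90):
    """Processing step: parse, de-duplicate and evaluate timeliness.
    Returns {token: earliest first_seen date} for records newer than max_age_days."""
    first_seen = {}
    for line in raw.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 2:
            continue  # malformed line, skip rather than guess
        token, seen = parts
        try:
            seen_date = date.fromisoformat(seen)
        except ValueError:
            continue  # unparseable date, skip
        if (as_of - seen_date).days > max_age_days:
            continue  # too stale to correlate with a recent breach
        # De-duplicate: keep the earliest sighting of each token.
        if token not in first_seen or seen_date < first_seen[token]:
            first_seen[token] = seen_date
    return first_seen


def common_point_of_compromise(compromised, transactions, lookback_days=60):
    """Analysis step: for each compromised card, collect the merchants it used in the
    lookback window before its first sighting; the merchant shared by the largest
    fraction of compromised cards is the CPP candidate. Returns (merchant, fraction)."""
    merchants_per_card = defaultdict(set)
    for token, merchant, txn_date in transactions:
        if token not in compromised:
            continue
        first = compromised[token]
        if first - timedelta(days=lookback_days) <= txn_date <= first:
            merchants_per_card[token].add(merchant)
    counts = Counter(m for ms in merchants_per_card.values() for m in ms)
    if not counts:
        return None, 0.0
    merchant, n = counts.most_common(1)[0]
    return merchant, n / len(compromised)


if __name__ == "__main__":
    processed = process_dump(RAW_DUMP, AS_OF)
    print("processed records:", processed)
    print("CPP candidate:", common_point_of_compromise(processed, TRANSACTIONS))
```

The processing function deliberately refuses to repair malformed lines; in a real pipeline those would be logged for review rather than silently dropped, and the 90-day and 60-day windows would be tuned to the breach timeline under investigation.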

4. Analysis and production

This step is where you analyze the assets you collected and processed to determine how it all fits together and, ultimately, the extent to which it fulfills your requirements. You’ll then need to compile this analysis into the right format for it to be communicated, understood, and appropriately actioned by its intended consumer.

For example, let’s say we have an insider threat program (ITP) looking to determine whether any current employees are abusing their access to company assets. After collecting data from internal logs and user-behavior analytics tools, the ITP flagged several instances of unusual activity. But upon further investigation, the ITP concluded that the activity in question was part of a legitimate penetration test carried out by the company’s red team and thus warranted no further investigation. 

The ITP then communicated these results, including the behavioral indicators associated with the penetration test, in a succinct report for the stakeholders on the company’s corporate and network security teams that had initially requested the investigation. 

5. Dissemination and feedback

During dissemination and feedback, the final step of the intelligence cycle, the reporting produced in the previous step is sent to the appropriate stakeholders, who then have two important jobs: 1) to provide feedback on the report; and 2) to action it accordingly. In many cases, feedback leads to reiterations of previous steps of the intelligence cycle until the stakeholders’ desired outcome is achieved and IRs fulfilled. 

Though easily outlined in just five steps, this continuous feedback loop is integral to the success of any security initiative and also reinforces that security in itself—much like the intelligence cycle—is a continuous process that requires thoughtful planning, clear objectives, and proper alignment above all else.