Security Experts:

Why All Security Disciplines Should Use the Intelligence Cycle

The intelligence cycle is often underutilized in nearly every area of security. This iterative process through which data or information becomes intelligence can streamline, focus, and provide strategic guidance in myriad situations that extend far beyond the realm of traditional intelligence operations. But despite these benefits, in most cases (at least in the commercial sector), usage of the intelligence cycle is limited to threat intelligence programs. 

Here’s a crash-course on the intelligence cycle and how you can apply and derive value from its core principles—no matter your role or security discipline:

1. Planning and direction

Arguably the most crucial step in the intelligence cycle, planning and direction is where you define an intelligence operation’s purpose and objectives, which are known as intelligence requirements (IRs). These IRs should reflect questions you will seek to answer in order to satisfy the purpose of the operation.

When applied more broadly, the requirements-driven approach catalyzed by planning and direction helps ensure alignment between all parties involved in an initiative, the purpose of the initiative, and what will need to happen to satisfy that purpose. This type of approach starkly contrasts with its “checkbox” counterpart, which can remain pervasive across security disciplines.

In the context of vulnerability management, for example, a checkbox approach could manifest as prioritizing patching based solely on CVSS scores. Meanwhile, a requirements-driven approach could align with an objective to prioritize patching based on risk. The IRs in this situation might include:

- Which vulnerabilities present within our systems are most likely to be exploited?

- If those vulnerabilities are exploited, how will they impact our organization?

2. Collection

Collection entails identifying and collecting the data and information necessary to satisfy the IRs you defined in planning and direction. But more generally speaking, this step is about figuring out which assets you’ll need and how you’ll obtain them in order to fulfill the requirements of a given initiative.

For instance, suppose an executive protection team is tasked with safeguarding a high-profile CEO during an upcoming business trip abroad. The team’s primary objective is to identify and mitigate any credible physical threats to the CEO posed by adversaries in the region. As such, their collection activities include seeking insights from local law enforcement and other trusted contacts in the region, as well as monitoring online forums known to be frequented by physical threat actors in the region.

3. Processing

Processing is all about preparing the assets you obtained during the previous step for the purpose you will need them to serve in order to fulfill your requirements. In the context of an intelligence operation, this step is where you synthesize the data and information you collected and then refine and structure it to make it suitable for further analysis. 

Processing is especially important in situations where the assets at hand include large volumes of unstructured data. For fraud teams seeking to identify the common point of compromise of a recent breach, for example, a dump of card data might provide useful insights—but first it must be de-duplicated, evaluated for timeliness, and structured in a manner that would enable correlation with other datasets and integration with analytics tools.

4. Analysis and production

This step is where you analyze the assets you collected and processed to determine how it all fits together and, ultimately, the extent that it fulfills your requirements. You’ll then need to compile this analysis into the right format for it to be communicated, understood, and appropriately actioned by its intended consumer. 

For example, let’s say we have an insider threat program (ITP) looking to determine whether any current employees are abusing their access to company assets. After collecting data from internal logs and user-behavior analytics tools, the ITP flagged several instances of unusual activity. But upon further investigation, the ITP concluded that the activity in question was part of a legitimate penetration test carried out by the company’s red team and thus warranted no further investigation. 

The ITP then communicated these results, including the behavioral indicators associated with the penetration test, in a succinct report for the stakeholders on the company’s corporate and network security teams that had initially requested the investigation. 

5. Dissemination and feedback

During dissemination and feedback, the final step of the intelligence cycle, the reporting produced in the previous step is sent to the appropriate stakeholders, who then have two important jobs: 1) to provide feedback on the report; and 2) to action it accordingly. In many cases, feedback leads to reiterations of previous steps of the intelligence cycle until the stakeholders’ desired outcome is achieved and IRs fulfilled. 

Though easily outlined in just 5 steps, this continuous feedback loop is integral to the success of any security initiative and also reinforces that security in itself—much like the intelligence cycle—is a continuous process that requires thoughtful planning, clear objectives, and proper alignment above all else.

view counter
Josh Lefkowitz is the CEO of Flashpoint, which delivers Business Risk Intelligence (BRI) to empower organizations worldwide with meaningful intelligence and information that combats threats and adversaries. Lefkowitz has worked extensively with authorities to track and analyze terrorist groups. He has also served as a consultant to the FBI's senior management team and worked for a top tier, global investment bank. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.