Here at Reqfast, we have three axioms that act as our guiding principles when we develop our products and services.
- Intelligence is decision support.
- The intelligence function is about customer service.
- Intelligence is “Actionable” when used by the decision-maker to make a decision.
In this article, we discuss how these three statements not only define what intelligence is and is not, but provide the framework we feel is often lacking when Cyber Threat Intelligence teams are formed.
#1 – Intelligence is Decision Support
“Decision Support is the only acceptable mission for intelligence.” – R.D. Steele
This statement – this concept – is critical to understanding the proper role and mission of any intelligence team; it also clearly outlines what should be expected from an intelligence information vendor. Existing threat intelligence vendors in this crowded space are very good at acquiring massive amounts of data from disparate sources, quickly parsing it to find the most relevant data points, and then rapidly disseminating the information that may or may not be useful to the customer. That information cannot be considered “intelligence” until the intelligence producer (the vendor) is given specifics around what the intelligence consumer (the customer) intends to do with the identified data. Put differently, can an intelligence provider really provide bona fide intelligence without insight into the decisions that may be made from its intended use?
To answer this question, let’s demonstrate using a core decision every Chief Information Security Officer (CISO) must make for his or her organization: how best to allocate resources and money for next year’s budget planning purposes. In this example, we’ll assume the Intelligence Team reports to the CISO. An effective intelligence team should be able to develop sub-questions that generate the information needed to empower the CISO to make his or her budgeting decisions. Such questions might include: “What is our current risk posture? Does the organization currently have a method to assess this? What are our most critical assets?” Alternatively, the intel team could ask, “Which system(s) going offline would bring about the most negative impact to our business?” A logical follow-up question to this might be, “Of those known systems, which are most likely to be targeted by external threat actors, and are there known exploits that could be used by those threat actors?” But let us not forget, the answers to those questions should help leadership choose what course of action to take. In this case, that means looking at the known systems at risk, and then deciding whether to upgrade, remove, or replace them.
#2 – The Intelligence function, at its core, is about customer service
“In the information age, ‘intelligence’ is less a matter of penetrating secrets, and more a matter of separating useful information from the flood of open information that is available legally and cheaply, in order to provide ‘just in time’ decision-support to the consumer.” – R.D. Steele
In any business activity, understanding your customers’ needs and problems and providing the best possible solution is the key to customer satisfaction. A threat intelligence team, whose primary customer is usually the CISO, is no different. The current volume of available, ‘relevant’ information, concerning threats or otherwise, is beyond true human comprehension. Information security and business leaders need help to navigate this deluge of data to plot the best course for their organization. Putting aside US government intelligence community jargon and military acronyms, intelligence is about supporting the customer’s decision-making process. It is about understanding your customer, working with them to define and articulate the problem to be solved, then coming up with solutions and specific information that is relevant to the customer’s decision set (not just relevant by way of keyword match or company name). The method for codifying the customer’s intelligence needs is documenting their requirements – the key to understanding and providing that excellent customer service.
#3 – Intelligence is “Actionable” when used by the Decision Maker to make a decision
Often we hear that good intelligence is “actionable.” In the military, that connotation was pretty clear. If the intelligence team was confident it had acquired the home address of a wanted bad guy, the infantry unit could “action” on that intelligence and go knock on the door. In cyber security, the meaning of “actionable” is a lot less clear (or exciting). The intelligence team may receive a list of file hashes known to be bad. In this case the “action” is passing that list (hopefully in automated fashion) to the AV or SIEM team. “Action” now seems a bit… glorified? However, if you look at intelligence as “decision support,” that brings in a different point of view. A vulnerability team may be wondering how best to prioritize their patching operations. Working with the intelligence team, they determine which assets are the most critical and whether or not the known threats are targeting those assets. In that way, when the intel team passes along information, it’s now passed with a purpose and intent. “Here is this list of IOCs – targeting mid-level applications, low threat activity” – a bit more useful and relevant! So in private enterprise, information becomes “actionable” when it is actually being used by the receiving decision-maker.
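To make the two decisions above concrete (the CISO’s upgrade/remove/replace question and the vulnerability team’s patch ordering), here is an added example, not Reqfast’s code, that ranks assets by criticality against known targeting and exploit availability, and attaches the context to an IOC handoff. The assets, actors, tags and weights are all constructed assumptions for illustration.

```python
"""Added example (not Reqfast's code): turn raw threat data into decision support
for the patch / upgrade decision. Assets, actors and weights are constructed."""
from dataclasses import dataclass, field

# Assumed weights: how much current activity and a working exploit raise urgency.
ACTIVITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}
EXPLOIT_BONUS = 2

@dataclass
class Asset:
    name: str
    criticality: int                          # 1 (minor) .. 5 (business stops if offline)
    tags: set = field(default_factory=set)    # e.g. {"internet-facing", "web"}

@dataclass
class ThreatReport:
    actor: str
    targets: set          # tags this actor is known to go after
    known_exploit: bool   # is a working exploit available against such assets?
    activity: str         # "low" | "medium" | "high"

def score_asset(asset, reports):
    """Criticality x threat factor, plus a rationale so the decision-maker sees the 'why'."""
    relevant = [r for r in reports if r.targets & asset.tags]
    if not relevant:
        return asset.criticality, f"{asset.name}: no known targeting, ranked by criticality only"
    threat = max(ACTIVITY_WEIGHT[r.activity] + (EXPLOIT_BONUS if r.known_exploit else 0) for r in relevant)
    actors = ", ".join(sorted(r.actor for r in relevant))
    return asset.criticality * threat, f"{asset.name}: targeted by {actors}, threat factor {threat}"

def prioritize(assets, reports):
    """Rank assets for upgrade/patch/replace decisions, most urgent first: (name, score, why)."""
    rows = [(a.name, *score_asset(a, reports)) for a in assets]
    return sorted(rows, key=lambda row: row[1], reverse=True)

def handoff_note(report, assets):
    """Pass an IOC list along 'with a purpose': which assets it concerns and how active the threat is."""
    hit = ", ".join(a.name for a in assets if report.targets & a.tags) or "no current assets"
    return f"IOCs from {report.actor}: concerns {hit}; {report.activity} threat activity; exploit available: {report.known_exploit}"

# Constructed sample data, not real assets or actors.
SAMPLE_ASSETS = [
    Asset("erp", 5, {"erp", "internal"}),
    Asset("webshop", 4, {"internet-facing", "web"}),
    Asset("hr-portal", 3, {"saas"}),
]
SAMPLE_REPORTS = [
    ThreatReport("Actor A", {"internet-facing"}, known_exploit=True, activity="high"),
    ThreatReport("Actor B", {"internal"}, known_exploit=False, activity="low"),
]
```

Calling `prioritize(SAMPLE_ASSETS, SAMPLE_REPORTS)` puts the internet-facing shop first even though the ERP system is more critical, because an active actor with a working exploit is targeting it; `handoff_note(SAMPLE_REPORTS[1], SAMPLE_ASSETS)` yields the kind of contextualised IOC message the paragraph describes.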
It is very common, when intelligence teams are asked to define their intelligence requirements, for them to come up with questions such as “What threat actors are targeting our company?” In almost all cases, that question was created in isolation from other information security teams, the business, and leadership. So it is no wonder that when the threat intelligence team submits a report saying, “Hey, we found threat actor X and they are targeting our company!” the report is met with a less-than-enthusiastic response. “So what?” is the usual response, in fact.
However, if the requirements are developed with an understanding of what decision their leadership or another team needs to make, the intelligence team is no longer disseminating information without context; rather, they are providing intelligence with a purpose.
Today we discussed the three axioms of intelligence that guide Reqfast in how we produce and refine our product sets. We discussed intelligence as decision support, where the information provided by intelligence teams needs to support a leader’s decision. We also said intelligence work is about customer service, and the customers are the decision-makers the intelligence team supports. Identifying the customer’s needs, documenting those requirements, and producing the relevant information they asked for is the key to providing excellent customer service. The extension of this thought is that intelligence is information with a purpose, and it only becomes actionable when used by the consumer. Though seemingly simple in concept, as most in the threat intelligence industry know, the implementation of these axioms is quite difficult. But with careful planning and dedication, it can be achieved.
Robert D. Steele (1996), “Private Enterprise Intelligence: Its Potential Contribution to National Security,” in David A. Charters (ed.), Intelligence Analysis and Assessment (Studies in Intelligence). Taylor and Francis, Kindle Edition. ISBN 0-7146-4249-5.