Intelligence Requirements in Cyber Threat Intelligence
The cyber threat intelligence cycle starts with planning and direction, which includes defining intelligence requirements (IRs). These are the goals that define the intelligence that must be collected or produced. They’re the questions that must be answered. They guide all efforts within the cyber threat intelligence cycle.
Intelligence Requirements in the CTI Cycle
- Planning & Direction: define the IRs
- Collection: gather data relevant to the IRs
- Processing: make data ready to analyze for relevance to the IRs
- Analysis & Production: assess the meaning of the data relevant to the IRs
- Dissemination/Distribution: share intel relevant to the IRs
- Feedback: gather input about how well the intel matched the IRs
IRs are often defined by an organization’s senior leaders, but can also be defined by security teams (such as the SOC or incident response team).
Example Intelligence Requirements
- What vulnerabilities are being exploited?
- What vulnerabilities can we detect?
- What exploits do we need to watch for?
- What exploits can we defend against?
- What vulnerabilities are threat actors targeting?
- What assets do we need to defend?
- What threat actors do we need to watch for?
- What threats is our industry facing?
- What threats is our geographic area facing?
- What security concerns keep executives up at night?
Some of these are quite broad; the more specific IRs are, the better.
These aren’t mere curiosities; the answers to these questions will provide information that defenders can act on to improve organizational security, which contributes to the organization’s survival and success.
Prioritizing Intelligence Requirements
As you can imagine, the list of IRs can quickly become very long. Even organizations that have large CTI teams still have a limited amount of time they can put into CTI efforts. IRs must be prioritized so that analysts know how to allocate their time and energy.
Types of Intelligence Requirements
- General Intelligence Requirements (GIRs): Most general. Example: How is ransomware being hosted, distributed, and installed?
- Priority Intelligence Requirements (PIRs): Less granular than GIRs, more granular than SIRs. Determine and outline the priority of IRs. Time-based; focused on a specific activity or event. Example: Where along the perimeter will the adversary attack?
- Specific Intelligence Requirements (SIRs): Most granular. Operational or tactical; focused on specific facts and activities, often tied to particular attributes of an attack or threat actor. Very short-term. Example: Describe the specific attributes associated with all REvil ransomware binaries observed in incidents today.
Benefits of Intelligence Requirements
- By focusing efforts, IRs enable more efficient use of InfoSec resources.
- By setting clear requirements, IRs make it easier to measure the success of CTI.
- By enabling the measurement of CTI success, IRs make it easier to justify the expense of CTI operations.