Intelligence Requirements in Cyber Threat Intelligence
The cyber threat intelligence cycle starts with planning and direction, which includes defining intelligence requirements (IRs). These are the goals that define the intelligence that must be collected or produced. They’re the questions that must be answered. They guide all efforts within the cyber threat intelligence cycle.
Intelligence Requirements in the CTI Cycle
- Planning & Direction: define the IRs
- Collection: gather data relevant to the IRs
- Processing: make data ready to analyze for relevance to the IRs
- Analysis & Production: assess the meaning of the data relevant to the IRs
- Dissemination/Distribution: share intel relevant to the IRs
- Feedback: gather input about how well the intel matched the IRs
IRs are often defined by an organization’s senior leaders, but can also be defined by security teams (such as the SOC or incident response team).
Example Intelligence Requirements
- What vulnerabilities are being exploited?
- What vulnerabilities can we detect?
- What exploits do we need to watch for?
- What exploits can we defend against?
- What vulnerabilities are threat actors targeting?
- What assets do we need to defend?
- What threat actors do we need to watch for?
- What threats is our industry facing?
- What threats is our geographic area facing?
- What security concerns keep executives up at night?
Some of these are quite broad; the more specific IRs are, the better.
These aren’t mere curiosities; the answers to these questions will provide information that defenders can act on to improve organizational security, which contributes to the organization’s survival and success.
Prioritizing Intelligence Requirements
As you can imagine, the list of IRs can quickly become very long. Even organizations that have large CTI teams still have a limited amount of time they can put into CTI efforts. IRs must be prioritized so that analysts know how to allocate their time and energy.
Types of Intelligence Requirements
- General Intelligence Requirements (GIRs): Most general; the broad questions that PIRs and SIRs refine. Example: How is ransomware being hosted, distributed, and installed?
- Priority Intelligence Requirements (PIRs): Less granular than SIRs, more granular than GIRs. Determine and outline the priority of IRs. Time-based. Focus on a specific activity or event. Example: Where along the perimeter will the adversary attack?
- Specific Intelligence Requirements (SIRs): Most granular. Operational, tactical; focused on specific facts and activities. Often related to specific attributes of an attack or threat actor. Very short-term. Example: Describe the specific attributes associated with all REvil ransomware binaries observed in incidents today.
Benefits of Intelligence Requirements
- By focusing efforts, IRs enable more efficient use of InfoSec resources.
- By setting clear requirements, IRs make it easier to measure the success of CTI.
- By enabling the measurement of CTI success, IRs make it easier to justify the expense of CTI operations.
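The GIR → PIR → SIR hierarchy and the benefit of measurable requirements can be made concrete in a small tracker. The following is an added example, not code from the original post: it models the three IR types as data, ranks PIRs by a stakeholder-assigned priority, reports requirements that nothing more specific refines (analysts have no concrete tasking for them), and computes the share of SIRs answered by their due date, one possible way to measure CTI success. The priority field, due dates, and every requirement not quoted from the post are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class SIR:
    """Specific Intelligence Requirement: narrow, tactical, very short-term question."""
    question: str
    due: date                       # assumption: every SIR carries a deadline
    answered_on: Optional[date] = None


@dataclass
class PIR:
    """Priority Intelligence Requirement: time-bound question with an explicit priority."""
    question: str
    priority: int                   # assumption: 1 = highest, set by the stakeholder who raised it
    sirs: List[SIR] = field(default_factory=list)


@dataclass
class GIR:
    """General Intelligence Requirement: broad question that PIRs and SIRs refine."""
    question: str
    pirs: List[PIR] = field(default_factory=list)


def ranked_pirs(girs: List[GIR]) -> List[str]:
    """PIR questions across all GIRs, highest priority first (ties keep input order)."""
    pirs = [p for g in girs for p in g.pirs]
    return [p.question for p in sorted(pirs, key=lambda p: p.priority)]


def coverage_gaps(girs: List[GIR]) -> List[Tuple[str, str]]:
    """Requirements with no more specific child: a GIR without PIRs or a PIR without SIRs."""
    gaps = []
    for g in girs:
        if not g.pirs:
            gaps.append(("GIR", g.question))
        for p in g.pirs:
            if not p.sirs:
                gaps.append(("PIR", p.question))
    return gaps


def on_time_rate(girs: List[GIR], as_of_iso: str) -> Optional[float]:
    """Share of SIRs due on or before as_of (ISO date) that were answered by their due date.

    Returns None when nothing was due yet, so a fresh program is not scored as 0%.
    """
    as_of = date.fromisoformat(as_of_iso)
    due = [s for g in girs for p in g.pirs for s in p.sirs if s.due <= as_of]
    if not due:
        return None
    hit = sum(1 for s in due if s.answered_on is not None and s.answered_on <= s.due)
    return hit / len(due)


# Constructed sample hierarchy. The two GIR/PIR/SIR questions quoted from the post are
# reused; the remaining questions, priorities and dates are made up for this example.
SAMPLE = [
    GIR("How is ransomware being hosted, distributed, and installed?", pirs=[
        PIR("Which initial-access vectors are ransomware affiliates using against our industry this quarter?",
            priority=2, sirs=[
                SIR("Describe the specific attributes associated with all REvil ransomware binaries "
                    "observed in incidents today.",
                    due=date(2024, 5, 1), answered_on=date(2024, 5, 1)),   # answered on time
                SIR("Which phishing lures seen this week deliver a ransomware loader?",
                    due=date(2024, 5, 3), answered_on=date(2024, 5, 6)),   # answered late
            ]),
        PIR("Where along the perimeter will the adversary attack?", priority=1),  # no SIRs yet
    ]),
    GIR("What threats is our geographic area facing?"),                             # no PIRs yet
]

if __name__ == "__main__":
    print("PIRs by priority:", ranked_pirs(SAMPLE))
    print("Gaps:", coverage_gaps(SAMPLE))
    print("On-time rate as of 2024-05-10:", on_time_rate(SAMPLE, "2024-05-10"))
```

The gap report is the practical output: a GIR with no PIRs under it, or a PIR with no SIRs, is a question nobody is actually collecting against, which is where the post's advice that "the more specific IRs are, the better" bites.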