I previously wrote about Cyber Threat Intelligence and why it's important to consume it in some form inside your cyber security programme. Without it, you're flying blind.
Before I got my start in cyber security, I worked in Military Intelligence, and Cyber Threat Intelligence runs on the same system the Military Intelligence apparatus uses. It's called the Intelligence Cycle.
There are a few key steps to the Intelligence Cycle:
Let's break these steps down.
It all starts with identifying our intelligence needs. Decision-makers like military leaders, members of government and business executives act as our guides in this process and help us understand what information is necessary to make the best decisions.
Let's look at a military example: the head of the Army wants to deploy their troops. Here are some questions they'd want answers to:
- Who is the enemy?
- Where is the enemy?
- What are their objectives?
- What tactics and equipment do they use?
All of these are crucial questions that must be answered before the Army can go anywhere.
Now that we know what we're looking for, it's time to figure out where to find it. We'll also manage how we collect it, using something called an Intelligence Collection Plan. This brings us to the Collection phase.
Armed with the direction from management, we have the green light to go and collect data and information.
We won't get into ICPs in too much depth at this stage, but essentially an ICP is something like a spreadsheet that lists every question alongside every possible source of its answer. We'll cover it in a later post.
We are on the lookout now for the data and information we need to answer management's questions. There are two types of sources of information:
- Open Sources (publicly available). Intelligence drawn from these is also called OSINT, or Open Source Intelligence.
- Closed Sources (not publicly available). These can be sources that are only available through paid means or by use of government authority.
And there are many different sources within these two types:
- Human intelligence (HUMINT) involves gathering information from people: talking to people in the know, interviewing them, and recruiting confidential informants.
- Signals intelligence (SIGINT) involves gathering information from electronic signals such as communications, radars, and other electronic devices. This source will typically be reserved for government actors, as it ultimately boils down to wiretapping and hacking.
- Imagery intelligence (IMINT) is about gathering information from imagery such as photos and videos: street view of a building, satellite imagery from Google or other sources, or even sending someone into the field to take photographs.
There are many more types of sources but ultimately it's about finding the most reliable and timely sources. The cost and effort required to get these different bits of information can vary wildly.
These collection efforts will be managed and centrally coordinated by an Intelligence Collection Manager and they will use an Intelligence Collection Plan (ICP) - a blueprint for how to gather all the information.
Once the information has been collected, it needs to be analysed.
The analysis stage is where all the pieces of information come together and you create finished intelligence products.
There are a variety of techniques you can use to analyse information; Wikipedia has a great entry on intelligence analysis. How you analyse depends on what information you have gathered, but it can often require the use of dedicated software, such as data visualisation tools. The goal of the analysis stage is to turn raw data or information into actionable intelligence.
One of the key techniques used in the analysis stage is called fusion: taking information from multiple sources and combining it to create a deeper understanding of the situation.
Analysis is an ongoing process and analysts must reassess and update their finished intelligence products to keep them relevant.
You can have all the intelligence in the world, but if you can't deliver it to the customer, it is irrelevant.
Sometimes we will have been asked to gather a specific piece of intelligence; other times we will be acting proactively. When we are being proactive, we need to consider carefully who should receive the intelligence. It should also be delivered in the appropriate format, which could be written reports, briefings, or other forms of communication. The goal is to make sure that the right people have the right information at the right time, so they can make informed decisions.
I hope I've made the Intelligence Cycle sound as interesting as it really is. It's a cycle that makes the world the way it is, for better or worse. If your team can learn to wield it, great things can come your way!