Back in 2011, market research companies like IDC, Forrester and Frost & Sullivan were making market analysis about the growth of cyber threat intelligence services and alike. Their analysis stated a double digit growth year of year. Their projections seem reasonable and their current estimations continue in this trajectory. Nowadays, cyber threat intelligence continues to gain a lot of traction and hype across IT security. However, as many other cases in the IT security, the industry is adopting the jargon used across government agencies and military forces. That being said I wanted to write about cyber threat intelligence. But I thought would be good to first read and understand what intelligence means across the intelligence agencies and military domains in order to have good foundation before applying it to cyber. Below short summary I made on what intelligence is and what the 5 steps of the intelligence are.
What is Intelligence?
Intelligence is the product that results from a set of actions that are performed to information. Traditionally, used across governmental organizations for the purpose of national security. The actions are collect, analyze, integrate, interpret and disseminate. The final product of intelligence gives value-added, tailed information that provides an organization or its adversary, the ability to make conclusions. For the enterprise the information product might be to seek information about the threat actors means, motive and capabilities. On the other hand the adversary might want to seek information about intellectual property (patents, copyrights, trademarks, trade secrets, etc) from your company in order to gain economical advantage or to subvert its interests. In any of the cases the information produced gives an edge, a competitive advantage to you or to your adversary.
The information produced contains facts, findings and forecasts that supports yours or the adversary goals. There are two categories of Intelligence. One is strategic and the other is operational. Strategic intelligence means information produced to support well informed decisions of long-lasting importance. Strategic intelligence is broader and often requires information concerning different fields. Operational intelligence is of limited life span and it to be used rapidly and is concerned with current events and capability.
What are the 5 steps of the Intelligence cycle?
Planning and direction – This is the first step. It’s here were the requirements and priorities are set. The capabilities to produce Intel are limited as any other resource which means we want to maximize its production with a constant number of resources. Among others, a methodology to define the requirements might be using the “Five W’s”. It’s also in this step where we define which areas the intelligence produced will have the most impact and make to most contribution. During the planning is fundamental to specify which categories of Intelligence will be gathered i.e. OSINT (Open Source Intelligence). In addition, the processes, people and technology to support the different steps in the cycle need to be established with clear roles and responsibilities.
Collection – The second step includes all the different activities, mainly research, that involves the collection of data to satisfy the requirements that were defined. The collection can be done either via technical or human means and involves gathering data from a variety of sources. In the military and intelligence community the sources normally used are people, objects, emanations, records. These sources span the different collection disciplines named as HUMINT, IMINT, MASINT, SIGNT, OSINT and others. Once collected, information is correlated and forwarded for processing and production.
Processing and exploitation – Third step, the collected raw data starts to be interpreted, translated and converted into a form suitable for the consumers of the intelligence. The raw data becomes information.
Analysis and production – The refinement of the information that was produced in the previous step. The fusion of the different information that was processed from the different intelligence disciplines. These are key tasks performed during this step. The analysis consists of facts, findings and forecasts that describe the element of study and allow the estimation and anticipation of events and outcomes. The analysis should be objective, timely, and most importantly accurate. To produce intelligence objectively, the analysts apply four basic types of reasoning. Induction, deduction, abduction and the scientific method. Furthermore, because bias and misperceptions can influence the analysis the analyst should be aware of the different analytical pitfalls. The outcome is value-added actionable information tailored to a specific need. For example, in the United States, creating finished intelligence for national and military purposes is the role of the CIA.
Dissemination and Integration – Essentially, this step consists in delivering the finished product to the consumers who requested the information. This can be done using a wide range of formats and in a manual or automated manner.