Intelligence exists as a supporting function. It always has a purpose – to inform decision making and drive action. In the government this is inherently understood and the value of intelligence is easy to derive. However, businesses often struggle to determine the value of their threat intelligence team/organization/processes/tools. The terminology of Threat Intelligence (TI) is usually not compatible with the business lexicon, leading to misunderstanding of the purpose and value of TI. There are a few ways to address this, and we will look at one of them in the following post.
Within the government exists a policy that drives all intelligence operations; the National Intelligence Priority Framework (NIPF).
“The National Intelligence Priorities Framework (NIPF) is the primary mechanism to establish, disestablish, manage, and communicate national intelligence priorities. The NIPF reflects customers’ priorities for national intelligence support and ensures that enduring and emerging national intelligence issues are addressed.” (ICD 204, Part D Section 1)
This national-level document drives the development of objectives and helps define the scope of operations at intelligence agencies and within subordinate units. Without this framework, intelligence organizations are left with no guidance and most likely would answer the wrong questions and provide incomplete or inaccurate information. As you can imagine, a framework for your intelligence team is not only important—it is a requirement.
However, businesses do not have a NIPF or any sort of intelligence framework (usually). This leads to intelligence teams that lack focus and struggle with what information to provide to decision makers across all levels within the organization. While the business might not have a NIPF, they do have a generic, macro level set of priorities as can be seen below (not all inclusive):
This list can serve as a starter framework, as it outlines enduring issues businesses constantly seek to address. With these priorities in mind, the threat intelligence team can begin to derive objectives. There are some easily definable objectives that can directly support some of the above priorities.
Once the TI team understands the business objectives, they can align their operations and efforts to support the business. Not all of the business priorities will perfectly align with threat intelligence capabilities, and that’s okay. The first step is to get something in writing; even if it seems overly simplistic or too high-level. You can develop granularity and nuance as you build out your requirements. The following are a few thoughts for a new or young threat intelligence team on where to start and what questions to ask:
Sometimes you might get questions from executive leadership. Know how to respond - often they won’t ask the right question and you must be prepared to help them scope and rephrase in such a way that makes the ask achievable/answerable. Also, think about these ad hoc requests to see if there is a recurring theme; this may make for a good standing intelligence requirement.
As a former government intelligence analyst, my first job in the private sector was confusing and a bit daunting. However, I had good leadership that explicitly stated their requirements of the intelligence team and gave us a mission. Sadly, this won’t be the case in all organizations. New and seasoned threat intelligence analysts struggling to convey their value with executive leadership can take solace in the simple truth that they aren’t alone. The hard part is learning the business objectives and aligning your team’s activities with them. For the TI teams that can do this, their value and impact to the business will increase - as will the job satisfaction.
Reference “How to Define and Build an Effective Cyber Threat Intelligence Capability”, H. Dalziel
Justin Swisher is a Solutions Manager at Anomali. Building on more than twelve years of IT security experience with an emphasis in network security architecture and monitoring, Mr. Swisher has worked to develop new techniques to improve detection and threat hunting. After spending four years with the Air Force as an intelligence analyst, Mr. Swisher brought those analytical skills to leading cybersecurity vendors in an effort to improve network security detection and response.