Five Things to Consider for a Successful Intelligence Team - Part 3
#3 - Allow for Open Communication
Part 1 and Part 2 of this series concentrated on people, tools and encouraging DEVOPS. All of these are important considerations when building or beginning intelligence operations to support information security programs. They go a long way in establishing and supporting Security Operations Centers, or security operations in any form, but to take it a step further an organization should allow for open communication by the intelligence staff.
As we all know, communication is imperative for any type of operation, whether in the information technology/security realm or in standard business operations. But when dealing with the ever-changing threats we all face in today’s “internet of things” era, communication needs to be wider and more open for an intelligence team.
Using the intelligence cycle, we can see the importance of open communication. The intelligence cycle is a repeatable process used by an analyst or group of analysts to attack a specific problem or threat the organization faces. The end result should ultimately be a finished product disseminated throughout the organization. The Intelligence Requirement, found at the beginning of the cycle, is built around gaps in intelligence that need to be filled. To start building these requirements, the intelligence staff needs access to the separate lines of business within the organization: information technology and security, the overall user base (human resources, sales, marketing, etc.) and the C-level executives. Communication with key players in each of these divisions allows for the information gathering required to develop intelligence requirements, and it provides a conduit for collecting information not normally seen within the security infrastructure.
With direct communication to internal IT and security staff, the intelligence team can gain critical data on attempted and successful exploits, gathering attackers’ Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IOCs), while also assisting with remediation and hardening of attacked or exploited assets. Additionally, a conduit to executive staff and management lets the team capture knowledge of upcoming shifts in operations, personnel and locations and develop a strategic assessment of how these could affect the organization’s threat footprint.
For example, if a new product is being designed or a new location is to be opened, several different vulnerabilities can expose the organization to corporate espionage or geography-specific threats. These threats can be predicted, and countermeasures can be prepared and disseminated to reduce the likelihood of compromise.
The insider threat exists in every organization, regardless of the size or scope of the security program. Leveraging intelligence and keeping open lines of communication between the user base and the intelligence organization allows for enhanced training and situational awareness, delivered through security alerts and bulletins as current and emerging threats are discovered.
Pulling it together, you can see that open lines of communication not only add to the ability to create sound intelligence requirements, but can also be a good means of collection from internal sources beyond security appliances and devices. Dissemination of a final analytical product is self-explanatory, but it needs to be mentioned because of the reach an intelligence staff should have within the organization in order to answer requirements.
Finally, the intelligence team should have access to external sources for information sharing and research purposes. These external sources could range from local and federal law enforcement to industry experts and research organizations, to community groups centered on information security or on a specific industry.
- Part 1 - Invest in Proper People and Tools
- Part 2 - Encourage Internal Development (DEVOPS)
- Part 4 - Don't Shy Away from Sharing
- Part 5 - Make It Operational
Director, Cyber Threat Intelligence
Danny Pickens has more than fifteen years of experience in the fields of military intelligence, counterterrorism and cyber security. As the director of Optiv’s cyber threat intelligence (CTI) practice, Pickens is responsible for the direction and operations of a staff of CTI analysts and consultants charged with conducting research and analysis to support clients with strategic advisement and consulting in the area of intelligence for business alignment and decision advantage.