Five Things to Consider for a Successful Intelligence Team - Part 5
September 04, 2014
#5 - Make it Operational
The previous four parts in this series have covered subjects necessary to make an intelligence staff a successful endeavor for an enterprise. In this final piece, I want to concentrate on how to pull it all together and make the team operational.
As stated in Part 1: Invest in the Proper People and Tools, “Threat intelligence in our industry is evolving. Going beyond vulnerability and threat feeds is a must.” The main takeaway is to bring context to your data. The best way to gain context is through analysis - human analysis. The analyst will be able to provide insights that a firewall, proxy or SIEM cannot. He or she will be able to discern whether a threat is relevant to the organization and provide an assessment that enables judgment-based decisions. That is actionable, and that is what intelligence is all about. So how does an organization get to that point?
Levels of Intelligence
There are three roles of support that the intelligence function will deliver for the organization, known as the intelligence levels of effort. Each of these levels has a unique purpose when delivered and provides a well-rounded and comprehensive look at the overall threat landscape you face.
When first developing or instituting an intelligence capability within an organization, the main focus should be on strategic intelligence. This level of intelligence is tailored to longer-term analysis of the threats or problems an organization will face based upon its size, industry vertical and the current state of its information security program. It also feeds operations and senior leadership the intelligence they need for policy, planning and resource allocation, which in turn supports the following two levels.
Operational intelligence is where the intelligence staff supports the daily processes of the security team. At this stage, the intelligence staff should concentrate on providing direct support for operations in the form of finished intelligence products that contribute to the protection of information and assets. This includes products on current and emerging threats and is delivered in the form of IDS/IPS signatures, YARA rules, threat actor profiles and up-to-date information stemming from malware analysis and industry trends.
Tactical intelligence is focused on supporting ongoing investigations and incident response in the case of an intrusion or breach of the organization. The intelligence team should provide current and time-sensitive intelligence surrounding the specifics of the incident, exploit or threat. The production of finished intelligence at this stage is limited to the Post-Incident Activity component of the incident response plan, and all intelligence communications to the incident response team should be tailored for quick consumption and action.
The Intelligence Cycle
If you are familiar with any of our previous articles, you will know that we always go back to the intelligence cycle. The intelligence cycle allows analysts to focus their collection and analysis on the specific threats that an organization faces. The great thing about it being a cycle is it can be instituted at all three of the “Intelligence Levels of Effort”.
Inside the intelligence cycle, we can see how the previous four parts can be applied.
- The proper people and tools will allow for sound requirements to be developed and enable analysis and production.
- DEVOPS will assist in collection and analysis as long as the right tools are appropriated or built.
- Open communication channels will assist in both requirements generation and proper dissemination of finished intelligence.
- Sharing among the community can support all four of those stages.
Make It So
To end, if you have a security shop, odds are you already perform intelligence operations. With some fine tuning of the people, processes and technology covered in this series, you can move to intelligence-driven operations. Invest in your people and the tools they need. Encourage internal development. Allow them to communicate openly, both internally and externally. Adopt a proven methodology. Make it so!