Threat Intelligence: The Delivery
The best thing an intelligence analyst can provide to his customer is a finished product which is actionable and well laid out. The analyst needs to be a trusted source for intelligence information so that the consumers will listen and act on the information received.
There needs to be a takeaway for the operations component of any organization that initiates some form of action. In the military world, this may be a location of enemy fighters that needs to be targeted with munitions from either the air or ground. Or it may be a specific geographic area that needs to be secured, causing friendly forces to move to that space. In the information security world, it should be a set of recommendations used to protect against a known threat or attack based on best practices or the implementation of new signatures, custom alerts or device management rule changes. Well laid out simply means that it is in a format that is easily consumed by the end user to allow for the analysis to be interpreted and trusted.
With consumers at all levels within the organization, it is crucial that the product be formatted appropriately. Utilizing a common reporting structure that includes an executive summary, as well as a technical analysis and conclusion sections provides the necessary information to satisfy both the decision makers and the operators in the organization.
The product should lead with a good, concise executive summary that condenses the findings for senior leadership and executive management. This allows for them to quickly read the finding up front and be able to move on, knowing that his organization is being proactive against the threat. They generally do not have the time necessary to dive deep in to the analytical methodology or findings.
The main body is where the analyst will present his or her examination and analysis of the subject matter. The analyst should walk the reader through the findings, such as the breakdown of how a particular piece of malware works and the indicators derived, or possibly trended analysis of how a specific or individual indicator has morphed over a given period of time. This section is obviously dependent upon the subject of the product and the analytical methodology used, but will present the reader with the necessary evidence leading in to a conclusion and why the implementation of the recommendations is needed. The analyst can provide graphs, timelines, or networked analysis images to show how he reached his conclusions and provide for the visual representation of his finding.
The above sections should then be bundled into a conclusions portion that is similar but more in depth than the executive summary. It should include the analyst’s opinions and recommendations, up to and including the technical signatures and custom rules to be implemented. It should be worded in a way that spurs action by operations and understanding for executive leadership.
Remember, the goal of the intelligence analyst is to be a trusted source of intelligence information and to be relied on as the subject matter expert in the organization. By having an informative finished product that is technically proficient, easily consumed and leads to engagement from operations satisfies the intelligence support requirement of the information security program.
For more about threat intelligence best practices for your organization, download the white paper.