Intelligence Life Cycle-Requirements PDF
Document Details
Uploaded by CooperativeJacksonville
Nanyang Technological University
Sharon Fladograf
Tags
Summary
This document provides a comprehensive overview of intelligence life cycle requirements. It emphasizes the planning phase, stakeholder identification, and the development of intelligence requirements. The document also touches on mission scope, threats, and the importance of understanding the network.
Full Transcript
Intelligence Life Cycle-Requirements And welcome to the requirements and planning module in the Cyber Threat Intelligence Lifecycle course. I'm Sharon Fladograf and I'll be your instructor. The goal of this module is to provide students with an overview of how the initial phase of the intelligence c...
Intelligence Life Cycle-Requirements And welcome to the requirements and planning module in the Cyber Threat Intelligence Lifecycle course. I'm Sharon Fladograf and I'll be your instructor. The goal of this module is to provide students with an overview of how the initial phase of the intelligence cycle, namely the planning and requirements phase, is the step within the intelligence cycle where new intelligence requirements are generated and strategies for satisfying those requirements are planned. By the end of this module, students will gain an understanding of the importance of intelligence planning, be able to identify their key stakeholders, the types of intelligence requirements, and how to develop these requirements. We will be covering the importance of intelligence planning, understanding key stakeholders and mission parameters, and developing intelligence requirements. Then, I will walk you through a practical exercise on how to craft your own intelligence requirements. So let's dive in. Here's where we are in the intelligence life cycle. As the cycle itself is iterative, you can see that requirements and planning is both the first and the last step of the cycle. If you're starting from scratch, meaning you've been asked to stand up a new team or engage in something called threat-informed defense, which relies on a deep understanding of who your adversary is and how they operate to improve your cyber network defenses, then, of course, the first time you engage in requirements planning will be a bit more labor-intensive as you establish a baseline for your requirements. But once you start putting out intelligence products, you can't just rest on your laurels. You have to incorporate the feedback from your stakeholders and go back and refine your requirements or create new ones. Based on this, you can understand why the requirements and planning phase is used to establish mission scope and intelligence requirements, which will directly influence all other phases of the intelligence cycle. The mission scope is a statement of the parameters of a cyber threat intelligence program's area of responsibility. Intelligence requirements, or IRs, are the overarching analytic questions an intelligence team will attempt to answer through its products and services. Mission scope should generally remain static, while IRs should be adjusted regularly based on stakeholder feedback and periodic reviews. Intelligence plays a central role in planning and executing ongoing strategic and operational goals for an organization. By better understanding the obstacles, vulnerabilities, and threats presented to us, we can be confident that we are reaching informed conclusions about how to proceed and where to expend our resources. The process of generating a good intelligence product starts with sound planning. A vague or poorly defined mission or requirement will usually result in poor intelligence. Intelligence planning is the beginning and the end of the intelligence cycle. The beginning, because it involves drawing up specific collection requirements, and the end, because finished intelligence supports business decisions, which will then generate new intelligence requirements. During this phase, intelligence requirements are established, goals and objectives are set, and resources are allocated. But in order to gain a comprehensive understanding of the problem at hand, you're going to have to gather your squad, otherwise known as your stakeholders. Your squad should include personnel from different access points and interests within your company's network and business units. For instance, network operational centers or security operational center personnel, incident response personnel, chief information security officer, business security officers, and business unit managers from various units across your company. They will all have unique requirements based upon their access and relationship to the network and how they make market-facing decisions on behalf of your company's business strategies. During this phase, the intelligence team must also identify potential risks and threats that may impact the success of the intelligence effort. This requires a deep understanding of how your business operates, its attack surface, as well as an understanding of the capabilities and intentions of potential adversaries. Understanding who you are providing intelligence to and why you are providing it to them is the first step in sound intelligence planning. The universe of online threats is constantly growing, as are the available tools and techniques used by cyber adversaries. By seeking to answer key questions, threat intelligence can enhance the network defender's ability to employ their defenses in the most effective and efficient manner. However, if the analyst does not understand their organization's own network, then they cannot decide whether information is relevant or not. They can waste valuable time researching a threat actor or vulnerability only to find out that it doesn't affect their organization. Likewise, if the analyst does not know who their report is going to, they cannot tailor their intelligence, which could then be too technical or not technical enough. If the stakeholder cannot utilize the intelligence to help them prioritize their tasks or inform their decisions, then the intelligence analyst has failed to achieve their goal. You should remain flexible in your thinking throughout the planning process. Intelligence requirements can change rapidly based on evolving situations. Also, since the intelligence life cycle is an iterative process, as we mentioned before, you should expect to continually assess the effectiveness of the requirements and adjust as necessary. Periodic review will be necessary to update requirements and adapt to changing needs and environments. So, what is an intelligence requirement? Well, according to the dictionary, it is 1. Any subject, general or specific, upon which there is a need for the collection of information or the production of intelligence. 2. A requirement for intelligence to fill a gap in the command's knowledge or understanding of the operational environment or threat forces. The concept of intelligence requirements originated from the military, and while you won't be charging into battle, we can easily adapt its uses for the corporate environment. During the process of generating requirements, both intelligence analysts and their stakeholders should be encouraged to contribute. Each side of the process has a unique knowledge of the network and the threat landscape that may inform the other. Requirements can largely be generated by responses to the baseline assessment, although there is no time that requirements stop being generated. When standing up a threat intelligence program, this will generate many of the backbone requirements that will be periodically revisited. After prioritization of the assets has been completed, analysts that generate requirements may use a threat model as a starting point to determine what kinds of questions should be answered, such as the identities or class of potential adversaries, how adversaries are targeting the business's digital assets, potential vulnerabilities that are targeting critical network infrastructure, how the business risks present as cyber risks, for instance, bringing new business into a new country or region, or a merger, perhaps. There are two different levels of intelligence requirements. Priority intelligence requirements, PIRs, and intelligence requirements, IRs. PIRs are requirements that stem directly from the project planner. PIRs take priority because until they are answered, the project cannot move forward. Often, PIRs define the mission parameters and are the key analytic questions for which an intelligence team should be providing assessments or judgments to stakeholders. IRs are overarching requirements that are desired to support mission success. Often, they are strategic in nature and relate to longer-term routine aspects of business operation. However, there aren't hard and fast rules about the differences between IRs and PIRs. The terms are often used interchangeably. EEIs, or essential elements of information, are any critical intelligence information required by intelligence consumers to perform their mission. The EEIs are specific to a particular event, thing, or other target individuals. As such, EEIs fall under IR or PIRs. The EEI is written out in advance as a question by consumers of the EEI information. Then, the EEI questions are used by collectors of the information that may not be in direct contact with the consumer at the time the information is collected. A specific set of EEIs are used by collectors to develop a collection plan to find the answers to the questions in the EEIs. Collection requirements are statements of the types of information or data that should be collected to meet one or more of the EEIs. You will learn more about collection requirements in the next module. In the case of an intelligence requirement, you should adhere to several key principles. Clarity. Requirements must be specific and unambiguous to avoid misinterpretations. Relevance. They should align closely with the strategic objectives and operational needs. Prioritization. Determine which requirements are most critical and prioritize them accordingly. Just like writing work objectives, a best practice is to use the SMART formula. Your requirements should be specific, measurable, achievable, relevant, and time-bound. Let's write some intelligence requirements. Your chief information security officer, or CISO, has tapped you to start a cyber threat intelligence program. He tells you to just give him all the intel. This is kind of a vague request. Does he only care about threats targeting your specific company, your industry, your country? Is he talking about the threat actors themselves, the who, the campaigns, the what, or the attack techniques, the how, or maybe all three? After meeting with him to discuss your organization's priorities and business operations, you think you have a better idea about the type of information he's looking for. One priority for this year is that your company needs to provide some capabilities, like a call center, in several overseas locations, and they're not sure if they should outsource it or keep it in-house. So, our overarching collection requirement would be, what information do we have about outsourcing or third parties? That tells us that we have to start looking for resources and information about other companies who have outsourced similar capabilities and what their experiences have been so far, maybe what threats they have faced. Next, we have to define the question we are trying to answer. Outsourcing is a big topic. What specifically about outsourcing do we want to know? Well, for starters, we want to know about U.S. companies who have used third-party vendors overseas. We also want to know who is targeting the third-party dependencies. Now, under this IR, we can have several PIRs. For example, we want to know about the known threats to vendors and third-party providers used by American companies operating in Asia. Our second PIR could ask the same question, but for American companies operating in Europe, and so on and so forth. For every PIR, we then get really specific with EEIs. So, for our first EEI, we're going to ask threats to outsourced call centers that others in my industry are seeing. We could have a second EEI that asks the same question, but about outsourced operational centers as opposed to call centers. And again, these would all fall under for those American companies operating in Asia. For our second PIR, we would have similar EEIs specifically for Europe. It might seem tedious, but documenting everything out like this, you can clearly define what you are and are not responsible for investigating. In the future, you will start to see patterns where there are certain PIRs and EEIs that you can't answer. That will tell you where you have a collection gap and perhaps need to acquire new sources and visibility. Your requirements can also tell you what you aren't asking about, which might uncover something important that your stakeholders have overlooked. For example, your CISO wants to know about known threats, but what about emerging threats? What about the threat actors themselves behind the threats? Well, these questions might seem obvious and important to a threat intelligence analyst. They may not be so obvious to your stakeholders. It's your job as the intel analyst to draw out these details and guide your stakeholders to think about all possible scenarios. Here is a sample collection framework in Excel that we can use to document our previous example. Excel is a really good way to document out and have a record of all your PIRs and EEIs, and then it can be a shared document that your team can update periodically. We know that our overarching intelligence requirement is how are threat actors targeting American companies overseas via vendors and third-party dependencies? Our first priority intelligence requirement, or PIR1, is typed in the blue box. So, we would type in what are the known threats to vendors and third-party providers used by the American companies operating in Asia? From there, we enter our essential elements of information, or EEIs, in the green box. So, EEI 1.1 is are there any known threats, insider threats, or vulnerabilities involving outsourcing call centers in my industry? EEI 1.2 could be are there any known threats, insider threats, or vulnerabilities involving outsourcing operation centers in my industry? Now that we have our questions for each EEI, we have to decide how we will go about collecting the information that answers each question. Where will we find the answers? This will be covered in depth in the collection module, but examples include dark web sources, vendor reports, open source information, and malware analysis. Then, you notate down in the collection area what EEI is fulfilled by each type of collection. Once that is completed, we would start the exercise all over again with our second PIR, and so forth. This concludes the requirements and planning module. You should now have an understanding of the importance of intelligence planning, be able to identify key stakeholders, and the various types of requirements. You should also be ready to dive in and create your own collection management framework. Please complete the following post-lecture reading and podcast for additional insight into requirements and planning. The links to these resources are in your module folder. Information from these resources will be included on the final exam. To complete your required readings, you should start on your course assignment, which is detailed in the next video. If you have any questions about this topic, please feel free to contact me at the email on the screen. Thank you so much, and I hope you enjoyed your requirements and planning module.