This month, ZeroFox has been on the road to help security professionals create a successful threat intelligence and external cybersecurity strategy. Most recently, I attended the FS-ISAC Europe Summit, and presented an expanded, more detailed Intelligence Cycle.
If you missed the event, read on for some key points I shared during the presentation. If you want to find out where you can catch the next event, check out our events page.
The Traditional Threat Intelligence Cycle
Threat Intelligence is not a ‘nice-to-have’ security control. It has been estimated that enterprises are spending anywhere from $2B-$5B annually on threat intelligence vendors. Those billions of dollars are overwhelmingly spent on vendors focused on the collection and analysis steps of the Intelligence Cycle – the process that has been used by NATO members and Western private sector firms for more than a decade.
Despite that non-trivial spend on threat intelligence, breaches have not slowed down. Ransomware attacks are causing tangible, real-world effects, including – but not limited to – major loss of business revenue. If we are ever to achieve intelligence-driven cybersecurity, we must move beyond the layperson’s knowledge of how intelligence is produced.
The original Intelligence Cycle dates back to at least World War II. It has become glaringly outdated in the face of new technologies and the growth of the dark web, and it has never been adapted to private sector business needs.
At FS-ISAC’s Europe Summit this month I presented an expanded, more detailed Intelligence Cycle, based on a study from the late 1990s and adapted for private sector businesses. The emphasis is heavily on management functions rather than on collection and analysis. It is my opinion that a lack of robust planning and management for threat intelligence operations is what holds security teams back from truly becoming a proactive, intelligence-driven function. It’s time for the Intelligence Cycle, and the way we think about it, to expand and evolve in order to serve the business.
Why Do We Need the Expanded Intelligence Cycle?
Many stakeholders come to their vendors or internal intelligence teams and ask for ‘dark web.’ However, the dark web (or as we prefer to call it, The Underground Economy) is not a traditional intelligence requirement. A proper intelligence requirement is a question about a threat (for example, “Which ransomware groups have targeted European payment processors in the last 90 days, and what initial access techniques did they use?”). The answer to that question drives a decision by a security stakeholder that reduces risk and uncertainty for the organization. Without an intelligence assessment of a threat, decision makers are left to react to the threat’s actions.
A set of good intelligence requirements drives everything else in intelligence management and operations. Requirements drive resources, production, collection, and systems architecture. Remember: the fastest way to exhaust any credibility a security team has is to waste the company’s money. Time and attention here are critical to ensure the success of an enterprise’s intelligence team.
Another area where the original Intelligence Cycle falls short is feedback. Before someone tweets me a screenshot from JP 2-0: it’s not the absence of feedback that is the issue. It’s how feedback is tacked on as an afterthought. I often see the Intelligence Cycle presented without the feedback ring shown in JP 2-0. Whether you’re looking at the 2013 or the 2022 version of JP 2-0, I am of the opinion that feedback is glossed over by the doctrine writers on the Joint Staff. This is likely due to the differences between business and government budgeting. Private sector intelligence teams have less room to argue, “The threat gets a vote. Please give me more money,” without showing results.
In this expanded Intelligence Cycle, the arrows are bidirectional in almost all cases. Feedback has to be baked into intelligence management and operations in order to answer our stakeholders’ requirements quickly and efficiently. For example, intelligence analysts must provide feedback to collectors (or vendors) to improve collection. This is not unlike the “Agile” concept of continuous feedback loops.
Lastly, if we don’t count things or write down our successes, it’s as if they didn’t happen, and we’ll have a harder time justifying important resources. I break metrics down into measures of performance (things are working correctly) and measures of effectiveness (we’re doing the correct things). Performance metrics show that we’re ingesting data from our internal and external sources and producing against stated requirements. Effectiveness metrics tell us that intelligence is having an effect on the organization’s risk posture: that products actually drove stakeholder decisions, and how quickly.
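As an added example (not code from the original post or from ZeroFox), here is one way to compute the two classes of metric from a program’s own production log. The record schema, the configured source list and the sample records are constructed assumptions; the point is that measures of performance ask whether the pipeline is running (every configured source produces, products trace to a requirement), while measures of effectiveness ask whether products changed anything (they drove a decision, and how long that took).

```python
"""Measures of performance (MoP) and measures of effectiveness (MoE) for a
threat intelligence program, computed from a constructed log of finished
intelligence products. Added example; schema and data are assumptions."""
from datetime import datetime
from statistics import median

# Assumed: the sources the program is paying for or operating.
CONFIGURED_SOURCES = ["vendor_a", "vendor_b", "vendor_c", "internal_siem"]

# Constructed sample records (not real reporting). One record per finished
# product; "decision" and "actioned" are None when the product drove no
# stakeholder decision. "requirement" links the product to a stated PIR.
SAMPLE_RECORDS = [
    {"id": "TI-001", "source": "vendor_a", "requirement": "PIR-1",
     "published": "2024-03-01T09:00", "decision": "blocked C2 ranges",
     "actioned": "2024-03-01T15:30"},
    {"id": "TI-002", "source": "vendor_a", "requirement": "PIR-1",
     "published": "2024-03-02T10:00", "decision": None, "actioned": None},
    {"id": "TI-003", "source": "internal_siem", "requirement": "PIR-2",
     "published": "2024-03-03T08:00", "decision": "patched VPN appliances",
     "actioned": "2024-03-05T08:00"},
    {"id": "TI-004", "source": "vendor_b", "requirement": None,
     "published": "2024-03-04T12:00", "decision": None, "actioned": None},
    {"id": "TI-005", "source": "internal_siem", "requirement": "PIR-2",
     "published": "2024-03-06T11:00", "decision": "reset exposed credentials",
     "actioned": "2024-03-06T14:00"},
    {"id": "TI-006", "source": "vendor_b", "requirement": "PIR-3",
     "published": "2024-03-07T09:00", "decision": None, "actioned": None},
]


def _hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def measures_of_performance(records, configured_sources):
    """MoP: is the machinery working? Counts products per configured source
    (a source with zero output is a collection failure worth raising with the
    vendor) and the share of products that trace back to a requirement."""
    per_source = {s: 0 for s in configured_sources}
    for r in records:
        per_source[r["source"]] = per_source.get(r["source"], 0) + 1
    silent_sources = sorted(s for s, n in per_source.items() if n == 0)
    linked = sum(1 for r in records if r["requirement"])
    return {
        "products_per_source": per_source,
        "silent_sources": silent_sources,
        "requirement_linkage_rate": linked / len(records) if records else 0.0,
    }


def measures_of_effectiveness(records):
    """MoE: is intelligence changing risk? Share of products that drove a
    stakeholder decision, median hours from publication to that decision,
    and requirements that have produced nothing actionable (candidates for
    rewriting or retiring in the next requirements review)."""
    actioned = [r for r in records if r["decision"] and r["actioned"]]
    latencies = [_hours_between(r["published"], r["actioned"]) for r in actioned]
    hits_by_requirement = {}
    for r in records:
        if r["requirement"]:
            hits_by_requirement.setdefault(r["requirement"], []).append(bool(r["decision"]))
    unactioned = sorted(req for req, hits in hits_by_requirement.items() if not any(hits))
    return {
        "actioned_rate": len(actioned) / len(records) if records else 0.0,
        "median_hours_to_decision": median(latencies) if latencies else None,
        "unactioned_requirements": unactioned,
    }


def program_report(records, configured_sources):
    """Both metric classes in one structure, suitable for a monthly readout."""
    return {
        "performance": measures_of_performance(records, configured_sources),
        "effectiveness": measures_of_effectiveness(records),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(program_report(SAMPLE_RECORDS, CONFIGURED_SOURCES), indent=2))
```

On the sample data the performance side flags vendor_c as silent and shows five of six products linked to a requirement; the effectiveness side shows half of the products drove a decision, a median of 6.5 hours from publication to action, and PIR-3 as a requirement that has yet to yield anything actionable. Those are the numbers that support a budget conversation far better than “we ingested a lot of indicators.”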
Next Steps for Threat Intelligence Success
Get closer to your stakeholders. Listen closely and empathetically to what they say, and infer the business areas that cyber threats could degrade or destroy. Then build their intelligence requirements from those observations and inferences. A successful threat intelligence program requires strategy and execution, and neither can be done haphazardly. For more practical tips on how to implement an effective threat intelligence program, download the ZeroFox Threat Intelligence Buyer’s Guide.