
WHITE PAPER

Establishing a Formal Cyber Intelligence Capability

from Verisign iDefense Security Intelligence Services

CONTENTS

Introduction 4
Preliminary Considerations
The Intelligence Cycle
Direction 9
Collection 10
Analysis 13
Dissemination 15
Operationalizing Intelligence 17
Organizational Structures 17
Implementation and Deployment 19
Intelligence Maturity Model 22
Best Practices 25
Conclusion 28
Appendix: RFI Template 28

Verisign Public | Establishing a Formal Cyber Intelligence Capability

Throughout the world, organizations are realizing that advanced intelligence
capabilities consistently deliver substantial cost savings with proactive insights on
true threats, the intelligence to avoid false alarms and the system and application
availability required to preserve revenues and customer loyalty.
While the benefits are clear, achieving them requires organizations to establish
a formal cyber intelligence capability. The process involves carefully assessing
a vast array of strategic and tactical considerations, and then implementing
an intelligence model based on methodical, proven processes. Each decision
influences the next, so those engaged in this effort would be wise to follow proven
best practices. Over years of on-the-ground experience, Verisign iDefense has
tested and refined those practices. This paper is built from that knowledge. It has
been written to convey the fundamentals of intelligence operations, and will be
most helpful to organizations still in the planning or initial stages of establishing an
intelligence capability. Its content should also prove enlightening to organizations
that find themselves struggling with the development and evolution of their existing
intelligence capability.
This paper describes a proven, repeatable process with clearly established
steps. The process begins by defining who the customers of the intelligence
products will be. They will issue directives and receive the final products, so
their involvement up front is vital. And all stakeholders must share a common
understanding of the goals, capabilities and limitations of the intelligence effort.
All this is necessary even before selecting the intelligence team. Stakeholders also
must agree on whether the intelligence team's goal is to produce assessments
for internal use, for delivery to law enforcement or for use in judicial action.
This largely determines the approach and methods the team adopts.
The paper then walks through the four stages of the Intelligence Cycle:
• Direction, where the intelligence team defines customer requirements
based upon an analysis of the customer's core business.
• Collection, one of the most complex elements of intelligence practice
and a process that is fraught with issues for intelligence teams.
• Analysis, in which different opportunities and risks present themselves
as the team's analytical function seeks to convert raw data into a fused
intelligence product.
• Dissemination, where the intelligence team delivers the product to the
customer, and can assess the success or failure of the operation.


After defining the team's mission and understanding the basic Intelligence Cycle,
the work of assembling resources and establishing a management plan can
begin. Since most teams are rarely able to fulfill their entire charter at an early
stage, prioritizing the most critical needs of the customer, and possibly the most
critical customers, will help the team establish a solid foundation.

Business Intelligence: Detecting the Voice of the Enemy

Business intelligence and threat intelligence both support decision makers in an
organization, but the responsibilities of these two functions differ greatly. Business
intelligence focuses on assessing the market conditions and business competitors,
whereas threat intelligence gains knowledge of malicious actors who can damage
the organization's ability to provide services. If business intelligence is the voice of
the customer, then threat intelligence is the voice of the enemy. iDefense asserts
that there is a logical division between the types of teams that conduct each of
these functions. This report focuses primarily on threat intelligence.

Even from the outset, stakeholders should measure the intelligence team against a
model of effectiveness or maturity as a way of gauging current capabilities and
planning future efforts. The maturity model should assess the team or each sub-team
at each stage of the intelligence lifecycle, providing management personnel
with a means to produce overall assessments. The intelligence manager and other
stakeholders should assess the capabilities on a scale of informal to highly
repeatable and efficient, where the highest grade indicates well-documented
processes and communications, a high degree of automation, and the visibility
into the process that is necessary to identify and address insufficiencies in a
quantitative fashion.
Ultimately, it's the job of intelligence teams to deliver useful and relevant intelligence
products (such as risk assessments, presentations and databases) that help
decision makers protect information, assets and people. Still, the true impact
of intelligence on decision making often remains unquantifiable and, as such,
immeasurable. By adhering to proven intelligence practices and applying the
appropriate management structure and oversight, any organization can develop a
successful intelligence capability.
Introduction
Information today is plentiful and inexpensive. But for corporate organizations
that make strategic and tactical decisions in an environment of uncertainty, a
simple information feed frequently isn't enough. Too often, torrents of information
lacking context and relevance overwhelm a decision maker. Intelligence analysis
addresses this issue through methodically collating data into information and then
turning information into intelligence. Many organizations recognize the need to
better understand their adversaries, the security threats those adversaries pose,
and their methods of attack. As a result, many organizations initially develop
informal, ad-hoc intelligence capabilities that before long show their weaknesses
or are simply outgrown. Eventually, the organization must consider how to establish
more formal intelligence operations.
Some organizations may still establish a formal intelligence team separate from
their security operation. But in a world where the threat landscape is constantly
changing, the view that intelligence and security demand separate sets of
personnel, training, technology and skill sets may be outdated. Increasingly,
intelligence and security are viewed as partners instead of separate stakeholders,
since the intelligence product is seen as an input to the security cycle.
This report lays out the fundamentals of intelligence, both theoretical and practical,
to help organizations create an intelligence team, while providing guidance
on how to evolve existing capabilities. It discusses the concepts that form the
foundation for establishing intelligence gathering and dissemination capabilities.


And it studies pre-intelligence steps that examine why companies commission others
to carry out the task of gathering and presenting intelligence in the first place.
Additionally, this paper seeks to define intelligence gathering, analysis and
dissemination as a practice, one that moves away from guesswork toward a
testable and repeatable process. This overview begins with defining the team's
mission and customers, then presents the basics of the intelligence lifecycle and
then discusses how to construct a team and evaluate its capabilities. Finally,
the paper outlines some key best practices that should prove invaluable to any
organization trying to establish or improve a cyber intelligence capability.
Preliminary Considerations
The crucial first step in developing an intelligence capability is to determine
where it will fit in the organization's structure. This involves three activities that may
occur in parallel:
1. Identifying both customers and consumers of intelligence products
2. Determining the customers' intelligence needs and requirements
3. Defining and communicating the intelligence organization's charter and mission
Work with partners. Regardless of where an intelligence team fits in the
organization, the team should foster key relationships with cross-functional
partners who may be consumers of the team's intelligence or even valuable
sources of input for intelligence products. For instance, there is an organization's
risk community (i.e., those departments responsible for managing different types
of risk, such as information security, business continuity or disaster recovery,
revenue assurance or fraud and physical security). Other areas, such as finance,
supply management, marketing, legal, human resources or internal auditing, may
also be worthy partners in the intelligence effort.
Understand the needs of customers. The intelligence team needs to clarify
the needs and requirements of primary customers. The team needs to know
whether customers require intelligence to inform decisions concerning strategy,
profitability, competitors, threats or something else, since each of these will
drive very different intelligence outcomes. The process to identify intelligence
requirements must incorporate an interactive dialogue between the intelligence
team and its primary customers. Interviewing key customers and decision makers
can be challenging, but it helps customers identify and define their intelligence
requirements. These steps sharpen a team's focus and priorities. And they help
establish the organization's intelligence capability requirements and identify the
resources necessary to meet the needs of customers. While collaborating with
customers to identify intelligence requirements, the intelligence team should be
sure to address a few specific topics that can cause confusion if not clarified.

In this paper, we define intelligence customers as those entities that issue direction
to an intelligence team. Intelligence consumers are those who may receive
intelligence products but do not necessarily issue directions. An intelligence team's
customers reflect where the intelligence team sits organizationally, and the company
or agency should give this careful consideration, as it will greatly affect how the
broader organization identifies and manages threats. A team will deliver vastly
different products and capabilities depending on whether it receives its primary
direction from a horizontal customer (the department of finance, information security
or physical security) or a vertical customer (a director or C-level executive to which
it reports).

• Will the organization supply intelligence to law enforcement? If so, authorities
will require the production of evidence, which is significantly different from
intelligence, and will require different collection and analysis methods to address
relevant legal issues sufficiently.


• How do customers see the role of the intelligence team and its products? Some
customers look for guidance from intelligence analysts' assessments, while
others seek certainty.
• Do customers expect the intelligence team to inform decision making or to make
decisions itself?

It's vital to clarify these points, especially because intelligence analysts typically
deal with ambiguous situations based on incomplete information.

The mission should articulate what organizational needs the intelligence team
meets and how the team accomplishes those needs. The charter should clearly
articulate the purpose of the intelligence team (which should align with the team's
mission), organizational or operational boundaries (i.e., scope), and endorsement
from senior management.

Get everyone on the same page. It's difficult for intelligence teams to succeed
without a common understanding between all stakeholders, customers, consumers
and intelligence managers about the team's full scope of responsibilities. And
here, communicating limitations is just as important as specifying requirements.
For example, the intelligence team may not be able to meet all of the customer's
needs due to legal, ethical or practical considerations, and disclosing those
limitations early in the process will appropriately set expectations that the team
can meet. This may lead to the customer looking to alternatives, such as external
parties, to provide what the intelligence team cannot. All these steps help define
the intelligence team's mission and charter, which are particularly important
because an enterprise can easily misunderstand the team's role.
The Intelligence Cycle
To successfully mount and implement an intelligence capability, it's essential
to understand the intelligence lifecycle model. This section looks at the basic
Intelligence Cycle, a lifecycle model (see Exhibit 4-1) for the intelligence workflow,
and briefly mentions other models as a point of comparison.


EXHIBIT 4-1: THE INTELLIGENCE CYCLE

[Diagram: a cycle of four stages, Direction → Collection → Analysis → Dissemination, feeding back into Direction]

Direction. This is the first stage, in which a senior decision maker formally tasks
the intelligence team with the essential facts and data that they need to collect.
This is the stage where a relationship is formed between the customer and the
intelligence team. This stage focuses on determining the customer's requirements
as intelligence requirements (IRs), the product of the direction stage of the cycle.
Collection. Once IRs are defined, the team then collects and compiles raw
information into a specific format for later analysis. This is the first major checkpoint
for the Intelligence Cycle, as any mistakes in collection can cause a cascade of
erroneous data through the rest of the cycle's process, resulting in the failure of
the team to fulfill the IRs.
Analysis. Drawing from this raw information, analysts build intelligence
throughout the analysis process. They use technical and non-technical methods
to extrapolate patterns, meanings and sequences from raw data. This is the
second point in the cycle where failure is possible, due to analyst bias, flawed
hypotheses or other factors.
Dissemination. The intelligence team then creates and distributes a final
intelligence product to the customer. This can take an innumerable number of
forms, from a static document to a constant feed of information or an always-current
database. In many ways, this is the answer phase of the Intelligence Cycle.
Rarely will an intelligence customer be satisfied with a single delivery; receiving
one product usually inspires additional intelligence tasks. This makes carefully
managing stakeholder expectations and priorities a constant imperative.


CROSSCAT-V
The Intelligence Cycle model isn't the only guide for new intelligence teams. Several
useful principles are encapsulated in the acronym CROSSCAT-V (centralized
control, responsiveness, objectivity, source and methods protection, systematic
exploitation, continuous review, accessibility, timeliness and vision).
• Centralized Control: A single point of control for the intelligence team simplifies
interactions and eliminates duplication of effort.
• Responsiveness: The team must answer the question the customer asked,
not the question the intelligence team wishes to answer.
• Objectivity: An intelligence team should not pick sides, no matter how emotive
a subject.
• Source and Methods Protection: Sources of information (both human
and non-human), an organization's technical capabilities and its operational
methodologies are the lifeblood of an intelligence team and must be protected.
• Systematic Exploitation: Intelligence is a methodological practice of research
and review, using multiple sources and agencies.
• Continuous Review: Intelligence has a shelf life, and the intelligence team must
carry out a periodic review of their product to ensure it remains relevant.
• Accessibility: An intelligence team must constantly balance the risk of its
product falling into the wrong hands with the need for the customer to access
that product.
• Timeliness: Delivering intelligence products to customers in a timely fashion is
central to the intelligence function.
• Vision: The intelligence team must consider possibilities that are not immediately
obvious. Often, the vision of an intelligence analyst, combined with the moral
courage to voice an unconventional theory in an open forum, can make the
difference between operational failure and mission success.

F3EA
Another useful model is F3EA, a methodology used by special operations
forces in the US and UK militaries. F3EA stands for find, fix, finish, exploit and
analyze. This model can deliver an intelligence product sooner, but typically is
appropriate only for organizations with the authority and capability to act against
external adversaries. This largely limits F3EA applicability to military and law
enforcement agencies since enterprises lack the authority to apprehend human
or non-human assets and in many ways cannot even disrupt an adversary's
operations. Even those efforts can give rise to complex issues, such as the
difference between intelligence and evidence. Given both legal and operational
limitations, the assessments and mitigations that the standard Intelligence Cycle
produces are better suited for private sector organizations.


Direction
Direction is the first step in the Intelligence Cycle. It requires knowing who the
customer of the intelligence product is, which, in almost all cases, will be external
to the intelligence team. Their collective needs define the team's scope and
requirements. Here, customer organizations must decide if they require strategic
versus tactical information, business and market intelligence, or threat and security
intelligence, and if they need to produce legally recognized evidence or consume
the intelligence product internally.
Issuing directions and intelligence. It's rare for the customers themselves to
issue clear direction or provide actionable tasking orders. Instead, intelligence
managers work with customers to translate customer needs into actionable tasks.
Requirements generally fall into a loose hierarchy of critical information requirements
(CIRs), priority information requirements (PIRs) and requests for information (RFIs).
• CIRs are long-term, broadly defined categories that collectively set the scope of
the team's efforts and responsibilities. CIRs might persist for one or more years,
and should require approval from both customers and intelligence managers. If
a task does not pertain to an existing CIR, it is outside the team's scope.
• PIRs are medium-term directives that often revolve around a particular topic
or project and are more specific than CIRs. Handled within weeks or months,
PIRs are not subject to the same change-control rigor that CIRs are, and the
intelligence team creates and closes them based on direct requests from a
customer or intelligence manager.
• RFIs are tactical and narrower in scope, and may be generated by the
team in an ad-hoc fashion; they may also come directly from a customer.
RFIs are a critical component of the daily intelligence process. They may
directly support PIRs or CIRs, but must at least indirectly support one or
more CIRs. This paper includes an RFI template as an appendix.
Evaluating requests. When the intelligence team receives an RFI from a client,
the team's management should make a number of checks before embarking upon
any kind of work stream. The team manager should ask three essential questions:
• What can the team do? A team should agree to work that fits well within its
scope and capacity to fulfill a client's request.
• What can the team not do? Sometimes, work falls outside a team's capability
due to technical limitations, legal restrictions or a lack of time.
• What will the team not do? A team may decline work that is outside its defined
scope, or tasks that violate the parent organization's code of ethics. Managers
should give a reason when declining these projects.
Accepting requests. The team should always give the customer a confirmation
that it received the request and will complete it within an established time frame.
Despite the risks of succumbing to hubris, which can lead to acting independently
and apart from stakeholder direction and oversight, intelligence teams must never
lose sight of their main function: customer service.


Collection
Collection is the bedrock of any intelligence operation. During the collection
stage, the intelligence team enjoys a significant amount of freedom. This can be
a double-edged sword, as the team also has the freedom to fail. It's rare that the
intelligence team has the opportunity, later in the Intelligence Cycle, to correct
mistakes made at the collection level.
Source types and associated risks. Data comes from a variety of sources
that naturally break down into a handful of basic categories, each with its own
characteristics and associated risks:
Human Intelligence (HUMINT). Analysts can either overtly or covertly collect
human intelligence (intelligence derived from people using the relationship
between the agent and agent handler). While HUMINT is the easiest discipline
with which to start an intelligence-gathering operation, it is the hardest from which
to gain reliable, actionable intelligence. It takes a skilled agent-handler to manage
a covert human intelligence source (CHIS) collection, and the risks to all involved
can be extreme. Various intelligence teams use a number of models for conducting
HUMINT operations across industry sectors. Any may involve compensating the
source for the information provided:
• Military and Intelligence Services. Intelligence teams conduct these operations
covertly with a classic agent handler and CHIS relationship, and all the features
of traditional spy craft. Risk levels are high for all involved parties. iDefense does
not recommend this model for private sector firms due to the potential reputational
risks from conducting covert operations.
• Policing. Policing is done either overtly or covertly, and shares many of
the features of the military and intelligence services model. Overt activities
include elements of suspect interviewing and interaction with the public.
iDefense recommends that management instill the formality and rigor
of the wider process into a private sector intelligence team's daily functions.
• Journalistic. This model is predominantly overt with some limited covert activities.
It replaces the agent handler and CHIS relationship with the interviewer and
interviewee model. The main difference: interviewers generally cannot coerce
interviewees. It's easier to combine this approach with viral marketing techniques
and population surveys. However, as the level of openness increases, the value
of the derived intelligence decreases. Nevertheless, iDefense recommends
the journalistic model as the preferable model for a private sector corporation's
intelligence capability.
Signals Intelligence (SIGINT). SIGINT refers to technical collection capabilities,
such as mobile phone intercepts, and is arguably the most technically demanding
of the disciplines. But the time an organization invests in the creation of a
SIGINT-collection capability is worthwhile, as data typically comes directly from its source
in the form of communication interception of data between actors. SIGINT also
allows the observer to sit on the outside and look in on his or her target set, unlike
HUMINT. SIGINT is by no means risk-free, with its main issue coming from the
legal pitfalls of collecting such data.


Open-Source Intelligence (OSINT). OSINT refers to assessments that a team derives
from data that is available to the public. OSINT is easily the most accessible
form of information, though the abundance of data often makes it difficult to
distinguish noise from the actionable data. It can also be difficult to judge the
authenticity of OSINT data. Though at first glance OSINT appears to be a risk-free
practice, the truth is collecting and analyzing fragmented data can present
both legal and ethical issues. The legality of OSINT practices also varies by country.
Imagery Intelligence (IMINT). IMINT is data derived primarily from photographic
sources or other forms of technology that produce images.1 IMINT is increasingly
becoming a sub-discipline of OSINT, and an intelligence agency should not
underestimate the potential value of this source. It is challenging, though
not impossible, to apply IMINT to most corporate intelligence applications.
Operational Intelligence (OPINT). Traditionally a military intelligence function
that seeks to predict the next operational move of the enemy, OPINT has
limited applicability to the private sector. Intelligence teams should view
OPINT as an essential function of intelligence practices, as this is typically
the forum in which analysis fuses the products of the other sub-disciplines
into one coherent intelligence product. An all-source or fusion cell intends
to connect separate strands of intelligence data. The function of a fusion
cell is not to eliminate conflict between separate collection groups. Instead, its
core mission is to produce a unique product comprising reporting from multiple
collection platforms.
Classifying sources is a precursor to establishing a collection grid and choosing
a scanning methodology. These processes determine the organizations ability to
cover the wide range of available information.

An almost infinite number of other intelligence subcategories exist. One is
technical intelligence (TECHINT), which examines the function of systems, such as
computer networks and missile systems. Most high-tech companies already perform
technical analysis of rival products, and many security teams dissect the inner
workings of malicious code or other technology-based attack methods. The vast
body of TECHINT activity does not require any form of covert or underhand activity.

1. IMINT does not always produce a product that humans can interpret. Often, the image can comprise multiple
scanning technologies that require a large degree of processing to be of any value to the analyst.


Breadth vs. depth collection. For the modern intelligence professional,
the greater challenge isn't collecting data on a target but filtering the
volumes of data collected to provide actionable and relevant intelligence.
The intelligence team must often decide what is more important when
dealing with a threat environment: breadth of coverage or depth of
knowledge. Striking an appropriate balance between these two approaches
establishes the frequency with which the organization will survey its sources
and collect information, a process known as environmental scanning.
There are three standard approaches to environmental scanning:

A Strategic Approach to Scanning for Threats

In a perfect world, an organization would be fully aware of the threats against it at
all times. But no organization, public or private, can achieve 100 percent situational
awareness. Still, many intelligence customers unreasonably expect that the
intelligence team is fully aware of the threat environment at all times. As a result,
the intelligence team's daily functions are shaped by managing customer
expectations and by adopting a strategic approach to how it scans the threat
environment.

Periodic scanning. The team scans the environment at an established frequency,
using any combination of even or staggered dates and timings ranging from
minutes to months or even years. The key point is not to ingest data outside
the set limits. In theory, this approach creates enough operational space for the
intelligence team to act fully on the available data. It is useful when dealing with a
relatively static threat landscape, where there are little or no game-changing shifts
or spikes of threat activity. In such an environment, the intelligence team will provide
the best value by fully analyzing the threat to provide the best mitigating strategy.
Ad-Hoc scanning. The team scans the environment without a formal schedule for
the event, which results in periodic blips in the volumes and depth of data that the
intelligence team is dealing with at any given time. Within this model, the processing
capacity of the team dictates the scanning frequency. This model can work well if the
team is dealing with a threat landscape where it is difficult to quantify the danger each
individual threat poses without further investigation. Properly managed, this model
enables the intelligence team to maximize its productivity, as the team theoretically
never waits idly for the next scan. Yet, it also leaves the team open to strategic
surprises, if its members focus on processing a large scan and miss a major event.
Event-driven scanning. In this model, the intelligence team scans the environment
in response to a specific event within the threat landscape. This scan can be in
response to an event that has already occurred or in anticipation of a future event.
Though it can sacrifice flexibility, event-driven scanning can provide a tightly
focused intelligence product that will center on fulfilling very specific customer
requirements. Generally, large, well-resourced intelligence teams can combine
scanning methodologies. For smaller teams, it is often preferable to limit the scanning
to a single approach to keep the operational tempo of the team manageable.
In both cases, the intelligence teams management must balance the risk of
strategic surprise against the risk of paralysis caused by excessive data volume.

Establishing a collection grid. The collection assets and coverage that an
intelligence organization has at its disposal are known as a collection grid. By
combining complementary collection sources, such as HUMINT, SIGINT and
IMINT, the team can create a comprehensive collection grid to fit the task.


When establishing a collection grid, the sponsoring organization must ensure
that it has oversight over its intelligence resources (transparency) and the ability
to configure those resources to fulfill organizational intelligence requirements
(control). And it must keep in mind that reliance on a single source will rarely fulfill
intelligence requirements.
The relationship between the grid and the organization is one of power
and control: control must lie with the sponsoring organization, and the
intelligence team must derive power, in the form of actionable data, from
the grid. Failure to effectively develop, maintain and control a collection
grid has proved, repeatedly, to be the source of intelligence failures. And
any mistake at this early stage cascades throughout the Intelligence Cycle.
Developing a collection plan. Using a collection plan, teams can apply the
Intelligence Cycle to the available intelligence. In this stage, organizations have two
main goals. First, they must create a collection grid that will provide the necessary
data for the analysis stage of the Intelligence Cycle. They must then develop the
grid as a tool they can leverage, instead of allowing the collection grid to drive the
organization's decision-making process. A number of factors, such as overreliance
on one source of data, misinterpretation of customer requirements and internal
conflict between intelligence teams, can create a flawed collection plan.
iDefense stresses that the development of a collection plan does not necessarily
produce a tangible product that dictates a step-by-step guide to how an
organization should conduct an operation. Rather, the core objective is to help the
intelligence team manager understand how the team can best use the collection
assets available to fulfill its customers' intelligence requirements. In developing the
plan, the manager must assess how situational limitations on the collection grid
may affect the team's final product. More often than not, an operation fails either
because analysts draw incorrect conclusions from the collected data or because
collectors feed incorrect data into the analysis process. The analysis stage
of the Intelligence Cycle can address faulty analytical conclusions, but incorrect
collected data can be mitigated only during the collection stage, through the construction
of an effective collection plan. Modern intelligence practice is about making the
best assessment possible based on an imperfect data set.
Analysis
Analysis sits at the core of the Intelligence Cycle and is a crucial checkpoint
for an intelligence team on the path to the completion of a project. Analysis is
a core function of the intelligence team's work. Simply put, faulty analysis
leads to project failure. Organizational culture, structure and process play
a key role in enabling effective intelligence analysis. This section focuses
on process, specifically on cognitive process as opposed to organizational
process. This cognitive process is the analytical mindset that enables
effective analysis, which results in better-informed decision making.


iDefense's own interpretation of analysis, which it has based on a number of years
of on-the-ground experience, is that it is a testable and repeatable process through
which raw data and information are structured into an intelligence product. Integral
to this interpretation is the use of the word "process," which is truly at the heart of
what analysis really is, from both a cognitive and an organizational perspective.
Developing the analytical mindset. iDefense proposes that individual
analysts, and teams as a whole, must seek to develop an analytical mindset that
enables a genuine understanding of problems and threats in order to provide information in a
meaningful context. An intelligence team should use analytical tools to support rather
than replace the rigorous and disciplined cognitive aspect of intelligence analysis. At
the end of the day, the primary purpose of the analytical effort is to inform decision
makers and enhance the quality of the decision-making process.
In his book Analyzing Intelligence,2 Roger George proposes the idea of a
"complete analyst" and suggests five essential characteristics that the complete
analyst must possess:
1. Research methods to organize and evaluate data.
2. The imagination to generate and test hypotheses.
3. Awareness of the influence of cognitive bias and other
external factors on an analyst's thinking.
4. An open mind regarding alternative models.
5. The self-confidence necessary to learn from errors.


Curiosity. In addition, analysts must possess a genuine sense of curiosity that
fosters deep research into topics. They must develop an understanding of a given
problem from opposing perspectives and be able to easily alternate between each
perspective as they identify new information and as they seek to determine how
that information impacts each perspective.
Perception. In his book Psychology of Intelligence Analysis, Richards Heuer
notes that people's expectations largely drive what they ultimately perceive. That
is, intelligence analysts possess a set of assumptions and expectations, and they
tend to ignore or distort events that contradict these expectations. According to
Heuer, patterns of expectations tell analysts, subconsciously, what to look for, what
is important, and how to interpret what is seen.3
Context. To comprehend an item of data fully, one must view it within its
contextual reference. For the discipline of intelligence analysis, context is the
environment from which an organization generates intelligence data: the data that,
while not directly related to the core elements of a case, adds information to the case.
Common cognitive traps. It's equally important to understand some of the more
common cognitive traps that lead to faulty analysis.
2. George, Roger. Analyzing Intelligence: Origins, Obstacles, and Innovations. April 11, 2008. Georgetown University Press.
3. Heuer, Richards. Psychology of Intelligence Analysis. 1999. Center for the Study of Intelligence: CIA. https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/index.html


Mirror imaging occurs when intelligence analysts assume that the subject they
are studying thinks like the analysts.
Layering occurs when analysts base assumptions or judgments on previous
work that they have not updated or revalidated.
Groupthink refers to members of a cohesive group attempting to reach consensus
without critically evaluating ideas and assumptions.
All these highlight the need for an environment that encourages self-awareness,
peer review and questioning of existing procedures.

Dissemination
The final stage of the Intelligence Cycle, dissemination is the point at
which an intelligence team passes the product back to its customer in
response to that customer's original direction. Excellent intelligence that
an intelligence team presents improperly will not effectively communicate
the findings to the customer, resulting in a failure to achieve the team's
task. As a result, dissemination is not a trivial matter. This final stage of the
intelligence process contains several factors that determine the quality of an
intelligence product and whether the customer base will accept it positively.
Superior intelligence products share certain key characteristics:
Brevity. Intelligence products should not be verbose. Executive summaries and
bulleted key facts at the start of an intelligence product are useful for conveying the
"so what" element of an intelligence report.
Accuracy. Intelligence reports should never contain subjective information
or the opinion of the intelligence analyst. The intelligence team should
be honest and disclose to the customer any intelligence gaps that
are in the product.

In an ideal world, analysts would have all the resources and information they require
to complete a given task. But in the real world, intelligence analysts deal with highly
ambiguous situations that require judgment on their part before they know all
the facts. The successful analyst will bring to bear a combination of experience,
training, education, enthusiasm and an ability to think outside the box. An
individual with an analytical mindset will be able to adapt to new subject matters and
produce cutting-edge products for any type of threat environment.

Standardization. Nothing distracts a customer more than one intelligence
organization producing several different products within the same product set to
different standards. Each product line should be uniform in format and style, and
any changes should be gradual.
Regularity. An intelligence team should avoid the "feast or famine" approach to
publishing its intelligence products. To make full use of the intelligence product,
the customer must incorporate it into its own operational
battle rhythm. A predictable publishing cycle from an intelligence team will help
customers do this.
Security. An agreement between the customer and the intelligence team should
dictate that the intelligence products not leave the readership of the customer base.
Timeliness. As with all steps within the Intelligence Cycle, the product must be
on time to be of any use to the customer. Of all the factors that influence the
dissemination phase, timeliness is the most important.


Analysis. The fundamental role of the intelligence product is to make assessments.
Analysts should attach an obvious assessment to every data element included
in the product.
Distribution. Over time, the intelligence team should build up a list
of customers and ensure that their contact details are up to date.

As a basic rule, intelligence products fit into one of three categories: high impact,
medium interest and general background, though many organizations implement
more granular segmentations of impact levels. A high-impact report will result
in immediate and dramatic changes to the customer's actions. Medium-interest
reports will usually result in a dialog between the customer and the intelligence
team and the integration of the intelligence product into the customer's operational
planning cycle. General background reports will build a picture for the customer
of the threat environment but will stimulate little if any reaction on the part of the
customer. Intelligence teams tend to generate reports within these categories
in the form of a pyramid, with the most common report category being general
background and the least common report category being high impact (see
Exhibit 4-6).
Naturally, the bulk of the material the team produces will likely contribute
to assessing long-term trends, such as the evolution of tactics, capabilities
and types of adversaries. This general background information
establishes a baseline understanding against which the team can assess
new developments to identify those that are of medium or high impact.
EXHIBIT 4-6: REPORT IMPACT LEVELS
[Pyramid diagram: actionable intelligence at the apex, then high impact,
medium interest, and general background information / news at the base.]


Often the factor that determines the quality of the product is not the content of the
report but the presentation of the product. Ensuring that the final product reaches
the customer in an appropriate format for consumption formally completes the
intelligence process. When possible, the intelligence manager should engage
the customer to ensure the deliverable did in fact fulfill the customer's request
and to collect any feedback or follow-up requests.

Operationalizing Intelligence
Turning intelligence theory into practice is a challenge that any organization wishing
to develop an effective intelligence capability must address. The initial stages of
an intelligence organization's life can often pose the most risk to the future viability
of the team, from either disinterest or misinterpretation of the team's roles and
capabilities by the host organization's senior management.
This section starts by examining some key concepts for the development of the
spirit of the team, both in its management structure and its outlook toward the
individual members of the team. From this general look, this report continues by
examining each job role in more detail, paying specific attention to roles that deal
with intelligence and roles that manage the individuals within those roles. From this
very practical focus, this section examines the higher-level concepts concerning
data flow and management within the team and the decision the team needs to
make between taking a passive or proactive operational stance.
Organizational Structures
Key to the success of any intelligence operation is a firm development of a
logical team structure. Team managers must choose between a hierarchical or
flat command structure within the team. From an operational perspective, there
are a number of advantages and disadvantages to both command structures.
Hierarchical versus flat model. A hierarchical team is the classic management
model. Its main advantage is its ability to respond quickly to senior management
due to the clear chain of command. With this model, it's easy to swiftly cascade
direction through the team via the chain of command and make rapid strategic
changes. Yet there is also a risk of losing intelligence between command
layers within the team. This loss can create delays and slow the analysis of new
information. Intelligence circles refer to this delay as "blink potential."
To avoid this, the team can establish a flat management structure that allows team
members to easily pass data between peers. Establishing this "unblinking eye" of
operations reduces the risk of blink potential causing the loss of intelligence. The
downside of this organizational structure is a lack of control and oversight from
the team's management, which can have serious consequences, specifically in
areas such as team task-scope creep and coordination of operations.


When deciding what form the intelligence team's
management chain should take, senior decision makers should
consider that:
A hierarchical system tends to support those new to the intelligence practice,
whereas more experienced members appreciate the freedom of a flat
management structure.
Management can control a hierarchy more easily but will have less flexibility
than with flat-structured teams.
A widely distributed team organization will find a hierarchical structure more of a
deterrent than a benefit for all levels of the team, though a large, flat organization
will require recruitment of senior-level members who require less supervision.
Team personnel. Intelligence teams can vary in size from "one-man-band"
single individuals working under the direction and support of a host agency to
organizations comprising thousands of individuals, such as government agencies.
Specific to information security, and cyber security more broadly, intelligence
teams typically consist of managers, analysts and operations specialists,
organized according to the phases of the intelligence process (collection,
analysis, publishing), by categories of threat (malicious code, insiders, network
intrusions, etc.) or a combination thereof. Some of the specialists who are
frequently found in an enterprise security intelligence organization include:
Intelligence Manager, an authority figure who may be a manager, director or vice
president depending on the organization's size and organizational culture. This
person acts as the primary interface for customers and other stakeholders and
is ultimately accountable for the team's successes and failures. The intelligence
team manager sets the direction according to the scope agreed with the stakeholders
and ensures the team executes the development plan. He or she also translates
high-level strategic objectives into tangible tactical goals for the intelligence
team.
Operations Team, which handles administrative and coordination functions,
including working with customers to refine IRs, issuing requirements to teams,
and assigning ownership of RFIs and larger analytical projects. This team
shepherds tasks through the Intelligence Cycle and oversees the team's daily
operations, escalating issues to the manager as needed.
Publishing Team, to ensure that final products adhere to the team's standards
of quality and formatting. Publishers also perform content reviews, evaluating
whether the author presents the content clearly and comprehensively and whether the final
product meets the customer's requirements.


Intelligence Generalists, for cross-functional analysis and for leading inter-team
efforts. The people that make up these groups are intelligence generalists.
Small organizations may have only one pool of analysts that perform all collection
and analysis for the entire scope of responsibilities.
Malware Engineer, who often reverses malicious code samples and/or monitors
their behavior inside a controlled environment to understand the risk the code
poses to the customer.
Network Engineer, with a deep understanding of Internet protocols and
defense mechanisms, to help security operators analyze traffic during security
events and assess the benefits of deploying next-generation technologies such
as IPv6 and Domain Name System Security Extensions (DNSSEC).
Social Scientist, focused on social network analysis, individual profiling and
collecting information from HUMINT and open sources. Only senior analysts
should act as handlers of HUMINT sources, due to the dangers of information
disclosure and reputational risk to a company. The social scientist helps
customers determine the risks associated with certain business activities by
understanding the capabilities of the attackers those activities may incite.
Implementation and Deployment
In developing the team, intelligence managers aim to shift from a
reactive to a proactive stance. In a reactive stance, the intelligence team
tells the customer what has happened in the past, whereas a proactive
team will be able to communicate what may happen in the future. This is
possible only by building the foundation for new capabilities, primarily by
establishing assets and new job roles and assigning subject-matter specialists.
Three stages of implementation. A useful way to view intelligence team
implementation is to break it into early, mid and late stages. These stages
should be viewed more as maturity levels than fixed timescales, since
different organizations will move through the stages at different rates.
Following a logical order will streamline the process of establishing each
team post and achieving operational milestones. Exhibit 5-1 outlines the
focus and milestones for each stage of building an intelligence capability.


EXHIBIT 5-1: PROPOSED EARLY-TO-MATURE LIFE CYCLE STAGES
OF AN INTELLIGENCE TEAM'S DEVELOPMENT

Stage: EARLY
Team Focus: Ensuring management support of team, building customer base and
establishing core processes and products.
Team Stance: Exclusively Reactive
Milestones and Products:
- Deploy standard RFI form and process
- Develop and maintain a collection plan
- Develop short-, mid- and long-term team plans
- Establish customer feedback process

Stage: MID
Team Focus: Adjusting to customer needs and feedback, refining efficiency, and
expanding scope.
Team Stance: Predominately Reactive
Milestones and Products:
- Deploy periodic reports on trends and developments
- Develop analytical specialities within the team
- Automate delivery of products through Web services APIs and RSS

Stage: LATE
Team Focus: Anticipating customer needs and optimizing processes and
capabilities.
Team Stance: Balanced between Reactive and Proactive
Milestones and Products:
- Deploy forward-looking assessments of emerging threats
- Integrate products into customer processes and tools

Each stage could take as little as a few weeks or last as long as several years.
Implementation times depend upon allocated resources, the sponsoring
organization's appetite for risk, and the speed at which the team develops.
Early Stage: Developing Core Capability
Early in development, attention faces inward as the team focuses on crafting
working procedures and developing a team identity. Initial deliverables
(usually inquiry responses consisting of background intelligence) may not fully
communicate a team's value, so support from senior management is essential.
The RFI form. Designing a formal RFI form and process is a necessary early step,
because it offers an effective way to identify customer requirements. Customers
have to adopt the RFI form for daily use, so it's in the intelligence team's interest
to make it easy for customers to provide the data the team needs by:
Simplifying the request process and the form
Differentiating between what might be useful and what is truly required
Engaging other stakeholders and vigorously challenging
the value of each field and step
Focusing directly on how effectively the result captures the customer's needs


Soliciting feedback. The intelligence manager should solicit feedback from
customers periodically, if not after delivering a response to each request.
This feedback is critical to providing course corrections and capability
assessments in the early stages and is necessary for the team to develop
additional capabilities in later stages. Preferably, the manager provides
a formal document template or even a website for the customers to submit
feedback, but simple e-mail responses are sufficient in this early stage.
Mid Stage: Expanding Scope and Refining Operations
After forming a workable group and with an established set of products, the
team can focus on expanding its capabilities and consolidating its customer
base. Throughout the mid stage, the intelligence manager should use customer
feedback to ensure the team is aligned with customer needs. This may include
developing areas of specialty that require intense focus or where a capability
gap exists. Teams may recruit external talent, train existing personnel or simply
identify new sources of information.
Moving beyond the baseline. By now the team should have a sufficient
understanding of the security environment as it affects the organization. From
this baseline, it can begin to assess trends and changes in the environment and
provide assessments of their significance. Developing these internally-driven
reports is the first step in introducing forward-looking intelligence products and
transitioning from a purely reactive stance to a partially proactive posture.
Integrating output into customer workflows and tools. Providing the customer
with convenient access to the intelligence products improves adoption and makes
the team more useful to the customer. Of course, the availability of sensitive
information must always adhere to access control policies. The goal of providing
easy access to intelligence products should never outweigh confidentiality
requirements, as doing so would severely damage the customer's trust in the
intelligence organization and make the customer less likely to engage it.

It is common for new intelligence teams to issue RFI forms as a fixed-format
text document that the customer e-mails to the intelligence team, although this
approach becomes difficult to manage at high volumes of requests. The Appendix
of this report provides an example of a simple form that a team could use.
Organizations will inevitably develop more robust and automated processes, such
as online RFI forms, as their capabilities mature.

Tracking and managing RFIs. The team should also implement a central
process to manage and track incoming RFIs and subsequent responses.
Without a formal process and centralized log, the intelligence manager
cannot sufficiently oversee team tasks as the volume and diversity of
requests increases. By gaining insight into the workflow and allocation
of resources, teams can better prioritize tasks and minimize the risk
of an unfulfilled request.

To this end, the team should establish a working database that records when an
RFI comes in and when the team answers that RFI. The intelligence team will likely
include additional database fields, such as the relevant CIR or PIR as required
by the customer. In addition to avoiding mishandled tasks, overseeing an RFI
database provides useful data for identifying capability gaps, resource needs and
quantifiable metrics regarding the team's workload and usefulness to individual
customers. The actual technical implementation of the database can be as simple
as a version-controlled spreadsheet or as complex as a multi-user national system.
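As an added illustration of the central RFI log described above (example code, not iDefense's own tooling): a small in-memory tracker that records receipt, ownership and answer times, ties each RFI to a PIR/CIR label, and derives the overdue, unassigned, workload and turnaround views a manager needs. All RFI ids, customer names, requirement labels and dates are constructed.

```python
"""Central RFI log: records when each request arrives and is answered, who owns
it, and which PIR/CIR it supports, then derives oversight metrics from the log.
Constructed example; ids, customers, requirement labels and dates are made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class RFI:
    rfi_id: str
    customer: str
    requirement: str                 # PIR/CIR label the request supports
    received: datetime
    due: datetime
    owner: Optional[str] = None
    answered: Optional[datetime] = None


class RFILog:
    """Single place of record for RFIs, so the manager can oversee all tasks."""

    def __init__(self) -> None:
        self._rfis: dict[str, RFI] = {}

    def receive(self, rfi: RFI) -> None:
        if rfi.rfi_id in self._rfis:
            raise ValueError(f"duplicate RFI id {rfi.rfi_id}")
        self._rfis[rfi.rfi_id] = rfi

    def assign(self, rfi_id: str, owner: str) -> None:
        self._rfis[rfi_id].owner = owner

    def answer(self, rfi_id: str, when: datetime) -> None:
        rfi = self._rfis[rfi_id]
        if when < rfi.received:
            raise ValueError("answer time precedes receipt")
        rfi.answered = when

    def open_rfis(self) -> list[RFI]:
        # Unanswered requests, earliest deadline first, for prioritization.
        return sorted((r for r in self._rfis.values() if r.answered is None),
                      key=lambda r: r.due)

    def overdue(self, now: datetime) -> list[RFI]:
        return [r for r in self.open_rfis() if r.due < now]

    def unassigned(self) -> list[RFI]:
        # Open requests nobody owns: the ones most at risk of going unfulfilled.
        return [r for r in self.open_rfis() if r.owner is None]

    def median_turnaround_hours(self) -> Optional[float]:
        hours = [(r.answered - r.received).total_seconds() / 3600
                 for r in self._rfis.values() if r.answered is not None]
        return median(hours) if hours else None

    def workload_by_customer(self) -> dict[str, int]:
        counts: dict[str, int] = {}
        for r in self._rfis.values():
            counts[r.customer] = counts.get(r.customer, 0) + 1
        return counts

    def gaps_by_requirement(self, now: datetime) -> dict[str, int]:
        # Requirements whose RFIs keep going overdue point at a capability gap
        # or a resource need in the team.
        gaps: dict[str, int] = {}
        for r in self.overdue(now):
            gaps[r.requirement] = gaps.get(r.requirement, 0) + 1
        return gaps


SAMPLE_T0 = datetime(2024, 3, 4, 9, 0)          # constructed reference time
SAMPLE_NOW = SAMPLE_T0 + timedelta(days=5)      # when the manager reviews the log


def build_sample_log() -> RFILog:
    """Constructed sample: five RFIs from three customers over one week."""
    t0, d, h = SAMPLE_T0, timedelta(days=1), timedelta(hours=1)
    log = RFILog()
    log.receive(RFI("RFI-001", "SOC", "PIR-1 malware targeting finance", t0, t0 + 2 * d))
    log.receive(RFI("RFI-002", "SOC", "PIR-1 malware targeting finance", t0 + 5 * h, t0 + 1 * d))
    log.receive(RFI("RFI-003", "Fraud", "PIR-2 phishing infrastructure", t0 + 1 * d, t0 + 3 * d))
    log.receive(RFI("RFI-004", "CISO", "CIR-1 insider activity", t0 + 2 * d, t0 + 4 * d))
    log.receive(RFI("RFI-005", "Fraud", "PIR-2 phishing infrastructure", t0 + 3 * d, t0 + 4 * d))
    log.assign("RFI-001", "analyst-a")
    log.assign("RFI-002", "analyst-a")
    log.assign("RFI-003", "analyst-b")
    log.answer("RFI-001", t0 + 30 * h)           # 30 h turnaround
    log.answer("RFI-002", t0 + 17 * h)           # received at +5 h, 12 h turnaround
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("overdue:", [r.rfi_id for r in log.overdue(SAMPLE_NOW)])
    print("unassigned:", [r.rfi_id for r in log.unassigned()])
    print("median turnaround (h):", log.median_turnaround_hours())
    print("gaps:", log.gaps_by_requirement(SAMPLE_NOW))
```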


Late Stage: Becoming Proactive
Before entering the late stage of deployment, the team will have established
most of its positions and will have its product set well defined. But it is
when the team shifts from an inward-looking, reactive entity to an outward-facing,
proactive team that it becomes a fully mature intelligence organization.
Evolving the mindset. At this point, when members are regularly producing
top-level high-impact reports, the team's major change isn't in its structure but in
enhancing its competence. This is why there are so few tangible milestones in the
late stage of the model. All the pieces are now in place, but team members still
must change their mindsets. A mature intelligence team starts to identify emerging
trends and patterns. The team might even identify pieces of raw information that
are relevant to the client's request even before the customer inquires about them.
Engaging further with customers. Mature teams will observe the customer
becoming more dependent on the flow of intelligence that the team creates.
Intelligence products will become more tightly integrated with customer workflows,
with intelligence information (even raw, unanalyzed data) finding its way into
tools the customer uses daily via plug-ins or modules. Intelligence teams should
also explore other ways to remain engaged with customers, such as sharing
collaboration spaces and databases.
Intelligence Maturity Model
The maturity an organization demonstrates at each stage of the Intelligence Cycle
collectively defines the maturity of that organizations intelligence capability.
iDefense proposes the following levels of maturity, which can be easily applied to
the operating stance of a team at each stage of the Intelligence Cycle:
Ad Hoc. Organizations handle tasks manually with little or no defined process.
They may handle recurring tasks inconsistently.
Formal. Expectations, capabilities and processes are all documented and
understood. Tasks at this level are repeatable and have consistent outputs,
though they are largely handled manually.
Efficient. Automated processes streamline handling of tasks and data, including
prioritization. There is increased visibility into operations through reporting metrics.
Proactive. Organizations can identify intelligence gaps and anticipate
future needs.


Assessing maturity. When grading one's own organization, there will likely be
a tendency to summarize a team's overall capability. Some may try converting
maturity levels into numerical averages, which will usually provide a misleading
picture because the maturity levels listed above are ordinal values for which
mathematical operations are not valid, even if represented numerically. Instead, it
is useful to view the intelligence process as a system that is only as strong as its
weakest link. Excellent direction, collection and dissemination that rely on poor
analysis still yield a poor product. Insufficient direction accompanied by excellent
collection, analysis and dissemination capabilities almost certainly produces
an irrelevant result. Similarly, the capabilities of a team are only as mature as
the team's weakest point. Exhibit 5-2 is a sample assessment of an intelligence
organization that acts as a report card of intelligence capability. Customers
may have enough visibility into the workings of the team to provide this level of
feedback directly, but intelligence managers should produce a similar overview
at least annually, if not quarterly.
EXHIBIT 5-2: SAMPLE ASSESSMENT OF AN INTELLIGENCE ORGANIZATION

Team             Direction   Collection   Analysis    Dissemination   Overall Capability
Management       Formal      N/A          N/A         N/A             Formal
Operations       Formal      N/A          N/A         Formal          Formal
Generalists      N/A         Ad Hoc       Formal      Formal          Ad Hoc
Malicious Code   N/A         Proactive    Efficient   Efficient       Efficient
Network Threats  N/A         Efficient    Efficient   Formal          Formal
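The weakest-link rule worked through on the Exhibit 5-2 data, as an added example (not iDefense's own scoring tool): the overall grade is the least mature rated stage, and the numerical-average shortcut the text warns against is computed alongside it to show where it overstates capability. The organization-wide grade applies the same rule one level up across teams, which extends the text's per-team rule.

```python
"""Overall capability from per-stage maturity ratings. Levels are ordinal, so
the overall grade is the weakest link, not a numerical average. The data below
is the sample assessment in Exhibit 5-2 (N/A stages omitted)."""

# Ordinal scale, weakest first. The position in the list is used only for
# ordering, never for arithmetic on the final grade.
LEVELS = ["Ad Hoc", "Formal", "Efficient", "Proactive"]

ASSESSMENT = {
    "Management":      {"Direction": "Formal"},
    "Operations":      {"Direction": "Formal", "Dissemination": "Formal"},
    "Generalists":     {"Collection": "Ad Hoc", "Analysis": "Formal",
                        "Dissemination": "Formal"},
    "Malicious Code":  {"Collection": "Proactive", "Analysis": "Efficient",
                        "Dissemination": "Efficient"},
    "Network Threats": {"Collection": "Efficient", "Analysis": "Efficient",
                        "Dissemination": "Formal"},
}


def rank(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown maturity level {level!r}")
    return LEVELS.index(level)


def weakest_link(ratings: dict[str, str]) -> str:
    """Overall grade of one team: the least mature of its rated stages."""
    if not ratings:
        raise ValueError("no rated stages")
    return min(ratings.values(), key=rank)


def naive_average(ratings: dict[str, str]) -> str:
    """The approach the text warns against: average the ranks and round.
    Included only to show where it overstates capability."""
    ranks = [rank(v) for v in ratings.values()]
    return LEVELS[round(sum(ranks) / len(ranks))]


def report_card(assessment: dict[str, dict[str, str]]) -> dict[str, str]:
    return {team: weakest_link(r) for team, r in assessment.items()}


def overstated_by_averaging(assessment: dict[str, dict[str, str]]) -> dict[str, tuple[str, str]]:
    """Teams where averaging gives a different grade than the weakest link;
    value is (weakest link, naive average)."""
    out: dict[str, tuple[str, str]] = {}
    for team, r in assessment.items():
        w, a = weakest_link(r), naive_average(r)
        if w != a:
            out[team] = (w, a)
    return out


def organization_capability(assessment: dict[str, dict[str, str]]) -> str:
    """Same weakest-link rule applied across teams (extension of the
    per-team rule in the text)."""
    return weakest_link(report_card(assessment))


if __name__ == "__main__":
    for team, grade in report_card(ASSESSMENT).items():
        print(f"{team:16} {grade}")
    print("overstated by averaging:", overstated_by_averaging(ASSESSMENT))
    print("organization:", organization_capability(ASSESSMENT))
```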


Best Practices
Years of experience in the field have equipped iDefense with a list of best practices
that bolster the efforts of organizations seeking to develop an internal cyber
intelligence capability.
Implement a consistent style. An in-house style establishes a brand identity
for the intelligence team and standardizes its products, thus making intelligence
products easier to recognize, digest and integrate into the decision-making
process. It makes it clear to customers that the intelligence team operates as an
integrated organization. Teams should look to word processing programs, web
portals and content management systems for templates and tools that help apply
internal standards.
Grade intelligence using the 5 by 5 by 5 system. Intelligence sources, value and
sensitivity can vary greatly even within the same type of intelligence source. The
process of grading intelligence helps convey clearly to the customer the assessed
level of truth or fallacy in the product. To grade the quality of information coming
from a HUMINT source, the intelligence community uses the 5 by 5 by 5 system.
This system grades the veracity of the source, the veracity of the information, and
how the processing organization should handle that information. An intelligence
team should not attempt to filter information into categories of truth or falsity.
Instead, the intelligence team should seek to communicate to the customer
its assessment of the degree of confidence it has in the intelligence, based on
the reliability of the source and the credibility of the information the source has
provided. Exhibit 6-1 displays a standard grading system for intelligence.
Using the system in Exhibit 6-1, an analyst on the intelligence team could grade
a product based on source reliability (ranging from A to E) and information
credibility (ranging from 1 to 5). Any combination of grades is possible,
though extreme grades such as A5 and E1 are highly unlikely.
EXHIBIT 6-1: THE FIRST TWO 5 BY 5 BY 5 ELEMENTS
OF THE CLASSIC INTELLIGENCE GRADING SCHEME

SOURCE
A  Always Reliable
B  Mostly Reliable
C  Sometimes Reliable
D  Unreliable
E  Untested

INFORMATION
1  Known to be true without reservation
2  Known personally to source but not to collector
3  Not personally known to source but corroborated
4  Cannot be judged
5  Believed to be false or malicious

The factors that determine intelligence grading become particularly important
when an organization faces A4-categorized intelligence or unverifiable
information from a single trusted source. A4 intelligence can cause an inordinate
amount of stress to an intelligence team and a customer, especially if the
content of the report requires a rapid and dramatic response from a customer.
Before dismissing A4-categorized intelligence, the team should consider the
impact it would have, if verified. Potentially high-impact information, though
unconfirmed, may warrant additional corroboration. The final piece of the 5 by 5
by 5 system grades how the customer should handle the information.

EXHIBIT 6-2: THE FINAL ELEMENT OF THE 5 BY 5 BY 5 SYSTEM

HANDLING
1  Open source, no restrictions
2  Restricted to clients only
3  Restricted to specific clients
4  Restricted to specific clients with conditions
5  No dissemination without authority
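As an added example, not from the paper, a small Python model of the 5 by 5 by 5 grades above: it validates a grade, flags the unlikely A5 and E1 combinations, applies the A4 corroboration rule, and maps the handling codes of Exhibit 6-2 to a release decision. The compact "A4/3" code notation and the exact release conditions for each handling code are assumptions of this example.

```python
from dataclasses import dataclass

# The three 5 by 5 by 5 elements, as laid out in Exhibits 6-1 and 6-2.
SOURCE = {"A": "Always reliable", "B": "Mostly reliable",
          "C": "Sometimes reliable", "D": "Unreliable", "E": "Untested"}
INFORMATION = {1: "Known to be true without reservation",
               2: "Known personally to source but not to collector",
               3: "Not personally known to source but corroborated",
               4: "Cannot be judged", 5: "Believed to be false or malicious"}
HANDLING = {1: "Open source, no restrictions", 2: "Restricted to clients only",
            3: "Restricted to specific clients",
            4: "Restricted to specific clients with conditions",
            5: "No dissemination without authority"}

@dataclass(frozen=True)
class Grade:
    source: str       # A..E
    information: int  # 1..5
    handling: int     # 1..5

    @classmethod
    def parse(cls, code: str) -> "Grade":
        # Compact code such as 'A4/3' (source, information, handling).
        # The 'A4/3' notation is an assumed convention, not taken from the paper.
        code = code.strip().upper()
        if len(code) != 4 or code[2] != "/" or not (code[1] + code[3]).isdigit():
            raise ValueError(f"malformed grade code: {code!r}")
        grade = cls(code[0], int(code[1]), int(code[3]))
        if (grade.source not in SOURCE or grade.information not in INFORMATION
                or grade.handling not in HANDLING):
            raise ValueError(f"grade out of range: {code!r}")
        return grade

    def is_extreme(self) -> bool:
        # A5 and E1 are possible but highly unlikely: flag them for a second look.
        return (self.source, self.information) in (("A", 5), ("E", 1))

    def needs_corroboration(self, high_impact: bool) -> bool:
        # Unverifiable information (grade 4) from a trusted source warrants further
        # corroboration when it would be high-impact if verified.
        return self.information == 4 and self.source in ("A", "B") and high_impact

    def may_release(self, is_client: bool, is_named: bool,
                    conditions_accepted: bool, authority_granted: bool) -> bool:
        # Apply the handling code to a prospective recipient (assumed reading of Exhibit 6-2).
        rules = {1: True, 2: is_client, 3: is_client and is_named,
                 4: is_client and is_named and conditions_accepted,
                 5: authority_granted}
        return rules[self.handling]
```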

Appoint a database manager. A critical element of maintaining a successful
operations management database is the appointment of a designated database
manager. The database manager should be the primary user of the intelligence
application and is responsible for ensuring that records are accurate and that
the team is processing tasks appropriately. Rather than a classic technical
administration role, the intelligence database manager combines the intelligence
team's database management with its operations management. This allows
the database manager to allocate team members to each submitted RFI
efficiently, actively manage resources, and oversee activities. Clearly, this is
a senior role. The database manager needs an understanding of the team's
collection capabilities and its ability to meet RFIs. Being available to answer the
customer's RFI is an essential qualification, in addition to assessing the team's
ability to complete RFIs. Exhibit 6-3 displays the complexity of the database
manager role by outlining the functions involved in answering an RFI.

EXHIBIT 6-3: ROLE AND RESPONSIBILITIES OF THE DATABASE MANAGER AND THE MANAGER'S RELATION TO THE ORGANIZATION'S COLLECTION CAPABILITY

[Flow diagram] Receive RFI -> Log Request in RFI DB -> Determine: what data the request requires; who is to look for the data and where; when the task is due to be complete -> Task Data Collectors -> Monitor Task Progress -> Ensure response fulfills request -> Log Request in RFI DB -> Send Response

The database manager must form a relationship with the intelligence
customer that is:
Unambiguous. Any project that results from an RFI must have clear project
boundaries and, most importantly, a clear and mutually agreed upon
outcome.
Singular. The database management process ensures customers do not
submit redundant RFIs to the intelligence team, as any duplicated RFI wastes
time.
Feasible. Customers may ask the intelligence team to complete tasks that are
not feasible due to resource or time constraints, or both.
The database manager must carry the authority to delegate tasks and the
ability to regulate the flow of requests within the intelligence team's systems.
If the database manager is effective at overseeing the intelligence process
flow, he or she will succeed in laying the foundation not only for short-term
success but also for the long-term, sustainable growth of the intelligence team.
Establish relationships with key cross-functional partners. Developing
working relationships with key cross-functional partners greatly enhances the work
of an intelligence team. These ties can enhance intelligence collection efforts, better
evaluate threats, and minimize conflicts by improving the team's understanding of
business systems and processes. The obvious partners for the intelligence team
are those organizations that manage risk, assuming they are not already providing
direction to the intelligence team. An organization's risk community includes its
physical security team, information security group, and business continuity
personnel. Less obvious are groups that might help identify potential internal threats:
the internal audit group, supply management operation, or legal department.

Use an iterative interview process to define requirements. Intelligence
customers may not completely understand what they need from an intelligence
team, or what they need may not align with the role, resources or responsibility
of the team. An iterative interview process that encourages a two-way
feedback loop is an effective way to define requirements. Interview questions
should attempt to identify high-level areas of concern or needs, and then pull
out key decisions that require intelligence support. The team should group its
questions in a logical way, such as by threat areas (cyber, fraud, competitive,
regulatory, etc.), business units or objectives (market share, revenue, products, etc.),
business strategy (speed to market, investments, industry disruptors, geographic
regions, etc.), or business assets (employees, network, reputation, intellectual
property, supply chain, stores, customers, etc.). Conducted once or twice a year,
interviews help acquaint customers with the team's resources and capabilities.
Engage third-party vendors to address gaps. Particularly in the early going,
intelligence managers and other stakeholders will need to balance intelligence
priorities against available capabilities and resources. Using third-party vendors
can fill those gaps. A qualified third-party vendor can:
Serve as a force multiplier by augmenting an organization's existing staff.
Provide expertise for short-term projects.
Serve as a source for collection or assist in collection itself.
Assist in intelligence analysis, or in developing an analytical mindset.
Play the role of a red team or adversary to help assess weaknesses.
Help teams develop an in-house style or co-brand products.
Develop a battle rhythm. When putting theory into practice, intelligence teams
face the risk of being overwhelmed, either by too much data or too many tasks.
As the stress of intelligence operations mounts, the team may become solely
responsive to the influx of new data. When this happens, the team tends to ignore
the data it has in hand and instead focus on the new data feeds coming in. The team is
paralyzed, and the operation fails.
A way to counter this is to develop a battle rhythm, a military management doctrine
which focuses on maintaining control over personnel and assets in extremely stressful
situations. This requires establishing working parameters for the management of data
flowing in and out of the team, and clarifying the role of each team member in the
process. This establishes a set of standard operating procedures (SOPs) for the
team, SOPs that can be learned, practiced, mastered and called upon in times
of stress. It also allows the team's management to assess the capacity at which the
team is running.

CONCLUSION
Intelligence is not simply a data feed, nor is it purely information. The heart of
intelligence is an assessment of that data. Arming customers with insightful
intelligence products will better inform those customers, and it will improve
their ability to make informed decisions. By following the steps outlined in this
paper, an organization may establish an intelligence capability for the first time
or may formalize and refine existing operations with the confidence that the
direction of the team complements the needs of its customers. By outlining a
framework for understanding the fundamentals of intelligence along with proven
best practices, iDefense hopes it will help organizations establish an effective
intelligence capability.

Appendix: RFI Template

Using a standard request format greatly simplifies the process of collecting
and interpreting customer requirements and ensures that the requestor
provides the information the intelligence team needs for an efficient
response. Below is a template for customers to submit requests to the
intelligence team. Other possible fields might cover priority, urgency,
CIR, etc. Internal information, such as submitted data, assignees, control number
and status, will aid in handling the request, though it is not advisable to include it in
the RFI form the customer uses. All fields should have an explicit response, with
"Not Specified" or a similar designation provided to indicate the customer's lack
of preference or available information.

Required Date:
Date by which the team has to return the
intelligence product to the customer to be effective.

Return Format:
Date by which the team has to return the
intelligence product to the customer to be effective.

Requested Organization:
The department or group initiating the request.

Point of Contact:
The department or group initiating the request.

Special Handling:
This section includes instructions indicating any exceptions to the standard RFI-handling process, such as
additional persons to include on the response or persons who should not have access to the request.
REQUEST
Background:
This section includes a description of the scenario that applies to the request, including what information
and sources of which the requestor is already aware. This may be a brief synopsis of events and reference
previous requests.

Information Requirements:
The main body of the request. The requestor should be as specific and direct as possible, preferably enumerating
specific questions (e.g. bulleted list) rather than writing a free flowing narrative.

VerisignInc.com
© 2012 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.
Verisign Public