Establishing a Formal Cyber Intelligence Capability
CONTENTS
Introduction 4
Preliminary Considerations
Direction 9
Collection 10
Analysis 13
Dissemination 15
Operationalizing Intelligence 17
Organizational Structures 17
Implementation and Deployment 19
Intelligence Maturity Model 22
Best Practices 25
Conclusion 28
Appendix: RFI Template 28
Throughout the world, organizations are
After defining the team's mission and understanding the basic Intelligence Cycle, the work of assembling resources and establishing a management plan can begin. Since most teams are rarely able to fulfill their entire charter at an early stage, prioritizing the most critical needs of the customer, and possibly the most critical customers, will help the team establish a solid foundation.
Business Intelligence: Detecting the Voice of the Enemy
Business intelligence and threat intelligence both support decision makers in an organization, but the responsibilities of these two functions differ greatly. Business intelligence focuses on assessing market conditions and business competitors, whereas threat intelligence gains knowledge of malicious actors who can damage the organization's ability to provide services. If business intelligence is the voice of the customer, then threat intelligence is the voice of the enemy. iDefense asserts that there is a logical division between the types of teams that conduct each of these functions. This report focuses primarily on threat intelligence.
Even from the outset, stakeholders should measure the intelligence team against a model of effectiveness or maturity as a way of gauging current capabilities and planning future efforts. The maturity model should assess the team, or each subteam, at each stage of the intelligence lifecycle, providing management personnel with a means to produce overall assessments. The intelligence manager and other stakeholders should assess the capabilities on a scale from informal to highly repeatable and efficient, where the highest grade indicates well-documented processes and communications, a high degree of automation, and the visibility into the process that is necessary to identify and address insufficiencies in a quantitative fashion.
Ultimately, it's the job of intelligence teams to deliver useful and relevant intelligence products (such as risk assessments, presentations and databases) that help decision makers protect information, assets and people. Still, the true impact of intelligence on decision making often remains unquantifiable and, as such, immeasurable. By adhering to proven intelligence practices and applying the appropriate management structure and oversight, any organization can develop a successful intelligence capability.
Introduction
Information today is plentiful and inexpensive. But for corporate organizations that make strategic and tactical decisions in an environment of uncertainty, a simple information feed frequently isn't enough. Too often, torrents of information lacking context and relevance overwhelm a decision maker. Intelligence analysis addresses this issue by methodically collating data into information and then turning information into intelligence. Many organizations recognize the need to better understand their adversaries, the security threats those adversaries pose, and their methods of attack. As a result, many organizations initially develop informal, ad-hoc intelligence capabilities that before long show their weaknesses or are simply outgrown. Eventually, the organization must consider how to establish more formal intelligence operations.
Some organizations may still establish a formal intelligence team separate from their security operation. But in a world where the threat landscape is constantly changing, the view that intelligence and security demand separate sets of personnel, training, technology and skill sets may be outdated. Increasingly, intelligence and security are viewed as partners instead of separate stakeholders, since the intelligence product is seen as an input to the security cycle.
This report lays out the fundamentals of intelligence, both theoretical and practical, to help organizations create an intelligence team, while providing guidance on how to evolve existing capabilities. It discusses the concepts that form the foundation for establishing intelligence gathering and dissemination capabilities. And it studies pre-intelligence steps that examine why companies commission others to carry out the task of gathering and presenting intelligence in the first place.
Additionally, this paper seeks to define intelligence gathering, analysis and dissemination as a practice, one that moves away from guesswork toward a testable and repeatable process. This overview begins by defining the team's mission and customers, then presents the basics of the intelligence lifecycle, and then discusses how to construct a team and evaluate its capabilities. Finally, the paper outlines some key best practices that should prove invaluable to any organization trying to establish or improve a cyber intelligence capability.
Preliminary Considerations
The crucial first step in developing an intelligence capability is to determine where it will fit in the organization's structure. This involves three activities that may occur in parallel:
1. Identifying both customers and consumers of intelligence products
2. Determining the customers' intelligence needs and requirements
3. Defining and communicating the intelligence organization's charter and mission
Work with partners. Regardless of where an intelligence team fits in the organization, the team should foster key relationships with cross-functional partners who may be consumers of the team's intelligence or even valuable sources of input for intelligence products. For instance, there is an organization's risk community (i.e., those departments responsible for managing different types of risk, such as information security, business continuity or disaster recovery, revenue assurance or fraud, and physical security). Other areas, such as finance, supply management, marketing, legal, human resources or internal auditing, may also be worthy partners in the intelligence effort.
Understand the needs of customers. The intelligence team needs to clarify the needs and requirements of primary customers. The team needs to know whether customers require intelligence to inform decisions concerning strategy, profitability, competitors, threats or something else, since each of these will drive very different intelligence outcomes. The process to identify intelligence requirements must incorporate an interactive dialogue between the intelligence team and its primary customers. Interviewing key customers and decision makers can be challenging, but it helps customers identify and define their intelligence requirements. These steps sharpen a team's focus and priorities. And they help establish the organization's intelligence capability requirements and identify the resources necessary to meet the needs of customers. While collaborating with customers to identify intelligence requirements, the intelligence team should be sure to address a few specific topics that can cause confusion if not clarified.
How do customers see the role of the intelligence team and its products? Some customers look for guidance from intelligence analysts' assessments, while others seek certainty.
Do customers expect the intelligence team to inform decision making or to make decisions itself?
It's vital to clarify these points, especially because intelligence analysts typically deal with ambiguous situations based on incomplete information.
Get everyone on the same page. It's difficult for intelligence teams to succeed without a common understanding between all stakeholders, customers, consumers and intelligence managers about the team's full scope of responsibilities. And here, communicating limitations is just as important as specifying requirements. For example, the intelligence team may not be able to meet all of the customers' needs due to legal, ethical or practical considerations, and disclosing those limitations early in the process will set expectations that the team can meet. This may lead to the customer looking to alternatives, such as external parties, to provide what the intelligence team cannot. All these steps help define the intelligence team's mission and charter, which are particularly important because an enterprise can easily misunderstand the team's role.
The Intelligence Cycle
To successfully mount and implement an intelligence capability, it's essential to understand the intelligence lifecycle model. This section looks at the basic Intelligence Cycle, a lifecycle model (see Exhibit 4-1) for the intelligence workflow, and briefly mentions other models as a point of comparison.
Exhibit 4-1: The Intelligence Cycle, a loop through four stages: Direction, Collection, Analysis, Dissemination.
Direction. This is the first stage, in which a senior decision maker formally tasks the intelligence team with the essential facts and data that they need to collect. This is the stage where a relationship is formed between the customer and the intelligence team. This stage focuses on capturing the customer's requirements as intelligence requirements (IRs), the product of the direction stage of the cycle.
Collection. Once IRs are defined, the team then collects and compiles raw information into a specific format for later analysis. This is the first major checkpoint for the Intelligence Cycle, as any mistakes in collection can cause a cascade of erroneous data through the rest of the cycle's process, resulting in the failure of the team to fulfill the IRs.
Analysis. Drawing from this raw information, analysts build intelligence throughout the analysis process. They use technical and non-technical methods to extrapolate patterns, meanings and sequences from raw data. This is the second point in the cycle where failure is possible, due to analyst bias, flawed hypotheses or other factors.
Dissemination. The intelligence team then creates and distributes a final intelligence product to the customer. This can take an innumerable number of forms, from a static document to a constant feed of information or an always-current database. In many ways, this is the answer phase of the Intelligence Cycle. Rarely will an intelligence customer be satisfied with a single delivery; receiving one product usually inspires additional intelligence tasks. This makes carefully managing stakeholder expectations and priorities a constant imperative.
CROSSCAT-V
The Intelligence Cycle model isn't the only guide for new intelligence teams. Several useful principles are encapsulated in the acronym CROSSCAT-V (centralized control, responsiveness, objectivity, source and methods protection, systematic exploitation, continuous review, accessibility, timeliness and vision).
Centralized Control: A single point of control for the intelligence team simplifies interactions and eliminates duplication of effort.
Responsiveness: The team must answer the question the customer asked, not the question the intelligence team wishes to answer.
Objectivity: An intelligence team should not pick sides, no matter how emotive a subject.
Source and Methods Protection: Sources of information (both human and non-human), an organization's technical capabilities and its operational methodologies are the lifeblood of an intelligence team and must be protected.
Systematic Exploitation: Intelligence is a methodological practice of research and review, using multiple sources and agencies.
Continuous Review: Intelligence has a shelf life, and the intelligence team must carry out a periodic review of its product to ensure it remains relevant.
Accessibility: An intelligence team must constantly balance the risk of its product falling into the wrong hands with the need for the customer to access that product.
Timeliness: Delivering intelligence products to customers in a timely fashion is central to the intelligence function.
Vision: The intelligence team must consider possibilities that are not immediately obvious. Often, the vision of an intelligence analyst, combined with the moral courage to voice an unconventional theory in an open forum, can make the difference between operational failure and mission success.
F3EA
Another useful model is F3EA, a methodology used by special operations forces in the US and UK militaries. F3EA stands for find, fix, finish, exploit and analyze. This model can deliver an intelligence product sooner, but it is typically appropriate only for organizations with the authority and capability to act against external adversaries. This largely limits F3EA's applicability to military and law enforcement agencies, since enterprises lack the authority to apprehend human or non-human assets and in many ways cannot even disrupt an adversary's operations. Even those efforts can give rise to complex issues, such as the difference between intelligence and evidence. Given both legal and operational limitations, the assessments and mitigations that the standard Intelligence Cycle produces are better suited to private sector organizations.
Direction
Direction is the first step in the Intelligence Cycle. It requires knowing who the customer of the intelligence product is, which, in almost all cases, will be someone external to the intelligence team. Their collective needs define the team's scope and requirements. Here, customer organizations must decide whether they require strategic or tactical information, business and market intelligence, or threat and security intelligence, and whether they need to produce legally recognized evidence or consume the intelligence product internally.
Issuing directions and intelligence. It's rare for the customers themselves to issue clear direction or provide actionable tasking orders. Instead, intelligence managers work with customers to translate customer needs into actionable tasks. Requirements generally fall into a loose hierarchy of critical information requirements (CIRs), priority information requirements (PIRs) and requests for information (RFIs).
CIRs are long-term, broadly defined categories that collectively set the scope of the team's efforts and responsibilities. CIRs might persist for one or more years, and should require approval from both customers and intelligence managers. If a task does not pertain to an existing CIR, it is outside the team's scope.
PIRs are medium-term directives that often revolve around a particular topic or project and are more specific than CIRs. Handled within weeks or months, PIRs are not subject to the same change-control rigor as CIRs, and the intelligence team creates and closes them based on direct requests from a customer or intelligence manager.
RFIs are tactical and narrower in scope, and may be generated by the team in an ad-hoc fashion; they may also come directly from a customer. RFIs are a critical component of the daily intelligence process. They may directly support PIRs or CIRs, but must at least indirectly support one or more CIRs. This paper includes an RFI template as an appendix.
Evaluating requests. When the intelligence team receives an RFI from a client, the team's management should make a number of checks before embarking upon any kind of work stream. In particular, the team manager should ask three essential questions:
What can the team do? A team should agree to work that fits well within its scope and capacity to fulfill a client's request.
What can the team not do? Sometimes, work falls outside a team's capability due to technical limitations, legal restrictions or a lack of time.
What will the team not do? A team may decline work that is outside its defined scope, or tasks that violate the parent organization's code of ethics. Managers should give a reason when declining these projects.
Accepting requests. The team should always give the customer a confirmation that it received the request and will complete it within an established time frame. Despite the risks of succumbing to hubris, which can lead to acting independently and apart from stakeholder direction and oversight, intelligence teams must never lose sight of their main function: customer service.
Collection
Collection is the bedrock of any intelligence operation. During the collection stage, the intelligence team enjoys a significant amount of freedom. This can be a double-edged sword, as the team also has the freedom to fail. It's rare that the intelligence team has the opportunity, later in the Intelligence Cycle, to correct mistakes made at the collection level.
Source types and associated risks. Data comes from a variety of sources that naturally break down into a handful of basic categories, each with its own characteristics and associated risks:
Human Intelligence (HUMINT). Analysts can either overtly or covertly collect human intelligence (intelligence derived from people, using the relationship between the agent and the agent handler). While HUMINT is the easiest discipline with which to start an intelligence-gathering operation, it is the hardest from which to gain reliable, actionable intelligence. It takes a skilled agent handler to manage a covert human intelligence source (CHIS) collection, and the risks to all involved can be extreme. Intelligence teams across industry sectors use a number of models for conducting HUMINT operations. Any of them may involve compensating the source for the information provided:
Military and Intelligence Services. Intelligence teams conduct these operations covertly with a classic agent handler and CHIS relationship, and all the features of traditional spy craft. Risk levels are high for all involved parties. iDefense does not recommend this model for private sector firms due to the potential reputational risks from conducting covert operations.
Policing. Policing is done either overtly or covertly, and shares many of the features of the military and intelligence services model. Overt activities include elements of suspect interviewing and interaction with the public. iDefense recommends that management instill the formality and rigor of the wider process into a private sector intelligence team's daily functions.
Journalistic. This model is predominantly overt with some limited covert activities. It replaces the agent handler and CHIS relationship with the interviewer and interviewee model. The main difference: interviewers generally cannot coerce interviewees. It's easier to combine this approach with viral marketing techniques and population surveys. However, as the level of openness increases, the value of the derived intelligence decreases. Nevertheless, iDefense recommends the journalistic model as the preferable model for a private sector corporation's intelligence capability.
Signals Intelligence (SIGINT). SIGINT refers to technical collection capabilities, such as mobile phone intercepts, and is arguably the most technically demanding of the disciplines. But the time an organization invests in the creation of a SIGINT-collection capability is worthwhile, as data typically comes directly from its source in the form of intercepted communications between actors. SIGINT also allows the observer to sit on the outside and look in on his or her target set, unlike HUMINT. SIGINT is by no means risk-free, with its main issue coming from the legal pitfalls of collecting such data.
1. IMINT does not always produce a product that humans can interpret. Often, the image can comprise multiple
scanning technologies that require a large degree of processing to be of any value to the analyst.
A Strategic Approach to Scanning for Threats
In a perfect world, an organization would be fully aware of the threats against it at all times. But no organization, public or private, can achieve 100 percent situational awareness. Still, many intelligence customers unreasonably expect that the intelligence team is fully aware of the threat environment at all times. As a result, the intelligence team's daily functions are shaped by managing customer expectations and by adopting a strategic approach to how it scans the threat environment.
3. Awareness of the influence of cognitive bias and other external factors on an analyst's thinking.
4. An open mind regarding alternative models.
Mirror imaging occurs when intelligence analysts assume that the subject they
are studying thinks like the analysts.
Layering occurs when analysts base assumptions or judgments on previous
work that they have not updated or revalidated.
Groupthink refers to members of a cohesive group attempting to reach consensus
without critically evaluating ideas and assumptions.
All these highlight the need for an environment that encourages self-awareness,
peer review and questioning of existing procedures.
Dissemination
The final stage of the Intelligence Cycle, dissemination is the point at which an intelligence team passes the product back to its customer in response to that customer's original direction. Excellent intelligence that an intelligence team improperly presents will not effectively communicate the findings to the customer, resulting in a failure to achieve the team's task. As a result, dissemination is not a trivial matter. This final stage of the intelligence process contains several factors that determine the quality of an intelligence product and whether the customer base will accept it positively. Superior intelligence products share certain key characteristics:
Brevity. Intelligence products should not be verbose. Executive summaries and bulleted key facts at the start of an intelligence product are useful for conveying the "so what" element of an intelligence report.
Accuracy. Intelligence reports should never contain subjective information or the opinion of the intelligence analyst. The intelligence team should be honest and disclose to the customer any intelligence gaps that are in the product.
Exhibit (figure): intelligence product tiers: High Impact; Medium Interest; General Background Information / News.
Often the factor that determines the quality of the product is not the content of the report but the presentation of the product. Ensuring that the final product reaches the customer in an appropriate format for consumption formally completes the intelligence process. When possible, the intelligence manager should engage the customer to ensure the deliverable did in fact fulfill the customer's request and to collect any feedback or follow-up requests.
Operationalizing Intelligence
Turning intelligence theory into practice is a challenge that any organization wishing to develop an effective intelligence capability must address. The initial stages of an intelligence organization's life can often pose the most risk to the future viability of the team, from either disinterest in or misinterpretation of the team's roles and capabilities by the host organization's senior management.
This section starts by examining some key concepts for the development of the spirit of the team, both in its management structure and in its outlook toward the individual members of the team. From this general look, the report continues by examining each job role in more detail, paying specific attention to roles that deal with intelligence and roles that manage the individuals within those roles. From this very practical focus, the section examines the higher-level concepts concerning data flow and management within the team and the decision the team needs to make between taking a passive or proactive operational stance.
Organizational Structures
Key to the success of any intelligence operation is the firm development of a logical team structure. Team managers must choose between a hierarchical or flat command structure within the team. From an operational perspective, there are a number of advantages and disadvantages to both command structures.
Hierarchical versus flat model. A hierarchical team is the classic management model. Its main advantage is its ability to respond quickly to senior management due to the clear chain of command. With this model, it's easy to swiftly cascade direction through the team via the chain of command and make rapid strategic changes. Yet, there is also a risk of losing intelligence between command layers within the team. This loss can create delays and slow the analysis of new information. Intelligence circles refer to this delay as "blink potential."
To avoid this, the team can establish a flat management structure that allows team members to easily pass data between peers. Establishing this "unblinking eye" of operations reduces the risk of blink potential causing the loss of intelligence. The downside of this organizational structure is a lack of control and oversight from the team's management, which can have serious consequences, specifically in areas such as team task-scope creep and coordination of operations.
When deciding what form the intelligence team's management chain should take, senior decision makers should consider that:
A hierarchical system tends to support those new to the intelligence practice, whereas more experienced members appreciate the freedom of a flat management structure.
Management can control a hierarchy more easily but will have less flexibility than with flat-structured teams.
A widely distributed team organization will find a hierarchical structure more of a deterrent than a benefit for all levels of the team, though a large, flat organization will require recruitment of senior-level members who require less supervision.
Team personnel. Intelligence teams can vary in size from a one-man band (a single individual working under the direction and support of a host agency) to organizations comprising thousands of individuals, such as government agencies. Specific to information security, and cyber security more broadly, intelligence teams typically consist of managers, analysts and operations specialists, organized according to the phases of the intelligence process (collection, analysis, publishing), by categories of threat (malicious code, insiders, network intrusions, etc.) or a combination thereof. Some of the specialists who are frequently found in an enterprise security intelligence organization include:
Intelligence Manager, an authority figure who may be a manager, director or vice president depending on the organization's size and organizational culture. This person acts as the primary interface for customers and other stakeholders and is ultimately accountable for the team's successes and failures. The intelligence team manager sets the direction according to the scope agreed with the stakeholders and ensures the team executes the development plan. He or she also translates high-level strategic objectives into tangible tactical goals for the intelligence team.
Operations Team, which handles administrative and coordination functions, including working with customers to refine IRs, issuing requirements to teams, and assigning ownership of RFIs and larger analytical projects. This team shepherds tasks through the Intelligence Cycle and oversees the team's daily operations, escalating issues to the manager as needed.
Publishing Team, to ensure that final products adhere to the team's standards of quality and formatting. Publishers also perform content reviews, evaluating whether the author presents the content clearly and comprehensively and whether the final product meets the customer's requirements.
Intelligence Generalists, for cross-functional analysis and for leading inter-team efforts. The people that make up these groups are intelligence generalists. Small organizations may have only one pool of analysts that perform all collection and analysis for the entire scope of responsibilities.
Malware Engineer, who often reverses malicious code samples and/or monitors their behavior inside a controlled environment to understand the risk the code poses to the customer.
Network Engineer, with a deep understanding of Internet protocols and defense mechanisms, to help security operators analyze traffic during security events and assess the benefits of deploying next-generation technologies such as IPv6 and Domain Name System Security Extensions (DNSSEC).
Social Scientist, focused on social network analysis, individual profiling and collecting information from HUMINT and open sources. Only senior analysts should act as handlers of HUMINT sources, due to the dangers of information disclosure and reputational risk to a company. The social scientist helps customers determine the risks associated with certain business activities by understanding the capabilities of the attackers those activities may incite.
Implementation and Deployment
In developing the team, intelligence managers aim to shift from a reactive to a proactive stance. In a reactive stance, the intelligence team tells the customer what has happened in the past, whereas a proactive team will be able to communicate what may happen in the future. This is possible only by building the foundation for new capabilities, primarily by establishing assets and new job roles and assigning subject-matter specialists.
Three stages of implementation. A useful way to view intelligence team implementation is to break it into early, mid and late stages. These stages should be viewed more as maturity levels than fixed timescales, since different organizations will move through the stages at different rates. Following a logical order will streamline the process of establishing each team post and achieving operational milestones. Exhibit 5-1 outlines the focus and milestones for each stage of building an intelligence capability.
Exhibit 5-1: Team focus and team stance by implementation stage (table partially recovered from the original layout).
Team Stance: Early stage: Exclusively Reactive. Mid stage: Predominately Reactive. Late stage: Balanced between Reactive and Proactive.
Team Focus milestones listed in the exhibit: Deploy periodic reports on trends and developments; Develop analytical specialities within the team; Automate delivery of products through Web services APIs and RSS.
Each stage could take as little as a few weeks or last as long as several years. Implementation times depend upon allocated resources, the sponsoring organization's appetite for risk, and the speed at which the team develops.
Early Stage: Developing Core Capability
Early in development, attention faces inward as the team focuses on crafting
working procedures and developing a team identity. Initial deliverables
(usually inquiry responses consisting of background intelligence) may not fully
communicate a team's value, so support from senior management is essential.
The RFI form. Designing a formal RFI form and process is a necessary early step,
because it offers an effective way to identify customer requirements. Customers
have to adopt the RFI form for daily use, so it's in the intelligence team's interest
to make it easy for customers to provide the data the team needs by:
- Simplifying the request process and the form
- Differentiating between what might be useful and what is truly required
- Engaging other stakeholders and vigorously challenging the value of each field and step
- Focusing directly on how effectively the result captures the customer's needs
Tracking and managing RFIs. The team should also implement a central
process to manage and track incoming RFIs and subsequent responses.
Without a formal process and centralized log, the intelligence manager
cannot sufficiently oversee team tasks as the volume and diversity of
requests increase. By gaining insight into the workflow and allocation
of resources, teams can better prioritize tasks and minimize the risk
of an unfulfilled request.
To this end, the team should establish a working database that records when an
RFI comes in and when the team answers that RFI. The intelligence team will likely
include additional database fields, such as the relevant CIR or PIR as required
by the customer. In addition to avoiding mishandled tasks, overseeing an RFI
database provides useful data for identifying capability gaps, resource needs and
quantifiable metrics regarding the team's workload and usefulness to individual
customers. The actual technical implementation of the database can be as simple
as a version-controlled spreadsheet or as complex as a multi-user national system.
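The following is an added example of the simplest end of that spectrum; it is not tooling from the paper or from iDefense. It keeps the two dates the text calls for (received, answered) plus the customer, the required date from the RFI template and an optional PIR reference in a SQLite table, and derives the metrics the paragraph names: overdue (unfulfilled) requests, per-customer workload, mean turnaround and an open-request ratio per PIR as a crude gap indicator. The schema, field names and the sample RFIs are constructed for the example.

```python
# Added example, not the paper's own tooling: a minimal RFI log in SQLite with the
# metrics the text describes (turnaround, unfulfilled requests, per-customer workload,
# gaps against PIRs). Schema, field names and the sample RFIs are constructed here.
import sqlite3
from datetime import date

SCHEMA = """
CREATE TABLE rfi (
    id          INTEGER PRIMARY KEY,
    customer    TEXT NOT NULL,   -- requesting organization
    pir         TEXT,            -- related priority intelligence requirement, if any
    received    TEXT NOT NULL,   -- ISO date the request came in
    required_by TEXT NOT NULL,   -- date by which the response must arrive to be useful
    answered    TEXT             -- ISO date the response went out; NULL while open
);
"""

# Constructed sample requests: (customer, pir, received, required_by, answered)
SAMPLE_RFIS = [
    ("SOC",   "PIR-1", "2012-05-01", "2012-05-03", "2012-05-02"),
    ("SOC",   "PIR-1", "2012-05-02", "2012-05-09", "2012-05-04"),
    ("Fraud", "PIR-2", "2012-05-03", "2012-05-05", None),
    ("Fraud", None,    "2012-05-04", "2012-05-18", "2012-05-06"),
    ("Legal", "PIR-3", "2012-05-05", "2012-05-06", None),
]

def log_request(conn, customer, pir, received, required_by):
    """Record an incoming RFI; returns its id for later reference."""
    cur = conn.execute(
        "INSERT INTO rfi (customer, pir, received, required_by) VALUES (?, ?, ?, ?)",
        (customer, pir, received, required_by))
    return cur.lastrowid

def log_response(conn, rfi_id, answered):
    """Record the date the team answered the RFI."""
    conn.execute("UPDATE rfi SET answered = ? WHERE id = ?", (answered, rfi_id))

def build_sample_db():
    """In-memory database loaded with the constructed sample RFIs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for customer, pir, received, required_by, answered in SAMPLE_RFIS:
        rfi_id = log_request(conn, customer, pir, received, required_by)
        if answered:
            log_response(conn, rfi_id, answered)
    conn.commit()
    return conn

def overdue(conn, today):
    """Open RFIs whose required date has passed: the unfulfilled requests a manager must catch."""
    return conn.execute(
        "SELECT id, customer, required_by FROM rfi "
        "WHERE answered IS NULL AND required_by < ? ORDER BY required_by",
        (today,)).fetchall()

def workload_by_customer(conn):
    """Total and open requests per customer, a basic workload/usefulness metric."""
    rows = conn.execute(
        "SELECT customer, COUNT(*), SUM(answered IS NULL) FROM rfi "
        "GROUP BY customer ORDER BY customer").fetchall()
    return {c: {"total": t, "open": o} for c, t, o in rows}

def mean_turnaround_days(conn):
    """Average days from receipt to response over answered RFIs (None if nothing answered)."""
    rows = conn.execute("SELECT received, answered FROM rfi WHERE answered IS NOT NULL").fetchall()
    days = [(date.fromisoformat(a) - date.fromisoformat(r)).days for r, a in rows]
    return sum(days) / len(days) if days else None

def open_ratio_by_pir(conn):
    """Share of still-open requests per PIR; a persistently high ratio hints at a capability gap."""
    rows = conn.execute(
        "SELECT COALESCE(pir, 'unmapped'), COUNT(*), SUM(answered IS NULL) FROM rfi "
        "GROUP BY pir").fetchall()
    return {p: o / t for p, t, o in rows}

if __name__ == "__main__":
    db = build_sample_db()
    print("overdue as of 2012-05-07:", overdue(db, "2012-05-07"))
    print("workload:", workload_by_customer(db))
    print("mean turnaround (days):", mean_turnaround_days(db))
    print("open ratio by PIR:", open_ratio_by_pir(db))
```

Dates are stored as ISO-8601 text so that SQLite's string comparison orders them correctly; the same queries work unchanged against a file-backed database shared by the team.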
Assessing maturity. When grading one's own organization, there will likely be
a tendency to summarize a team's overall capability. Some may try converting
maturity levels into numerical averages, which will usually provide a misleading
picture because the maturity levels listed above are ordinal values for which
mathematical operations are not valid, even if represented numerically. Instead, it
is useful to view the intelligence process as a system that is only as strong as its
weakest link. Excellent direction, collection and dissemination that rely on poor
analysis still yield a poor product. Insufficient direction accompanied by excellent
collection, analysis and dissemination capabilities almost certainly produces
an irrelevant result. Similarly, the capabilities of a team are only as mature as
the team's weakest point. Exhibit 5-2 is a sample assessment of an intelligence
organization that acts as a report card of intelligence capability. Customers
may have enough visibility into the workings of the team to provide this level of
feedback directly, but intelligence managers should produce a similar overview
at least annually, if not quarterly.
EXHIBIT 5-2: SAMPLE ASSESSMENT OF AN INTELLIGENCE ORGANIZATION

Team              Direction   Collection   Analysis    Dissemination   Overall Capability
Management        Formal      N/A          N/A         N/A             Formal
Operations        Formal      N/A          N/A         Formal          Formal
Generalists       N/A         Ad Hoc       Formal      Formal          Ad Hoc
Malicious Code    N/A         Proactive    Efficient   Efficient       Efficient
Network Threats   N/A         Efficient    Efficient   Formal          Formal
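The weakest-link rule and the warning against numerical averages, as an added example that is not part of the paper: the script below transcribes Exhibit 5-2, computes each team's overall capability as the lowest level among the stages it performs, reports which stage bounds that rating, and contrasts the result with what a rounded mean of the level codes would claim. The ordering Ad Hoc < Formal < Efficient < Proactive is an assumption taken from the exhibit; its Overall column is consistent with it.

```python
# Added example (not iDefense's own tooling): weakest-link maturity scoring over the
# four lifecycle stages. The ordering Ad Hoc < Formal < Efficient < Proactive is an
# assumption taken from Exhibit 5-2, whose Overall column is consistent with it.

LEVELS = ["Ad Hoc", "Formal", "Efficient", "Proactive"]   # ordinal, lowest first
RANK = {name: i for i, name in enumerate(LEVELS)}
STAGES = ("Direction", "Collection", "Analysis", "Dissemination")

# Exhibit 5-2 transcribed; None stands for N/A (the team does not perform that stage).
EXHIBIT_5_2 = {
    "Management":      ("Formal", None, None, None),
    "Operations":      ("Formal", None, None, "Formal"),
    "Generalists":     (None, "Ad Hoc", "Formal", "Formal"),
    "Malicious Code":  (None, "Proactive", "Efficient", "Efficient"),
    "Network Threats": (None, "Efficient", "Efficient", "Formal"),
}

def rated_stages(scores):
    """Map stage name -> rank for the stages a team actually performs, validating level names."""
    rated = {}
    for stage, level in zip(STAGES, scores):
        if level is None:
            continue
        if level not in RANK:
            raise ValueError(f"unknown maturity level {level!r} for {stage}")
        rated[stage] = RANK[level]
    if not rated:
        raise ValueError("team has no rated stages")
    return rated

def overall(scores):
    """Weakest-link rule: the overall capability is the lowest level among rated stages."""
    return LEVELS[min(rated_stages(scores).values())]

def limiting_stages(scores):
    """Stages that bound the overall rating; these are the natural improvement targets."""
    rated = rated_stages(scores)
    low = min(rated.values())
    return [stage for stage, r in rated.items() if r == low]

def numeric_average(scores):
    """The misleading alternative the text warns about: mean of the level codes, rounded back to a level."""
    ranks = list(rated_stages(scores).values())
    return LEVELS[round(sum(ranks) / len(ranks))]

def report_card(exhibit=EXHIBIT_5_2):
    """Overall capability per team, i.e. the Overall column of the exhibit."""
    return {team: overall(scores) for team, scores in exhibit.items()}

if __name__ == "__main__":
    for team, scores in EXHIBIT_5_2.items():
        print(f"{team:16} overall={overall(scores):10} limited by={limiting_stages(scores)} "
              f"average would say={numeric_average(scores)}")
```

For the Network Threats team the two rules disagree: the mean of two Efficient scores and one Formal rounds to Efficient, while the exhibit (and the weakest-link rule) rates the team Formal because its dissemination is Formal.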
Best Practices
Years of experience in the field have equipped iDefense with a list of best practices
that bolster the efforts of organizations seeking to develop an internal cyber
intelligence capability.
Implement a consistent style. An in-house style establishes a brand identity
for the intelligence team and standardizes its products, making intelligence
products easier to recognize, digest and integrate into the decision-making
process. It makes clear to customers that the intelligence team operates as an
integrated organization. Teams should look to word processing programs, web
portals and content management systems for templates and tools that help apply
internal standards.
Grade intelligence using the 5 by 5 by 5 system. Intelligence sources, value and
sensitivity can vary greatly even within the same type of intelligence source. The
process of grading intelligence helps convey clearly to the customer the assessed
level of truth or fallacy in the product. To grade the quality of information coming
from a HUMINT source, the intelligence community uses the 5 by 5 by 5 system.
This system grades the veracity of the source, the veracity of the information, and
how the processing organization should handle that information. An intelligence
team should not attempt to filter information into categories of truth or falsity.
Instead, the intelligence team should seek to communicate to the customer
its assessment of the degree of confidence it has in the intelligence based on
the reliability of the source and the credibility of the information the source has
provided. Exhibit 6-1 displays a standard grading system for intelligence.
Using the system in Exhibit 6-1, an analyst on the intelligence team could grade
a product based on source reliability (ranging from A to E) and information
credibility (ranging from 1 to 5). Any combination of grades is possible,
though extreme grades such as A5 and E1 are highly unlikely.
EXHIBIT 6-1: THE FIRST TWO 5 BY 5 BY 5 ELEMENTS OF THE CLASSIC INTELLIGENCE GRADING SCHEME

SOURCE
A  Always Reliable
B  Mostly Reliable
C  Sometimes Reliable
D  Unreliable
E  Untested

INFORMATION
Known to be true without reservation
Known personally to source but not to collector
Cannot be judged
Believed to be false or malicious

HANDLING
Open source, no restrictions
Restricted to clients only
Restricted to specific clients
Restricted to specific clients with conditions
No dissemination without authority
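The grading practice above, as an added example that is neither the paper's nor iDefense's code: it parses a source/credibility/handling grade, flags the combinations the text calls highly unlikely for analyst review, and gates dissemination of a product on its handling element so that a product marked for specific clients does not leave the team by accident. The A to E source letters and the 1 to 5 credibility digits follow the text; the 1 to 5 numbering of the handling levels, the `B2/3` grade syntax and the recipient attributes are assumptions made for the example.

```python
# Added example, not code from the paper: parsing a 5 by 5 by 5 grade and enforcing the
# handling element at dissemination time. Source letters A-E and credibility digits 1-5
# follow the text; the 1-5 numbering of the handling levels, the 'B2/3' grade syntax and
# the Recipient attributes are assumptions made here.
from dataclasses import dataclass
import re

SOURCE_RELIABILITY = {
    "A": "Always Reliable", "B": "Mostly Reliable", "C": "Sometimes Reliable",
    "D": "Unreliable", "E": "Untested",
}
HANDLING = {  # assumed numbering, in the order Exhibit 6-1 lists the levels
    1: "Open source, no restrictions",
    2: "Restricted to clients only",
    3: "Restricted to specific clients",
    4: "Restricted to specific clients with conditions",
    5: "No dissemination without authority",
}
# Combinations the text calls highly unlikely; flagged for review rather than rejected.
IMPLAUSIBLE = {"A5", "E1"}

GRADE_RE = re.compile(r"^([A-E])([1-5])/([1-5])$")

@dataclass(frozen=True)
class Grade:
    source: str       # A..E, reliability of the source
    credibility: int  # 1..5, credibility of the information
    handling: int     # 1..5, how the product may be disseminated

def parse_grade(text):
    """'B2/3' -> Grade('B', 2, 3); malformed grades raise so they never reach a product."""
    m = GRADE_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"malformed grade {text!r}; expected e.g. B2/3")
    return Grade(m.group(1), int(m.group(2)), int(m.group(3)))

def is_plausible(grade):
    """False for the extreme source/credibility pairs an analyst should double-check."""
    return f"{grade.source}{grade.credibility}" not in IMPLAUSIBLE

def describe(grade):
    """Human-readable form for the product header."""
    return (f"source {grade.source} ({SOURCE_RELIABILITY[grade.source]}), "
            f"credibility {grade.credibility}, "
            f"handling {grade.handling} ({HANDLING[grade.handling]})")

@dataclass(frozen=True)
class Recipient:
    name: str
    is_client: bool
    cleared_products: frozenset = frozenset()  # product ids this recipient was specifically named for
    accepted_conditions: bool = False          # has agreed to the conditions attached (handling 4)

def may_disseminate(grade, recipient, product_id, release_authority=False):
    """Gate a product against its handling code before it leaves the team."""
    h = grade.handling
    if h == 1:
        return True
    if h == 2:
        return recipient.is_client
    if h == 3:
        return recipient.is_client and product_id in recipient.cleared_products
    if h == 4:
        return (recipient.is_client and product_id in recipient.cleared_products
                and recipient.accepted_conditions)
    return release_authority  # handling 5: only with explicit authority

if __name__ == "__main__":
    g = parse_grade("B2/3")
    print(describe(g), "plausible:", is_plausible(g))
    r = Recipient("client-analyst", is_client=True, cleared_products=frozenset({"RFI-42"}))
    print("RFI-42 to client-analyst:", may_disseminate(g, r, "RFI-42"))
    print("RFI-43 to client-analyst:", may_disseminate(g, r, "RFI-43"))
```

The gate deliberately treats the handling element as a hard rule while the source and credibility elements remain advisory, matching the text's point that the grade communicates confidence to the customer rather than filtering information into true and false.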
RFI workflow figure (labels as they appear): Determine; Receive RFI; Log Request in RFI DB; Send Response; Log Request in RFI DB.
CONCLUSION
Intelligence is not simply a data feed, nor is it purely information. The heart of
intelligence is an assessment of that data. Arming customers with insightful
intelligence products will better inform those customers, and it will improve
their ability to make informed decisions. By following the steps outlined in this
paper, an organization may establish an intelligence capability for the first time
or may formalize and refine existing operations with the confidence that the
direction of the team complements the needs of its customers. By outlining a
framework for understanding the fundamentals of intelligence along with proven
best practices, iDefense hopes it will help organizations establish an effective
intelligence capability.
APPENDIX: RFI TEMPLATE

Required Date:
Date by which the team has to return the intelligence product to the customer to be effective.
Return Format:
Requested Organization:
The department or group initiating the request.
Point of Contact:
Special Handling:
This section includes instructions indicating any exceptions to the standard RFI-handling process, such as additional persons to include on the response or persons who should not have access to the request.
REQUEST
Background:
This section includes a description of the scenario that applies to the request, including what information and sources the requestor is already aware of. This may be a brief synopsis of events and may reference previous requests.
Information Requirements:
The main body of the request. The requestor should be as specific and direct as possible, preferably enumerating specific questions (e.g. as a bulleted list) rather than writing a free-flowing narrative.
VerisignInc.com
2012 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its
subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.
Verisign Public
201205