Five Things to Consider for a Successful Intelligence Team - Part 1
#1 - Invest in Proper People and Tools
I’ve had the opportunity to travel a bit and “evangelize” about Intelligence - what it is and the basic methodology surrounding it. The “Take Away” portion covers five areas of consideration for organizations wanting to set up their own intelligence shop and be successful. I will be breaking these down in more detail over the course of this five part series.
Threat intelligence in our industry is evolving. Going beyond vulnerability and threat feeds is a must. To do so, you need dedicated resources that cover both personnel and hardware/software. These team members not only need to have an understanding of security, but they must also be able to provide analysis based on sound intelligence methodology.
PEOPLE: The Intelligence Analyst
An intelligence analyst identifies and retrieves pertinent information that has been collected and correlates that data against additional sources and research. The analyst, utilizing personal knowledge and expertise, then produces an assessment or finished product that is timely and action oriented.
Intelligence analysts should be critical thinkers who are known subject matter experts (SME) in their particular field. They should have the ability to draw conclusions from differing sources of information and to extract the appropriate information within.
Intelligence analysts are not easy to come by. Intelligence analysis can be a difficult concept to grasp without the proper training by intelligence professionals in a structured environment. For example, the Navy and Marine Corps Intelligence Training Center (NMITC) trains Navy and Marine Corps intelligence specialists, Counter Intelligence personnel, Ground Intelligence Officers and the like in this arena. This being the case, it is more practical to invest in recruiting and hiring these trained professionals once their service time is up, and then inundate them with industry training so they gain an understanding of the industry as well as infosec-specific skills.
TOOLS: Collection Management System & Visual Analysis
I spoke above about going beyond vulnerability and threat feeds. I am not saying these are not valuable. We know they are. Big data is making its way into every facet of information security, but how does an analyst properly dissect and make this information relevant? The answer is Collections Management.
With the amount of information flowing to the intelligence team from both internal and external sources, the staff can easily be inundated with masses of data. This is where a collections management system (CMS) comes in.
To be able to track, categorize and process the collected data, the CMS should be a dedicated database utilized by the intelligence staff, which is both user-friendly and easily queried. An example of a collections management database would be the “Collective Intelligence Framework (CIF),” an open community project that is labeled as a “cyberthreat intelligence management system… That allows you to combine known malicious threat information from many sources…”
Intelligence staff have many tools at their disposal for the collection and processing of raw data, and CIF is just one of them. Prior to establishing a set CMS, the staff should research and evaluate several that are available in order to determine which is the most feasible based on capital expenditure required for hardware and administration.
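To make the CMS idea concrete, here is a small added example (not code from the post, CIF, or any other product) of what "track, categorize and process" looks like in practice: indicators from two overlapping feeds are normalized, typed, deduplicated into one record per indicator, and kept queryable by type, source, tag and confidence. The feed contents, source names and confidence scale are all constructed for the example.

```python
"""Toy collections management store: ingest from several feeds, normalize,
deduplicate, keep provenance, and answer analyst queries. Added example;
all feed data below is constructed and not a real indicator."""
import ipaddress
import re
from dataclasses import dataclass, field

HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$")

# Constructed sample feeds. Note the overlap on 198.51.100.7 (documentation
# range) and the junk record in FEED_A that a CMS must reject or quarantine.
FEED_A = [
    {"indicator": "198.51.100.7", "confidence": 60, "tag": "scanner", "seen": "2015-03-01"},
    {"indicator": "Malicious.example", "confidence": 80, "tag": "c2", "seen": "2015-03-02"},
    {"indicator": "not a valid indicator", "confidence": 50, "tag": "junk", "seen": "2015-03-02"},
]
FEED_B = [
    {"indicator": "198.51.100.7", "confidence": 85, "tag": "bruteforce", "seen": "2015-03-04"},
    {"indicator": "0123456789abcdef0123456789abcdef", "confidence": 40, "tag": "dropper", "seen": "2015-03-03"},
]


def classify(value):
    """Infer an indicator type so feeds that omit one can still be categorized."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]+", value) and len(value) in HEX_LENGTHS:
        return HEX_LENGTHS[len(value)]
    if DOMAIN_RE.match(value):
        return "domain"
    return "unknown"


@dataclass
class Indicator:
    value: str
    itype: str
    confidence: int = 0
    first_seen: str = ""
    last_seen: str = ""
    sources: set = field(default_factory=set)  # provenance: which feeds reported it
    tags: set = field(default_factory=set)


class CollectionStore:
    """One record per (type, value); repeated sightings merge into it."""

    def __init__(self):
        self._items = {}

    def __len__(self):
        return len(self._items)

    def ingest(self, source, records):
        """Normalize and merge a feed's records; returns how many were accepted."""
        accepted = 0
        for rec in records:
            value = rec.get("indicator", "").strip().lower()
            itype = classify(value)
            if itype == "unknown":
                continue  # a real CMS would quarantine this for analyst review
            seen = rec.get("seen", "")
            item = self._items.get((itype, value))
            if item is None:
                item = Indicator(value, itype, first_seen=seen, last_seen=seen)
                self._items[(itype, value)] = item
            item.sources.add(source)
            if rec.get("tag"):
                item.tags.add(rec["tag"])
            # Keep the strongest assessment and the full sighting window (ISO dates sort as text).
            item.confidence = max(item.confidence, int(rec.get("confidence", 0)))
            if seen:
                item.first_seen = min(item.first_seen or seen, seen)
                item.last_seen = max(item.last_seen, seen)
            accepted += 1
        return accepted

    def get(self, value):
        value = value.strip().lower()
        return self._items.get((classify(value), value))

    def query(self, itype=None, min_confidence=0, source=None, tag=None):
        """Filter by any combination of type, confidence floor, source and tag."""
        hits = [i for i in self._items.values()
                if (itype is None or i.itype == itype)
                and i.confidence >= min_confidence
                and (source is None or source in i.sources)
                and (tag is None or tag in i.tags)]
        return sorted(hits, key=lambda i: (-i.confidence, i.value))


def build_demo_store():
    store = CollectionStore()
    store.ingest("feed_a", FEED_A)
    store.ingest("feed_b", FEED_B)
    return store


if __name__ == "__main__":
    for item in build_demo_store().query(min_confidence=50):
        print(item.itype, item.value, item.confidence, sorted(item.sources), sorted(item.tags))
```

The design point is the merge: the same address reported by two feeds becomes one record carrying both sources, both tags, the higher confidence and the full first/last-seen window, which is what lets an analyst ask "what do we know about this" rather than reading two feeds side by side. The rejected junk record is the other half of the job; a production CMS would keep it in a quarantine table rather than silently dropping it.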
In addition to collections management, there are great analytical tools available both commercially and publicly, such as IBM’s i2 Analyst’s Notebook, Paterva’s Maltego and Palantir’s many platforms. These are mainly visual analysis tools, but they also assist the analyst in mapping out data and visually depicting a problem set so as to identify trends, patterns and anomalies.
Identifying and investing in the proper people and tools from the beginning is a great way to get an intelligence program off the ground. Businesses can find top-caliber analysts via veteran-targeted job boards, such as:
In addition, job fairs close to military bases throughout the U.S. provide a great opportunity to meet with potential candidates. On the tools side, there are a lot of vendors that are investing in creating and maintaining threat management collection, storage and analysis tools. There are also developers who are actively building and coding to assist the analyst.
Additionally, Development Operations is a great way to encourage a staff to identify gaps in capabilities and begin building their own tools and processes that meet the needs of the organization.
- Part 2 - Encourage Internal Development (DEVOPS)
- Part 3 - Allow for Open Communication
- Part 4 - Don't Shy Away from Sharing
- Part 5 - Make It Operational
Director, Cyber Threat Intelligence
Danny Pickens has more than fifteen years of experience in the fields of military intelligence, counterterrorism and cyber security. As the director of Optiv’s cyber threat intelligence (CTI) practice, Pickens is responsible for the direction and operations of a staff of CTI analysts and consultants charged with conducting research and analysis to support clients with strategic advisement and consulting in the area of intelligence for business alignment and decision advantage.