November 24, 2020 • The Recorded Future Team
Editor’s Note: Over the next several weeks, we’re sharing excerpts from the third edition of our popular book, “The Security Intelligence Handbook: How to Disrupt Adversaries and Reduce Risk with Security Intelligence.” Here, we’re looking at chapter three, “The Security Intelligence Lifecycle.” To read the entire section, download your free copy of the handbook.
Security intelligence changes the way we combat threats and adversaries. It empowers security teams to collaborate effectively while making swift, confident decisions. And in this world of fast-moving threats coupled with a massive cyber skills shortage, every decision advantage we have makes a difference.
To gain that critical advantage, intelligence needs to be tailored to the task at hand — delivering everything you need without any unnecessary noise. That’s why security intelligence tightly aligns with the tried-and-true “intelligence cycle,” which has guided government and military security teams for decades.
There are six precision intelligence components of security intelligence:
Recorded Future tailors each component to specific use cases, providing actionable, precision intelligence to streamline workflows and solve real-life challenges. This strategic, highly flexible approach enables your organization to implement security intelligence in a way that easily scales to match your program’s maturity and specific needs.
Examine the phases of the security intelligence lifecycle in the following excerpt from “The Security Intelligence Handbook.” In this section, which has been edited and condensed for clarity, you’ll explore security intelligence sources as well as the roles of automated tools and human analysts:
The Six Phases of the Security Intelligence Lifecycle
Security intelligence is built on analytic techniques honed over several decades by government and military agencies. There are six distinct phases that make up what is called the “intelligence cycle”:
The direction phase of the security intelligence lifecycle is when you set the goals for your security intelligence program. This involves understanding and articulating:
- The information assets and business processes that need to be protected
- The potential impacts of losing those assets or interrupting those processes
- The types of security intelligence that your organization requires to protect assets and respond to threats
- The priorities about what you need to protect
Once high-level intelligence needs are determined, an organization is able to formulate questions that channel the need for information into discrete requirements. For example, if a goal is to understand likely adversaries, one logical question would be, “Which threat actors on underground forums are actively soliciting data concerning our organization?”
Collection is the process of gathering information to address the most important intelligence requirements. It can occur organically through a variety of means, including:
- Pulling metadata and logs from internal networks and security devices
- Subscribing to threat data feeds from industry organizations and cybersecurity vendors
- Conducting conversations and targeted interviews with knowledgeable sources
- Scanning news websites and blogs
- Scanning social media platforms
- Scraping and harvesting websites and forums
- Infiltrating closed sources, such as dark web forums
The data collected typically will be a combination of finished information, such as intelligence reports from cybersecurity experts and vendors, and raw data, like malware signatures or leaked credentials on a paste site.
Processing is the transformation of collected information into a format usable by the organization. Almost all raw data collected needs to be processed in some manner, whether by humans or machines.
Different collection methods often require different means of processing. Human reports may need to be correlated and ranked, deconflicted, and checked. An example might be extracting IP addresses from a security vendor’s report and adding them to a CSV file for importing to a SIEM product. In a more technical area, processing might involve extracting indicators from an email, enriching them with other information, and then communicating with endpoint protection tools for automated blocking.
Analysis is the process of turning information into intelligence to inform decisions. Depending on the circumstances, these decisions might involve whether to investigate a potential threat, what actions to take immediately to block an attack, how to strengthen security controls, or how much investment in additional security resources is justified. Analysis is generally performed either by a human or a very sophisticated algorithm.
Analysts must have a clear understanding of who is going to be using their intelligence and what decisions those people make. The intelligence they deliver needs to be perceived as actionable, not as academic. Most of this book is devoted to giving you a clear picture of exactly how security intelligence improves decision-making and actions in different areas of security.
The form in which the information is presented is especially important. It is useless and wasteful to collect and process information only to deliver it in a form that can’t be understood and used by the decision maker.
For example, if you want to communicate with non-technical leaders, your report must:
- Be concise (a one-page memo or a handful of slides)
- Avoid confusing and overly technical terms and jargon
- Articulate the issues in business terms (such as direct and indirect costs and impact on reputation)
- Include a recommended course of action
Some intelligence may need to be delivered in a variety of formats for different audiences, like a live video feed and a written brief. Not all intelligence needs to be digested via a formal report. Successful security intelligence teams provide continual technical reporting to other security teams with external context around IOCs, malware, threat actors, vulnerabilities, and threat trends.
Dissemination involves getting the finished intelligence output to the places it needs to go.
As illustrated in Figure 3-1, most cybersecurity organizations have at least six teams plus security leaders who benefit from security intelligence. For each of these audiences, you need to ask:
- What security intelligence do they need, and how does external information best support their activities?
- How should the intelligence be selected and organized to make it easily understandable and actionable for that audience?
- How often should we provide updates and other information?
- Through what media (emails, newsletters, web forums, documents, slides, oral presentations) should the intelligence be disseminated?
- How should we follow up if they have questions?
Regular input is required to understand the requirements of each group and make adjustments as their requirements and priorities change. That input is gathered in the feedback phase. It is critically important to understand your overall intelligence priorities and the requirements of your “customers” — the security teams that consume the security intelligence. Their needs guide all phases of the lifecycle and tell you:
- What types of data to collect
- How to process and enrich the data to turn it into useful information
- How to analyze the information and present it as actionable intelligence
- To whom each type of intelligence must be disseminated, how quickly it needs to be disseminated, and how fast to respond to questions
Tools and People
Tools are essential to automating the collection, processing, and dissemination steps in the intelligence lifecycle — and to supporting and accelerating analysis. Without the right tools, analysts will spend all their time on the mechanical aspects of these tasks and never have time for analysis. Most mature security intelligence groups leverage two types of tools:
- A security intelligence solution designed to collect, process, and analyze all types of threat data from internal, technical, and human sources
- Existing security tools, such as SIEMs and security analytics, which collect and correlate security events and log data
Human analysts are equally important — if not more important. You can’t rely on tools to interview security experts and probe closed dark web forums. Also, you need people to analyze and synthesize intelligence for the security teams and managers who will consume it.
The analysts do not need to belong to a central, elite intelligence department. Someone does need to take an organization-wide view of the security intelligence function, make decisions about resources and priorities, and track progress, but success is achievable under a variety of organizational structures. You could have a central group with dedicated security intelligence analysts, or a small group inside the security operations and incident response organization. Alternatively, members of the different cybersecurity groups may be responsible for analyzing security intelligence for their direct colleagues.
In Chapter 14, we discuss how the organizational structure often evolves as the security intelligence function matures, and Chapter 15 provides advice on how to organize a core security intelligence team.
Get ‘The Security Intelligence Handbook’
This chapter is one of many in our new book that demonstrates how to disrupt adversaries and measurably reduce risk with security intelligence at the center of your security program. Subsequent chapters explore different use cases, including the benefits of security intelligence for brand protection, vulnerability management, SecOps, third-party risk management, security leadership, and more.