Page 6 - index
P. 6
The intelligence process—also known as the intelligence cycle—is divided into four or five steps
depending on the organization. For simplicity, the four-step version is described in the following
sections.
Planning and Direction
The first step of the cycle is to identify intelligence requirements, i.e., general questions to be
answered by the direction. In the military, defining these is usually the role of the commanding
officer (CO), a role that management or system administrators can fulfill in civilian organizations.
The broad requirements provided are then refined in precise questions by the analysts and
prioritized. Intelligence requirements must consider nontechnological aspects as threat actors,
whether they are criminals, hacktivists, or nation-states using the cyber environment for
economic, technological, political, or military purposes—not for the sake of breaching network
defenses.
Thus, guidance from above identifies the systems hosting key information, which requires
priority in terms of network defenses, while refining the requirements highlights threat actors
along with techniques and targets.
Examples of refined questions include the following:
• What information stored on our network would be of use to financially motivated
criminals?
• What intellectual property documentation stored on our network would provide a
technological advantage to competitor XYZ?
• Who in our organization produces intellectual property on product 1?
• What are the current tactics used by threat actor 6?
• Are our employees storing intellectual property on a personal cloud or removable media
at home?
Expect your list of questions to grow rapidly as they are refined: each must have unambiguous
and complete answers. Even if no answer is available, these unanswered questions will be
labeled as intelligence gaps representing unavailable information.
Collection
Rarely does one individual hold the answers to everything. At this stage, the analyst
enumerates every question with one or more parties that can answer—or partially answer—the
requirement into a collection plan.
These can include law enforcement agencies, Computer Emergency Response Teams
(CERTs), internal departments, or commercial intelligence providers. This plan can be shown as
a spreadsheet as seen below in figure 1.
6 Cyber Warnings E-Magazine – August 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide