Bringing Sanity to Threat Intelligence – A Functioning Intelligence Ecosystem

David Lavinder

This post was inspired by an article I read the other day that highlighted something which struck a chord,  “[m]uch like threat intelligence & string theory, people talk a lot about this, but nearly no one knows what it actually means.”  After almost a decade in the Intelligence Community, I’d like to share my thoughts with the broader community on some distinct problems I’ve found with private sector intelligence programs… and more importantly, what intelligence professionals can do to fix them.

A Functioning Intelligence Ecosystem

Let’s focus on the overarching design considerations and requirements for building a comprehensive intelligence program. We will draw on lessons learned from some of the best intelligence organizations in the world and demonstrate their applicability to the private sector.

A Tried-and-True Intelligence Model – The Military

All oxymoron jokes aside, when you mention military intelligence, the first things that come to mind are the “big three-letter agencies.”  The ultra-secret Tom Clancy organizations surrounded with mystery and conspiracy; the most common being the CIA and NSA.  Not many people are aware of the fact that there are actually seventeen different organizations attached to the United States Intelligence Community.

These seventeen disparate organizations operate under strict guidance and oversight led by the Director of National Intelligence.  Guidance can come in many forms, from executive orders and laws, down to organizational policies, but the end state is clear:  every intelligence analyst with the United States Intelligence Community knows their analytic ‘lane in the road,’ the authorities that allow them to pursue the mission, and the customer they support.

From an intel analyst perspective, analysis results in three primary levels of intelligence reporting which we’ve listed below, each with an example of a potential audience.  For those of you with a strong background in the IC this will be over-simplifying; bear with me.

Strategic – Senior Leadership (Pentagon)
Operational – Combatant Commander (Colonels, Generals)
Tactical – Field Commander (Captain)

Identifying that a General or Admiral requires different intelligence than an Army Captain seems obvious, but let’s be clear: these three levels of reporting are defined by the decision space they address.  To highlight this delineation, let’s look at the fifth-generation Russian fighter, the PAK-FA, as an example of the different levels.

Strategic Intel

The PAK-FA is a threat to F-22 air superiority and will reach FOC (full operational capability) by 2016. 

Decision Space – Have I allocated enough budget to develop defeats to the PAK-FA threat to US air superiority?

Operational Intel

Kerplakistan has 15 PAK-FAs. The PAK-FA radar detects at a range of 20mi and can carry 16 missiles, pull 15G’s, and go Mach 6. 

Decision Space – What do I need to deploy to Kerplakistan to deal with the PAK-FA threat?

Tactical Intel

AWACS reports a PAK-FA 2-ship is airborne over Al-Capital, Kerplakistan, headed ESE @ 200 knots.

Decision Space – Do I need to deal immediately with this and intercept? Where is my closest asset to respond?

As the examples illustrate, the decision spaces differ greatly and therefore require fundamentally different intelligence products.  Setting aside the analysis function for now, it becomes evident that a connection exists between the threat and its associated response.  This further implies that all levels of reporting are essential when creating a comprehensive intelligence program that delivers the right intelligence to the right people at the right time.

The Private Sector Comparison

The first obvious difference is the distinct lack of governance, oversight, and/or policy; but that’s not necessarily a bad thing.  That lack of strict governance gives private sector intelligence professionals freedom to explore and freedom to create.  It does, however, also provide us enough rope with which to hang ourselves.  In reality, we can’t even agree on a common definition yet (just peruse the 10.6 million Google results for “threat intelligence” if you don’t believe me).

With our military roots in mind, let’s return to the levels of intelligence reporting.  What, or who, is the target audience for each level?

Strategic – Senior Leadership (CEO, COO, CFO)
Operational – Security Leadership (CISO, CSO)
Tactical – Security Staff (SOC analysts)

Let’s demonstrate this delineation with another example.

Strategic Intel

Breaches in my industry have increased 40% in the past 2 years and increased in total cost. 

Decision Space – Am I comfortable with my balance of security vs risk? What are my company’s crown jewels I need to protect?

Operational Intel

The primary actor groups attacking my industry are Pipelink, Chain Panda, and Energetic Sloth. Their primary TTPs are to use phishing, web-app attacks, and VPN brute forcing.

Decision Space – Are my defenses set up in a way to maximize my detection of these threat vectors and protect the crown jewels? Do I have a response plan if something happens?

Tactical Intel

A VPN brute force attack is being detected on one of the servers in the DMZ.

Decision Space – Do I need to deal with this immediately?
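To make the three private sector tiers concrete, here is an added example that is not part of the original post: one constructed data set produces three products, one per decision space. The tactical product is a brute-force detection over constructed VPN authentication log lines (the log format, the five-failures-in-sixty-seconds threshold, and the host and source addresses are all assumptions for this example); the operational product tallies which TTPs from the post’s list were actually observed over a period; the strategic product is the year-over-year incident trend. The point is that the same underlying events are reported differently depending on who has to make a decision.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: authentication log lines from a DMZ VPN server.
# The line format is an assumption made for this example, not a real product's format.
VPN_LOG = """\
2024-03-04T09:00:01Z vpn-dmz-01 auth: FAIL user=jsmith src=203.0.113.7
2024-03-04T09:00:03Z vpn-dmz-01 auth: FAIL user=jsmith src=203.0.113.7
2024-03-04T09:00:04Z vpn-dmz-01 auth: FAIL user=admin src=203.0.113.7
2024-03-04T09:00:06Z vpn-dmz-01 auth: FAIL user=root src=203.0.113.7
2024-03-04T09:00:08Z vpn-dmz-01 auth: FAIL user=test src=203.0.113.7
2024-03-04T09:00:09Z vpn-dmz-01 auth: FAIL user=guest src=203.0.113.7
2024-03-04T09:02:00Z vpn-dmz-01 auth: OK user=mlee src=198.51.100.20
2024-03-04T09:05:00Z vpn-dmz-01 auth: FAIL user=mlee src=198.51.100.20
2024-03-04T09:05:30Z vpn-dmz-01 auth: OK user=mlee src=198.51.100.20
"""

# Detection tuning (assumed values): N failures from one source against one host
# inside a sliding window. A single mistyped password never trips this.
THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Turn one constructed log line into a dict of fields."""
    ts, host, _, result, user, src = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "ok": result == "OK",
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def tactical_alerts(log_text):
    """Tactical product for the SOC: one alert per (host, source) that exceeds
    THRESHOLD failures inside any WINDOW-long sliding interval."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev["ok"]:
            failures[(ev["host"], ev["src"])].append(ev["ts"])

    alerts = []
    for (host, src), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most WINDOW.
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                alerts.append({
                    "host": host, "src": src, "ttp": "vpn_brute_force",
                    "first_seen": times[start], "failures": end - start + 1,
                })
                break  # one alert per pair is enough for the SOC queue
    return alerts


# Constructed findings for one quarter, using the TTP categories the post names.
PERIOD_FINDINGS = [
    {"date": "2024-01-12", "ttp": "phishing"},
    {"date": "2024-02-03", "ttp": "web_app_attack"},
    {"date": "2024-02-20", "ttp": "phishing"},
    {"date": "2024-03-04", "ttp": "vpn_brute_force"},
]


def operational_summary(findings):
    """Operational product for the CISO: which threat vectors the defenses actually
    saw this period, most frequent first, so coverage can be checked against them."""
    return Counter(f["ttp"] for f in findings).most_common()


def strategic_trend(incidents_by_year, first, last):
    """Strategic product for senior leadership: percentage change in incident
    count between two years (None if the baseline year had no incidents)."""
    base, current = incidents_by_year[first], incidents_by_year[last]
    if base == 0:
        return None
    return round((current - base) / base * 100)


if __name__ == "__main__":
    for a in tactical_alerts(VPN_LOG):
        print("TACTICAL:", a)
    print("OPERATIONAL:", operational_summary(PERIOD_FINDINGS))
    # Constructed yearly counts, not real industry figures.
    print("STRATEGIC: %+d%%" % strategic_trend({2022: 10, 2024: 14}, 2022, 2024))
```

The tactical output is what a SOC analyst acts on in minutes; the operational tally is what a CISO reviews when deciding whether detection coverage matches the vectors in use; the strategic figure is the single number a CEO weighs against risk appetite. None of the three is more "correct" than the others, and none of them is an indicator feed.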

With these examples in mind, take a careful look at your intelligence program.  Compare it to the model that is “tried and true” from the military.  Is your intelligence program meeting the needs of the decision makers, the CISO, and the security staff?  Is the intelligence relevant in their decision space?  Does it provide the right intelligence to the right people at the right time?

The stark reality is that a comprehensive threat intelligence program is more than a collection of indicator feeds.