Direction: Terms of Reference, Intelligence Requirements, and Project Review

Rodolfo Santos Flaborea
5 min read · Oct 23, 2024


Executing the intelligence cycle starts with Direction, i.e., defining the questions that must be answered by the analyst (the Intelligence Requirements [IRs] and Priority Intelligence Requirements [PIRs]).

However, producing intelligence is, at its essence, a project, so basic execution parameters are necessary (the Terms of Reference [ToR]). They are:

  • Objectives: the project’s scope, i.e., what the intelligence project seeks to answer. It also considers criteria to indicate the project’s conclusion and the desired output format (e.g., a text or a presentation).
  • Stakeholders: the key people involved in the project and their specific roles. It includes who commissioned the intelligence project, who is responsible for executing it, and who will review it.
  • Resources: include (1) the standards and procedures that must be followed to generate a quality output and (2) a risk register necessary to estimate, visualize, and monitor the level of exposure intrinsic to the intelligence activity, i.e., the danger involved in getting in contact with adversaries. This last topic will be discussed further in a future post about Operational Security (OPSEC).
  • Methodology: refers to the entire process of the intelligence life cycle, which encompasses Direction, Collection, Analysis, and Dissemination.

Intelligence Requirements, Priority Intelligence Requirements, and Requests for Information

After establishing the ToR, the next step is to define the IRs, which encompass all the questions the project aims to answer, similar to research objectives in the academic field. The decision-maker (the “commander”) is central to determining the IRs, but the CTI team often contributes, given its domain expertise on the subject. Other important parameters are:

  • Industry verticals: intelligence topics inherent to a given sector. For example, financial institutions will worry about threats against the Society for Worldwide Interbank Financial Telecommunication (SWIFT) systems; essential infrastructure and industrial companies (e.g., utilities and manufacturing) often focus on Operational Technology (OT), including Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA).
  • Organizational specificities: include dimensions like dealing with critical or sensitive data, e.g., intellectual property (IP) and personal health information (PHI); geographical location, e.g., operating in one or multiple countries; and political vulnerabilities, which make the organization a potential target for threat actors with opposing political agendas.

[Figure: Different industry sectors have specific cyber security demands, including threat intelligence directions.]

Like research questions, IRs must be concise and objective, often mentioning a threat actor, a target, and an attack type or vector. Some illustrative examples are “Which threat actors may target company X’s supply chain?”, “What’s the probability of an APT 1 data exfiltration attack against organization Y’s intellectual property?” and “Which attack vector are cybercriminal groups like DarkSide most likely to use against company Z?”.

After defining a pool of IRs, the “commander” indicates which ones the CTI team will investigate (i.e., the PIRs). However, it’s fundamental that the “commander” and the CTI team agree on the validity of the chosen IRs/PIRs and on whether they are researchable at the moment of the project’s onset.

The next step is operationalizing the PIRs, breaking them into specific research topics called Requests for Information (RFIs). To investigate each RFI, the analyst accesses specific Sources and Agencies (SANDAs), which provide the data for this process. The same RFI may be associated with multiple SANDAs and vice versa. The CTI team can research different RFIs in various ways depending on the nature of the subject or the preferred methodology: in parallel or sequentially (independent or interdependent RFIs).

The analyst can consider threat actors’ modus operandi (MO) as guidance for mapping PIRs/RFIs to SANDAs. Following the Diamond Model, adversaries have different capabilities delivered by specific infrastructure elements, and those dimensions have corresponding SANDAs dedicated to investigating them. For example:

  • Nation-state threat actors (APTs) typically use general networks to deliver attacks (commonly malware-based), preserving their valuable stealth. Reverse engineering and passive DNS, CVE, and malware-signature databases are SANDAs that may help collect intelligence regarding such actors.
  • Cybercriminals often use the dark web, from accessing stolen credentials markets to hiring ransomware-as-a-service. Helpful SANDAs for researching these groups include those for APTs and dark web access methods and aggregators.
  • Hacktivists have an extensive presence on social media, given their political agenda that demands public attention. Social media aggregators and monitors are the corresponding SANDAs that collect data on them.

Following the general description above, the analyst can map by considering that PIRs/RFIs describe specific threat actors, capabilities, infrastructures, and groups of victims/targets, each with preferable SANDAs for researching.

Using resources like a simple spreadsheet or even more complex solutions like Microsoft SharePoint helps the CTI team visualize the RFI-SANDA links. This is the collection plan, an essential method to monitor the overall collection effort progress.

Intelligence Gaps

The collection plan also helps detect and deal with intelligence gaps, which are situations where a PIR/RFI can’t be answered. Such gaps typically crop up when there’s little to no SANDA redundancy, which means there’s a shortage of data collection sources and agencies available to execute the intelligence project.

The CTI team can deal with intelligence gaps by diligently mapping RFIs to SANDAs (described above). It can also account for a broader selection of SANDAs, e.g., freely available but often time-consuming ones (open-source) or those requiring payment (closed-source). Conceptual definitions are essential, e.g., open-source isn’t synonymous with Open Source Intelligence (OSINT). The sector where the analyst works also influences the notion of open- and closed-source SANDAs: the public sector frequently views the difference as the level of security classification attached to the SANDA (e.g., Top-Secret, Secret, Classified, and Public), whereas private sector organizations only consider the cost differences across SANDAs. As a last resort, the analyst can adjust the commander’s expectations and be honest with the decision-maker about the current project’s limits regarding specific RFIs. Such a posture is considered good practice in CTI.
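The collection plan described above (RFI-to-SANDA links) and the gap check it enables can be modelled in a few lines. This is an added example, not code from the original post; the PIR, RFI and SANDA names are constructed for illustration, and the threshold of two SANDAs per RFI is an assumed redundancy target.

```python
from collections import defaultdict

# Constructed collection plan (illustrative names, not from a real project):
# PIR -> RFI -> list of (SANDA name, kind) able to answer that RFI.
# kind is "open" (free, often time-consuming) or "closed" (paid/licensed).
COLLECTION_PLAN = {
    "PIR-1 Which threat actors may target company X's supply chain?": {
        "RFI-1.1 Campaigns against X's software vendors":
            [("passive DNS", "open"), ("malware-signature DB", "closed"),
             ("CVE DB", "open")],
        "RFI-1.2 Criminal-market chatter about X's suppliers":
            [("dark-web aggregator", "closed")],
        "RFI-1.3 Hacktivist statements naming X":
            [],
    },
}


def find_gaps(plan, min_redundancy=2):
    """Flag RFIs with too few SANDAs. Zero sources is an intelligence gap;
    fewer than min_redundancy (assumed: 2) means no fallback if one fails."""
    findings = {}
    for rfis in plan.values():
        for rfi, sandas in rfis.items():
            if len(sandas) == 0:
                findings[rfi] = "gap"
            elif len(sandas) < min_redundancy:
                findings[rfi] = "low-redundancy"
    return findings


def sanda_index(plan):
    """Inverse view of the plan: SANDA -> sorted RFIs it serves, i.e. the
    'vice versa' direction of the RFI-SANDA link."""
    index = defaultdict(set)
    for rfis in plan.values():
        for rfi, sandas in rfis.items():
            for name, _kind in sandas:
                index[name].add(rfi)
    return {name: sorted(rfis) for name, rfis in index.items()}


def open_source_coverage(plan):
    """Per RFI, whether at least one open (no-cost) SANDA can answer it;
    useful when a gap has to be closed without new budget."""
    return {rfi: any(kind == "open" for _, kind in sandas)
            for rfis in plan.values() for rfi, sandas in rfis.items()}


if __name__ == "__main__":
    for rfi, status in find_gaps(COLLECTION_PLAN).items():
        print(f"{status:15} {rfi}")
```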

Project Review

As with any project, intelligence research must be critically monitored and reviewed as necessary. This means considering if and how it effectively answers its IRs/PIRs, timeliness, overall presentation (e.g., communication format, spelling, and grammar [SPAG]), and if it follows budget constraints.

CROSSCAT is a helpful review framework. Each letter of the acronym refers to a fundamental project dimension the CTI team must evaluate:

  • Centralized: the project’s workflow and monitoring go through central organizational control.
  • Responsiveness: an open communication channel exists between the intelligence team and the customer, enabling good responsiveness to the latter’s IRs/RFIs and optimized tasking.
  • Objectivity: the CTI team strives to control bias and maintain an adequate impartiality approach through the intelligence life cycle.
  • Systematicity: each piece of data or information is methodically and logically analyzed.
  • Sharing: the CTI team shares the intelligence product carefully, following protective markings that signal who can access the information and to what degree it may be disseminated while protecting sources, if necessary.
  • Continuous review: the project stakeholders constantly monitor the progress and observe shortcomings, which helps improve future projects’ methodologies. Knowing that an intelligence product is a picture of its object at a given time is fundamental. So, it must be continually compared with new data or information for essential updates that will feed into new intelligence cycles. Recognizing intelligence gaps and discovering previously unknown IRs/RFIs is especially important.
  • Accessibility: the CTI team communicates the intelligence product following the customer’s specificities, including their demands, expectations, and viewpoints. In other words, the team adapts to its specific audience.
  • Timeliness: the intelligence project generates outputs promptly. This means an incomplete product is better than a complete but delayed one, i.e., outside the intelligence cut-off frame (when the intelligence output remains useful to the customer or decision-maker).

Written by Rodolfo Santos Flaborea

Psychologist and Cybersecurity Student. Certified in Security+ and currently studying for CREST CPTIA (Cyber Threat Intelligence).