ESTABLISHING A FORMAL CYBER INTELLIGENCE CAPABILITY
From Verisign® iDefense Security Intelligence Services
White Paper

Nov 20, 2015


CONTENTS

2 Verisign Public | Establishing a Formal Cyber Intelligence Capability

Introduction 4
Preliminary Considerations 5
The Intelligence Cycle 6
    Direction 9
    Collection 10
    Analysis 13
    Dissemination 15
Operationalizing Intelligence 17
    Organizational Structures 17
    Implementation and Deployment 19
    Intelligence Maturity Model 22
Best Practices 25
Conclusion 28
Appendix: RFI Template 28


Throughout the world, organizations are realizing that advanced intelligence capabilities consistently deliver substantial cost savings, with proactive insights on true threats, the intelligence to avoid false alarms, and the system and application availability required to preserve revenues and customer loyalty.

While the benefits are clear, achieving them requires organizations to establish a formal cyber intelligence capability. The process involves carefully assessing a vast array of strategic and tactical considerations, and then implementing an intelligence model based on methodical, proven processes. Each decision influences the next, so those engaged in this effort would be wise to follow proven best practices. Over years of on-the-ground experience, Verisign iDefense has tested and refined those practices. This paper is built from that knowledge. It has been written to convey the fundamentals of intelligence operations, and will be most helpful to organizations still in the planning or initial stages of establishing an intelligence capability. Its content should also prove enlightening to organizations that find themselves struggling with the development and evolution of their existing intelligence capability.

This paper describes a proven, repeatable process with clearly established steps. The process begins by defining who the customers of the intelligence products will be. They will issue directives and receive the final products, so their involvement up front is vital. All stakeholders must share a common understanding of the goals, capabilities and limitations of the intelligence effort. All this is necessary even before selecting the intelligence team. Stakeholders also must agree on whether the intelligence team's goal is to produce assessments for internal use, for delivery to law enforcement or for use in judicial action. This largely determines the approach and methods the team adopts.

The Intelligence Cycle itself has four stages:

Direction, where the intelligence team defines customer requirements based upon an analysis of the customer's core business.

Collection, one of the most complex elements of intelligence practice and a process that is fraught with issues for intelligence teams.

Analysis, in which different opportunities and risks present themselves as the team's analytical function seeks to convert raw data into a fused intelligence product.

Dissemination, where the intelligence team delivers the product to the customer and can assess the success or failure of the operation.


After defining the team's mission and understanding the basic Intelligence Cycle, the work of assembling resources and establishing a management plan can begin. Since most teams are rarely able to fulfill their entire charter at an early stage, prioritizing the most critical needs of the customer, and possibly the most critical customers, will help the team establish a solid foundation.

Even from the outset, stakeholders should measure the intelligence team against a model of effectiveness or maturity as a way of gauging current capabilities and planning future efforts. The maturity model should assess the team or each sub-team at each stage of the intelligence lifecycle, providing management personnel with a means to produce overall assessments. The intelligence manager and other stakeholders should assess the capabilities on a scale from informal to highly repeatable and efficient, where the highest grade indicates well-documented processes and communications, a high degree of automation, and the visibility into the process that is necessary to identify and address insufficiencies in a quantitative fashion.

Ultimately, it's the job of intelligence teams to deliver useful and relevant intelligence products (such as risk assessments, presentations and databases) that help decision makers protect information, assets and people. Still, the true impact of intelligence on decision making often remains unquantifiable and, as such, immeasurable. By adhering to proven intelligence practices and applying the appropriate management structure and oversight, any organization can develop a successful intelligence capability.

INTRODUCTION

Information today is plentiful and inexpensive. But for corporate organizations that make strategic and tactical decisions in an environment of uncertainty, a simple information feed frequently isn't enough. Too often, torrents of information lacking context and relevance overwhelm a decision maker. Intelligence analysis addresses this issue by methodically collating data into information and then turning information into intelligence.

Many organizations recognize the need to better understand their adversaries, the security threats those adversaries pose, and their methods of attack. As a result, many organizations initially develop informal, ad-hoc intelligence capabilities that before long show their weaknesses or are simply outgrown. Eventually, the organization must consider how to establish more formal intelligence operations. Some organizations may still establish a formal intelligence team separate from their security operation. But in a world where the threat landscape is constantly changing, the view that intelligence and security demand separate sets of personnel, training, technology and skill sets may be outdated. Increasingly, intelligence and security are viewed as partners instead of separate stakeholders, since the intelligence product is seen as an input to the security cycle.

This report lays out the fundamentals of intelligence, both theoretical and practical, to help organizations create an intelligence team, while providing guidance on how to evolve existing capabilities. It discusses the concepts that form the foundation for establishing intelligence gathering and dissemination capabilities.

BUSINESS INTELLIGENCE: DETECTING THE VOICE OF THE ENEMY

Business intelligence and threat intelligence both support decision makers in an organization, but the responsibilities of these two functions differ greatly. Business intelligence focuses on assessing market conditions and business competitors, whereas threat intelligence gains knowledge of malicious actors who can damage the organization's ability to provide services. If business intelligence is the voice of the customer, then threat intelligence is the voice of the enemy. iDefense asserts that there is a logical division between the types of teams that conduct each of these functions. This report focuses primarily on threat intelligence.


It also studies the pre-intelligence steps that examine why companies commission others to carry out the task of gathering and presenting intelligence in the first place.

Additionally, this paper seeks to define intelligence gathering, analysis and dissemination as a practice, one that moves away from guesswork toward a testable and repeatable process. This overview begins by defining the team's mission and customers, then presents the basics of the intelligence lifecycle, and then discusses how to construct a team and evaluate its capabilities. Finally, the paper outlines some key best practices that should prove invaluable to any organization trying to establish or improve a cyber intelligence capability.

PRELIMINARY CONSIDERATIONS

The crucial first step in developing an intelligence capability is to determine where it will fit in the organization's structure. This involves three activities, which may occur in parallel:

1. Identifying both customers and consumers of intelligence products
2. Determining the customers' intelligence needs and requirements
3. Defining and communicating the intelligence organization's charter and mission

Work with partners. Regardless of where an intelligence team fits in the organization, the team should foster key relationships with cross-functional partners who may be consumers of the team's intelligence or even valuable sources of input for intelligence products. One example is the organization's risk community (i.e., those departments responsible for managing different types of risk, such as information security, business continuity or disaster recovery, revenue assurance or fraud, and physical security). Other areas, such as finance, supply management, marketing, legal, human resources or internal auditing, may also be worthy partners in the intelligence effort.

Understand the needs of customers. The intelligence team needs to clarify the needs and requirements of its primary customers. The team needs to know whether customers require intelligence to inform decisions concerning strategy, profitability, competitors, threats or something else, since each of these will drive very different intelligence outcomes. The process to identify intelligence requirements must incorporate an interactive dialogue between the intelligence team and its primary customers. Interviewing key customers and decision makers can be challenging, but it helps customers identify and define their intelligence requirements. These steps sharpen a team's focus and priorities, help establish the organization's intelligence capability requirements, and identify the resources necessary to meet the needs of customers. While collaborating with customers to identify intelligence requirements, the intelligence team should be sure to address a few specific topics that can cause confusion if not clarified:

Will the organization supply intelligence to law enforcement? If so, authorities will require the production of evidence, which is significantly different from intelligence, and will require different collection and analysis methods to address relevant legal issues sufficiently.

How do customers see the role of the intelligence team and its products? Some customers look for guidance from intelligence analysts' assessments, while others seek certainty.

Do customers expect the intelligence team to inform decision making or to make decisions itself?

It's vital to clarify these points, especially because intelligence analysts typically deal with ambiguous situations based on incomplete information.

In this paper, we define intelligence customers as those entities that issue direction to an intelligence team. Intelligence consumers are those who may receive intelligence products but do not necessarily issue directions. An intelligence team's customers reflect where the intelligence team sits organizationally, and the company or agency should give this careful consideration, as it will greatly affect how the broader organization identifies and manages threats. A team will deliver vastly different products and capabilities depending on whether it receives its primary direction from a horizontal customer (the department of finance, information security or physical security) or a vertical customer (a director or C-level executive to which it reports).

Get everyone on the same page. It's difficult for intelligence teams to succeed without a common understanding among all stakeholders, customers, consumers and intelligence managers about the team's full scope of responsibilities. Here, communicating limitations is just as important as specifying requirements. For example, the intelligence team may not be able to meet all of the customer's needs due to legal, ethical or practical considerations, and disclosing those limitations early in the process sets expectations that the team can meet. This may lead the customer to look to alternatives, such as external parties, to provide what the intelligence team cannot. All these steps help define the intelligence team's mission and charter, which are particularly important because an enterprise can easily misunderstand the team's role.

THE INTELLIGENCE CYCLE

To successfully mount and implement an intelligence capability, it's essential to understand the intelligence lifecycle model. This section looks at the basic Intelligence Cycle, a lifecycle model (see Exhibit 4-1) for the intelligence workflow, and briefly mentions other models as a point of comparison.


The mission should articulate what organizational needs the intelligence team meets and how the team accomplishes those needs. The charter should clearly articulate the purpose of the intelligence team (which should align with the team's mission), its organizational or operational boundaries (i.e., scope), and endorsement from senior management.


Exhibit 4-1: THE INTELLIGENCE CYCLE

Direction. This is the first stage, in which a senior decision maker formally tasks the intelligence team with the essential facts and data that they need to collect. This is the stage where a relationship is formed between the customer and the intelligence team. This stage focuses on capturing the customer's requirements as intelligence requirements (IRs), the product of the direction stage of the cycle.

Collection. Once IRs are defined, the team collects and compiles raw information into a specific format for later analysis. This is the first major checkpoint for the Intelligence Cycle, as any mistakes in collection can cause a cascade of erroneous data through the rest of the cycle's process, resulting in the failure of the team to fulfill the IRs.

Analysis. Drawing from this raw information, analysts build intelligence throughout the analysis process. They use technical and non-technical methods to extrapolate patterns, meanings and sequences from raw data. This is the second point in the cycle where failure is possible, due to analyst bias, flawed hypotheses or other factors.

Dissemination. The intelligence team then creates and distributes a final intelligence product to the customer. This can take an innumerable number of forms, from a static document to a constant feed of information or an always-current database. In many ways, this is the answer phase of the Intelligence Cycle. Rarely will an intelligence customer be satisfied with a single delivery; receiving one product usually inspires additional intelligence tasks. This makes carefully managing stakeholder expectations and priorities a constant imperative.

Figure labels: Direction, Collection, Analysis, Dissemination (the four stages form a repeating cycle).


CROSSCAT-V

The Intelligence Cycle model isn't the only guide for new intelligence teams. Several useful principles are encapsulated in the acronym CROSSCAT-V (centralized control, responsiveness, objectivity, source and methods protection, systematic exploitation, continuous review, accessibility, timeliness and vision).

Centralized Control: A single point of control for the intelligence team simplifies interactions and eliminates duplication of effort.

Responsiveness: The team must answer the question the customer asked, not the question the intelligence team wishes to answer.

Objectivity: An intelligence team should not pick sides, no matter how emotive the subject.

Source and Methods Protection: Sources of information (both human and non-human), an organization's technical capabilities and its operational methodologies are the lifeblood of an intelligence team and must be protected.

Systematic Exploitation: Intelligence is a methodical practice of research and review, using multiple sources and agencies.

Continuous Review: Intelligence has a shelf life, and the intelligence team must carry out a periodic review of its product to ensure it remains relevant.

Accessibility: An intelligence team must constantly balance the risk of its product falling into the wrong hands with the need for the customer to access that product.

Timeliness: Delivering intelligence products to customers in a timely fashion is central to the intelligence function.

Vision: The intelligence team must consider possibilities that are not immediately obvious. Often, the vision of an intelligence analyst, combined with the moral courage to voice an unconventional theory in an open forum, can make the difference between operational failure and mission success.

F3EA

Another useful model is F3EA, a methodology used by special operations forces in the US and UK militaries. F3EA stands for find, fix, finish, exploit and analyze. This model can deliver an intelligence product sooner, but typically is appropriate only for organizations with the authority and capability to act against external adversaries. This largely limits F3EA's applicability to military and law enforcement agencies, since enterprises lack the authority to apprehend human or non-human assets and in many ways cannot even disrupt an adversary's operations. Even those efforts can give rise to complex issues, such as the difference between intelligence and evidence. Given both legal and operational limitations, the assessments and mitigations that the standard Intelligence Cycle produces are better suited to private sector organizations.


DIRECTION

Direction is the first step in the Intelligence Cycle. It requires knowing who the customer of the intelligence product is, which, in almost all cases, will be someone external to the intelligence team. The customers' collective needs define the team's scope and requirements. Here, customer organizations must decide whether they require strategic or tactical information, business and market intelligence, or threat and security intelligence, and whether they need to produce legally recognized evidence or consume the intelligence product internally.

Issuing directions and intelligence. It's rare for the customers themselves to issue clear direction or provide actionable tasking orders. Instead, intelligence managers work with customers to translate customer needs into actionable tasks.

Requirements generally fall into a loose hierarchy of critical information requirements (CIRs), priority information requirements (PIRs) and requests for information (RFIs).

CIRs are long-term, broadly defined categories that collectively set the scope of the team's efforts and responsibilities. CIRs might persist for one or more years, and should require approval from both customers and intelligence managers. If a task does not pertain to an existing CIR, it is outside the team's scope.

PIRs are medium-term directives that often revolve around a particular topic or project and are more specific than CIRs. Handled within weeks or months, PIRs are not subject to the same change-control rigor as CIRs, and the intelligence team creates and closes them based on direct requests from a customer or intelligence manager.

RFIs are tactical and narrower in scope, and may be generated by the team in an ad-hoc fashion; they may also come directly from a customer. RFIs are a critical component of the daily intelligence process. They may directly support PIRs or CIRs, but must at least indirectly support one or more CIRs. This paper includes an RFI template as an appendix.
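The scope rule above (an RFI must trace, directly or through a PIR, to an approved CIR, and anything that does not is outside the team's remit) is simple enough to check mechanically. The following is an added example, not material from the paper or from iDefense, and the requirement identifiers, titles and dates it uses are constructed for illustration. It models the CIR/PIR/RFI hierarchy as a small graph and walks each RFI upward until it either reaches a CIR that is still approved and current, or runs out of links.

```python
"""Requirement-linkage check for a CIR -> PIR -> RFI tasking hierarchy.

Hypothetical example (not from the Verisign iDefense paper). Every RFI must
trace, directly or through a PIR, to an approved, still-current CIR; an RFI
that cannot be traced is out of scope and should be declined with a reason.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Requirement:
    """One node in the hierarchy. kind is 'CIR', 'PIR' or 'RFI'."""
    ident: str
    kind: str
    title: str
    parents: tuple = ()              # idents of the requirements this one supports
    approved: bool = True            # CIRs need customer and manager sign-off
    expires: Optional[date] = None   # CIRs persist for a year or more, then lapse


def trace_to_cir(req_id, reqs, today, _seen=None):
    """Return the chain of idents from req_id up to a valid CIR, or None.

    A CIR is valid when it is approved and not past its expiry date. PIRs are
    followed upward; an RFI may sit under a PIR or directly under a CIR.
    Cycles and dangling references yield None rather than an exception.
    """
    if _seen is None:
        _seen = set()
    if req_id in _seen or req_id not in reqs:
        return None
    _seen.add(req_id)
    req = reqs[req_id]
    if req.kind == "CIR":
        current = req.expires is None or req.expires >= today
        return [req_id] if req.approved and current else None
    for parent in req.parents:
        chain = trace_to_cir(parent, reqs, today, _seen)
        if chain:
            return [req_id] + chain
    return None


def scope_report(reqs, today):
    """Map each RFI ident to its supporting chain, or None if out of scope."""
    return {
        r.ident: trace_to_cir(r.ident, reqs, today)
        for r in reqs.values()
        if r.kind == "RFI"
    }


# Constructed sample hierarchy (illustrative identifiers, not real tasking).
SAMPLE = {r.ident: r for r in [
    Requirement("CIR-1", "CIR", "Threats to customer-facing payment systems",
                expires=date(2016, 12, 31)),
    Requirement("CIR-2", "CIR", "Insider misuse of source code", approved=False),
    Requirement("PIR-1", "PIR", "Phishing kits impersonating our brand",
                parents=("CIR-1",)),
    Requirement("RFI-1", "RFI", "Which actor group operates the kit seen last week?",
                parents=("PIR-1",)),
    Requirement("RFI-2", "RFI", "Question raised directly under CIR-1",
                parents=("CIR-1",)),
    Requirement("RFI-3", "RFI", "Follow-up on a code exfiltration rumour",
                parents=("CIR-2",)),    # parent CIR was never approved
    Requirement("RFI-4", "RFI", "Competitor pricing", parents=("CIR-9",)),  # no such CIR
]}


def sample_report(today_iso="2015-11-20"):
    """Run the check over the constructed hierarchy as of the given ISO date."""
    return scope_report(SAMPLE, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for ident, chain in sample_report().items():
        print(ident, " -> ".join(chain) if chain else "OUT OF SCOPE (no valid CIR)")
```

Run as of the paper's publication date, RFI-1 and RFI-2 trace to CIR-1, RFI-3 fails because its CIR was never approved, and RFI-4 fails because it points at a CIR that does not exist; run the same check a year later, after CIR-1 has lapsed, and RFI-1 also falls out of scope, which is the change-control behaviour the CIR definition calls for.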

Evaluating requests. When the intelligence team receives an RFI from a client, the team's management should make a number of checks before embarking upon any kind of work stream. In particular, the team manager should ask three essential questions:

What can the team do? A team should agree to work that fits well within its scope and capacity to fulfill a client's request.

What can the team not do? Sometimes, work falls outside a team's capability due to technical limitations, legal restrictions or a lack of time.

What will the team not do? A team may decline work that is outside its defined scope, or tasks that violate the parent organization's code of ethics. Managers should give a reason when declining these projects.

Accepting requests. The team should always give the customer a confirmation that it received the request and will complete it within an established time frame. Despite the risk of succumbing to hubris, which can lead to acting independently and apart from stakeholder direction and oversight, intelligence teams must never lose sight of their main function: customer service.


COLLECTION

Collection is the bedrock of any intelligence operation. During the collection stage, the intelligence team enjoys a significant amount of freedom. This can be a double-edged sword, as the team also has the freedom to fail. It's rare that the intelligence team has the opportunity, later in the Intelligence Cycle, to correct mistakes made at the collection level.

Source types and associated risks. Data comes from a variety of sources that naturally break down into a handful of basic categories, each with its own characteristics and associated risks:

Human intelligence (HUMINT). Analysts can either overtly or covertly collect human intelligence (intelligence derived from people, using the relationship between the agent and the agent handler). While HUMINT is the easiest discipline with which to start an intelligence-gathering operation, it is the hardest from which to gain reliable, actionable intelligence. It takes a skilled agent handler to manage a covert human intelligence source (CHIS) collection, and the risks to all involved can be extreme. Intelligence teams across industry sectors use a number of models for conducting HUMINT operations. Any of them may involve compensating the source for the information provided:

Military and intelligence services. Intelligence teams conduct these operations covertly, with a classic agent handler and CHIS relationship and all the features of traditional spy craft. Risk levels are high for all involved parties. iDefense does not recommend this model for private sector firms due to the potential reputational risks from conducting covert operations.

Policing. Policing is done either overtly or covertly, and shares many of the features of the military and intelligence services model. Overt activities include elements of suspect interviewing and interaction with the public. iDefense recommends that management instill the formality and rigor of the wider process into a private sector intelligence team's daily functions.

Journalistic. This model is predominantly overt, with some limited covert activities. It replaces the agent handler and CHIS relationship with the interviewer and interviewee model. The main difference: interviewers generally cannot coerce interviewees. It's easier to combine this approach with viral marketing techniques and population surveys. However, as the level of openness increases, the value of the derived intelligence decreases. Nevertheless, iDefense recommends the journalistic model as the preferable model for a private sector corporation's intelligence capability.

Signals intelligence (SIGINT). SIGINT refers to technical collection capabilities, such as mobile phone intercepts, and is arguably the most technically demanding of the disciplines. But the time an organization invests in the creation of a SIGINT collection capability is worthwhile, as data typically comes directly from its source in the form of intercepted communication between actors. SIGINT also allows the observer to sit on the outside and look in on his or her target set, unlike HUMINT. SIGINT is by no means risk-free, with its main issue being the legal pitfalls of collecting such data.


Open-source intelligence (OSINT). OSINT comprises assessments that a team derives from data that is available to the public. OSINT is easily the most accessible form of information, though the abundance of data often makes it difficult to distinguish noise from actionable data. It can also be difficult to judge the authenticity of OSINT data. Though at first glance OSINT appears to be a risk-free practice, the truth is that collecting and analyzing fragmented data can present both legal and ethical issues. The legality of OSINT practices also varies by country.

Imagery intelligence (IMINT). IMINT is data derived primarily from photographic sources or other forms of technology that produce images.[1] IMINT is increasingly becoming a sub-discipline of OSINT, and an intelligence agency should not underestimate the potential value of this source. It is challenging, though not impossible, to apply IMINT to most corporate intelligence applications.

Operational intelligence (OPINT). Traditionally a military intelligence function that seeks to predict the next operational move of the enemy, OPINT has limited applicability to the private sector. Intelligence teams should nevertheless view OPINT as an essential function of intelligence practice, as this is typically the forum in which analysis fuses the products of the other sub-disciplines into one coherent intelligence product. An all-source or fusion cell intends to connect separate strands of intelligence data. The function of a fusion cell is not to eliminate conflict between separate collection groups. Instead, its core mission is to produce a unique product comprising reporting from multiple collection platforms.

Classifying sources is a precursor to establishing a collection grid and choosing a scanning methodology. These processes determine the organization's ability to cover the wide range of available information.

1. IMINT does not always produce a product that humans can interpret. Often, the image can comprise multiple scanning technologies that require a large degree of processing to be of any value to the analyst.

An almost infinite number of other intelligence subcategories exist. One is technical intelligence (TECHINT), which examines the function of systems, such as computer networks and missile systems. Most high-tech companies already perform technical analysis of rival products, and many security teams dissect the inner workings of malicious code or other technology-based attack methods. The vast body of TECHINT activity does not require any form of covert or underhand activity.


Breadth vs. depth collection. For the modern intelligence professional, the greater challenge isn't collecting data on a target but filtering the volumes of data collected to provide actionable and relevant intelligence. The intelligence team must often decide what is more important when dealing with a threat environment: breadth of coverage or depth of knowledge. Striking an appropriate balance between these two approaches establishes the frequency with which the organization will survey its sources and collect information, a process known as environmental scanning. There are three standard approaches to environmental scanning:

Periodic scanning. The team scans the environment at an established frequency, using any combination of even or staggered dates and timings ranging from minutes to months or even years. The key point is not to ingest data outside the set limits. In theory, this approach creates enough operational space for the intelligence team to act fully on the available data. It is useful when dealing with a relatively static threat landscape, where there are few or no game-changing shifts or spikes in threat activity. In such an environment, the intelligence team will provide the best value by fully analyzing the threat to provide the best mitigating strategy.

Ad-hoc scanning. The team scans the environment without a formal schedule, which results in periodic blips in the volume and depth of data that the intelligence team is dealing with at any given time. Within this model, the processing capacity of the team dictates the scanning frequency. This model can work well if the team is dealing with a threat landscape where it is difficult to quantify the danger each individual threat poses without further investigation. Properly managed, this model enables the intelligence team to maximize its productivity, as the team theoretically never waits idly for the next scan. Yet it also leaves the team open to strategic surprise, if its members focus on processing a large scan and miss a major event.

Event-driven scanning. In this model, the intelligence team scans the environment in response to a specific event within the threat landscape. This scan can be in response to an event that has already occurred or in anticipation of a future event. Though it can sacrifice flexibility, event-driven scanning can provide a tightly focused intelligence product centered on fulfilling very specific customer requirements.

Generally, large, well-resourced intelligence teams can combine scanning methodologies. For smaller teams, it is often preferable to limit scanning to a single approach to keep the operational tempo of the team manageable. In both cases, the intelligence team's management must balance the risk of strategic surprise against the risk of paralysis caused by excessive data volume.

    Establishing a collection grid. The collection assets and coverage that an intelligence organization has at its disposal are collectively known as a collection grid. By combining complementary collection sources, such as HUMINT, SIGINT and IMINT, the team can create a comprehensive collection grid to fit the task.

    A Strategic Approach to Scanning for Threats

    In a perfect world, an organization would be fully aware of the threats against it at all times. But no organization, public or private, can achieve 100 percent situational awareness. Still, many intelligence customers unreasonably expect that the intelligence team is fully aware of the threat environment at all times. As a result, the intelligence team's daily functions are shaped by managing customer expectations and by adopting a strategic approach to how it scans the threat environment.


    When establishing a collection grid, the sponsoring organization must ensure that it has oversight over its intelligence resources (transparency) and the ability to configure those resources to fulfill organizational intelligence requirements (control). And it must keep in mind that reliance on a single source will rarely fulfill intelligence requirements.

    The relationship between the grid and the organization is one of power and control: control must lie with the sponsoring organization, and the intelligence team must derive power, in the form of actionable data, from the grid. Failure to effectively develop, maintain and control a collection grid has proved, repeatedly, to be the source of intelligence failures. And any mistake at this early stage cascades throughout the Intelligence Cycle.

    Developing a collection plan. Using a collection plan, teams can apply the Intelligence Cycle to the available intelligence. In this stage, organizations have two main goals. First, they must create a collection grid that will provide the necessary data for the analysis stage of the Intelligence Cycle. They must then develop the grid as a tool they can leverage, instead of allowing the collection grid to drive the organization's decision-making process. A number of factors, such as overreliance on one source of data, misinterpretation of customer requirements and internal conflict between intelligence teams, can create a flawed collection plan.

    iDefense stresses that the development of a collection plan does not necessarily produce a tangible product that dictates a step-by-step guide to how an organization should conduct an operation. Rather, the core objective is to help the intelligence team manager understand how the team can best use the collection assets available to fulfill its customers' intelligence requirements. In developing the plan, the manager must assess how situational limitations on the collection grid may affect the team's final product. More often than not, an operation fails due to incorrect analytical conclusions drawn from the collected data or due to intelligence collectors feeding incorrect data into the analysis process. The analysis stage of the Intelligence Cycle can address the former error, but only an intelligence team can mitigate the latter, during the collection stage, through the construction of an effective collection plan. Modern intelligence practice is about making the best assessment possible based on an imperfect data set.

    Analysis

    Analysis sits at the core of the Intelligence Cycle and is a crucial checkpoint for an intelligence team on the path to completing a project. Analysis is a core function of the intelligence team's work. Simply put, faulty analysis leads to project failure. Organizational culture, structure and process play a key role in enabling effective intelligence analysis. This section focuses on process, specifically on cognitive process as opposed to organizational process. This cognitive process is the analytical mind-set that enables effective analysis, which results in better-informed decision making.


    iDefense's own interpretation of analysis, based on a number of years of on-the-ground experience, is that it is a testable and repeatable process through which raw data and information are structured into an intelligence product. Integral to this interpretation is the word "process," which is truly at the heart of what analysis is from both a cognitive and an organizational perspective.

    Developing the analytical mind-set. iDefense proposes that individual analysts, and teams as a whole, must seek to develop an analytical mind-set that enables a genuine understanding of problems and threats in order to provide information in a meaningful context. An intelligence team should use analytical tools to support, rather than replace, the rigorous and disciplined cognitive aspect of intelligence analysis. At the end of the day, the primary purpose of the analytical effort is to inform decision makers and enhance the quality of the decision-making process.

    In his book Analyzing Intelligence,[2] Roger George proposes the idea of a "complete analyst" and suggests five essential characteristics that the complete analyst must possess:

    1. Research methods to organize and evaluate data.
    2. The imagination to generate and test hypotheses.
    3. Awareness of the influence of cognitive bias and other external factors on an analyst's thinking.
    4. An open mind regarding alternative models.
    5. The self-confidence necessary to learn from errors.

    Curiosity. In addition, analysts must possess a genuine sense of curiosity that fosters deep research into topics. They must develop an understanding of a given problem from opposing perspectives and be able to easily alternate between each perspective as they identify new information and as they seek to determine how that information impacts each perspective.

    Perception. In his book Psychology of Intelligence Analysis, Richards Heuer notes that people's expectations largely drive what they ultimately perceive. That is, intelligence analysts possess a set of assumptions and expectations, and they tend to ignore or distort events that contradict these expectations. According to Heuer, patterns of expectations tell analysts, subconsciously, what to look for, what is important, and how to interpret what is seen.[3]

    Context. To comprehend an item of data fully, one must view it within its contextual reference. For the discipline of intelligence analysis, context is the environment from which an organization generates intelligence data, that being the data that, while not directly related to the core elements of a case, adds information to the case.

    Common cognitive traps. It's equally important to understand some of the more common cognitive traps that lead to faulty analysis.

    2. George, Roger. Analyzing Intelligence: Origins, Obstacles, and Innovations. April 11, 2008. Georgetown University Press.

    3. Heuer, Richards. Psychology of Intelligence Analysis. 1999. Center for the Study of Intelligence: CIA. https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/index.html


    Mirror imaging occurs when intelligence analysts assume that the subject they are studying thinks like the analysts.

    Layering occurs when analysts base assumptions or judgments on previous work that they have not updated or revalidated.

    Groupthink refers to members of a cohesive group attempting to reach consensus without critically evaluating ideas and assumptions.

    All these highlight the need for an environment that encourages self-awareness, peer review and questioning of existing procedures.

    Dissemination

    The final stage of the Intelligence Cycle, dissemination is the point at which an intelligence team passes the product back to its customer in response to that customer's original direction. Excellent intelligence that an intelligence team improperly presents will not effectively communicate the findings to the customer, resulting in a failure to achieve the team's task. As a result, dissemination is not a trivial matter. This final stage of the intelligence process contains several factors that determine the quality of an intelligence product and whether the customer base will accept it positively.

    Superior intelligence products share certain key characteristics:

    Brevity. Intelligence products should not be verbose. Executive summaries and bulleted key facts at the start of an intelligence product are useful for conveying the "so what" element of an intelligence report.

    Accuracy. Intelligence reports should never contain subjective information or the opinion of the intelligence analyst. The intelligence team should be honest and disclose to the customer any intelligence gaps that are in the product.

    Standardization. Nothing distracts a customer more than one intelligence organization producing several different products within the same product set to different standards. Each product line should be uniform in format and style, and any changes should be gradual.

    Regularity. An intelligence team should avoid the "feast or famine" approach to publishing its intelligence products. To make full use of an intelligence product, the customer must incorporate it into its own operational battle rhythm. A predictable publishing cycle from the intelligence team will help customers do this.

    Security. An agreement between the customer and the intelligence team should dictate that the intelligence products not leave the readership of the customer base.

    Timeliness. As with all steps within the Intelligence Cycle, the product must be on time to be of any use to the customer. Of all the factors that influence the dissemination phase, timeliness is the most important.

    In an ideal world, analysts would have all the resources and information they require to complete a given task. But in the real world, intelligence analysts deal with highly ambiguous situations that require judgment on their part before they know all the facts. The successful analyst will bring to bear a combination of experience, training, education, enthusiasm and an ability to think outside the box. An individual with an analytical mind-set will be able to adapt to new subject matter and produce cutting-edge products for any type of threat environment.


    Analysis. The fundamental role of the intelligence product is to make assessments. Analysts should attach an explicit assessment to every data element included in the product.

    Distribution. Over time, the intelligence team should build up a list of customers and ensure that their contact details are up to date. As a basic rule, intelligence products fit into one of three categories: high impact, medium interest and general background, though many organizations implement more granular segmentations of impact levels. A high-impact report will result in immediate and dramatic changes to the customer's actions. Medium-interest reports will usually result in a dialog between the customer and the intelligence team and the integration of the intelligence product into the customer's operational planning cycle. General background reports will build a picture for the customer of the threat environment but will stimulate little if any reaction on the part of the customer. Intelligence teams tend to generate reports within these categories in the form of a pyramid, with the most common report category being general background and the least common being high impact (see Exhibit 4-6).

    Naturally, the bulk of the material the team produces will likely contribute to assessing long-term trends, such as the evolution of tactics, capabilities and types of adversaries. This general background information establishes a baseline understanding against which the team can assess new developments to identify those that are of medium or high impact.

    Exhibit 4-6: Report Impact Levels

    Pyramid, from the top (least common) to the base (most common): High Impact, Medium Interest, General Background. Side labels: Actionable Intelligence; Information / News.


    Often the factor that determines the quality of the product is not the content of the report but the presentation of the product. Ensuring that the final product reaches the customer in an appropriate format for consumption formally completes the intelligence process. When possible, the intelligence manager should engage the customer to ensure the deliverable did in fact fulfill the customer's request and to collect any feedback or follow-up requests.

    Operationalizing Intelligence

    Turning intelligence theory into practice is a challenge that any organization wishing to develop an effective intelligence capability must address. The initial stages of an intelligence organization's life can often pose the most risk to the future viability of the team, from either disinterest or misinterpretation of the team's roles and capabilities by the host organization's senior management.

    This section starts by examining some key concepts for the development of the spirit of the team, both in its management structure and its outlook toward the individual members of the team. From this general look, this report continues by examining each job role in more detail, paying specific attention to roles that deal with intelligence and roles that manage the individuals within those roles. From this very practical focus, this section examines the higher-level concepts concerning data flow and management within the team and the decision the team needs to make between taking a passive or proactive operational stance.

    Organizational Structures

    Key to the success of any intelligence operation is the development of a logical team structure. Team managers must choose between a hierarchical and a flat command structure within the team. From an operational perspective, there are a number of advantages and disadvantages to both.

    Hierarchical versus flat model. A hierarchical team is the classic management model. Its main advantage is its ability to respond quickly to senior management due to the clear chain of command. With this model, it's easy to swiftly cascade direction through the team via the chain of command and make rapid strategic changes. Yet there is also a risk of losing intelligence between command layers within the team. This loss can create delays and slow the analysis of new information. Intelligence circles refer to this delay as "blink potential."

    To avoid this, the team can establish a flat management structure that allows team members to easily pass data between peers. Establishing this "unblinking eye" of operations reduces the risk of blink potential causing the loss of intelligence. The downside of this organizational structure is a lack of control and oversight from the team's management, which can have serious consequences, specifically in areas such as team task-scope creep and coordination of operations.


    When deciding what form the intelligence team's management chain should take, senior decision makers should consider that:

    A hierarchical system tends to support those new to the intelligence practice, whereas more experienced members appreciate the freedom of a flat management structure.

    Management can control a hierarchy more easily but will have less flexibility than with flat-structured teams.

    A widely distributed team organization will find a hierarchical structure more of a deterrent than a benefit for all levels of the team, though a large, flat organization will require recruitment of senior-level members who require less supervision.

    Team personnel. Intelligence teams can vary in size from "one-man band" single individuals working under the direction and support of a host agency to organizations comprising thousands of individuals, such as government agencies. Specific to information security, and cyber security more broadly, intelligence teams typically consist of managers, analysts and operations specialists, organized according to the phases of the intelligence process (collection, analysis, publishing), by categories of threat (malicious code, insiders, network intrusions, etc.) or a combination thereof. Some of the specialists who are frequently found in an enterprise security intelligence organization include:

    Intelligence manager, an authority figure who may be a manager, director or vice president depending on the organization's size and organizational culture. This person acts as the primary interface for customers and other stakeholders and is ultimately accountable for the team's successes and failures. The intelligence team manager sets the direction according to the scope agreed with the stakeholders and ensures the team executes the development plan. He or she also translates high-level strategic objectives into tangible tactical goals for the intelligence team.

    Operations team, which handles administrative and coordination functions, including working with customers to refine IRs, issuing requirements to teams, and assigning ownership of RFIs and larger analytical projects. This team shepherds tasks through the Intelligence Cycle and oversees the team's daily operations, escalating issues to the manager as needed.

    Publishing team, which ensures that final products adhere to the team's standards of quality and formatting. Publishers also perform content reviews, evaluating whether the author presents the content clearly and comprehensively and whether the final product meets the customer's requirements.


    Intelligence generalists, for cross-functional analysis and for leading inter-team efforts. The people who make up these groups are intelligence generalists. Small organizations may have only one pool of analysts that performs all collection and analysis for the entire scope of responsibilities.

    Malware engineer, who often reverses malicious code samples and/or monitors their behavior inside a controlled environment to understand the risk the code poses to the customer.

    Network engineer with a deep understanding of Internet protocols and defense mechanisms, to help security operators analyze traffic during security events and assess the benefits of deploying next-generation technologies such as IPv6 and Domain Name System Security Extensions (DNSSEC).

    Social scientist focused on social network analysis, individual profiling and collecting information from HUMINT and open sources. Only senior analysts should act as handlers of HUMINT sources, due to the dangers of information disclosure and reputational risk to a company. The social scientist helps customers determine the risks associated with certain business activities by understanding the capabilities of the attackers those activities may incite.

    Implementation and Deployment

    In developing the team, intelligence managers aim to shift from a reactive to a proactive stance. In a reactive stance, the intelligence team tells the customer what has happened in the past, whereas a proactive team will be able to communicate what may happen in the future. This is possible only by building the foundation for new capabilities, primarily by establishing assets and new job roles and assigning subject-matter specialists.

    Three stages of implementation. A useful way to view intelligence team implementation is to break it into early, mid and late stages. These stages should be viewed more as maturity levels than fixed timescales, since different organizations will move through the stages at different rates. Following a logical order will streamline the process of establishing each team post and achieving operational milestones. Exhibit 5-1 outlines the focus and milestones for each stage of building an intelligence capability.


    Exhibit 5-1: Proposed Early-to-Mature Life Cycle Stages of an Intelligence Team's Development (table follows below)

    Each stage could take as little as a few weeks or last as long as several years. Implementation times depend upon allocated resources, the sponsoring organizations appetite for risk, and the speed at which the team develops.

    Early Stage: Developing Core Capability

    Early in development, attention faces inward as the team focuses on crafting working procedures and developing a team identity. Initial deliverables (usually inquiry responses consisting of background intelligence) may not fully communicate a team's value, so support from senior management is essential.

    The RFI form. Designing a formal RFI form and process is a necessary early step, because it offers an effective way to identify customer requirements. Customers have to adopt the RFI form for daily use, so it's in the intelligence team's interest to make it easy for customers to provide the data the team needs by:

    Simplifying the request process and the form

    Differentiating between what might be useful and what is truly required

    Engaging other stakeholders and vigorously challenging the value of each field and step

    Focusing directly on how effectively the result captures the customers needs

    Exhibit 5-1 (table)

    Stage | Team Focus | Team Stance | Milestones and Products

    Early | Ensuring management support of the team, building the customer base and establishing core processes and products. | Exclusively reactive | Deploy standard RFI form and process; develop and maintain a collection plan; develop short-, mid- and long-term team plans; establish customer feedback process.

    Mid | Adjusting to customer needs and feedback, refining efficiency, and expanding scope. | Predominantly reactive | Deploy periodic reports on trends and developments; develop analytical specialties within the team; automate delivery of products through Web services APIs and RSS.

    Late | Anticipating customer needs and optimizing processes and capabilities. | Balanced between reactive and proactive | Deploy forward-looking assessments of emerging threats; integrate products into customer processes and tools.


    Soliciting feedback. The intelligence manager should solicit feedback from customers periodically, if not after delivering a response to each request. This feedback is critical to providing course corrections and capability assessments in the early stages and is necessary for the team to develop additional capabilities in later stages. Preferably, the manager provides a formal document template or even a website for customers to submit feedback, but simple e-mail responses are sufficient in this early stage.

    Mid Stage: Expanding Scope and Refining Operations

    After forming a workable group and with an established set of products, the team can focus on expanding its capabilities and consolidating its customer base. Throughout the mid stage, the intelligence manager should use customer feedback to ensure the team is aligned with customer needs. This may include developing areas of specialty that require intense focus or where a capability gap exists. Teams may recruit external talent, train existing personnel or simply identify new sources of information.

    Moving beyond the baseline. By now the team should have a sufficient understanding of the security environment as it affects the organization. From this baseline, it can begin to assess trends and changes in the environment and provide assessments of their significance. Developing these internally driven reports is the first step in introducing forward-looking intelligence products and transitioning from a purely reactive stance to a partially proactive posture.

    Integrating output into customer workflows and tools. Providing the customer with convenient access to the intelligence products improves adoption and makes the team more useful to the customer. Of course, the availability of sensitive information must always adhere to access control policies. The goal of providing easy access to intelligence products should never outweigh confidentiality requirements, as doing so would severely damage the customers trust in the intelligence organization and make the customer less likely to engage it.

    Tracking and managing RFIs. The team should also implement a central process to manage and track incoming RFIs and subsequent responses. Without a formal process and centralized log, the intelligence manager cannot sufficiently oversee team tasks as the volume and diversity of requests increase. By gaining insight into the workflow and allocation of resources, teams can better prioritize tasks and minimize the risk of an unfulfilled request.

    To this end, the team should establish a working database that records when an RFI comes in and when the team answers that RFI. The intelligence team will likely include additional database fields, such as the relevant CIR or PIR as required by the customer. In addition to avoiding mishandled tasks, overseeing an RFI database provides useful data for identifying capability gaps, resource needs and quantifiable metrics regarding the teams workload and usefulness to individual customers. The actual technical implementation of the database can be as simple as a version-controlled spreadsheet or as complex as a multi-user national system.

    It is common for new intelligence teams to issue RFI forms as a fixed-format text document that the customer e-mails to the intelligence team, although this approach becomes difficult to manage as request volumes grow. The Appendix of this report provides an example of a simple form that a team could use. Organizations will inevitably develop more robust and automated processes, such as online RFI forms, as their capabilities mature.
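    A minimal version of the RFI log described above, added here as an example and not the paper's Appendix template or any iDefense tool. It records when each RFI arrives and is answered, tags it with the customer and the PIR/CIR it serves, and derives the metrics the text calls for: open and overdue requests, per-customer workload and turnaround. The RFI identifiers, customer names, requirement labels and the 72-hour service target are constructed for the demonstration.

```python
"""RFI tracking log with the oversight metrics an intelligence manager needs.

Added example (not from the white paper). All sample data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional

# Constructed service target and "current time" for the demonstration.
SLA = timedelta(hours=72)
DEMO_NOW = datetime(2015, 11, 6, 21, 0)


@dataclass
class RFI:
    rfi_id: str
    customer: str
    received: datetime
    requirement: str                  # the PIR or CIR label the customer supplied
    answered: Optional[datetime] = None

    def turnaround(self) -> Optional[timedelta]:
        return None if self.answered is None else self.answered - self.received


@dataclass
class RFILog:
    entries: Dict[str, RFI] = field(default_factory=dict)

    def receive(self, rfi_id: str, customer: str, requirement: str, when: datetime) -> None:
        if rfi_id in self.entries:
            raise ValueError(f"duplicate RFI id {rfi_id}")
        self.entries[rfi_id] = RFI(rfi_id, customer, when, requirement)

    def answer(self, rfi_id: str, when: datetime) -> None:
        rfi = self.entries[rfi_id]    # KeyError on an unknown id: a mishandled task
        if when < rfi.received:
            raise ValueError("answer predates request")
        rfi.answered = when

    def open_rfis(self) -> List[RFI]:
        return [r for r in self.entries.values() if r.answered is None]

    def overdue(self, now: datetime, sla: timedelta) -> List[str]:
        """Ids of open RFIs older than the service target: the unfulfilled
        requests the manager must see first."""
        return sorted(r.rfi_id for r in self.open_rfis() if now - r.received > sla)

    def workload_by_customer(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for r in self.entries.values():
            counts[r.customer] = counts.get(r.customer, 0) + 1
        return counts

    def requests_by_requirement(self) -> Dict[str, int]:
        """Which PIRs/CIRs generate the most requests, a proxy for capability gaps."""
        counts: Dict[str, int] = {}
        for r in self.entries.values():
            counts[r.requirement] = counts.get(r.requirement, 0) + 1
        return counts

    def median_turnaround_hours(self) -> Optional[float]:
        done = [r.turnaround().total_seconds() / 3600 for r in self.entries.values() if r.answered]
        return median(done) if done else None


def sample_log() -> RFILog:
    """Constructed sample data: four requests, two of them answered."""
    log = RFILog()
    t0 = datetime(2015, 11, 2, 9, 0)
    log.receive("RFI-001", "SOC", "PIR-1 malicious code", t0)
    log.receive("RFI-002", "Fraud", "PIR-3 insider threat", t0 + timedelta(hours=3))
    log.receive("RFI-003", "SOC", "PIR-1 malicious code", t0 + timedelta(days=1))
    log.receive("RFI-004", "Legal", "CIR-2 breach notification", t0 + timedelta(days=2))
    log.answer("RFI-001", t0 + timedelta(hours=20))            # 20 h turnaround
    log.answer("RFI-003", t0 + timedelta(days=1, hours=48))    # 48 h turnaround
    return log


if __name__ == "__main__":
    log = sample_log()
    print("open:", [r.rfi_id for r in log.open_rfis()])
    print("overdue beyond SLA:", log.overdue(DEMO_NOW, SLA))
    print("workload by customer:", log.workload_by_customer())
    print("requests by requirement:", log.requests_by_requirement())
    print("median turnaround (h):", log.median_turnaround_hours())
```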


    Late Stage: Becoming Proactive

    Before entering the late stage of deployment, the team will have established most of its positions and will have a well-defined product set. But it is when the team shifts from an inward-looking, reactive entity to an outward-facing, proactive team that it becomes a fully mature intelligence organization.

    Evolving the mind-set. At this point, when members are regularly producing top-level high-impact reports, the team's major change isn't in its structure but in enhancing its competence. This is why there are so few tangible milestones in the late stage of the model. All the pieces are now in place, but team members still must change their mind-sets. A mature intelligence team starts to identify emerging trends and patterns. The team might even identify pieces of raw information that are relevant to the client's request even before the customer inquires about them.

    Engaging further with customers. Mature teams will observe the customer becoming more dependent on the flow of intelligence that the team creates. Intelligence products will become more tightly integrated with customer workflows, with intelligence information (even raw, unanalyzed data) finding its way into tools the customer uses daily via plug-ins or modules. Intelligence teams should also explore other ways to remain engaged with customers, such as sharing collaboration spaces and databases.

    Intelligence Maturity Model

    The maturity an organization demonstrates at each stage of the Intelligence Cycle collectively defines the maturity of that organization's intelligence capability. iDefense proposes the following levels of maturity, which can be easily applied to the operating stance of a team at each stage of the Intelligence Cycle:

    Ad hoc. Organizations handle tasks manually with little or no defined process. They may handle recurring tasks inconsistently.

    Formal. Expectations, capabilities and processes are all documented and understood. Tasks at this level are repeatable and have consistent outputs, though they are largely handled manually.

    Efficient. Automated processes streamline handling of tasks and data, including prioritization. There is increased visibility into operations through reporting metrics.

    Proactive. Organizations can identify intelligence gaps and anticipate future needs.


    Assessing maturity. When grading one's own organization, there will likely be a tendency to summarize a team's overall capability. Some may try converting maturity levels into numerical averages, which will usually provide a misleading picture because the maturity levels listed above are ordinal values for which mathematical operations are not valid, even if represented numerically. Instead, it is useful to view the intelligence process as a system that is only as strong as its weakest link. Excellent direction, collection and dissemination that rely on poor analysis still yield a poor product. Insufficient direction accompanied by excellent collection, analysis and dissemination capabilities almost certainly produces an irrelevant result. Similarly, the capabilities of a team are only as mature as the team's weakest point. Exhibit 5-2 is a sample assessment of an intelligence organization that acts as a report card of intelligence capability. Customers may have enough visibility into the workings of the team to provide this level of feedback directly, but intelligence managers should produce a similar overview at least annually, if not quarterly.

    Exhibit 5-2: Sample Assessment of an Intelligence Organization

    Team            | Direction | Collection | Analysis  | Dissemination | Overall Capability
    Management      | Formal    | N/A        | N/A       | N/A           | Formal
    Operations      | Formal    | N/A        | N/A       | Formal        | Formal
    Generalists     | N/A       | Ad hoc     | Formal    | Formal        | Ad hoc
    Malicious Code  | N/A       | Proactive  | Efficient | Efficient     | Efficient
    Network Threats | N/A       | Efficient  | Efficient | Formal        | Formal
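    The weakest-link rule applied to Exhibit 5-2, as an added example rather than anything from the paper or iDefense. It encodes the four ordinal levels, reproduces the report card and contrasts the weakest-link result with the numerical averaging the text warns against, which overstates the Generalists and Network Threats rows.

```python
"""Weakest-link maturity assessment over the four ordinal maturity levels.

Added example, not part of the white paper. The integer rank attached to each
level is used only for ordering; the paper's point is that arithmetic on these
values (averaging) is not valid, and averaged_capability() exists only to show
how that misleads.
"""
from statistics import mean
from typing import Dict, Optional, Tuple

LEVELS = ["ad hoc", "formal", "efficient", "proactive"]   # least to most mature
RANK = {name: i for i, name in enumerate(LEVELS)}

# Exhibit 5-2 as printed in the paper; None marks a stage the team does not perform (N/A).
REPORT_CARD: Dict[str, Dict[str, Optional[str]]] = {
    "Management":      {"direction": "formal", "collection": None,        "analysis": None,        "dissemination": None},
    "Operations":      {"direction": "formal", "collection": None,        "analysis": None,        "dissemination": "formal"},
    "Generalists":     {"direction": None,     "collection": "ad hoc",    "analysis": "formal",    "dissemination": "formal"},
    "Malicious Code":  {"direction": None,     "collection": "proactive", "analysis": "efficient", "dissemination": "efficient"},
    "Network Threats": {"direction": None,     "collection": "efficient", "analysis": "efficient", "dissemination": "formal"},
}


def overall_capability(grades: Dict[str, Optional[str]]) -> str:
    """Weakest link: a team is only as mature as its least mature graded stage.

    N/A stages are ignored; an unknown level name is rejected instead of being
    silently ranked.
    """
    rated = [g for g in grades.values() if g is not None]
    if not rated:
        raise ValueError("team has no graded stages")
    for g in rated:
        if g not in RANK:
            raise ValueError(f"unknown maturity level: {g!r}")
    return min(rated, key=RANK.__getitem__)


def averaged_capability(grades: Dict[str, Optional[str]]) -> str:
    """The misleading alternative: treat ordinal ranks as numbers and average them."""
    rated = [RANK[g] for g in grades.values() if g is not None]
    return LEVELS[round(mean(rated))]


def assess(report_card: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, Tuple[str, str]]:
    """Return {team: (weakest_link_level, averaged_level)} for every team."""
    return {team: (overall_capability(g), averaged_capability(g)) for team, g in report_card.items()}


def organization_capability(report_card: Dict[str, Dict[str, Optional[str]]]) -> str:
    """Apply the same rule across teams: the intelligence process is a system,
    so the organization inherits the level of its weakest team."""
    return min((overall_capability(g) for g in report_card.values()), key=RANK.__getitem__)


if __name__ == "__main__":
    for team, (weakest, avg) in assess(REPORT_CARD).items():
        note = "" if weakest == avg else "  <- averaging overstates maturity"
        print(f"{team:16} weakest link: {weakest:10} numeric average: {avg}{note}")
    print("Organization overall:", organization_capability(REPORT_CARD))
```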


    Best Practices

    Years of experience in the field have equipped iDefense with a list of best practices that would bolster the efforts of organizations seeking to develop an internal cyber intelligence capability.

    Implement a consistent style. An in-house style establishes a brand identity for the intelligence team and standardizes its products, thus making intelligence products easier to recognize, digest and integrate into the decision-making process. It makes it clear to customers that the intelligence team operates as an integrated organization. Teams should look to word processing programs, web portals and content management systems for templates and tools that help apply internal standards.

    Grade intelligence using the 5 by 5 by 5 system. Intelligence sources, value and sensitivity can vary greatly even within the same type of intelligence source. The process of grading intelligence helps convey clearly to the customer the assessed level of truth or fallacy in the product. To grade the quality of information coming from a HUMINT source, the intelligence community uses the 5 by 5 by 5 system. This system grades the reliability of the source, the credibility of the information, and how the processing organization should handle that information. An intelligence team should not attempt to filter information into categories of truth or falsity. Instead, the intelligence team should seek to communicate to the customer its assessment of the degree of confidence it has in the intelligence, based on the reliability of the source and the credibility of the information the source has provided. Exhibit 6-1 displays a standard grading system for intelligence.

    Using the system in Exhibit 6-1, an analyst on the intelligence team grades a product on source reliability (A to E) and information credibility (1 to 5). Any combination of grades is possible, though extreme grades such as A5 and E1 are highly unlikely.

    Exhibit 6-1: The first two 5 by 5 by 5 elements of the classic intelligence grading scheme

    Source

    A: Always reliable
    B: Mostly reliable
    C: Sometimes reliable
    D: Unreliable
    E: Untested

    Information

    1: Known to be true without reservation
    2: Known personally to source but not to collector
    3: Not personally known to source but corroborated
    4: Cannot be judged
    5: Believed to be false or malicious


    The factors that determine intelligence grading become particularly important when an organization faces A4-categorized intelligence or unverifiable information from a single trusted source. A4 intelligence can cause an inordinate amount of stress to an intelligence team and a customer, especially if the content of the report requires a rapid and dramatic response from a customer. Before dismissing A4-categorized intelligence, the team should consider the impact it would have, if verified. Potentially high-impact information, though unconfirmed, may warrant additional corroboration. The final piece of the 5 by 5 by 5 system grades how the customer should handle the information.

    Exhibit 6-2: The final element of the 5 by 5 by 5 system

    Handling

    1: Open source, no restrictions
    2: Restricted to clients only
    3: Restricted to specific clients
    4: Restricted to specific clients with conditions
    5: No dissemination without authority
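    The following is an added example, not code from the paper or from iDefense, showing how a team could encode the 5 by 5 by 5 scheme of Exhibits 6-1 and 6-2 so that grades are validated, the combinations the text calls highly unlikely (A5, E1) are flagged, the A4 case prompts for corroboration rather than dismissal, and the handling code actually gates dissemination. The compact "B2/3" notation (source, information, handling) and the recipient attributes passed to may_disseminate are assumptions made for this example.

```python
"""5 by 5 by 5 grading helper: an added example, not code from the paper.

Encodes the three scales from Exhibits 6-1 and 6-2 (source reliability A-E,
information credibility 1-5, handling 1-5) and applies the checks the text
describes: rejecting malformed grades, flagging the combinations the paper
calls highly unlikely (A5, E1), prompting corroboration for A4 reports, and
gating dissemination on the handling code. The compact 'B2/3' notation and
the recipient attributes are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

SOURCE = {"A": "Always reliable", "B": "Mostly reliable",
          "C": "Sometimes reliable", "D": "Unreliable", "E": "Untested"}
INFORMATION = {1: "Known to be true without reservation",
               2: "Known personally to source but not to collector",
               3: "Not personally known to source but corroborated",
               4: "Cannot be judged",
               5: "Believed to be false or malicious"}
HANDLING = {1: "Open source, no restrictions",
            2: "Restricted to clients only",
            3: "Restricted to specific clients",
            4: "Restricted to specific clients with conditions",
            5: "No dissemination without authority"}
# A top source reporting a falsehood, or an untested source reporting certainty.
IMPLAUSIBLE = {("A", 5), ("E", 1)}


@dataclass(frozen=True)
class Grade:
    source: str
    information: int
    handling: int

    @classmethod
    def parse(cls, text: str) -> "Grade":
        """Parse 'B2/3' = source B, information 2, handling 3 (assumed notation)."""
        t = text.strip().upper()
        if len(t) != 4 or t[2] != "/" or t[0] not in SOURCE \
                or not t[1].isdigit() or not t[3].isdigit():
            raise ValueError(f"malformed grade {text!r}; expected e.g. 'B2/3'")
        info, hnd = int(t[1]), int(t[3])
        if info not in INFORMATION or hnd not in HANDLING:
            raise ValueError(f"grade out of range {text!r}")
        return cls(t[0], info, hnd)

    def describe(self) -> str:
        return (f"{self.source}{self.information}/{self.handling}: "
                f"{SOURCE[self.source]}; {INFORMATION[self.information]}; "
                f"{HANDLING[self.handling]}")

    def warnings(self, high_impact: bool = False) -> List[str]:
        """Analyst prompts derived from the grade, per the paper's A4 discussion."""
        out = []
        if (self.source, self.information) in IMPLAUSIBLE:
            out.append("implausible source/information pairing; re-check the grading")
        if self.information == 4 and self.source in ("A", "B"):
            msg = "unverifiable report from a trusted source; do not dismiss without weighing impact"
            if high_impact:
                msg += "; high impact, so seek additional corroboration"
            out.append(msg)
        return out


def may_disseminate(grade: Grade, recipient: str, is_client: bool,
                    named_recipients: FrozenSet[str] = frozenset(),
                    conditions_accepted: bool = False,
                    authority_granted: bool = False) -> bool:
    """Gate release of a product on its handling code (Exhibit 6-2)."""
    h = grade.handling
    if h == 1:
        return True                                    # open source
    if h == 2:
        return is_client                               # clients only
    if h == 3:
        return recipient in named_recipients           # specific clients
    if h == 4:
        return recipient in named_recipients and conditions_accepted
    return authority_granted                           # 5: needs explicit authority
```

    The dissemination check belongs wherever a product leaves the team (a portal, a mailer, a ticketing hook), so that a handling 5 product cannot be released by accident; the warnings are meant for the analyst's own review, not for the customer.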

    Appoint a database manager. A critical element of maintaining a successful operations management database is the appointment of a designated database manager. The database manager should be the primary user of the intelligence application and is responsible for ensuring that records are accurate and that the team is processing tasks appropriately. Rather than a classic technical administration role, the intelligence database manager combines the intelligence team's database management with its operations management. This allows the database manager to allocate team members to each submitted RFI efficiently, actively manage resources, and oversee activities. Clearly, this is a senior role. The database manager needs an understanding of the team's collection capabilities and its ability to meet RFIs. Being available to answer the customer's RFI is an essential qualification, in addition to assessing the team's ability to complete RFIs. Exhibit 6-3 displays the complexity of the database manager role by outlining the functions involved in answering an RFI.


    Exhibit 6-3: Role and responsibilities of the database manager and the manager's relation to the organization's collection capability

    The database manager must form a relationship with the intelligence customer that is:

    Unambiguous. Any project that results from an RFI must have clear project boundaries and, most importantly, a clear and mutually agreed upon outcome.

    Singular. The database management process ensures customers do not submit redundant RFIs to the intelligence team, as any duplicated RFI wastes time.

    Feasible. Customers may ask the intelligence team to complete tasks that are not feasible due to resource or time constraints, or both.

    The database manager must carry the authority to delegate tasks and the ability to regulate the flow of requests within the intelligence team's systems. If the database manager is effective at overseeing the intelligence process flow, he or she will succeed in laying the foundation not only for short-term success but also for the long-term, sustainable growth of the intelligence team.

    Establish relationships with key cross-functional partners. Developing working relationships with key cross-functional partners greatly enhances the work of an intelligence team. These ties can enhance intelligence collection efforts, improve the evaluation of threats, and minimize conflicts by improving the team's understanding of business systems and processes. The obvious partners for the intelligence team are those organizations that manage risk, assuming they are not already providing direction to the intelligence team. An organization's risk community includes its physical security team, information security group, and business continuity personnel. Less obvious are groups that might help identify potential internal threats: the internal audit group, supply management operation, or legal department.

    Exhibit 6-3 (figure): Receive RFI; log request in RFI DB; determine what data the request requires, who is to look for the data and where, and when the task is due to be complete; task data collectors; monitor task progress; ensure response fulfills request; log response in RFI DB; send response.


    Use an iterative interview process to define requirements. Intelligence customers may not completely understand what they need from an intelligence team, or what they need may not align with the role, resources or responsibility of the team. An iterative interview process that encourages a two-way feedback loop is an effective way to define requirements. Interview questions should attempt to identify high-level areas of concern or needs, and then pull out the key decisions that require intelligence support. The team should group its questions in a logical way, such as by threat areas (cyber, fraud, competitive, regulatory, etc.), business units or objectives (market share, revenue, products, etc.), business strategy (speed to market, investments, industry disruptors, geographic regions, etc.), or business assets (employees, network, reputation, intellectual property, supply chain, stores, customers, etc.). Conducted once or twice a year, interviews also help acquaint customers with the team's resources and capabilities.

    Engage third-party vendors to address gaps. Particularly in the early going, intelligence managers and other stakeholders will need to balance intelligence priorities against available capabilities and resources. Using third-party vendors can fill those gaps. A qualified third-party vendor can:

    Serve as a force multiplier by augmenting an organization's existing staff.

    Provide expertise for short-term projects.

    Serve as a source for collection or assist in collection itself.

    Assist in intelligence analysis, or in developing an analytical mindset.

    Play the role of a red team or adversary to help assess weaknesses.

    Help teams develop an in-house style or co-brand products.

    Develop a battle rhythm. When putting theory into practice, intelligence teams face the risk of being overwhelmed, either by too much data or by too many tasks. As the stress of intelligence operations mounts, the team may become solely responsive to the influx of new data. When this happens, the team tends to ignore the data it has in hand and instead focuses on the incoming data feeds. The team is paralyzed, and the operation fails.

    A way to counter this is to develop a battle rhythm, a military management doctrine that focuses on maintaining control over personnel and assets in extremely stressful situations. This requires establishing working parameters for the management of data flowing in and out of the team, and clarifying the role of each team member in the process. The result is a set of standard operating procedures (SOPs) for the team, SOPs that can be learned, practiced, mastered and called upon in times of stress. It also allows the team's management to assess the capacity at which the team is running.


    CONCLUSION

    Intelligence is not simply a data feed, nor is it purely information. The heart of intelligence is an assessment of that data. Arming customers with insightful intelligence products will better inform those customers and improve their ability to make informed decisions. By following the steps outlined in this paper, an organization may establish an intelligence capability for the first time, or may formalize and refine existing operations, with the confidence that the direction of the team complements the needs of its customers. By outlining a framework for understanding the fundamentals of intelligence along with proven best practices, iDefense hopes to help organizations establish an effective intelligence capability.


    Required Date: Date by which the team has to return the intelligence product to the customer to be effective.

    Requested Organization: The department or group initiating the request.

    Background: This section includes a description of the scenario that applies to the request, including what information and sources the requestor is already aware of. This may be a brief synopsis of events and may reference previous requests.

    REQUEST

    Information Requirements: The main body of the request. The requestor should be as specific and direct as possible, preferably enumerating specific questions (e.g. a bulleted list) rather than writing a free-flowing narrative.

    Return Format: Date by which the team has to return the intelligence product to the customer to be effective.

    Point of Contact: The department or group initiating the request.

    Special Handling: This section includes instructions indicating any exceptions to the standard RFI-handling process, such as additional persons to include on the response or persons who should not have access to the request.

    APPENDIX: RFI TEMPLATE

    Using a standard request format greatly simplifies the process of collecting and interpreting customer requirements and ensures that the requestor provides the information the intelligence team needs for an efficient response. The template above is for customers to submit requests to the intelligence team. Other possible fields might cover priority, urgency, CIR, etc. Internal information, such as submitted date, assignees, control number and status, will aid in handling the request, though it is not advisable to include it in the RFI form the customer uses. All fields should have an explicit response, with Not Specified or a similar designation provided to indicate the customer's lack of preference or available information.
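    The following is an added example, not code from the paper or from iDefense, that ties the appendix template to the database manager's workflow in Exhibit 6-3: it models the customer-facing fields plus the internal fields the appendix keeps off the customer form (control number, assignee, status) and applies the three tests from the Exhibit 6-3 discussion, unambiguous (every field answered explicitly, with Not Specified as the sentinel), singular (no duplicate of an open RFI) and feasible (enough lead time before the required date), before a request is logged and tasked. The bag-of-words duplicate fingerprint, the two-day minimum lead time and the status transitions are assumptions made for this example.

```python
"""RFI intake helper: an added example, not the paper's or iDefense's code.

Models the customer-facing fields of the appendix RFI template together with
the internal fields the appendix keeps off the customer form (control number,
assignee, status), and applies the database manager's three tests from the
discussion of Exhibit 6-3: unambiguous (every field answered explicitly, with
'Not Specified' as the sentinel for no preference), singular (no duplicate of
an open RFI) and feasible (enough lead time before the required date). The
word-bag fingerprint, the two-day lead time and the status transitions are
assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import re
from typing import Dict, List, Optional, Tuple

NOT_SPECIFIED = "Not Specified"
CUSTOMER_FIELDS = ("requested_organization", "background", "information_requirements",
                   "return_format", "point_of_contact", "special_handling")


@dataclass
class RFI:
    required_date: date
    submitted: date
    requested_organization: str
    background: str
    information_requirements: str
    return_format: str = NOT_SPECIFIED
    point_of_contact: str = NOT_SPECIFIED
    special_handling: str = NOT_SPECIFIED
    # Internal fields: set by the team, not present on the customer's form.
    control_number: str = ""
    assignee: str = ""
    status: str = "received"


def validate(rfi: RFI) -> List[str]:
    """Unambiguous: every field carries an explicit answer, and the core question is stated."""
    problems = []
    for name in CUSTOMER_FIELDS:
        if not getattr(rfi, name).strip():
            problems.append(f"{name} is blank; write '{NOT_SPECIFIED}' if there is no preference")
    if rfi.information_requirements.strip() == NOT_SPECIFIED:
        problems.append("information_requirements must enumerate the questions to answer")
    return problems


def fingerprint(rfi: RFI) -> str:
    """Bag-of-words hash of the requirements so a reworded resubmission still collides."""
    words = sorted(set(re.findall(r"[a-z0-9]+", rfi.information_requirements.lower())))
    return hashlib.sha256(" ".join(words).encode()).hexdigest()[:12]


class RFIDatabase:
    MIN_LEAD = timedelta(days=2)            # assumed minimum time the team needs
    TRANSITIONS = {"tasked": "in_progress", "in_progress": "review", "review": "sent"}

    def __init__(self) -> None:
        self.records: Dict[str, RFI] = {}
        self._seq = 0

    def log_request(self, rfi: RFI, assignee: str) -> Tuple[Optional[str], List[str]]:
        """Receive -> check -> log in the RFI DB and task a collector (Exhibit 6-3)."""
        problems = validate(rfi)
        if rfi.required_date - rfi.submitted < self.MIN_LEAD:
            problems.append("not feasible: required date leaves less than the minimum lead time")
        fp = fingerprint(rfi)
        for other in self.records.values():
            if other.status != "sent" and fingerprint(other) == fp:
                problems.append(f"duplicate of open RFI {other.control_number}")
                break
        if problems:
            return None, problems                # hand the request back to the customer
        self._seq += 1
        rfi.control_number = f"RFI-{rfi.submitted.year}-{self._seq:04d}"
        rfi.assignee, rfi.status = assignee, "tasked"
        self.records[rfi.control_number] = rfi
        return rfi.control_number, []

    def advance(self, control_number: str, new_status: str) -> str:
        """Monitor task progress: only the defined forward transitions are allowed."""
        rfi = self.records[control_number]
        if self.TRANSITIONS.get(rfi.status) != new_status:
            raise ValueError(f"{control_number}: cannot move from {rfi.status} to {new_status}")
        rfi.status = new_status
        return rfi.status
```

    Rejected requests are returned with the list of problems rather than silently logged, which keeps the customer in the feedback loop the paper asks for; once an RFI reaches "sent", a resubmission of the same question is accepted again as a fresh request.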

    Verisign Public 201205

    VerisignInc.com. © 2012 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.