To achieve the benefits of those capabilities, organizations need to adopt an intelligence cycle that defines and drives intelligences practices, Howard said.
Howard told Infosecurity that there are four stages to an effective intelligence cycle: direction, where the intelligence team defines requirements based on an analysis of the customer’s core business; collection of the data; analysis of the data to provide an integrated intelligence product; and dissemination of the intelligence to the appropriate people.
“Most intelligence agencies, whether they be government or commercial, follow this idea of an intelligence cycle”, Howard explained. “The process of intelligence never stops; in keeps going and going”, he added.
In setting up an intelligence team, organizations should consider at which stage they are currently, Howard said. He identified three stages of an intelligence team’s development: early (exclusively reactive), mid (predominantly reactive), and late (balance between reactive and proactive).
“The guys in the mature stage are less reactive and more proactive, meaning they are getting intelligence to their customer base before bad things happen so they can make decisions”, Howard said.
In a white paper, VeriSign iDefense offered organizations a number of best practices to develop internal cyber intelligence capabilities: implement a consistent in-house style to standardize intelligence products, grade existing intelligence system, appoint a database manager, establish relationships with key cross-functional partners, use an iterative interview process to define requirements, engage third-party vendors to address gaps, and develop a battle rhythm.
In grading the intelligence system, the white paper recommends the use of the 5x5x5 system. This system grades on a five-point scale the “veracity of the source, the veracity of the information, and how the processing organization should handle that information.” For the source, the scale ranges from “always reliable” to “untested”; for the information, the scale ranges from “known to be true without reservation” to “believed to be false or malicious”; and for the handling of the information, the scale ranges from “open source, no restrictions” to “no dissemination without authority”.
The paper stresses that the database manager should be the “primary user of the intelligence application and is responsible for ensuring that records are accurate and that the team is processing tasks appropriately”. In addition, the database manager should form a relationship with the intelligence customer that is unambiguous, singular, and feasible.
“Intelligence is not simply a data feed, nor is it purely information. The heart of intelligence is an assessment of that data. Arming customers with insightful intelligence products will better inform those customers, and will improve their ability to make informed decisions”, the paper concluded.