Building an Intelligence Capability: Agility, Creativity and Diversity

Mark Tibbs | 2 June 2016

The Internet is a big old place, full of disparate – and often contradictory – data in various languages, formats and structures. The sheer volume, variance, velocity and veracity of this data poses challenges for organizations: amid all of this noise, how do you pick out the information that means something to you and your organization? How do you ensure that the right people get the right information at the right time? 

Threat intelligence can help to solve this problem. While we provide threat intelligence as part of a much broader offering to our clients, we too have been through the process of building an intelligence capability. In our case, we have mapped our processes to the various stages of the intelligence cycle: planning, collection, analysis, dissemination and review. I’ll be going into some more detail on how we’ve actually implemented processes at each stage in my talk, but I wanted to first draw out three broader lessons that we can learn.

Firstly, at all stages of the intelligence cycle, it is important to stay agile. This is important to respond to new intelligence requirements, identify intelligence gaps and provide requests for information (RFIs).  But agility does not just refer to what you look for, but also how. Organizations ought to be agile in developing and implementing new features and capabilities. For example, we’ve just released a new typo-squatting feature to better identify threats that our clients care about.

Secondly, while it is necessary to take direction from clients in a structured way, it needs to be balanced with internal creative ideas. This does not always mean looking to external provides; organizations can also look to develop tools and capabilities internally and allowing people time for their own projects.   

Lastly, don’t overlook the importance of recruiting and training. This is essential to avoiding cognitive biases, such as groupthink. At Digital Shadows, for example, we employ analysts with a wide range of skills and backgrounds, such as law enforcement, military, government with language, academic, geopolitical, technical, analytical and investigative skills. This is good, but further training is required to ensure that everyone is aware of analytical techniques such as Analysis of Competing Hypothesis (ACH)

If you’re coming to Infosec in London next week, come along to our presentation on “Threat Intelligence – Lessons on Creating a Capability” at 2pm on 9th June to find out more about how this maps to the intelligence cycle.

Alternatively, request a private meeting and visit us at booth A110!