Getting In Gear: Accounting for Tactical and Strategic Intelligence

Michael Marriott | 9 August 2016

We’ve written before about how we like to map our services to the intelligence cycle. Of course, the intelligence cycle has its challenges – you only need to look to the work of Arthur Hulnick to see some of these. What it does do is produce a product that is accurate, well researched, timely and actionable.

But how do you account for competing priorities and requirements within your organization? Some will care more about the tactical side; others will favor the strategic aspects. Indeed, the guide below shows the extent to which different priorities and needs manifest themselves at tactical, operational and strategic levels within organizations. 

Fig 1: A guide to achieving cyber situational awareness

To ensure all of these varied priorities are accounted for, we’ve taken three steps:

1. Codified in the Collection Plan. Our collection plan spans from tactical to strategic elements; from data leakage to new trends with TTPs, threat actors and marketplaces. Having these codified in a collection plan ensures that we are collecting for clients’ concerns and priority requirements. In fact, we have a great video on this, which you can watch to learn more.

2. Separate teams. We have two analyst teams: intelligence operations and intelligence development. The former concentrates on predominantly tactical elements. What sensitive documents have been released online? Which online forums mention clients' IP ranges? Is there sensitive code on GitHub? Intelligence development, on the other hand, has its own intelligence cycle. This team focuses on emerging threats, new actors, new TTPs and answering our clients' more thematic requests for information. While the teams are separate and have their own intelligence cycles, they simultaneously feed off each other and drive one another.

3. Communication and interaction. While the day-to-day work can be different, good communication throughout the day, including morning stand-ups, the use of instant messaging chat rooms and evening handovers to our U.S. offices, keeps our teams talking, so that the work of one drives the work of the other.

It’s important to acknowledge the different concerns, priorities and requirements of different individuals within an organization. To address these concerns at Digital Shadows, we have produced a collection plan and structured the teams so that they maintain independence yet simultaneously drive each other. As is the case with so many aspects, effective communication between teams is essential to ensure the intelligence we provide to our clients is as strong as possible.