Intelligence vs. Infosec: The 3-letter-guy to the rescue?

Steve Townsley | 8 March 2016

Whenever Royal Marines deploy on operations, they take with them their own intelligence analysts. These analysts are fully trained and experienced Marines, meaning they benefit from having been in the position of the consumers of the intelligence they produce. Moreover, they complete rigorous intelligence tradecraft training, creating a formidable asset to support Marines on the frontline.

But do we have a similar arrangement in the information security industry? From what I’ve seen, the answer is mixed; some organizations are entirely technically focused, some lean more on the intelligence side, and a handful boast a combination.

In addition to this, there is also a developing skepticism against vendors who emphasize the intelligence background of their staff. This may be seen as the curse of the ‘3 letter guys’ – a term used to describe ex NSA/CIA/MI5/MI6 analysts, but also synonymous with any previous government analyst. Its usage is almost always negative. There’s obviously a danger with this input focused emphasis, but what is the output of intelligence expertise? How can we ensure that we can effectively merge technical knowledge with the intelligence tradecraft?

Firstly, like information security, intelligence is a discipline and profession of its own. Trained analysts bring with them a toolbox of intelligence instruments they can deploy. Therefore the relevance, accuracy, utility, and robustness of products are increased, thus reducing the risk of intelligence failure and, ultimately, the disruption of business and loss of profit.

So how can we get the best of both worlds and utilize information security and the intelligence? I see there being two options:

1. Hire individuals with both sets of skills. Unfortunately, these are rare and expensive.

2. Hire both technical and intelligence experts, and integrate the two.

So what would this integration look like in practice? Take this example. Our collection detects a criminal actor offering a new malware variant for sale on a criminal forum. Our intelligence analysts can assess the actor’s credibility using assessments from previous reporting and comparing these to the new information. Is the language similar to previous posts? Is the malware being offered similar to what would be expected from that actor? Is the post within the expected pattern of life? Does the post fit with what is expected of this forum? Why is this being offered for sale? Does it fit with a trend? Where is that trend going? Where does the author sit in the network of malware sellers?

The analyst can answer the “who, what, when, why, where”, but we rely on our information security colleagues for the “how”. In my example, they can comment on the technical details regarding the malware, what it means and potentially how it can be mitigated. Importantly, they can comment from the perspective of the consumer. Just like the Marine intelligence analyst with the frontline experience, the information security professional can contextualize intelligence so that it can be understood and acted on. This is becoming all the more important as consumers become increasingly demanding and are seeking relevant intelligence that is tailored to them and their sector.

Together, both these disciplines provide a powerful force for demystifying threats and increasing cyber situational awareness. This is exactly what we are building at Digital Shadows.