First, what is an intelligence collection plan? Why does this even matter? In general, I think it's clear that plans are helpful and an effective practice for achieving concrete goals. But when it comes to intelligence, I'd argue that having a plan really is imperative. There is so much information out there, so much intelligence, that any organization really needs a clear direction and trajectory for where it would like its threat intelligence to take it, or it will be swept up by whatever happens to come its way, which may or may not be relevant to its particular risk posture.

There are three reasons for an intelligence collection plan. First, every organization faces risks, but the risks are not the same for everyone. The intelligence that a network security team at a nuclear power facility needs is likely to be quite different from the intelligence that a retail organization needs to combat cybersecurity threats. While some types of attacks are common to all, the truth is that different attack types tend to hit different industries differently. Retail organizations will want to closely guard any payment card information that transits their networks, because they know that threat actors are likely to go after it very aggressively. For the most part, retail organizations will be combating cybercriminal actors. On the other hand, a nuclear power plant's worst enemies might be nation-state actors seeking sabotage and destruction. It will want to prioritize intelligence on those groups, while, of course, also paying attention to cybercriminal activity, especially ransomware groups, which can also cause quite a bit of destruction.

Second, there is more information available than any one organization can effectively harness. We live in an information-rich world. But that doesn't mean all the information we have access to is always useful or relevant to our particular situation, and nowhere is this more true than in intelligence collection. If your organization doesn't identify what information is going to be most relevant to you and zero in on that, you're likely to miss it and get bogged down with distracting data that really doesn't matter, and that's not what you need.

Third, having a plan simply maximizes the chances that you will get the information you need. Of course, it's not a guarantee that you will be able to answer all of the burning questions your CISO or your CEO might have, but if you're targeted in your approach to collecting information and collect it deliberately, rather than relying on whatever comes your way, then you're more likely to get the most valuable, most relevant information for your organization and cut through all of the chaff that doesn't really matter.

Just to give an example, to paint a picture of how an intelligence collection plan might help an organization, I have here two contrasting stories. The first is about company 1, which spent a lot of time on intelligence analysis last year and delivered a large volume of information that was interesting and insightful, but didn't do this with a plan. They didn't have key intelligence questions; they were very opportunistic in their approach. Much of what they delivered was either based on, or simply a regurgitation of, intelligence work that others had done: the top headlines of the day, SolarWinds, the Kaseya ransomware attack, new F5 vulnerabilities. They produced all sorts of reports and hit on this wide variety of topics. But not all of these topics were really relevant to the organization. They didn't even use F5 in their infrastructure, so that vulnerability wasn't necessarily relevant to them at all. Near the end of the year, that organization was hit with a pretty significant ransomware attack, plus a data theft attack that they would only discover a few months later, and two BEC compromises that year. The organization didn't do their homework to understand the attack types they would be most likely to face and focus intelligence on those. Instead, they just focused on whatever happened to hit the headlines at the time.

In contrast, company 2 did do their homework. They knew that ransomware attacks and Business Email Compromise, or BEC, attacks would be the top two cybersecurity threats their organization would be up against, based on their industry, their geography, and recent attack data trends. They zeroed in on those two attack types; they were proactive rather than opportunistic in their intelligence collection approach. They dug deeper than what easily floated their way in open source so that they could answer their rigorous and carefully thought-through intelligence questions about the TTPs the actors they were most concerned about were using. They came to better understand how these threat actors were gaining initial access, how they were moving laterally, and how they were executing on their objectives. They used this intelligence to drive proactive threat hunting within their networks. As a result, the company caught two ransomware groups before they were able to deploy ransomware, and did not experience any BEC compromises this year, which was a huge improvement over two years ago. Implementation of multi-factor authentication probably also helped drive those BEC attack numbers down. Two rather dramatically different outcomes, and it all started with an intelligence collection plan. That is what really made the difference.