Intelligence Analysis – How To Build a Well-Rounded Team
If you build it (an intelligence analysis team), they will come.
CyBeer of The Week: Tiny Rebel Clwb Tropicana
Metal Artist of The Week: Metallica
Intelligence Analysis & Lilt – The Ultimate Combination
As another wonderful Monday graces our lives, I’m back chatting nonsense and offering opinions on intelligence analysis you didn’t ask for but are getting anyway. That’s right dear reader, it’s time for another blog and that can only mean it’s time for beers, metal and intelligence analysis and stuff! What an exciting development!
This week’s wonderful beer comes in the form of Tiny Rebel’s Clwb Tropicana, and oh my, what a fruity concoction it is too! This alcoholic Lilt juicy IPA must have at least 13 of your five a day with all the aroma and flavour packed in. This is a perfect beer for a BBQ or for watching the football as these last days of summer grace us in what has been the absolute best year ever for all of us </sarcasm>. The Tiny Rebel guys have a host of great beers, but Clwb Tropicana is an absolutely sumptuous treat. If you like hazy IPAs with plenty of hop aroma, add this to your shopping basket.
So we have a fruity IPA perfect for the end of summer, and with that let’s get some EPIC metal on the speakers. The Metallica lads have just released S&M2 as an album following the cinema experience last year, and if you want to see gods of metal smashing it with full orchestral backing, then you owe it to me, to yourself, and to your favourite pet to check this out. I saw this show in the cinema last year and it was exceptional. For full disclosure, I also went to see them twice on tour last year, so I might be slightly biased, but it’s my blog and they’re awesome, so nerrrrr.
Anyway, we could talk about Metallica and beer all day, but this blog is for talking about cyber intel in all its forms, so let’s get cracking with the topic at hand shall we?
I want an intelligence analysis team. So what do I do?
Probably a question every CISO has asked themselves at some point. If you’re at a stage where you’re considering leveraging the power of intelligence to help you and your business, it should also be assumed that you have a fairly mature team of security professionals already. If you’re just starting out with a security programme, I’m not sure an intel team is the first piece of the puzzle.
It’s arguably the crown jewel at the centre when everything else is in line, but you need those foundations in place before you can dive head first into intelligence. The reasons for this are fairly straightforward: without a mature security team in place, you won’t have customers to provide intelligence to, or to get requirements from. You’ll struggle to understand the needs of the business, what risks you need to be concerned about and what’s already available. There’s also the fact that the intelligence team should be both proactive in its reporting and responsive to requests from within the business. If you don’t have the relevant stakeholders already in place, the value your intel team is going to add will be minimal, which isn’t good for anyone.
When everything else is in-line
Assuming you have a wider team in place already, and you see value in bringing an intelligence analysis team on board to join things together and provide the added context you can only get from intelligence, you need to get some staff. Now, depending on your organisation, budget, location and what kind of business you’re involved in, salary costs can vary, and every organisation is different. So I won’t get into that level of detail here, but first and foremost: you’re going to need someone who can be either your senior analyst or your head of intelligence.
These individuals will usually have extensive experience, ideally 10+ years for a head of, 5+ for a senior intelligence analyst. These individuals will have in-depth subject matter expertise in the area you’re recruiting for (cyber/fraud/OSINT etc). You’ll also want someone who’s been around the block and understands how businesses operate and who can identify quick-wins to get the team up and running, and with some momentum from the outset. It’s likely that you’ll also want someone with that direct experience to conduct further recruitment, so going top-down rather than bottom-up is the ideal starting point for this.
When it comes to looking for relevant candidates, you’re going to very quickly learn that there isn’t much out there in terms of intelligence qualifications. SANS have certifications in both CTI and OSINT, CREST have a couple of CTI ones, and then there are those with law enforcement backgrounds who might have PIP qualifications.
All of the above is a good base for any analyst to have, but you’ll find some excellent candidates who have none of them. It’s a common issue in cybersecurity for people to collect certifications in order to pass paper sifts, but they’re really not the be-all and end-all. I currently don’t hold any formal certifications and it hasn’t stopped me from progressing in my career. I’d like to get a couple on a personal level, just so I can ensure I have all the requisite baseline knowledge that I think I need, but that’s a personal preference more than anything.
You’ll find some candidates will have experience in the public sector and may be very vague about it. Bear in mind that working in one of the agencies is still traditionally treated as a cloak-and-dagger spy thriller every day, so their CVs will be thin on detail. You’ll possibly want to consider bringing those people to interview on the basis that their CV might allude to things you’ll only be able to get the wider picture of at interview (by asking about skills relevant to the role). This will likely also be the case for anyone coming directly from the Military, although with Military candidates you know you’re getting an excellent set of skills across the board in terms of leadership, discipline and work ethic.
You’ll also find candidates coming from the private sector, which usually means that CVs are more open than those from public sector or Military backgrounds, and therefore easier to judge, especially if the individual is active on social media with regards to their work and shares information and content. As someone who now has a background across public, private and Military throughout my career, I can see advantages and disadvantages to those who come directly from only one area. Of course, this changes with development and further experience. When it comes down to interview, only you and your panel will know who seems to be the right fit in terms of experience, knowledge and culture. At the end of the day, intelligence analysis is a process, and all these factors need to be considered.
Building Beyond Employee #1
Once you have the right candidate(s) to lead the team, you’ll be looking at possibly adding more junior analysts to round off the team, and at what capabilities you need in order to give the intel team the right tools to do the job. Of course, this is a business where your budget can be spent in full by any single vendor if you let them. The first thing you need to do is identify your core intelligence requirements. These will be internal, gathered from each stakeholder who could benefit from working with the intel team, but you should also identify your requirements with your existing vendors. After all, you might be able to give the intel team access to data from your existing tooling.
Intelligence requirements will be a regularly evolving process and should tie into the team following the intelligence cycle. As and when you establish requirements, you can start to understand whether you have appropriate protections where you need them, where gaps may lie, and which data sources are working for you and which aren’t. This is a critical, yet often overlooked, aspect of any intelligence team (particularly in the private sector, in my experience). It is something we as an industry need to change. If you get this right, you set yourself up for success, regardless of your budget. Remember, you can’t do intelligence analysis if you don’t have intelligence requirements!
Once you’ve identified the relevant tooling the team can use, and got it up and running (probably 19 years later if project management gets involved), you can start to focus the team on looking at not just external factors and potential threats, but ideally also internally, bringing all the data together to help aid threat hunting (in a cyber team) or potential insider threats etc. (in a more traditional intel team). With the right people in place to direct and lead on this work, you’ll probably find that more questions than answers begin to emerge. This is a good thing, honest! It shows that your team is getting its processes down, is meeting its requirements and, as any good intelligence professional should, is asking more questions to ensure they can provide relevant, timely and actionable information to you as a customer. When this is happening, things are looking good!
The Intelligence Analysis Team
Assuming tooling and everything else is in place (in some make-believe utopia of course), let’s consider how you’d want to structure your intelligence analysis team. I’m going to base this on most of the teams I’ve come across in the private sector, as I think that’s largely the most representative of reality for most teams.
We already identified that you need an individual to act as a team leader. Assuming you already have the ‘head of intelligence analysis’ in place, you’ll want to consider getting at least one senior analyst. The senior analyst will be a subject matter expert in your field. They will have experience doing the work and will be able to mentor, train, quality-check and guide more junior analysts, as well as conducting their own research and contributing to the team’s output. Depending on the scope and size of your team, you may want more than one, but sticking to our rough team size of 5-8 total, we can use just one person in this role.
You may also consider the senior analyst the team’s technical lead if your head of intelligence sits in a more traditional managerial role. This can work quite well, as you have one person handling the team’s wider issues and admin etc. and one person focused on the more technical aspects of the role or the team’s tooling.
In addition to the senior analyst, you’ll clearly want more analysts. You may have junior analysts in addition to your intel analysts, and these may also be apprentices, graduates etc. Your mid-level analyst should be someone with at least a couple of years’ experience doing the role and learning the ropes, who can operate independently and has room for growth and development. This level of analyst may contribute to the training and mentoring of junior analysts in addition to being given their own opportunities to train. This level would make up the majority of your analyst team.
If your organisation does have programmes for apprentices and graduates, you should definitely consider getting placements for them in your intel team. While a six-month stint might not be enough to build someone into a fully-fledged intel professional, it should give them a deep appreciation and understanding of the value intelligence can bring. By creating and maintaining training for them, you’re also ensuring that the wider team is keeping up to date with current trends and ways of working relevant to the field. This is especially useful in the cyber space. These small training programmes can also help you to understand what gaps there could be in your existing intelligence programme, which is obviously a good thing to know and be aware of.
One other thing I’d highly recommend is having at least one person who can act as a developer for new capabilities within the team. That could mean someone who is proficient in Python and can create scripts for the team to run against data or requirements. Or it could mean a full-time developer focused on delivering tooling and capabilities for the intel team (in the perfect world). This will be a huge time-saver and will prevent the intel team from having to go through laborious and painful procurement processes when they can develop new things in-house that can save time and automate a lot of the heavy lifting for their intelligence products.
With the tooling and the people in place, you’ll hopefully start to see some good results over the following months. When it comes to reviewing the team’s output and whatnot, you probably want to review your intelligence requirements every six months. This gives everyone the opportunity to look at what was asked of the team, including what the team provided, where that data came from, which sources were used with the most success or failure, what the requirements are now and what actions you might want to take with any data provider. All in, this allows your team to focus on doing their job and working to the requirements set upon them, as well as ensuring you’re regularly reviewing what your vendors are providing too.
This is just a whistle-stop introduction to standing up an intel team and is based solely on my experience throughout the years in a range of different teams (in both size and scope). I hope this is a useful introduction and gave you some things to consider if you are in this position. If you think I’ve missed anything, please comment here or on my social accounts. Until the next time, I’m going for a Clwb Tropicana (even if the drink’s not free).