A Word on “Actionable” Intelligence
When we engage new Cyber Threat Intelligence (CTI) teams, we pretty quickly ask, “What’s your mission?” It’s a fast way to determine whether they’re an Indicator of Compromise (IOC) shop or striving to provide more ‘strategic’ intelligence. In the case of the latter, the response is almost always some variation of “to provide actionable intelligence.” Okay, well, good, but what does that mean? “It means our intelligence is actionable,” and it often doesn’t go beyond that. Like most CTI industry jargon, the term was adopted without the meaning and process that go along with it.
Actionable implies Utility
“Actionable Intelligence” has become a splashy buzzword that, like so many others in our field, has lost its foundations. (Search that term and see how often it comes up in an ad piece.) But how has it lost its way?
The private CTI field was born out of the desire to imitate the government/military intelligence community, and in those contexts, the purpose of intelligence was a little more clear. “Find us beach conditions here, here, and here.” Why? It doesn’t take a great leap to know we’re choosing an invasion spot and want to know which beaches can support the tanks and which cannot. Invasion? Yes, that’s an Action! “Get me the home address of Bad Guy X.” Why? Well, we’re going to go pay him a visit! Again, Action! In private industry, the intent isn’t so clear. “Here’s a list of IOCs!” Bam! “Here’s the top 20 malware samples in the industry!” Boom! ACTION!… wait…. What?
The “So What” Factor
The bottom line: the CTI industry got away from the decision-support aspect of intelligence. In the government/military space, intelligence is used to inform decisions, to help choose the next best course of action, and to eliminate as many “unknowns” as possible. For intelligence teams to provide actionable, i.e., “useful” intelligence, they must understand what the decision-maker is trying to do and what actions are being considered. That is where the “action” comes from: the decision-maker and operations teams, not the intelligence team.
Be of Good Use
When CTI teams produce intelligence products, they need to address the “so what.” The reader, the consumer of said products, needs to understand immediately 1) why they are receiving this product and 2) how it might be of use to them. The only way that quality of communication will occur is if the intelligence team understands their consumer’s need, or in intel-speak, their “intelligence requirements.”
So don’t focus on the term actionable, but instead, think of how to be useful.
Want to discuss further? We can be reached at info@d3intel.solutions.