LastPass Labs

The Importance of Priority Intelligence Requirements to EVERY Organization

Mike Kosak, November 02, 2023

The cornerstone of any threat intelligence program, be it one person tracking threats to their company on an ad hoc basis or a fully staffed and robust threat intelligence team, is the creation and implementation of Priority Intelligence Requirements (PIRs). PIRs allow threat intelligence practitioners to focus on the most critical issues, topics, and threats for the company. PIRs help identify which threats concern senior leaders, control teams, and business continuity partners. In previous conversations with company stakeholders, I’ve paraphrased this as “What keeps you up at night?” If everything is important, then nothing is important. When it comes to dedicating your limited intelligence resources, it is crucial to refine your focus.

There are a lot of fantastic guides out there from both the public and private sectors on how to create PIRs. The PIR itself was initially a government concept that has been brought into the private sector threat intelligence community. It has had success in the public sector in creating a common, agreed-upon focus for an organization’s limited intelligence capabilities, and there are doctrinal documents that can easily be found on the internet which provide guidance on the public sector’s approach. Many private companies also provide guidance on PIR creation, particularly companies focused on providing threat intelligence. Our goal with this blog post (and the more in-depth series to follow… more on that in a minute) is to provide easily accessible insight into the approach we take here at LastPass in the creation (and annual re-evaluation) of our own PIRs, what our current PIRs are, and, over a series of periodic blog posts, an examination of the current threat environment in relation to each of those specific PIRs.

We’ll begin by talking through how we created our initial PIR list. These PIRs were intended to be strategic, covering significant issues of concern over the course of a year. That’s not to say they couldn’t change during that time – we added at least one over the last six months – but the PIRs themselves are meant to be high-level. There are other methods to tackle more timely and tactical threat requirements (we will cover this topic in a future blog post). I’ll also note that organizations’ approaches may differ and your mileage may vary… it’s important for every organization to find the right way to collect and format this information for them.

For us, the first step was to brainstorm among our Threat Intelligence, Mitigation, and Escalation (TIME) team on the biggest threats from our analysts’ perspectives. This first pass was very high level… direct threats to our company and customers, for example, and threats to cloud services. We looked at our company, our customers, and our infrastructure and identified those as the overarching intelligence requirements. Once we had this overall list built out, we broke it down into component questions (e.g., What new tactics are emerging/have emerged that are used in the social engineering targeting of our customers?) to create a comprehensive breakdown of the questions we would need answered to protect against a threat. This serves at least two purposes: 1) it’s an excellent mental exercise to make sure you are considering your critical threats and how and why they pose a problem, and 2) these questions can later be used to build specific alerting that targets the information able to provide insight and/or answers, which in turn helps drive changes and advancements to your organization’s defenses.

Once we felt we had a comprehensive list, we identified key stakeholders in our organization and sought out their input. These included our senior leaders, in particular our Chief Information Security Officer, and the directors for each of our Trust and Security teams, which include our Detection, Response, Application Security, and Vulnerability Management teams, among others. As noted above, we asked them “what keeps them up at night?” and whether there was anything we missed that we should consider. When possible, we had these meetings virtually or in person. We found direct conversations to be more useful, as they allowed for more of an exchange of ideas - often leading to unexpected additions to the list. We incorporated the teams’ feedback into the analysis and compiled it into a draft list of Priority Intelligence Requirements.

Once we had this list, we shared it publicly with the broader information security team as part of our effort to foster a security culture. Below is a sample of the PIRs we created. These are top-level PIRs; under each of these topics it is necessary to have more focused questions that pin down the data needed to better protect the organization and its customers against these threats. Often these questions are focused on the underlying tactics, techniques, and procedures associated with these threats and any new developments we may be seeing. To be clear, different organizations take different approaches to their PIRs. Some prefer a few very general topics, while some drill down and have dozens of topics… what is important is that the final product reflects the right approach for your organization.

Over the next year, we will be periodically revisiting our list, and we will address each of the below topics in dedicated blog posts where we will examine the current threat environment for each of these areas. Stay tuned for those!

  1. Vulnerabilities in Critical Technologies: What vulnerabilities within our tech stack present a threat to operations, privacy, and/or data security?

  2. Malware: What malware families are targeting our organization and/or our customers?

  3. Threats against Encryption: What attacks and/or TTPs are being leveraged against encryption?

  4. Direct Targeting by Threat Actors: What threat actors are targeting our company and/or our customers?

  5. Threats to IAM Systems: What threat actors, cyber campaigns, and/or TTPs are targeting IAM systems that may impact us and/or our customers?

  6. DDoS: What DDoS campaigns are actively targeting the private sector?

  7. Threats targeting Cloud Infrastructure: What threat actors, cyber campaigns, and/or TTPs are targeting cloud infrastructure?

  8. Ransomware: What are the new families, TTPs, and trends associated with ransomware?

  9. Access for sale in the Underground: Is our network access being advertised for sale on the underground?

  10. Emerging Threats: What new and/or previously unanticipated threats have arisen that could impact our threat landscape?

  11. Phishing: What phishing campaigns are targeting our company and/or our customers?

  12. Infrastructure Outages: What infrastructure outages are impacting our company, either internal or external?

  13. Social Engineering: What are the latest social engineering campaigns targeting our company and/or its customers and the TTPs associated with them?

  14. Supply Chain: What attacks are being conducted against providers for the purpose of gaining broader access to the provider’s customer base and/or downstream access?

  15. Insider Threats: Are there indications of insider activity that could pose a potential threat to our company on the open internet or dark web?
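As an added illustration of the structure described above (top-level PIR, component questions underneath, and questions feeding alerting), here is a small Python model that tags an incoming intelligence item against a few of the PIRs listed. This is example code written for this post, not LastPass's tooling; the component questions, keyword lists and sample report are all constructed, and keyword matching stands in for whatever real alerting criteria a team would use.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PIR:
    number: int                 # position in the published PIR list above
    topic: str
    component_questions: tuple  # focused questions sitting under the top-level PIR
    keywords: frozenset         # constructed stand-in for real alerting criteria


# Four of the fifteen PIRs, with illustrative (constructed) component questions
# and keywords. Short tokens are avoided because matching is plain substring.
PIRS = (
    PIR(3, "Threats against Encryption",
        ("Which key-recovery or brute-force techniques are being reported?",),
        frozenset({"encryption", "brute-force", "key recovery"})),
    PIR(5, "Threats to IAM Systems",
        ("Which TTPs target MFA, SSO, or session tokens?",),
        frozenset({"mfa", "sso", "session token", "identity provider"})),
    PIR(9, "Access for sale in the Underground",
        ("Is access to our environment, or a vendor's, advertised by brokers?",),
        frozenset({"access broker", "for sale", "initial access"})),
    PIR(13, "Social Engineering",
        ("What pretexts are used to impersonate IT support or executives?",),
        frozenset({"social engineering", "vishing", "help desk", "impersonat"})),
)


def match_pirs(report: str, pirs=PIRS):
    """Map a free-text intel item to the PIRs whose keywords it mentions.
    Returns (PIR number, topic, matched keywords) tuples, most hits first."""
    text = report.lower()
    hits = []
    for pir in pirs:
        matched = sorted(k for k in pir.keywords if k in text)
        if matched:
            hits.append((pir.number, pir.topic, matched))
    hits.sort(key=lambda h: -len(h[2]))  # stable: ties keep list order
    return hits


def questions_to_answer(report: str, pirs=PIRS):
    """Component questions the analyst should try to answer from this report."""
    nums = {h[0] for h in match_pirs(report, pirs)}
    return [q for p in pirs if p.number in nums for q in p.component_questions]


# Constructed sample report for the example; not a real advisory.
SAMPLE = ("Vendor alert: an access broker is advertising initial access to a "
          "SaaS provider for sale; the actor obtained it via vishing of the "
          "help desk and MFA fatigue against SSO accounts.")
```

Calling `match_pirs(SAMPLE)` tags the item to PIRs 9, 5 and 13 in that order, and `questions_to_answer(SAMPLE)` lists the component questions an analyst would then work through; an item that matches nothing is a candidate for review under the Emerging Threats PIR.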