
Breaking Intelligence Cycle

This document discusses how to tailor intelligence functions to organizational needs. It recommends defining priority intelligence requirements to identify gaps, allocating resources accordingly, and using a three-level intelligence model to disseminate information at strategic, operational, and tactical levels tailored to different stakeholders' needs. This helps ensure intelligence supports decision making and protects the organization from emerging threats.

Uploaded by

ramesh kr

Breaking the Intelligence Cycle
HOW TO TAILOR INTELLIGENCE FUNCTIONS TO YOUR NEEDS?

Ohad Zaidenberg
August 2022
BioHacking Village

All rights reserved Ⓒ Ohad Zaidenberg 2022


Disclaimer
I am not speaking on behalf of AB InBev, and all thoughts and statements are my own.


A Tale About Intelligence
Once upon a time in Troy…



Intelligence Matters
Sometimes we forget…
• We forget hackers execute cyber attacks, not computers
• We forget these hackers have an endpoint, which is not limited to hacking
• We forget our resources are scarce, and we need to use them carefully
• We forget hackers learn about our defensive capabilities


Nothing is off-limits
• Hackers proved they have a ‘flexible’ code of conduct
• The medical sector is not off-limits, on the contrary
• What have we learned in the past two years?



Who am I?

• Intelligence person
• $Dayjob: Threat Intelligence Strategic Leader at ABInbev
• Personal project: CTI League co-founder and executive director
• Cognitive security researcher
• Volunteering, contributing, #OSINTforGood
• Past positions:
  • Lead Cyber Intelligence researcher at ClearSky Cyber Security
  • IDF Intelligence Unit Cyber Analyst and Commander
• Let’s talk
  • Twitter @ohad_mz
  • LinkedIn


Back on the Chain Gang
[Figure: the intelligence cycle. Planning and Direction → Preparation and Collection → Processing and Exploitation → Analysis and Production → Dissemination and Integration → Evaluation and Feedback]



Breaking the Intelligence Cycle
• How do we ‘digest’ Intelligence, not only produce it?

• Where is the ‘Decision Making’ phase?

• Intelligence vs. Information

• Key factors for impactful intelligence

• Whom am I speaking with? Everyone!


Fantastic Key Factors and Where to Find Them
• Prioritized Intelligence Requirements
• Three Levels of Intelligence Model
• Actionable Intelligence


PIRs: All About that Gaps
• Intelligence is not information
• Remember the Trojan horse? 2500 years later, it remains the same
• Threat Intelligence focuses on our pain points, our gaps
• How to balance between an offensive mindset and a defensive mindset


PIRs: Why do we need them?
• Our resources are scarce; we need to allocate them carefully
• Find the next horse, don’t build another obstacle
• Decisions are made based on data, not driven by fears or trends
• How to collect our data? How to disseminate our data?
• Understanding the business implications, not only the technological ones
• Requirements prove value; with PIRs, we can measure!

“Those intelligence requirements for which a commander has an anticipated and stated priority in the task of planning and decision making”

PIRs: How to Register a PIR?
• Define your stakeholders, internal or external
• Who’s in charge of protecting? Who’s in charge of managing the network?
• What are the gaps of each stakeholder?
• What are the prominent threats to the organization? Which threat could cause the largest impact?
• Use the Intelligence Cycle!
• PIR components: Mission, Endpoint, Required level of intelligence


Three Levels: Same Intelligence, but Different
• The Intelligence cycle remains the same, but the audience is different
• Can one dissemination plan be relevant for our stakeholders?
• How do we translate intelligence for different stakeholders?
• Tailor the intelligence to our gaps; tailor the outputs for the stakeholder
• Use the ‘three levels of intelligence’ model


Three Levels: Pyramid of What?
• Collection artifacts (IOCs and IOAs) can be divided into the ‘pyramid of pain’
• All these artifacts (and more) can make a difference
• Different language = framing the artifacts (including assessments) for the stakeholder
• Instead of the pyramid of pain, let’s look at the pyramid of intelligence
• Strategic answers the ‘who and why’ questions
• Operational answers the ‘how and where’ questions
• Tactical answers the ‘what’ questions
[Figure: pyramid of intelligence, top to bottom: Strategic, Operational, Tactical]
Pyramid credit: Matthew Herring, CriticalStart

Three Levels: Definitions
• Strategic level informs the top decision makers.
  • The intelligence must help its decision-makers understand the threats they are up against and allocate resources accordingly.
• Operational level is given to those making day-to-day decisions.
  • The intelligence must help its decision-makers protect against broad threats (TTPs, behavioral) and lead the defensive and offensive capabilities.
• Tactical level is given to the recipients who identify, mitigate and prevent the threats.
  • The intelligence must help its decision-makers protect the organization proactively and examine its capabilities to protect against a specific threat.

Three Levels: How to Speak in Three Levels?
• Define the required level of intelligence for the right stakeholder
• Allocate resources based on the gaps to the right intelligence level
• Tailor the output for the right level of intelligence
• Use case – Quantum Ransomware targets hospitals

Strategic:
• Assessment: how the Quantum threat would affect the organization, business focus
• Resources Allocation

Operational:
• MITRE Mapping for Quantum group (TTPs)
• Simulation

Tactical:
• IOCs blocking
• Threat Hunting


Actionable Intelligence: Intelligence, not Marketing
Unlike the academic world, journalism or marketing, if you want to protect better, the intelligence must have an endpoint.
• Intelligence should be actionable (making impact)
• Our PIRs focus us on collecting actionable data at the right level of intelligence
• Intelligence is not marketing, but it can be a component of marketing
• How to make it actionable? You can do something with the information! As we saw before:
  • Blocking indicators (Tactical)
  • Threat Hunting (Tactical)
  • Simulate TTPs (Operational)
  • Build playbooks and best practices (Operational)
  • Vulnerability management strategy (Strategic)
  • Etc. (All of the above)

But... Where to Start?
• Define your PIRs first – which information can help you to solve a gap?
• Understand your capabilities:
  • Which intelligence can you already digest?
  • What is the required level of intelligence?
  • Can you allocate resources differently to face more threats?
• Start yesterday, do whatever you can to include intelligence
• Avoid marketing (use the ADEPT model by Sergio Caltagirone), extract the actionable data
• Appoint an ‘intelligence officer’ in your organization
  • It can be anyone; you don’t necessarily need an analyst or researcher, you need someone to manage the intelligence
• Use the community!


Thank you
Breaking the Intelligence Cycle

Ohad Zaidenberg
August 2022
BioHacking Village
Let’s stay in touch!
@ohad_mz
Ohad Zaidenberg