In all of my years working in cybersecurity, I never thought I’d create my own framework — let alone one for threat intelligence programs. Why? Because I didn’t think I had anything impactful enough to say that could be boiled down to a nice, neat, acronym. But one day, while working at Netflix, I received inspiration from the strangest source… Jerry Seinfeld.
Jerry spent some time with us on the Netflix campus, sharing stories about his life and craft. One involved a single joke that he’d been working on for two years. For some reason, this joke didn’t land, despite his many attempts. That is, until one day — when he decided to change a single word. That night, when he performed the new-and-improved joke for the first time, it finally landed. This illustrates that mastery isn’t about being perfect — it’s about using awareness and experience to make an impact or accomplish an objective. During my time with Jerry, he also mentioned that his latest goal was to help new comedians take comedy to greater heights and that he wanted this to d be part of his legacy.
After hearing Jerry's story, I felt inspired. I started thinking about my craft, threat intelligence, and how so many companies struggle to implement an impactful program that yields real results. I thought, “Wouldn’t it be great if I had a four-point concept that covered the majority of my philosophies on threat intelligence?” Then I asked myself, “Wouldn’t it be even better if folks building their threat intelligence programs had a theoretical ‘button’ that they could press to get them back on track when they get stuck?” With these thoughts in mind, I set out on a mission.
I’ve since spent my career coaching threat intelligence analysts and teams. Most of what I’ve taught them can be boiled down to four simple — but at times difficult — concepts:
- Elicit requirements
- Assess collection plan
- Strive for impact
- Yield to feedback
And there you have it: the Intelligence EASY Button or the EASY Framework. I’ve used these concepts throughout my entire career — and, after a little inspiration from Jerry, I was finally able to distill them down into digestible nuggets.
Now, let’s take a look at each of these.
Elicit Requirements
“It’s not me, it’s you.” - Lily Allen
I’ve foot-stomped this concept so many times in my podcast Hacker Valley Studio, during keynotes, and in articles. Threat intelligence teams, companies, and experts are in the “service” business. We support other functions. While I do believe we lead security (a claim that warrants an article on its own), our work isn’t about us — it’s about our stakeholders.
We need to know what information will make their jobs more efficient, more effective, or change what they are doing entirely. You will encounter some stakeholders that don’t know what information will aid those objectives. This is one of my favorite situations. You can have an aha moment right there with your stakeholder. Ask questions — good questions. Practice asking those questions and refine your stakeholder analysis. You’ll often find: the more polished the requirements, the easier it is to support your stakeholders.
Assess Collection Plan
“Everybody has plans, until they get hit.” - Mike Tyson
If you’re starting a threat intelligence program and you’ve a fleshed out collection plan before doing your first stakeholder interview, I assess with high confidence that you’ll have to go back to the drawing board.
Even after you’ve completed stakeholder analysis and new requirements come up, you’ll still have to look at the information you’re currently using.. Ask yourself, “Is this feed answering the questions my stakeholders have?” Every feed is not for every team. A great source may not have the answers you are looking for. Constantly reassess your collection plan and be aggressive in trimming away the non-essential.
Strive for Impact
“What you do has far greater impact than what you say.” - Stephen Covey
Let me paint a picture. You spent the last two months working on a report you believe will change the game at your company. You were diligent in your analysis. You included the best research from world-renowned experts. You polished it up nicely with the help of a couple of editors. You even had marketing make graphics for you. You deliver your masterpiece and… *crickets*.
You wait a few days and ask, “Hey, what was the reception of the report?” Your boss replies, “It was great work! Everyone loved it. The only problem is they didn’t understand the ‘So what?’” Ouch! I’ve certainly been there and I’m sure many of you have, too.
The beauty of threat intelligence is its ability to ignite change. The work I do can literally change the way my company operates — if I strive for impact in my intelligence analysis and reporting. Take some time to think about what information is going to who, in what context, and to support what decision every time you hit send on that email.
Yield to Feedback
“Feedback is the breakfast of champions.” - Ken Blanchard
Before I talk about using feedback, I feel obligated to provide a tip about receiving feedback. Please, make it easy for your stakeholder to present feedback. For instance, I built a simple Google form that I can send pre-filled with context data to the stakeholder that can be filled in under a minute, if they so wish.
Subsequently, I produce a shareable link and personally message the stakeholder. I thank them for submitting the request for information and ask them to fill out the form. I also mention it’ll take only moments of their time. It’s not my intent to boast, but under this construct I have a 100% return on my request for feedback.
Now once you have your feedback, use it! Even if you believe your stakeholder is misaligned in some way, that still means the mark is being missed. Are your reports too long? Are they missing key details? Was your intelligence not actionable? Was the delivery medium wrong? Did it take too long? These are just a few examples of things that, while they bruise the ego, can incrementally improve your intelligence reports and, ultimately, your intelligence program.
