Developing Priority Intelligence Requirements: A Warhammer 40000 Example
Space Marine Intercessors. Credit: Nick Hyatt

I play Warhammer 40,000. For those of you who don't know, Warhammer 40,000 is a tabletop war game in which players take turns rolling dice and use plastic miniature soldiers to fight battles in a science-fiction setting. It is a complex game, full of rules and obscure situations in which a lack of information is the norm, but that information can be game changing. Not only do you have to understand the rules of your army, but you also need to have a grasp of the rules of every other army in the game, as well as special stratagems each army can perform. In short, it's an overwhelming amount of information that even the best players in the world (of which I am not one) struggle with.

Sound familiar? It's very similar to the situation that many of us in the security field deal with - constantly changing situations with incredible amounts of information that we need to break down into actionable items.

In the CTI field, we're often challenged by our stakeholders to distill down the overwhelming amount of information out there to a simple "what do I need to know?" We call this process developing PIRs, or priority intelligence requirements. Essentially, it is the process of asking the right question to which we as analysts can give detailed, timely, accurate, and complete answers.

So what on Earth does Warhammer 40,000 have to do with this? I'll explain.

The other day, I was reading an article by Rob Jones (of goonhammer.com) describing a battle report of a game he had played with his friend. Something struck me about a portion of the article, which I will get to in a moment. For a second, though, let's take a step back. Warhammer 40,000, as I said, is a complex game with a lot of rules. Many times, games will start with players spending an inordinate amount of time explaining the rules of their army in case their opponent isn't familiar with them. This can take a LONG time, especially for armies with more complex rules. Rob, though, had broken down the questions he asked to a specific set (and I'll paraphrase here to avoid a lot of gaming jargon that isn't relevant). Instead of having his opponent explain his army rules, he asked the following questions:

1. For Deployment: What do you have that can Advance and Charge?

2. For My Offensive Strategy: Which of these are monsters?

3. For My Defensive Strategy: What can do Devastating Wounds? What’s your anti-vehicle shooting?

Now, some of this isn't going to make any sense outside of the context of the game, but given the construction of Rob's army, he was trying to establish the important aspects of his opponent's army so he can understand how to deal with them. On a higher level, though, he was refining the main question of "what do I need to know?" and conducting the process of building out a priority intelligence requirement - what do I need to know so that I can make a decision? As you are developing the parameters that your stakeholders want to operate within (and how you can effectively communicate important information), you can use the same process.

Our role as CTI analysts is to give context to the world - what is something, and why is that something important? If you can guide your stakeholders in asking the right questions, you can be more effective as a CTI analyst. Instead of your stakeholders saying "I want to know who is attacking us" (to which the answer is "everyone", next question), you can help by establishing a baseline - what does your stakeholder identify as their "crown jewels?" What's most important to the line of business? Once you've established that, then break it down further. What technology stack do you use?

You can see that you can go from the question of "Who is attacking us?" to "We use ACME Co. Software. What common attacks are conducted against this software? What versions are vulnerable? What do we need to do to mitigate?"

I'm glossing over a lot of the details here, but I wanted to use this as an example of how you can distill down the overwhelming amount of information out there into easily consumable, actionable intelligence that you can use to educate and enable your stakeholders.

Shiv Kumawat

Tech Entrepreneur & Visionary | CEO, Eoxys IT Solution | Co-Founder, OX hire -Hiring And Jobs

5 months

Nick, thanks for sharing!

Daniel Stiegman

Cyber and All Source Intelligence Leader | Veteran | Speaker | Instructor

1 year

Great read. With some of us who did the PIR/FFIR/EEFI/CCIR process, I think that we need to reevaluate and un-combat this process. I do utilize the Intelligence Cycle as expected of the PIR process, but combine the intent and call it "Intelligence Directives." We as CTI folks already have a hard enough time getting buy-in from leadership in helping develop the Intelligence Requirements based on their intent (similar to getting a debrief from an officer who has been outside the wire for 12 hrs+). So... why not make it easier and more comprehensive? I still love the process, but I think it needs to marry the simplicity that the private sector calls for. Nick, I would love to connect and talk more about all things Intel.

John Bruckler

Cybersecurity at DT Midsteam

1 year

Fantastic example Nick! Breaking down PIRs against the scenario you used I think helps demystify the process and gets down into the building blocks.
