Know thyself. You should know your main goals and motivation before picking a threat intelligence vendor. One of the most important questions to ask yourself is why you are doing what you’re doing. “For me, the top things are — there are two real big ones. And the whole point of the ‘why’ comes down to a couple of different things. Are you doing it for efficiency? In other words, we don’t know what we don’t know, and we want to understand it. And how do we do it in the most efficient way possible? So that’s part number one. Are we doing it for visibility and awareness? In other words — back to the ‘we don’t know what we don’t know’ — if we’re going to put our head above the parapet, how do we actually tell what’s useful, usable, scalable, and actually effective to help with? […] Then the other big one is basically justification. So if you’re looking at next year’s budget or you’re looking at even going through this year’s or when your fiscal year ends or headcount — if you’re having to justify, to some degree, your existence — understanding internal and external threats and the risks associated with them is a really good way to start on that ‘why are we doing it’ exercise.”
Strategic, tactical, operational, or other types of intelligence? The next step is to determine what type of intelligence your potential vendor can provide. Also, think about what type of intelligence matches your goals. “Strategic. How are you looking at the market itself? How are you looking at geopolitical areas? How are you looking at critical infrastructure as a whole or whatever your area is? Tactical. Well, what the heck is going on? APT group, ABC, Cozy Bear over here, and a whole bunch of Muppets in a different direction. What the Smurf are doing is great to know, but then you’ve actually got to bring in, ‘Well, why do I care?’ And then operationalizing that data as well is that other part of it. In other words, you’ve told me that IP sucks. Well, why? For how long? How long has it been? What’s happened with it, and what the heck am I going to do with it?”
Whose data are they collecting, where are they getting it from, and how? The following questions revolve around data collection. “All of this is information that you need to understand what they’re collecting because if you understand what they’re collecting, you could also understand what they’re missing. […] So the data is another interesting one. Take a messaging stream — this is a perfect example of what kind of data. Are they collecting 24 hours’ worth of messaging? And how can you disseminate what’s good, bad, and what’s ugly, and how are they doing it?”