Defining your IR
The first stage in the intelligence cycle is to identify the information that the decision-maker needs. These requirements should be the driving factor in the intelligence team's collection, processing, and analysis phases.
The main problem that occurs when identifying these IRs is that, usually, the decision makers do not know what information they want until they need it. Moreover, other issues, such as resource and budget shortcuts or sociopolitical events, may arise, as well as the difficult task of identifying and satisfying the IRs.
Posing and trying to answer a series of questions, not only the ones stated here as examples, could be a good starting point when you're trying to identify the PIRs (P for priority, referring to those that are more critical) and the IRs of an organization.
When working out your IR, ask yourself the following questions:
What's the mission of my organization?
What threat actors are interested in my organization's industry?
What threat actors are known for targeting my area of operation?
What threat actors could target my organization in order to reach another company I supply a service for?
Has my organization been targeted previously? If so, what type of threat actor did it? What were its motivations?
What asset does my organization need to protect?
What type of exploits should my organization be looking out for?
There are four criteria to keep in mind when validating a PIR: the specificity and the necessity of the question, the feasibility of the collection, and the timeliness of the intelligence that would be generated from it. If the requirement meets all these criteria, we can start the collection process around it. In the next section, we will cover this in detail.