An Important Internal Intelligence Source to Add to Your Collection Plan

Earlier this week Scott Roberts provided a useful list of intelligence collection sources for threat intelligence and security teams. His list included:

– Internal incident data
– Honeypots & the like
– Vendor reports
– Sharing communities
– Free IOC feeds
– Paid IOC feeds

I like this list because it covers automated machine-based collection—internal data, honeypots, and IOC feeds—and analyst-based, human collection: vendor reports and sharing communities. Analysts have to critically read and process reports, and must dedicate time to developing external relationships and building trust. These tasks cannot be automated.

Similar to these “analyst-based” sources (which I suppose we could call, but which I’ll refrain from calling, HUMINT), I would add an additional source: internal IT and IT security staff.
