Intelligence Requirement (IR):
Intelligence Requirements (IRs) are requests for the information an organization needs from a CTI team through cyber threat intelligence operations. IRs are requests for information about threats, risks, and opportunities to protect the organization. They are the objectives that a CTI analyst tries to accomplish through the cyber threat intelligence process. IRs reflect senior leadership (CISO) and board concerns about threats and risks to the organization’s environment, operations, revenue, bottom line, and reputation. IRs are generated from intelligence gaps and describe the information that an organization wants to collect. An intelligence gap is an unanswered question about a cyber threat or security issue. Requirements can be divided into three categories:
1. Intelligence Requirements (IRs)
2. Priority Intelligence Requirements (PIRs)
3. Specific Intelligence Requirements (SIRs)
Intelligence Requirements (IRs) cover the general threat environment. Priority Intelligence Requirements (PIRs) are those that are most critical for the organization to have answered; PIRs are more detailed, operationally focused, and aligned to IRs. Specific Intelligence Requirements (SIRs) are operational, tactical, and technical, and focus on particular facts, entities, or activities.
Identifying the Intelligence Requirements for the organization means identifying the policy and security issues to which cyber threat intelligence is expected to contribute.
Intelligence Requirements (IRs) Examples:
• Identify notable threats to the organization
• Identify internal and external cyber threats targeting the organization
• Identify cyber threats targeting related industries
Priority Intelligence Requirements (PIRs) Examples:
• Identify threat actors targeting our organization’s critical assets or new technologies
• Identify the threat actors’ motives
• Identify the person, group, entity or asset in the organization that is being targeted
Specific Intelligence Requirements (SIRs) Examples:
• Describe threat reconnaissance activity that occurred today
• Identify changes observed in a specific threat actor’s tactics, techniques, and procedures (TTPs) today
• Identify the C&C server infrastructure a specific threat actor is using
Jared Ettinger (2019). Cyber Intelligence Tradecraft Report: The State of Cyber Intelligence Practices in the United States. Carnegie Mellon University.