IR vs PIR vs SIR

Cyber Sherlock
4 min read · Dec 14, 2023


In cyber threat intelligence, analysts often come across the terms IR, PIR and SIR. They originated in military and traditional intelligence operations and have been adopted into cybersecurity with much the same meaning.

While they may look similar, each plays a distinct role in the threat intelligence lifecycle: IRs describe what the organization needs to know in general, PIRs single out the needs that matter most right now, and SIRs break those down into questions a collector can actually answer. Understanding these foundational concepts helps an organization focus its cybersecurity effort and resources on understanding and mitigating the threats that matter most to its environment, rather than collecting everything that is available.

This post scratches the surface of what each term means, with some examples.

Intelligence Requirements (IR)

An IR states a general, standing information need regarding cybersecurity threats and risks. It encompasses any information that helps an organization understand and mitigate threats to its digital assets: potential attackers, methods of attack, vulnerabilities in the software it runs, and trends in the wider threat landscape. IRs are broad by design; on their own they do not tell a collector where to start.

Examples

  • Provide a comprehensive analysis of the current APT threat landscape, including information on the most active APT groups, their tactics, techniques, and procedures (TTPs), and the industries or organizations they are targeting.
  • Provide an overview of the current threat landscape for cloud-based infrastructures and services, including information on common attack vectors, vulnerabilities and best practices for security.
  • Provide an analysis of the current trends and development in phishing attacks, including information on the most common types of phishing attacks, social engineering tactics used and best practices to mitigate them.
  • Provide an overview of the current threat landscape for mobile devices, including information on common attack vectors, vulnerabilities, and best practices for security.
  • Provide an analysis of the current trends in DDoS attacks, including information on the most common types of DDoS attacks, methods used to launch them and best practices to mitigate them.
  • Provide an analysis of the current trends and development in Web Application attacks, including information on the most common types of attacks, methods used to exploit vulnerabilities and best practices to mitigate them.

Priority Intelligence Requirements (PIR)

In the cyber realm, a PIR is the small subset of intelligence requirements that the organization must address first. For example, if an organization is facing frequent ransomware attacks, understanding the tactics, techniques, and procedures (TTPs) of ransomware operators would be a PIR. PIRs are ranked by the potential impact on the organization's critical assets and operations. Note how each example below is bounded in time and asks for something a decision-maker can act on; a PIR that is open-ended or that nobody can act on is really just another IR.

Examples

  • Determine the likelihood of a successful APT attack against our organization within the next 12 months and provide regular updates on any relevant indicators of potential compromise or malicious activity.
  • Determine the likelihood of a successful attack against our organization’s cloud-based infrastructure within the next 6 months and provide regular updates on any relevant indicators of potential compromise or malicious activity.
  • Determine the likelihood of a successful phishing campaign targeting our organization within the next 3 months and provide regular updates on any relevant indicators of potential compromise or malicious activity.
  • Determine the likelihood of a successful attack against our organization’s mobile devices within the next 6 months and provide regular updates on any relevant indicators of potential compromise or malicious activity.
  • Determine the likelihood of a successful DDoS attack against our organization within the next 12 months and provide regular updates on any relevant indicators of potential compromise or malicious activity.
  • Determine the likelihood of a successful web application attack against our organization within the next 3 months and provide regular updates on any relevant indicators of potential compromise or malicious activity.

Specific Intelligence Requirements (SIR)

SIRs in the cyber context are detailed, narrowly focused questions derived from the broader IRs and PIRs above them. For instance, if an IR is to understand the threats to an organization's network infrastructure, a SIR might be to identify the specific malware families most commonly used against similar infrastructure in the same industry. SIRs are what actually drive collection: each one should be answerable from identifiable sources, and each should trace back to the PIR it helps answer, so that collection effort follows the organization's priorities.

Examples

  • Provide detailed information on the APT group known as ‘DarkHydrus’, including their TTPs, known infrastructure, and any known campaigns or targets.
  • Provide detailed information on the use of the ‘Cobalt Strike’ post-exploitation framework by actors targeting cloud-based infrastructure, including their TTPs, known infrastructure, and any known campaigns or targets. (Cobalt Strike is a commercial adversary simulation tool that is widely abused by threat actors, not malware written for the cloud.)
  • Provide detailed information on the phishing campaign known as ‘Sea-Phish’ including its TTPs, known infrastructure, and any known campaigns or targets.
  • Provide detailed information on the mobile malware ‘XLoader’ including its TTPs, known infrastructure, and any known campaigns or targets.
  • Provide detailed information on the DDoS botnet known as ‘Mirai’ including its TTPs, known infrastructure, and any known campaigns or targets.
  • Provide detailed information on the web application attack campaign known as ‘Web-skimmer’ including its TTPs, known infrastructure, and any known campaigns or targets.
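The three lists above are really one hierarchy: every SIR should trace back through a PIR to an IR, and every PIR should have at least one SIR collecting against it. The following is an added example, not tooling from the original post, showing how a small requirements register can enforce that traceability and turn the PIR priorities into a collection order. The identifiers (IR-1, PIR-1, SIR-1), the `priority` field and the register layout are assumptions; the requirement texts are condensed from the examples above, and the two gaps at the end of the register are constructed to show what the checks catch.

```python
"""Requirement register: IRs, PIRs and SIRs with traceability and gap checks.

Added example for this post, not the author's tooling. Identifiers, the
priority field and the register layout are assumptions; requirement texts
are condensed from the post's own examples.
"""
from dataclasses import dataclass
from typing import Optional

KINDS = ("IR", "PIR", "SIR")                    # broad -> prioritized -> specific
ALLOWED_PARENT = {"IR": (), "PIR": ("IR",), "SIR": ("PIR", "IR")}


@dataclass(frozen=True)
class Requirement:
    rid: str
    kind: str                      # one of KINDS
    text: str
    parent: Optional[str] = None   # rid of the requirement this one refines
    priority: int = 0              # PIRs only: 1 = most urgent


def index(reqs):
    """Map rid -> Requirement, rejecting duplicates, bad kinds and bad parent links."""
    idx = {}
    for r in reqs:
        if r.kind not in KINDS:
            raise ValueError(f"{r.rid}: unknown kind {r.kind}")
        if r.rid in idx:
            raise ValueError(f"duplicate id {r.rid}")
        idx[r.rid] = r
    for r in reqs:
        if r.parent is None:
            if r.kind != "IR":
                raise ValueError(f"{r.rid}: a {r.kind} must refine a parent")
            continue
        p = idx.get(r.parent)
        if p is None or p.kind not in ALLOWED_PARENT[r.kind]:
            raise ValueError(f"{r.rid}: invalid parent {r.parent}")
    return idx


def trace(rid, idx):
    """Walk parent links upward; returns [rid, parent, ..., root IR]."""
    chain, cur = [], rid
    while cur is not None:
        if cur in chain:
            raise ValueError(f"cycle at {cur}")
        chain.append(cur)
        cur = idx[cur].parent
    return chain


def coverage_gaps(reqs):
    """Return (PIRs with no SIR beneath them, SIRs that trace to no PIR)."""
    idx = index(reqs)
    has_child = {r.parent for r in reqs if r.parent}
    uncovered = sorted(r.rid for r in reqs if r.kind == "PIR" and r.rid not in has_child)
    orphans = sorted(r.rid for r in reqs if r.kind == "SIR"
                     and not any(idx[x].kind == "PIR" for x in trace(r.rid, idx)))
    return uncovered, orphans


def collection_plan(reqs):
    """SIR ids ordered by the priority of the PIR they serve (orphans excluded)."""
    idx = index(reqs)
    ranked = []
    for r in reqs:
        if r.kind != "SIR":
            continue
        pirs = [idx[x] for x in trace(r.rid, idx) if idx[x].kind == "PIR"]
        if pirs:
            ranked.append((pirs[0].priority, r.rid))
    return [rid for _, rid in sorted(ranked)]


# Constructed register: texts condensed from the post; the last two entries are
# deliberate gaps (PIR-4 has no SIR, SIR-5 hangs off an IR with no PIR).
REGISTER = [
    Requirement("IR-1", "IR", "Current APT threat landscape, active groups and TTPs"),
    Requirement("PIR-1", "PIR", "Likelihood of a successful APT attack in 12 months", "IR-1", 1),
    Requirement("SIR-1", "SIR", "DarkHydrus TTPs, infrastructure and targets", "PIR-1"),
    Requirement("IR-2", "IR", "Cloud infrastructure threat landscape"),
    Requirement("PIR-2", "PIR", "Likelihood of a cloud compromise in 6 months", "IR-2", 3),
    Requirement("SIR-2", "SIR", "Cobalt Strike use by actors targeting cloud workloads", "PIR-2"),
    Requirement("IR-3", "IR", "Phishing trends and social-engineering tactics"),
    Requirement("PIR-3", "PIR", "Likelihood of a successful phishing campaign in 3 months", "IR-3", 2),
    Requirement("SIR-3", "SIR", "Named phishing campaign TTPs and infrastructure", "PIR-3"),
    Requirement("IR-4", "IR", "Mobile device threat landscape"),
    Requirement("PIR-4", "PIR", "Likelihood of a mobile compromise in 6 months", "IR-4", 4),
    Requirement("IR-5", "IR", "DDoS attack trends"),
    Requirement("SIR-5", "SIR", "Mirai botnet TTPs and infrastructure", "IR-5"),
]

if __name__ == "__main__":
    print("uncovered PIRs, orphan SIRs:", coverage_gaps(REGISTER))
    print("collection order:", collection_plan(REGISTER))
```

Two results matter in practice: an uncovered PIR means a stated priority has nobody collecting against it, and an orphan SIR means analyst time is being spent on a question no priority asked for. Running the register through both checks before each review cycle is a cheap way to keep collection aligned with the PIR list rather than with whatever feeds happen to be available.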

Thanks for reading!
