OSINT Blog / Post

June 19, 2024

Intelligence Function Architecture: A Blueprint for Building and Scaling an Effective Intelligence Unit

Intelligence has been used throughout history to gain an advantage over adversaries.

In the Book of Numbers, Moses sent The Twelve Spies, a group of Israelite chieftains, to scout the Land of Canaan for 40 days to assess geographic features, the strength and size of the population, and the agricultural potential and performance of the land.

During the Revolutionary War, George Washington recruited a spy ring and ran many agents. In one letter, Washington wrote, "The necessity of procuring good intelligence is apparent and need not be further urged”.

During the World Wars, intelligence units were established to understand the activities of and deceive the enemy, analyzing newspapers, journals, press clippings, and radio broadcasts from around the world and creating elaborate deceptions like Operation Mincemeat

In the 1990s, policing resources could not keep up with demand from increasing crime levels when addressing crime through responsive policing. UK policing shifted to an intelligence-led approach; instead of responding to calls as they came in, officers would focus on the causes of crime, including repeat offenders and crime hotspot locations. 

Intelligence units are not just for wartime and policing. Private organizations must increasingly contend with threats like political instability, natural disasters, pandemics, and crime. Many private organizations seeking greater situational awareness and operational efficiency have introduced intelligence units to deliver an intelligence-led approach to security to keep their business, employees, clients, and assets safe.

An effective intelligence unit collects, collates, and analyzes disparate data and information to create intelligence, captured in intelligence products alongside recommendations that inform decision-making and security measures/ crime prevention. An intelligence unit shares reliable and actionable intelligence with decision-makers, security personnel, or investigators to outline emerging trends and patterns or key individuals, enabling them to prepare for and prevent security risks.

Building an effective intelligence function within any organization requires a team of intelligence specialists, established practices and products, suitable tools, and an adequate budget. 

Employing the Team

Key Roles

Intelligence units can range in size, from as few as two individuals conducting rudimentary analysis to hundreds of individuals managing advanced operational, tactical, and strategic intelligence analysis. Most intelligence units will contain at least one individual with each of the following five job titles:

Intelligence Manager

The Intelligence Manager is responsible for the leadership of an intelligence unit, ensuring that the team meets its objectives to provide intelligence support to ongoing investigations and produce intelligence products to inform decision-making promptly. The Intelligence Manager provides leadership, guidance, and direction to their team, develops and maintains processes and standard product output, and manages the deployment of resources to ensure operational effectiveness. Ideally, the intelligence unit manager or supervisor should be an experienced intelligence professional, however, this will not always be the case. 

Senior Intelligence Analyst

A Senior Intelligence Analyst is responsible for managing the day-to-day activity of the analytical team or a specific area of business within the analytical function. Senior Intelligence Analysts are still involved in analytical work, however, their time also involves supervision activities, including allocating work and reviewing completed products. 

Senior Intelligence Officer

Senior Intelligence Officers, sometimes known as Intelligence Supervisors, oversee the day-to-day operations of the team of Intelligence Officers. In a small unit, the responsibilities of a Senior Intelligence Officer may be assumed by the Senior Intelligence Analyst. The Senior Intelligence Officers are responsible for conducting regular appraisals of Intelligence Officers, providing advice and support, and reviewing intelligence products. Senior Intelligence Officers may also manage intelligence queues, which contain unsanitized intelligence, distributing intelligence logs to Intelligence Officers and reviewing the sanitized intelligence logs upon completion.

Intelligence Officer

Intelligence Officers, also sometimes known as Intelligence Researchers, are typically responsible for the collection and evaluation of data and information. The Intelligence Officer uses this information to assess threat, risk, harm, vulnerabilities, opportunities, and intelligence gaps that exist and prepare actionable reports for operations. An effective intelligence unit should have at least 3 Intelligence Officers, however, the majority of intelligence units will have between 6 and 12 on each team. Intelligence Officers will often work directly with an Intelligence Analyst as their researcher. 

Intelligence Analyst

Intelligence Analysts process collected raw information to determine its Intelligence value, using qualitative and quantitative data to support the building of inferences about crime or incidents. Intelligence Analysts conduct this activity to identify trends and patterns in data, which can be used to provide recommendations for resource allocation and preventative activity to drive crime or security incident reduction. The Analyst develops analytical products to assist decision-making at a strategic, tactical, or operational level. Intelligence Analysts are increasingly college graduates with a relevant degree that involves analysis, writing skills, critical thinking, and creativity. An effective intelligence unit should have at least 3 Intelligence Analysts, however, most intelligence units will have between 6 and 12 on each team.

Additional Roles

Once an intelligence unit has become established, further roles may be added to the team to support increased output.

Intelligence Developer

Intelligence Developers conduct initial real-time investigative work in the field and fill Intelligence gaps. Whilst Intelligence Officers and Intelligence Analysts generally remain behind a desk, Intelligence Developers hold similar responsibilities to an Investigator and collect intelligence for the Officers and Analysts to process. Many Intelligence Developers are previous Investigators and Police Officers, trained to work in the field.

OSINT Specialist

OSINT specialists, also known as Internet Intelligence Investigators, conduct focused open source inquiries/ online research for the intelligence function. Internet Intelligence Investigators are specialists in online research with advanced training in collecting information from the internet in line with legislation. In smaller units, OSINT research is conducted by Intelligence Officers or Intelligence Analysts. 

Director of Intelligence

The Director of Intelligence leads an intelligence function, setting the team's strategic direction and ensuring an efficient intelligence process to inform decision-making and mitigate threat, risk, and harm. The Director of Intelligence sits above the Intelligence Manager and takes a more strategic approach to management, leaving operational control to the Intelligence Manager. The Director of Intelligence develops the intelligence function to provide a clear and consistent set of products that inform strategic, tactical, and operational decision-making and secures and allocate resources for the team to meet demand.

Head of Intelligence Analysis

In large teams, a Head of Intelligence Analysis may sit above Senior Intelligence Analysts at a similar level to Intelligence Managers. Heads of Intelligence Analysis are responsible for managing and developing intelligence analysis within the organization, providing advice, direction, and expertise across the organization on intelligence-related matters. A Head of Intelligence Analysis also develops a clear and consistent set of products that their team will produce to inform decision-making at a strategic, tactical, and operational level. A Head of Intelligence Analysis will have held positions as Intelligence Analyst and Senior Intelligence Analyst, guaranteeing expensive intelligence experience that some Intelligence Managers will not have. 

Digital Forensics Technician

Digital Forensics Technicians examine seized devices, like mobile phones and laptops, to collect evidence. Digital Forensics Technicians usually work as part of a separate Digital Forensics Team, however, this team may fall under the management of senior intelligence personnel.

Digital Media Investigator

Digital Media Investigators may exist instead of OSINT Specialists and Digital Forensics Technicians, bridging a gap between the two roles. Digital Media Investigators research, exploit, and capture information from online sources, as well as manage other digital investigations like CCTV, WiFi, ANPR, and Mobile Devices. 

Intelligence Administrator

Intelligence Administrators, or Intelligence Support Officers, provide information and data management and broad administrative support. Intelligence Administrators manage the receipt of information and maintain intelligence management systems, ensuring effective record management and an audit trail. Intelligence Administrators may also handle queries and calls as the first point of contact in the intelligence function. In a larger unit, Intelligence Administrators may also retrieve intelligence from internal systems, a task handled by analysts or officers in smaller teams. Intelligence Administrators may also be responsible for disseminating completed products to customers. 

Chief Intelligence Officer 

In private organizations, a Chief Intelligence Officer sits at the highest level in a C-suite position, ensuring intelligence is considered at every level in the organization. We covered the role of a Chief Intelligence Officer in a previous Skopenow article

Assigning Workload

Intelligence tasks and teams may be broken down by product type, region, or crime type.

Strategic

Strategic intelligence deals with “big-picture” issues, such as planning and long-term resource allocation. Strategic intelligence explores long-term, large-scope solutions, requiring analysts to work on products for extensive periods. Some strategic intelligence products can take multiple analysts months to publish.

Tactical

Tactical intelligence deals with analysis and planning for specific investigations and directs the optimal allocation of resources on a day-to-day/ weekly basis. Intelligence professionals working on tactical intelligence teams will analyze recent data, including daily, weekly, monthly, and annual datasets, to identify trends and patterns for resources to address. Most tactical intelligence products will be completed within one week. 

Operational 

Operational intelligence deals with the activities of on-the-ground resources, such as officers and investigators taking action to disrupt crime or assess suspects. Intelligence professionals will often conduct officer safety checks by researching targets for intervention, ensuring that their activities conclude with minimal risk. Operational intelligence products usually take less than a day to complete. 

Thematic

Intelligence Analysts will usually take on thematic specialisms looking at subjects like Serious and Organized Crime, Child Sexual Exploitation, Slavery, Trafficking, Acquisitive Crime, Violent crime, Cyber-crime, Extremism, or Economic Crime. Generally, analysts working on thematic crimes will work in a headquarters.

Geographical

Alternatively to thematic analysis, analysts may cover all crimes in a specific region within their jurisdiction. Analysts covering geographical areas may work from a single headquarters or on cross-function teams within their geographic region.

Establishing Standards of Working

Intelligence functions operate according to the Intelligence Cycle, a structured process that ensures clear tasking and consistent intelligence products. Learn more about the Intelligence Cycle in our recent article

Intelligence Products

Operational and Tactical products support ongoing investigations and short-term operations. Such products must be clear, concise, and focus on information and recommendations with added value to operational activity. 

Subject Profile

A subject profile provides a comprehensive intelligence picture of an individual, usually a suspect or offender. Subject profiles describe the criminal and their personal details (address, phone number, email address, DOB), social media accounts and activity, lifestyle, networks, criminal activities, and potential intervention points.

Business Profile

A business profile provides a comprehensive intelligence picture of an organization. Business profiles include business addresses, owners, employees, business filings, company directories, social media accounts and activity, criminal activities, and potential intervention points.

Link Analysis Chart 

A link analysis chart is a diagram that visualizes the association links between collaborators in a criminal network.

Problem Profile

A problem profile is a product that ​​provides a detailed analysis of a specific crime type or location hotspot, often covering a year's worth of data and trends. 

Crime Pattern Analysis

A crime pattern analysis product provides an analysis of a short-term crime problem, looking at weekly or monthly data. A crime pattern analysis can support resource allocation and the production of intelligence bulletins. 

Comparative Case Analysis

A comparative case analysis product analyzes numerous offenses with shared characteristics, such as the same crime type in the same region, to identify trends and patterns and any potential series. 

Strategic Analysis Reports

Strategic Analysis Reports are documents that outline crime in a specific region or theme area over a long period, such as a decade. Strategic Analysis Reports look at the long-term causes of crime and support informed decision-making to reduce crime at scale over time, such as education or area development.

Training

All intelligence professionals should have extensive intelligence training, including analytical techniques and crime theory. A basic intelligence training course covering these concepts usually runs one or two weeks and costs roughly $2000 - $9000 per person.

Individuals in roles that require OSINT activity or digital forensics work should also receive specialist training to conduct such work legally. Courses covering this content usually run a week and cost roughly $600 - $7000 per person.

Sources and Tools

Intelligence collection is a time-consuming element of the intelligence cycle, especially if you have multiple clients with multiple requirements. Establishing a source list enables the intelligence professionals to have instant access to a list of approved sources they can rely on to inform their analysis and build their intelligence products. Information sources can include both open and closed sources.

Closed Sources

Closed Sources are sources of information with controlled access that a general person could not access, such as internal data systems.

Open Sources

Open Sources are sources of widely available public information, such as social media.

Manual Investigation Tools

When working with closed sources, intelligence professionals can generally rely on database queries to extract data and information. When working with open sources, information collection can be more difficult and intelligence professionals may need to rely on tools to assist their data collection efforts. We’ve produced a list that outlines some tools that an intelligence professional might use whilst conducting open source research:

Investigative Tools Investment

Device/ Software

Cost

Recurrence

Investigation Device

MacBook Pro

$1,199.00

Single

Cell Phone

Samsung Galaxy A11

$150.00

Single

Sim Card for Cell Phone

Mint Mobile

$180.00

Annual

Mobile Hotspot

Nighthawk M6

$103.44

Annual

VPN

ProtonVPN

$101.70

Annual

Virtual Machine

TraceLabs VM

$0.00

Single

Browsers

Brave

$0.00

Single

Password Manager

LastPass Business

$48.00

Annual

Activity Recording Tool

Hunchly

$130.00

Annual

 

First Year Total

$1,912.14

Single

 

Following Years

$563.14

Annual

 

Automation Tools

Intelligence professionals can use tools like Skopenow to automate repetitive processes and free up time for more advanced analysis and investigative activity. 

Skopenow is a real-time situational awareness and investigative platform trusted by investigators to deliver instant intelligence insights and products. Employing image recognition and behavioral analytics on billions of data points, Skopenow detects and alerts actionable behaviors and risks like violent behavior, substance dependencies, and threatening language. Sign up for a 7-day free trial of Skopenow at: https://www.skopenow.com/try.