Applying Lessons From the Intelligence Community to Cyber Threat Analysis
By Maggie McDaniel on July 31, 2018
Noun. A detailed examination of the elements or structure of something, typically as a basis for discussion or interpretation.
More than a decade in the U.S. intelligence community has given me plenty of opportunities to see firsthand when analysis worked and when it failed: from not connecting the dots, to groupthink, to not challenging what we assume and what we think we know. The lessons learned supporting our nation’s security apply just as well to public- and private-sector cybersecurity, regardless of whether you are a solo security researcher, part of a team protecting an enterprise, or a service provider supporting many customers across multiple verticals.
Comfort With the Unknown
I encountered many analysts that kept waiting and waiting for more information before they were comfortable “making a call.” That’s not a luxury threat intelligence analysts have.
You may be familiar with the metaphor that threat analysis is like assembling a puzzle with only a fraction of the pieces and a partial picture on the box; there are times when it will feel as though every piece is printed on both sides and all of them are the same size. You may never get all the information you need, so you have to get comfortable with the idea that you can only offer your best analysis at the time with what you have. That is exactly why you absolutely have to make sure …
Every Voice Should Be Heard
Do not force consensus. Period. Experts are all around us, and none of us is an expert in everything. That pool of input should not be limited to other analysts: it is often essential to get points of view from multiple verticals, particularly within an enterprise where stakeholders range from operations to risk to governance. Widening the circle compensates for the inherent limits of any one person’s reasoning and, when approached with an open mind, forces us to confront our own cognitive biases.
For high-profile analysis where the analytic bottom line is divided, there is nothing wrong with laying out the various points of view and then pointing out what additional information would be needed to bring those arguments together. For complex issues, insisting on a single bottom line waters down the analysis: it makes it harder to explain why you think what you think, and it increases the odds of an intelligence failure.
Show Your Work
It isn’t just about knowing your sources and using the most reliable information available (although that is just as essential). As a threat intelligence analyst, you have to be able to articulate why you think you know what you know. If you can’t explain it clearly, you don’t understand it fully. Tell your audience what you know, what you don’t know, what you think, and why you think it.
To do this successfully and consistently, you may need to establish frameworks and standards for your analysis and analytic products. For example: When do you name a new threat actor? What is your threshold for attribution? How do you evaluate source credibility? Are you using analytic qualifiers consistently enough that you can explain “what we mean when we say …”?
Devil’s Advocacy Only Scratches the Surface
There is a breadth of analytic bottom lines between “this will happen” and “this won’t happen,” and just as many techniques for getting there. If you aren’t familiar with them, get to know them. Some of my favorites include:
- Key assumptions check
- Signposts analysis
- Analysis of competing hypotheses
- Low-probability and high-impact scenarios
They take diligence to learn and practice to master, but they are worth it. Many have been dubbed “alternative analysis,” but they are structured analytic techniques that form the backbone of critical thinking, and they should be considered essential rather than alternative. Richards Heuer’s “Psychology of Intelligence Analysis” still belongs on every analyst’s desk.
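Of the techniques listed, the analysis of competing hypotheses lends itself to a mechanical worked example. The Python below is an added illustration, not code from the original article or from Insikt Group; the hypotheses, evidence items, credibility weights and consistency ratings are constructed for the example and do not describe any real intrusion or actor. It scores each hypothesis by the weighted evidence that is inconsistent with it (Heuer’s key move is to try to disprove hypotheses rather than to collect support for a favorite) and flags evidence that fits every hypothesis equally and therefore has no diagnostic value.

```python
"""Analysis of Competing Hypotheses (ACH) as a scored evidence matrix.

Added illustration. The hypotheses, evidence and ratings below are
constructed for the example and do not describe any real intrusion.
"""
from dataclasses import dataclass

# Consistency of one evidence item with one hypothesis,
# from very consistent (CC) to very inconsistent (II).
CC, C, N, I, II = 2, 1, 0, -1, -2


@dataclass
class Evidence:
    label: str
    description: str
    credibility: float   # analyst-assigned source weight in (0, 1]
    ratings: dict        # hypothesis label -> consistency rating


HYPOTHESES = {
    "H1": "Financially motivated criminal group",
    "H2": "State-directed espionage operator",
    "H3": "Opportunistic intruder with no sustained objective",
}

# Constructed evidence. Credibility reflects how many independent sources
# corroborate the item and how reliable those sources have been before.
EVIDENCE = [
    Evidence("E1", "Remote-access tool is a freely available commodity", 0.9,
             {"H1": C, "H2": C, "H3": C}),
    Evidence("E2", "Only engineering documents staged; payment systems untouched", 0.8,
             {"H1": II, "H2": CC, "H3": I}),
    Evidence("E3", "No extortion contact in the 60 days since exfiltration", 0.7,
             {"H1": II, "H2": C, "H3": N}),
    Evidence("E4", "Operator activity fell in one nine-hour window each weekday", 0.6,
             {"H1": N, "H2": C, "H3": I}),
    Evidence("E5", "Phishing lure tailored to the victim's industry (single source)", 0.5,
             {"H1": I, "H2": C, "H3": II}),
]


def inconsistency_scores(evidence, hypotheses):
    """Heuer's central step: tally weighted *inconsistent* evidence per hypothesis.

    Consistent evidence is deliberately ignored because it tends to fit several
    hypotheses at once; the hypothesis with the least inconsistency survives.
    """
    scores = {h: 0.0 for h in hypotheses}
    for e in evidence:
        for h in hypotheses:
            rating = e.ratings.get(h, N)
            if rating < 0:
                scores[h] += -rating * e.credibility
    return scores


def diagnosticity(evidence, hypotheses):
    """Spread of ratings across hypotheses for each evidence item.

    Zero spread means the item fits every hypothesis equally and should carry
    no weight in the bottom line, however striking it looks on its own.
    """
    return {
        e.label: max(e.ratings.get(h, N) for h in hypotheses)
        - min(e.ratings.get(h, N) for h in hypotheses)
        for e in evidence
    }


def rank_hypotheses(evidence, hypotheses):
    """Hypothesis labels ordered from least to most inconsistent evidence."""
    scores = inconsistency_scores(evidence, hypotheses)
    return sorted(scores, key=scores.get)


def non_diagnostic(evidence, hypotheses):
    """Evidence items that do not help discriminate between the hypotheses."""
    return [label for label, spread in diagnosticity(evidence, hypotheses).items()
            if spread == 0]


def report(evidence=EVIDENCE, hypotheses=HYPOTHESES):
    scores = inconsistency_scores(evidence, hypotheses)
    for h in rank_hypotheses(evidence, hypotheses):
        print(f"{h}  {hypotheses[h]:<52} inconsistency={scores[h]:.2f}")
    flagged = non_diagnostic(evidence, hypotheses)
    print("non-diagnostic evidence:", ", ".join(flagged) if flagged else "none")


if __name__ == "__main__":
    report()
```

The output is not an attribution; it is a ranking of what the current evidence fails to rule out, which is the honest bottom line the earlier sections ask for. The credibility weights make the source evaluation explicit so that a reader can challenge them, and the non-diagnostic list is a built-in check on the temptation to lead with the most vivid finding.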
Based on personal experience, I believe these practices are essential. Not only do they reduce confusion for consumers of threat intelligence by making the analysis clear, but in the long term, if practiced broadly, they can limit the damage done to security and to our industry by a culture in which prestige goes to whoever is first to find and first to print or tweet. In that spirit, I encourage you to question everything you think you know, be open to alternatives, and keep up the good fight.
In addition to Heuer’s work, here are some other reading recommendations from Insikt Group analysts: