This was first published on Tripwire here.
In the previous blog in this series, An Introduction to Cyber Intelligence, I gave an overview which primarily focused on defining and discussing some of the fundamentals of intelligence work in general. In this edition we will cover more in depth what it means to be a cyber intelligence analyst in terms of understanding intelligence products, skills to develop, and an introduction to the sub-disciplines of cyber intelligence.
First we need to start with the end goal in mind – intelligence products. An intelligence product is that final evaluation of the data that you provide in a polished and easy to understand format to the customer.
In some cases the customer may just be yourself, your organization, or customers of your organization. There are no set formats and standards for the intelligence product, but technical writing is definitely a skill that needs to be developed properly. The focus should be presenting intelligence that satisfies the original goal or intelligence need.
One common method is to give a Bottom Line Up Front (BLUF) type statement, which is nothing more than a quick summary that if the reader only has 10 seconds to read your report, what they should take from it. Following that, intelligence products should contain the important details from the information evaluated and the analyst’s opinions.
These opinions should be clearly separated from the facts presented as analysts should be careful not to misrepresent the data. Ultimately, it is the intelligence analysts’ analysis that is most important; that individual is the expert on the subject matter and important decisions are often derived from intelligence products.
With the end goal of the intelligence product identified, the question is left as to how intelligence analysts become better at creating such reports. Technical writing skills are a must, but those are most often developed over time with practice writing.
The most important piece though is the analysis skill of the intelligence analyst. At times this skill is more of an art form than a hard science. However, it can be aided in a few ways. First, it requires that you become a technical expert in the area you are working.
Unfortunately, many starting analysts feel that intelligence tradecraft is a “fuzzy” field that people without technical skills can still be experts. The opposite is the case; cyber intelligence performed correctly should be the most technically demanding field. A good analyst should be able to pick out what is obviously true or obviously false almost instantly when presented information.
For example, a cyber intelligence analyst who does not understand routing protocols and infrastructure cannot give proper analysis on what it means when an adversary communicates with their servers by sending malformed and manipulated TCP packets.
Likewise, if the cyber intelligence analyst does not have enough understanding of exploits to identify the difference between a 0day that is ineffective and a 0day that can severely hamper core operations then their analysis will be of little use for actionable recommendations to defense.
In this way, good cyber intelligence analysts are those who have a strong understanding of their organization, know the intelligence needs, and are technical experts. These skills are developed with time, but can be quickly sharpened through practice and reading the security books, blogs, and threat feeds of others in the field. There is no substitution for hard work in this field but the wheel does not have to be reinvented each time.
Additionally, a good cyber intelligence analyst should be able to identify and call out “experts” giving bad analysis. It is sometimes even more important to be able to identify bad intelligence than it is to generate good intelligence products.
The second way to really sharpen analysis skills is to practice thinking critically. Instead of just thinking about what the answer is, or what answer another analyst arrived at, a good cyber intelligence analyst will think about what processes and questions they should ask themselves to arrive to the answer.
If an adversary is extracting documents off of your network. it’s important to think like the attacker and ask questions such as. “what would my next move be if I were the attacker.” or piece together the pieces of information to view the bigger picture. Maybe the attacker is going after a specific type of document. and you can determine where they might strike next.
The answer isn’t that they are going after a certain document but maybe how they are doing so, why, what they want to obtain, how the intrusion was discovered, how the next one can be discovered even when change is introduced, etc.
One resource that I consistently point my students to is a publication from the Central Intelligence Agency’s Center for the Study of Intelligence titled “Psychology of Intelligence Analysis” by Richard J. Heuer, Jr. It is a great publication worth reading in depth but for those with constrained schedules “Chapter 8: Analysis of Competing Hypotheses” is a must read.
In this chapter the concept of thinking critically and providing strong analysis is explored very well. The Analysis of Competing Hypotheses incorporates cognitive psychology, decision analysis, and the scientific method to help analysts arrive at a better conclusion. Understanding such concepts will propel your development forward.
Developing your skills is only a piece of the puzzle though to performing cyber intelligence. An analyst must have access to data and information to be able to exploit, or develop it, into intelligence. Cyber intelligence can use any source of information such as Firewall logs, Intrusion Detection System logs, digital forensic analysis, the reverse engineering of malware, open source Internet searches, honeypots, and more.
Truly, there is no single source of great information but instead an analyst needs to be able to combine multiple data sources seamlessly. Cyber intelligence fits into many fields and can aid every good analyst.
Those just starting down this path need to be open and ready to ask a lot of questions and research the answer themselves. When I was starting out I spent countless hours reading malware and campaign reports, using Google to answer questions I had, and clicking through endless Wikipedia links that originated from my original question. I did all of this while reinforcing what I was learning with hands on experience.
This ability to process large amounts of data and think critically is an invaluable skill for practicing cyber intelligence. This blog series will not cover in depth specific tools or training methodologies (there are great tools out there such as RSS feeds, Maltego, Zmap, Nmap, Project HoneyPot, Twitter, Wireshark, and Cuckoo Sandbox) as they change over time. Your analysis skills should be tool agnostic and you must develop them by a dedication and passion to learning and research.
After gaining hands on experience and developing your technical expertise and analysis skills it is important to pick out the sub-disciplines of cyber intelligence and gain familiarity in each of them. Eventually you will gravitate to a topic that you enjoy most and you will become more competent in that area. With how much research and analysis you have to do to be an effective cyber intelligence analyst it is extremely important that you enjoy your focus area.
Some of the more prevalent sub-disciplines of cyber intelligence are:
- Intelligence Collection Operations
- Cyber Counterintelligence
- Threat Intelligence
The next three blog posts in this series will cover each sub-discipline in depth.