This blog is the first of several by the Multi-State Information Sharing and Analysis Center’s (MS-ISAC) Intel & Analysis Working Group (I&AWG) on Cyber Threat Intelligence and intelligence analysis. Starting with this blog we will explore what is cyber threat intelligence, and examine what it is used for, its value to MS-ISAC members, the difficulties inherent in developing cyber threat intelligence, and the varying components of intelligence, such as Words of Estimative Probability.

Cyber threat intelligence is what cyber threat information becomes once it has been collected, evaluated in the context of its source and reliability, and analyzed through rigorous and structured tradecraft techniques by those with substantive expertise and access to all-source information. Like all intelligence, cyber threat intelligence provides a value-add to cyber threat information, which reduces uncertainty for the consumer, while aiding the consumer in identifying threats and opportunities. It requires that analysts identify similarities and differences in vast quantities of information and detect deceptions to produce accurate, timely, and relevant intelligence.

Rather than being developed in an end-to-end process, the development of intelligence is a circular process, referred to as the intelligence cycle. In this cycle requirements are stated; data collection is planned, implemented, and evaluated; the results are analyzed to produce intelligence; and the resulting intelligence is disseminated and re-evaluated in the context of new information and consumer feedback. The analysis portion of the cycle is what differentiates intelligence from information gathering and dissemination. Intelligence analysis relies on a rigorous way of thinking that uses structured analytical techniques to ensure biases, mindsets, and uncertainties are identified and managed. Instead of just reaching conclusions about difficult questions, intelligence analysts think about how they reach the conclusions. This extra step ensures that, to the extent feasible, the analysts’ mindsets and biases are accounted for and minimized or incorporated as necessary.

The process is a cycle because it identifies intelligence gaps, unanswered questions, which prompt new collection requirements, thus restarting the intelligence cycle. Intelligence analysts identify intelligence gaps during the analysis phase. Intelligence analysts and consumers determine intelligence gaps during the dissemination and re-evaluation phase.