Intelligence Analysis Tradecraft 101: What? And So What?

Tom Carey
Aug 25, 2017

Most intelligence professionals that I have worked with in the private sector have a stronger cybersecurity background than one in traditional intelligence analysis and tradecraft. And the analysts that come from the US Intelligence Community were not necessarily in “Analysis” branches (vs. “Policy” or “Collection Management” branches).

While I have found most private sector analysts to be quite talented and their built-from-scratch take on intelligence to be a refreshing perspective on some dated practices I saw in military intelligence, a consistent baseline of analysis tradecraft is lacking across many organizations and across the cybersecurity field in general.

With that, I am sharing a few gems from my old “Analysis 102” notebook that my first mentor in intelligence shared with me years ago. While this may be very basic for some, do not take for granted that your intelligence team has been trained in these concepts.

Most of these concepts apply to writing strategic intelligence products for security leaders in the private sector, but the core understanding of “What?” and “So what?” extends to tactical intelligence analysts working more closely with their SOCs.

The Analytic Mission

The intelligence analysis mission is to synthesize. Analysts:

  • Interpret, they don’t describe.
  • They render the complex simple.
  • They read, weigh, and assess fragmentary information to determine what it means, and to get the “big picture.”
  • They draw conclusions that are greater than the data they are based on.
  • They see the forest, not the trees.

When to Write

Most private sector intelligence does not belong in a finished intelligence product — it belongs in a high-quality feed to the Detection and Response teams, or in a Full-Service program adding value to your company — but in some cases, executives and security leaders want a product they can hold in their hands and reference as they make decisions.

Before writing or publishing an intelligence product, the top-level question to ask yourself is:

Will this product create Decision Advantage for my customers? (i.e. What actions may be taken as a result of reading this product? and Will my product provide something unique to my customer that they cannot easily obtain from another source?)

An intelligence product is needed if, and only if, the answer to this question is ‘Yes.’

The opportunity for Decision Advantage comes by conveying not only an event, or series of events, pertinent to your customer, but your analysis. In other words, the What? and So What?

What is happening?

Intelligence is event-driven. Every product needs a hook; a development that gives you an opportunity to write.

The development can be a single event. For example:

  • A variant of malware is infecting other companies in your sector.
  • A new 0-day vulnerability has been discovered.
  • A cyber security policy with industry-wide implications has been passed.
  • A series of events taking place in the campaign you follow.

The event can be happening now, forthcoming, or something you predict.

Does it meet the threshold?

The threshold is a significant departure from the norm that warrants the attention of your customer because it has implications for their interests.

The ‘So What?’

In other words, ‘What can I add that is unique?’

You have to go beyond what is said in the press or what the basic facts are to add something unique. You must provide judgments or insights that answer one or more of your customers’ questions:

  • What is actually going on?
  • What does it mean?
  • What might happen next or in the future?

The crucial question to ask is, “What must the customer know compared with what would be nice or interesting for him or her to know?” and exclude the latter.

  • What new fact or point would the customer want to know first?
  • If I had to exclude everything else, what one thing would I tell him or her?
  • What would the customer want to know next? And next? And next…?
  • What is the least important thing?

If the product you have in mind has the potential for creating Decision Advantage, has a hook, meets a threshold and adds something unique, then write!

Part 2: Writing Effective Intelligence


Originally published at craftcyber.net on August 25, 2017.
