In my previous blog in this series I discussed the challenge of effectively communicating intelligence, and provided examples of how we inform our clients of individual incidents. Now, I’ll discuss how we communicate the more in-depth and comprehensive information to consumers. The challenge with this is to maintain brevity, clarity, and relevance, whilst also ensuring that the product is easy for the consumer to digest.

As part of our intelligence coverage, we also track multiple threat actors, campaigns, events, TTPs, and criminal locations. This makes up our intelligence base, or our combined knowledge of the threat landscape. We use this collection of insights to inform our clients when we see any of those affect them, but also have them available if a client wants to conduct further research into a threat (we like being transparent!).

Actor Profile

Our profiles include four main elements: biography, timeline, associations, and incidents. The bio provides a short summary of the entity, including an overview of tactics, a threat level, and all the associated STIX/TAXI tags. Our analysts work hard to keep these summaries as short as possible, whilst including the key details. The purpose of this is to provide readers with rapid access to information on threat actors. If further detail is required, users can also access a timeline of the entity’s activity, a link chart of their associations, and also a list of attributed incidents. This provides users with a rich repository of intelligence reporting, where they can use STIX/TAXI to search for entities which, for example, effect their sector, or use a particular malware variant, allowing them to pivot whilst researching.

Actor Timeline

The other intelligence communication method I wanted to discuss is our weekly intelligence summary. Whilst our intelligence base can be explored through our portal, the intelligence summary is pushed to our clients weekly.

Source Evaluation

The purpose of the intelligence summary is to update consumers on the previous seven days of activity from across the threat landscape. By its nature, it is reactive and driven by events, however is intended to provide context and insight around developments. For those familiar, it could be compared to the UK current affairs publication The Week.

The top of each week’s report is an executive summary. Aimed at busy readers, the purpose of this is to provide a rapid overview of each article within the full intelligence summary. Usually this is enough for most readers to gain the insight which they require. However, for when more detail is required, the full articles present our sources and analysis. Here we provide a detailed overview of the sources which we have used, a full description of the event, an assessment of how we anticipate this situation to develop, and lastly an assessment of the ‘so what’. The intention is to answer all of the readers’ questions, and efficiently inform them of threats. We also include an explanation of our sources, and how we have evaluated their credibility.

Wherever possible, we try and maximize the transparency of our assessments, and will include any Structured Analytical Techniques we use, such as trending, SWOT analysis, or Analysis of Competing Hypotheses. This gives consumers a deeper understanding of how we have connected the dots and can be valuable when consumers wish to action our intelligence, and are required to show their reasoning up the chain of command.

We also use infographics where they can replace text. These are easier to consume than prose, and can often have a better impact. Importantly, these are only used where we deem them to be effective. They are not used to enhance the aesthetics of an intelligence product!


ACH example

In conclusion, communicating intelligence is tough. Readers are busy people. They demand simple and easy consumption. They rely on intelligence analysts and managers to develop effective methods for communicating. As discussed in this series, at Digital Shadows (now ReliaQuest) will employ a range of techniques for achieving this across incidents, our intelligence base, and our intelligence summaries. The key factor in a lot of this is knowing and understanding the customer, and how they like to receive and digest intelligence to support their mission. By doing this, the impact of intelligence can be increased, and greater value gained from an intelligence capability.