13 Principles of Threat Intelligence Communication 13 Principles of Threat Intelligence Communication
I have written at length about bad threat intelligence. However, I think it is time that I spend the effort communicating my key principles... 13 Principles of Threat Intelligence Communication

I have written at length about bad threat intelligence. However, I think it is time that I spend the effort communicating my key principles to making great threat intelligence. One aspect of great threat intelligence is great communication. As I have said before, you may be the greatest analyst in the world, but if you can’t effectively communicate your knowledge then it is of little use.

I’ve found these principles apply to all modes of my communication when discussing threat intelligence with others. They’ve guided me well and I hope they do the same for you.

Answer the Three Questions

All threat intelligence communication should work towards answering three critical questions, if you clearly articulate the answer to these questions your communication will be generally successful.

  1. What is it? (give me the information)
  2. Why should I care? (tell me about the threat and its relevance to me)
  3. What am I going to do? (enable my decision and action)

Maintain Your Focus

Focus is key to your communication – understand your audience and your objective and maintain that throughout. Here are some elements which help me:

  • Remember the four qualities of good intelligence (CART): completeness, accuracy, relevance, and timeliness. Fulfill them as best you can.
  • Remember the purpose of threat intelligence to inform and enable effective decision-making, whether that be tactical/technical, operational, or strategic. You don’t need to provide EVERYTHING, only that which will support and enhance the intelligence.
  • Length matters: your communication should be as long as it needs to be but never longer than it should be. Here’s a secret: it’s okay to not communicate everything in one vehicle – sometimes separating the material makes the threat intelligence more effective.
  • Don’t derail your audience. After reading your 30 page report, make sure I know the value of the information and that you’ve addressed the key questions. For example: don’t all of a sudden drop an unrelated element in your conclusion just because you want to make a point.

Analytic Integrity is All You Have

Intelligence is about trust. When people can’t independently verify your findings and conclusions (which most won’t/can’t) then they must trust you. You must create, support, and encourage that trust by practicing analytic integrity in your communications. If you break that trust you lose your integrity and nobody will listen to you. Here are some of my rules to creating and encouraging trust with your audience:

  1. Don’t lie – if you don’t know, just say that
  2. Don’t embellish – don’t use hyperbole or language which might cause an over-reaction
  3. Don’t plagiarize – never intentionally (and avoid accidents) copy the work of another
  4. Practice humility – hubris infers overcompensation for weakness, be bold but not stupid

Be a Storyteller

Threat intelligence is a story – tell it as one. Threat intelligence should have a beginning, middle, and an end. Engage your audience.

The Summary IS the Communication

I know it sounds weird, but your summary is the most important part of your communication. This is what people will remember and what they’ll rely on most afterwards. For many, this is the only part to which they’ll pay attention. The summary (or key points, etc.) should be par excellence. I instruct analysts to spend at least 20% of their time on their summary and conclusion – it is that important.

As the old adage goes: “tell them what you’re going to tell them, tell them, tell them what you told them.” This is CRITICAL advice and not often heeded by technical analysts.

However, I want to caution you. Others suggest that following this old adage only bores an audience. I agree that it is a pitfall for most, only because many follow the guidance without understanding it. Avoid the summary and conclusion containing the same bullet points or phrasing – that is boring. However, your summary/introduction/key points/etc. and your conclusion should carry your key message and information, but in different ways.

Language Matters

The language you use greatly determines the effectiveness of your communication.

  • Use Active Voice – this isn’t some joke or regurgitation of high-school English. It matters. Active voice has been proven to decrease ambiguity and increase comprehension. It improves your intelligence.
    • Science: “Certain syntactic constructions are known to cause the processor to work harder than others. Sentences with passive verbs are more difficult to comprehend than those with active verbs (Gough 1966; Slobin 1966; Olson and Filby 1972; Ferreira 2003) since they not only reverse the standard subject-verb-object order of the participants but are often used without a byphrase , which omits one participant altogether and can obscure the grammatical relations.”
  • Use Estimative Probability – judgements, hypotheses, and conclusions are never 100% certain; use words of estimative probability to clarify your certainty to your audience.
  • Clarity wins over all – don’t use complex language when simple will do.
  • Minimize subjective qualifications – avoid words/phrases like (sophisticated adversary) or (complex encryption) unless you can measure them either objectively or in comparison with others. These phrases only add ambiguity.
  • Words mean things – don’t dilute your language or create a phrase when one already exists.
  • Analysis is not a religion – don’t use the word believe; hold measured judgements expressed in language differentiating fact and hypothesis.

Value Your Audience

Value their intelligence and their time. They are not fish caught by click-bait or hyperbole but respected for their interest in your work. Your audience is spending time with you because they think you have something valuable to communicate and they have come to learn something new – GIVE IT TO THEM! Or, they will leave you.

Images are Powerful

Use images strategically to tell your story, reinforce critical concepts, and increase accessibility and understanding. Images should not become overwhelming, distracting, or superfluous.

Write for Your Future Self

Communicating intelligence and analysis is HARD. It’s hard because you’re trying to take a very complex cognitive process and share that with others. I’m not the only one who has read something they wrote a year ago only to scratch my head and wonder what I was smoking. I’ve found that to make this easy I simply imagine that I’m communicating to my future self – say 1, 2, or 3 years from now. This helps ensure that I include important details which are obvious now but will be lost later. Further, it ensures that I make my logic chains clear and easily followed by others.

Don’t be an Island

Be part of the community. Respect the community. Expand on the work of others and fill in knowledge gaps. Confirm others’ findings and add support to their conclusions or hypotheses. Add exculpatory evidence and provide alternative hypotheses. And here’s a secret: it’s okay to point to the analysis of others in your communication – you don’t always have to self-reference. This actually adds value for your audience and makes you more valuable to them because they trust you’re going to tell them the whole story – not just your story.

Respect Your Adversaries

Don’t belittle adversaries in your threat intelligence. Don’t give them undue credit, but also don’t take away from their effectiveness. This will only lead to hubris – and hubris is deadly. We all know of an analyst who called a threat “unsophisticated” or “simple” only to later report a massive compromise.

Be Bold, Be Honest, Be Right, But Always Be Willing to be Wrong

I’ve said it before, I like my analysis like I enjoy my coffee, bold. I want analysts to be analysts – not reporters. I want to hear ideas, conjecture, assessment, opinions. I want those clearly separated from the facts.

Separate Fact From Everything Else

This is a pretty simple rule. But harder to follow in practice while working through a complex analysis. Strive to use language, format, font, etc. to separate fact from hypothesis. Because threat intelligence enables decision-making, decision makers (whether a SOC analyst, a CIO, or whoever) should make their own judgement based on your analysis. If your facts and hypotheses are indistinguishable it is highly likely they’ll make poor decisions based on misinterpreted analysis.

 

No comments so far.

Be first to leave comment below.

Your email address will not be published. Required fields are marked *