Machine and Human Analysis Techniques (and Intelligence Cycle)

Analysis Techniques

Strategic Intelligence Analysis

In order to understand how to analyze information, we must first understand the information hierarchy, also known as the Data, Information, Knowledge, and Wisdom pyramid.


This pyramid is a graphical representation of how data is transformed into wisdom:

How does this look in an information security organization?

Information Security Organization

Intelligence and Cyber Security

“Cyber intelligence is the ability to gain knowledge about an enterprise and its existing conditions and capabilities in order to determine the possible actions of an adversary when exploiting inherent critical vulnerabilities. It uses multiple information security disciplines (threat intelligence, vulnerability management, security configuration management, incident response, and so on) and tool sets to gather information about the network through monitoring and reporting to provide decision makers at all levels to prioritize risk mitigation.”

Priority Information Requirements


Military commanders make decisions based on specific pieces of data that pertain to answering a specific question. The gathering of that information for the commander is driven by Priority Information Requirements (PIRs). PIRs drive intelligence-gathering operations because they provide guidance on which information is most important to the commander, so that they can plan the next steps.

Good PIRs have three criteria:

  1. They ask only one question
  2. They focus on a specific fact, event, or activity
  3. They provide intelligence required to support a single decision

Military examples:

The same logic can be used within private organizations through Key Performance Indicators or Key Risk Indicators. Leaders have to provide targets and the means to measure them, in order to validate whether results fall within or outside defined thresholds. A top-down approach to defining the specific information to be derived from multiple security tools fuels an organization’s capability to prioritize and analyze information so that it is accurate, timely, and actionable.

Below are examples from the first two Center for Internet Security Controls:

  1. Do we have an inventory of authorized and unauthorized devices?
  2. Do we have an inventory of authorized and unauthorized software?

The above scenarios provide multiple points of intelligence gathering that give a holistic view of an organization’s risk exposure and its propensity to be exploited by adversaries.


The Defense Acquisition Guidebook (DAG), Chapter 7, provides guidance to Program Managers (PMs) on how to use intelligence information and data to ensure maximum warfighting capability at a minimum risk to cost and schedule.

“The ‘intelligence cycle’ is a process which forms the basis of operations in government organizations like the CIA and the NSA. It very broadly outlines the stages of developing raw information into finished intelligence for policy makers to use in decision making.”

The Intelligence Cycle


  1. Planning and Direction
  2. Collection
  3. Processing and Exploitation
  4. Analysis and Production
  5. Dissemination and Feedback

Technical Intelligence Analysis

Technical intelligence needs to be accurate, timely, and actionable. Analysis methodologies are designed to provide better ways to operationalize technical data in support of security operations.

Intelligence at this level is focused mostly on indicators of compromise (IOCs) and signatures [1].

The analysis phase of the threat intelligence lifecycle aims at evaluating, analyzing and interpreting the processed information against the program’s requirements (planning phase) to provide analytic judgments that determine confidence, relevance and threat impact of the collected data.

Structured Human Analysis Techniques


Direction, Collection, Processing, Analysis, Dissemination, Feedback (Review)


Collecting threat data is the first step in producing threat intelligence.

It is fundamental to highlight the difference between indicators and signatures as well as the difference between atomic and composite indicators.

A signature should be thought of as a fingerprint (something that has high confidence), whereas indicators are not as precise and need to be further analyzed and contextualized to produce valuable information.

By analyzing indicators we try to move from atomic indicators (a single piece of information, e.g. an IP address) to composite indicators (atomic pieces of information put together).

Composite information is much richer in content and can better support security operations.

The data collected is only as good as the use you make of it, and the analysis phase helps assess how relevant it is to your environment.

Moving from atomic to composite indicators to climb the pyramid of pain [2].

Data preparation steps

Def: Data Preparation is the process of (collecting), cleaning, and consolidating data into one file or data table, primarily for use in analysis.

  1. Data consolidation refers to the collection and integration of data from multiple sources into a single destination. During this process, different data sources are put together, or consolidated, into a single data store.

    Enrichment adds more context to the atomic data, giving pivot points for aggregation, correlation and visualization.

    Sources for enriching atomic network indicators:

    • pDNS (A, AAAA, PTR... records)
    • AS
    • ASN
    • Geolocation data
    • BGP lookups

Enriched technical indicators’ keys:

  2. Data cleansing:

    Data cleansing or data cleaning is the process of detecting and correcting (or removing) corrupt or inaccurate records from a record set, table, or database and refers to identifying incomplete, incorrect, inaccurate or irrelevant parts of the data and then replacing, modifying, or deleting the dirty or coarse data.(wiki)

    This means removing well-known indicators that can be associated with potential false positives, errors or mistakes.

    MISP offers a list of 31 sources for data cleansing [3].
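
The consolidation, cleansing and enrichment steps above, as an added example (not code from the original page or from MISP). The warning list, pDNS and ASN tables are constructed sample data built on documentation address ranges, and all function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation ranges (RFC 5737) and reserved
# ASNs (RFC 5398). A real pipeline would query pDNS/ASN/geolocation services.
WARNING_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8", "8.8.8.8/32")]
PDNS = {"203.0.113.10": ["login.bad.example", "cdn.bad.example"],
        "203.0.113.77": ["cdn.bad.example"],
        "198.51.100.7": ["update.evil.example"]}
ASN = {"203.0.113.0/24": (64500, "EXAMPLE-HOSTING", "NL"),
       "198.51.100.0/24": (64501, "EXAMPLE-TELECOM", "BR")}

def cleanse(values):
    """Drop malformed entries, duplicates and warning-list hits."""
    kept, dropped = set(), []
    for raw in values:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            dropped.append((raw, "malformed"))
            continue
        if any(ip in net for net in WARNING_NETS):
            dropped.append((raw, "warning-list"))  # likely false positive
        else:
            kept.add(str(ip))
    return sorted(kept), dropped

def enrich(ip_str):
    """Attach pDNS, ASN and geolocation context to one atomic indicator."""
    ip = ipaddress.ip_address(ip_str)
    asn, name, country = next(
        (v for net, v in ASN.items() if ip in ipaddress.ip_network(net)),
        (None, None, None))
    return {"ip": ip_str, "pdns": PDNS.get(ip_str, []),
            "asn": asn, "as_name": name, "country": country}

def prepare(feeds):
    """Consolidate feeds, cleanse them, and return composite indicators."""
    merged = [v for feed in feeds for v in feed]
    kept, dropped = cleanse(merged)
    return [enrich(ip) for ip in kept], dropped

def pivot(composites, key):
    """Group composite indicators on a shared attribute (a pivot point)."""
    groups = defaultdict(list)
    for c in composites:
        groups[c[key]].append(c["ip"])
    return dict(groups)

FEED_A = ["203.0.113.10", "8.8.8.8", "192.168.1.5", "198.51.100.7"]  # constructed
FEED_B = ["203.0.113.77", "203.0.113.10 ", "not-an-ip"]              # constructed
```

Calling prepare([FEED_A, FEED_B]) and then pivot(composites, "asn") shows two atomic IPs that share nothing on their own clustering under one AS once enriched.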


  1. Practical Cyber Intelligence
  2. Intelligence Support and Acquisition
  3. Applying Government Intelligence Strategies to Commercial Organizations