Skip to main content

Threat Intelligence: The Delivery

February 26, 2014

The best thing an intelligence analyst can provide to his customer is a finished product which is actionable and well laid out. The analyst needs to be a trusted source for intelligence information so that the consumers will listen and act on the information received.

There needs to be a takeaway for the operations component of any organization that initiates some form of action. In the military world, this may be a location of enemy fighters that needs to be targeted with munitions from either the air or ground. Or it may be a specific geographic area that needs to be secured, causing friendly forces to move to that space. In the information security world, it should be a set of recommendations used to protect against a known threat or attack based on best practices or the implementation of new signatures, custom alerts or device management rule changes. Well laid out simply means that it is in a format that is easily consumed by the end user to allow for the analysis to be interpreted and trusted.

With consumers at all levels within the organization, it is crucial that the product be formatted appropriately. Utilizing a common reporting structure that includes an executive summary, as well as a technical analysis and conclusion sections provides the necessary information to satisfy both the decision makers and the operators in the organization.

Executive Summary

The product should lead with a good, concise executive summary that condenses the findings for senior leadership and executive management. This allows for them to quickly read the finding up front and be able to move on, knowing that his organization is being proactive against the threat. They generally do not have the time necessary to dive deep in to the analytical methodology or findings.

Main Body

The main body is where the analyst will present his or her examination and analysis of the subject matter. The analyst should walk the reader through the findings, such as the breakdown of how a particular piece of malware works and the indicators derived, or possibly trended analysis of how a specific or individual indicator has morphed over a given period of time. This section is obviously dependent upon the subject of the product and the analytical methodology used, but will present the reader with the necessary evidence leading in to a conclusion and why the implementation of the recommendations is needed. The analyst can provide graphs, timelines, or networked analysis images to show how he reached his conclusions and provide for the visual representation of his finding.


The above sections should then be bundled into a conclusions portion that is similar but more in depth than the executive summary. It should include the analyst’s opinions and recommendations, up to and including the technical signatures and custom rules to be implemented. It should be worded in a way that spurs action by operations and understanding for executive leadership.

Remember, the goal of the intelligence analyst is to be a trusted source of intelligence information and to be relied on as the subject matter expert in the organization. By having an informative finished product that is technically proficient, easily consumed and leads to engagement from operations satisfies the intelligence support requirement of the information security program.

Related Blogs

March 05, 2015

Why do they call it DLP?

I always have to ask myself every time I hear the acronym “DLP.” Why do they call it that? There is no “prevention” in most DLP. It should be called D...

See Details

February 05, 2015

GHOST Vulnerability Puts Linux Systems at Risk | Optiv

A critical security vulnerability in the GNU C library, CVE-2015-0235 (a.k.a. “GHOST”), was reported on January 27, 2015. Many Linux systems are vulne...

See Details

January 15, 2015

DDoS Attacks Are Seldom What They Seem

In performing incident response over the years, I have frequently been pulled into DDoS incidents. These calls don’t come in every day, but they are p...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Related Insights

October 06, 2017

Managed Security Services - Service Guide

Learn about our flexible and scalable services to improve your security capabilities.

See Details

May 29, 2012

What is DLP (Data Loss Prevention)?

As a Certified Information Systems Security Professional (CISSP) and Payment Card Industry (PCI) Qualified Security Assessor (QSA), I frequently run i...

See Details

June 16, 2014

Planning for a DDoS Attack

Last week several prominent DDoS (distributed denial of service) attacks were in the news, specifically targeting the popular note-taking app Evernote...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cybersecurity Events in your area.