Intelligence is the asset generated by collecting and analyzing data, then forming that analysis into an actionable output, such as a report. Well-formed intelligence products can aid with predicting future actions by understanding past behaviors, help determine appropriate courses of action for attacking or defending objectives (such as critical infrastructure), or even help improve situational awareness around macro-level industry or economic trends in a business.
Open-Source Intelligence (OSINT) refers to intelligence data gathered from public sources, and has quickly become one of the most important elements of intelligence programs for entities ranging from the Intelligence and Defense communities, to law enforcement, to businesses, and even journalists and hobbyist researchers. Common sources for OSINT collection include social media, video sharing platforms like YouTube and Vimeo, and blog and news websites, on both the clear and dark web.
Understanding the Intelligence Cycle is key to a successful investigation, whether you are working exclusively with open sources, or you’re analyzing classified government intelligence. The Intelligence Cycle consists of five phases, and is a looping process where findings and feedback from each iteration can be used to help feed the planning and direction that goes into the next round of investigations. The five phases of the Intelligence Cycle are:
- Planning and Direction: Begin your investigation by understanding the need for data and defining specific requirements for intelligence collection and analysis, as well as identifying the scope of sources to be used for the investigation. If this is a continuation of an investigation based on past findings, leverage the previous finished intelligence product(s) from that investigation and the feedback from the intelligence consumers to drive your next steps.
- Collection: Gather the raw information that you need to produce your finished intelligence product. Information should be collected from all sources which are in-scope for the investigation, even if the information does not appear relevant at first.
- Processing and Exploitation: Convert the information you’ve collected into usable data. This can include decryption and decoding efforts, translation, data deduplication, reformatting data, and even conducting follow-up collection efforts to expand your dataset based on previously unknown selectors (search terms).
- Analysis and Production: This phase involves analyzing all the intelligence collected, and potentially intelligence gathered during previous efforts, to build your finished intelligence product (e.g., your intelligence report).
- Dissemination: Finished intelligence products should be distributed to the intended consumers of your intelligence product, so that the intelligence can be reviewed and actioned if necessary. Feedback and actions on the finished intelligence products can be used to fuel future iterations of the intelligence cycle for this case, or for future casework.
Intelligence can be a game changer, whether you’re looking to investigate a missing persons case, understand business and marketplace competition, assess vendor and supply chain risk, or even plan a penetration test or red team engagement. Leveraging the Intelligence Cycle, along with this notebook and other tools at your disposal, can help you be successful in generating finished intelligence for your investigations, projects, and organizations.
- The Threat Intelligence Lifecycle: https://www.recordedfuture.com/threat-intelligence-lifecycle
- Five Phases of the Threat Intelligence Lifecycle: https://flashpoint.io/blog/threat-intelligence-lifecycle/
- Threat Intelligence Lifecycle | Phases & Best Practices Explained: https://snyk.io/learn/threat-intelligence/threat-intelligence-lifecycle/
- Open-Source Intelligence (OSINT) Cycle: https://securityorb.com/featured/the-open-source-intelligence-osint-cycle/