General methodologies for intelligence analysis

Psychology of Intelligence Analysis by Richard J. Heuer, Jr.

Psychology of Intelligence Analysis by Richard J. Heuer, Jr. (available as PDF and epub) provides insights for intelligence analysts, practitioners and academics to improve analysis at large.

Analytical judgments and estimative analysis

Judgment under Uncertainty: Heuristics and Biases by Amos Tversky; Daniel Kahneman

Judgment under Uncertainty: Heuristics and Biases helps analysts take into account biases in judgement, especially when evaluating uncertainty.

The Admiralty Scale (also called the NATO System)

The Admiralty Scale (also called the NATO System) is used to rank the reliability of a source and the credibility of a piece of information.

The Admiralty Code is a relatively simple scheme for categorising evidence according to its credibility. It was initially used by the British Admiralty for the assessment of evidence used in naval intelligence, but it is now used in many police departments, intelligence agencies and defence-related organisations, including the US Army (US Army Field Manual 2-22.3, 2006). ref: The Admiralty Code: A Cognitive Tool for Self-Directed Learning

A MISP taxonomy called ‘admiralty-scale’ proposes an applied model to tag information in a threat intelligence platform.

The Admiralty Code for evaluating the credibility of evidence

Words of Estimative Probability

Words of Estimative Probability proposes clear wording for expressing estimated probability. A MISP taxonomy called ‘estimative-language’ proposes an applied model to tag information in a threat intelligence platform.

Expressing Confidence In Analytic Judgments

JP 2-0, Joint Intelligence (Appendix A, page 114) includes an appendix on expressing confidence in analytic judgments. This has been included in the MISP taxonomy called ‘estimative-language’, so that these analytic judgments can be used in a threat intelligence platform to directly express the confidence level of the tagged information.

INTELLIGENCE CONFIDENCE LEVELS IN ANALYTIC JUDGMENTS

Model of Intrusion and Attack Analysis

Cyber Threat Framework by Office of the Director of National Intelligence

The Cyber Threat Framework was developed by the US Government to enable consistent characterization and categorization of cyber threat events, and to identify trends or changes in the activities of cyber adversaries. The Cyber Threat Framework is applicable to anyone who works on cyber-related activities; its principal benefit is that it provides a common language for describing and communicating information about cyber threat activity. The framework and its associated lexicon provide a means for consistently describing cyber threat activity in a manner that enables efficient information sharing and cyber threat analysis, and that is useful to senior policy and decision makers and detail-oriented cyber technicians alike. ref: Cyber Threat Framework

A MISP taxonomy called ‘cyber-threat-framework’ proposes an applied model to tag information in a threat intelligence platform.

The Diamond Model of Intrusion Analysis by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz.

The Diamond Model of Intrusion Analysis presents a novel model of intrusion analysis built by analysts, derived from years of experience, asking the simple question, “What is the underlying method to our work?” The model establishes the basic atomic element of any intrusion activity, the event, composed of four core features: adversary, infrastructure, capability, and victim. A MISP taxonomy called ‘diamond-model’ proposes an applied model to tag information in a threat intelligence platform.

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains by Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin

Using a kill chain model to describe phases of intrusions, mapping adversary kill chain indicators to defender courses of action, identifying patterns that link individual intrusions into broader campaigns, and understanding the iterative nature of intelligence gathering form the basis of intelligence-driven computer network defense (CND). ref: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

A MISP taxonomy called ‘kill-chain’ proposes an applied model to tag information in a threat intelligence platform.

MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)

MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and for verifying that defenses work as expected. ref: Adversarial Tactics, Techniques & Common Knowledge

MISP implements the complete ATT&CK knowledge base as a galaxy.

Process and framework to support threat intelligence analysis

CSAE (Collect, Store, Analyze and Engage) - A Comprehensive Data Science Framework and Case Study for Investigating Organized Crime and Serving the Public Interest

Towards Data Scientific Investigations - A Comprehensive Data Science Framework and Case Study for Investigating Organized Crime and Serving the Public Interest by Erik van de Sandt, Arthur van Bunningen, Jarmo van Lenthe, John Fokker.