Most reports we read are marketing documents. They are meant to impress you as opposed to inform you. Most come from organizations that sell technology, using the ‘report’ to drive you closer to a major purchase. Almost all technologies being sold are simple iterative improvements over the same information security model that does not work. Remember, it took a person identifying a pattern anomaly to find the SolarWinds hack. Not one solution in the marketplace today identified the issue. None of them, from FireEye and CrowdStrike to Palo Alto and the multitude of ‘threat intelligence’ products, could detect, discover, acknowledge, find, reason about, or behaviorally find the SolarWinds hack. Nary a one. It took a human. I digress.
Analytic writing should be very simple, with your primary analysis (with confidence level) answering the following:
- why now
- so what (why do we care)
- what is the impact so far
- what do we expect to happen next
- are there any immediate recommendations or opportunities for us to take
- what are the implications of those recommendations or opportunities
- what gaps do we have with collection and analysis
Keep it at a 9th grade reading level. Keep it to 1-2 minutes maximum in length. Limit the adjectives and adverbs. Remove complex sentences. Stay away from acronyms and jargon. Be sure to go back to your priority intelligence requirements (PIRs are NOT static and not just a technical response – they are driven by stakeholders, not tech product companies).
Use words of probability and likelihood (not in the same sentences as your confidence levels).
Finish with an alternative analysis that matches the bullet points above with a confidence level on the analysis findings (high, moderate, low). Confidence levels do not apply to evidence.
Remember, the intent is to inform quickly. If you want to try and impress someone, write a marketing document, aka a ‘Threat Intelligence Report.’
Take the course on Analytic Writing – it is liberating to write this way and your stakeholders will love it.