Question to Treadstone 71:
I am looking at your “Analytic Writing, Reporting, and Dissemination” and I was wondering if the course covers reporting and dissemination for all types of intelligence requirements (Tactical / Operational / Strategic), or whether it is for reporting addressed to only one in particular? If only one, which one?
First, an intelligence requirement may contain results that cover more than one type of intelligence.
Secondly, we look at types of intelligence from four perspectives (this is at a high level and includes, within the types, intelligence such as cyber, human, signals, etc.):
Unlike most tech companies with security backgrounds, our backgrounds started in the ’80s with intelligence. We see threat intelligence as a subset of cyber intelligence, and an area that we associate with traditional warning intelligence meant to notify early and prevent. We do not see indicators of compromise and threat hunting as an intelligence function, but as a necessary cyber hygiene task that may be driven or supported by intelligence. The act of hunting for threats in your environment means that, if found, they are already ‘inside the wire.’ The act of prevention has passed.
Lastly, we discern between analytic writing and report types. Analytic writing can address any of the four areas since that is a standard in the intelligence function of analysis. The ultimate goal is to follow analytic writing rules while communicating clearly and concisely, with the intent to inform. Report types are a by-product of analytic writing. As long as you follow analytic writing rules, it does not matter what type of intelligence you address.
This is where the concept of tearlines comes into play. You fashion your analytic writing in such a way that you can easily tear off sections based on stakeholder needs (the commercial sector explained below). For example, the SOC and Incident Response will likely want some level of operational and tactical with a heavy dose of technical, while stakeholders outside those functions may wish to learn of the strategic and operational components of your report. This comes down to how you build your reports (and not actual analytic writing). Tearlines may also be associated with classification levels, the protection of sensitive sources, and who should see what (for organizations that have a pure intelligence capability). Our experience shows that reporting in the commercial sector requires segmentation by intelligence type aligned with stakeholders. As with anything, there are exceptions to the norm.
For a review of (US) standards, please see Intelligence Community Directives (ICDs) 203, 206, and 208: