Skip to content ↓ | Skip to navigation ↓

This is the beginning of a short blog series on the topic of cyber intelligence, its sub-disciplines, and its uses. As an Adjunct Lecturer at Utica College, I teach graduate students in the M.S. Cybersecurity program on topics including cyber intelligence and cyber counterintelligence.

One of my observations while building the course syllabus and instructing the students is that there is a general lack of information on what cyber intelligence is and how to appropriately use it. There are a few resources out there but cyber intelligence is more often thrown around as a buzz word for company statements and contracts than it is actually defined and used.

I would argue that every good analyst working in information technology or “cyber” type roles uses intelligence; although I would readily admit that having encountered plenty of people in this field I know that some use it more than others.

The first step to understanding cyber intelligence is to realize that intelligence tactics, techniques, and procedures (TTPs) as well as various types of operations existed long before cyberspace was conceived. Intelligence is most often seen as offensive in nature when viewed from the lens of spying and collection operations but its ultimate purpose is also equally rooted in defense.

In a military context commanders want to know the intent of the adversary to either make better strategic choices on the battlefield (offense) or to more aptly prepare for an attack (defense). The definitions and tradecraft used by various government and military organizations serve as the best foundation for understanding cyber intelligence.

These definitions and processes will be reviewed in this first blog post and set the theme for the series as we explore the specific discipline of cyber intelligence more in depth.

The U.S. Department of Defense (DoD) has a document titled “Joint Publication (JP) 2-0 Joint Intelligence” (PDF) that serves as a foundation for their understanding and use of intelligence. From that document we can extract three very important pieces of information for use in cyber intelligence. The first is the definition of intelligence:

  1. The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations.
  2. The activities that result in the product.
  3. The organizations engaged in such activities.

From this definition we see that the DoD views intelligence as a product, the activities in that product, and the organizations performing the activities. Most civilian organizations and uses of intelligence will not include goals defined by foreign nations. A useful and more simplistic definition for general use thus can be presented as: Intelligence is both a product and process from collecting, processing, analyzing, and using information to meet an identified goal.

The key here is making sure the data meets some goal or purpose and is not just “intelligence for intelligence’s sake” (dragnet type intelligence operations actually hinder analysts and negatively impacts security; I’ll address the topic of privacy being crucial to security in a presentation to TROOPERS 2014 in March). This definition is applicable to cyber intelligence and we can simply apply the sources and efforts of the collection, processing, analyzing, and using of the intelligence to cyberspace related topics.

The second important piece of information from JP 2-0 is the way the DoD intelligence community defines its intelligence disciplines. This would be a much longer blog post to go through each discipline and define them but it is well worth the read to understand how the DoD defines specific categories of intelligence disciplines.

As examples, there are those that are more commonly referenced such as HUMINT (human intelligence derived from human to human interaction), OSINT (open source intelligence gathered from publicly available sources) and SIGINT (signals intelligence usually refers to electronic mediums from sources such as satellites).

There are also those less often referenced such as GEOINT (geospatial intelligence such as images taken from aircraft) and MASINT (measurement and signature intelligence such as radar data and nuclear radiation readings). It can be helpful to understand these terms but the biggest takeaway is realizing that there are disciplines of intelligence and that it is useful to categorize the intelligence by both its intended use and collection source so that you can evaluate it and apply it quickly and correctly. Cyber Intelligence would be a specific discipline in intelligence (some have tried to use CYBINT as this term although it has never truly caught on).

The JP 2-0 document contains a lot of other great pieces of information such as how the DoD fuses their intelligence products together to use them. This can be useful to providing a baseline of how others do it so you do not have to train yourself or others from nothing. However, the final useful piece of information I want to highlight is the intelligence lifecycle.

The intelligence lifecycle is something we will want to use extensively in cyber intelligence.  The intelligence cycle is a circular and repeated process to convert data into intelligence useful to meeting a goal of a user or customer; it has the following steps:

  1. Planning and direction Determine what your requirements are. To appropriately create any amount of intelligence out of information you should have a defined goal and intentions. This could be something as simple as wanting to know the command and control servers of a piece of malware so that you can block it on your network to wanting to know the type of information systems your target uses so that you can infiltrate them. As you move through the intelligence cycle you can go back and address the steps again (as an example if you get new data which reveals something you did not know, an intelligence gap, you may define a new goal).
  2. Collection – Where and how you acquire the data and information to process. This can be honeypots, Firewall logs, Intrusion Detection System logs, scans of the Internet, etc. You should know most of your available collection options while in the planning and direction phase so you can make reasonable goals or intelligence needs.
  3. Processing – The conversion of your collected information into something you can use. E.g. being able to access and parse through the data you collected. This may apply to how you store and access the data or the actual parsing of data such as converting it to human readable information such as ASCII from binary data.
  4. Production – This is the step in which you will take your data and turn it into an intelligence product. This is done through analysis and interpretation and thus is heavily dependent on the analyst. All produced reports should meet a defined intelligence need or goal from your planning and direction phase.
  5. Dissemination – Supplying your customer or user with the finished intelligence product. If your users cannot access your product or cannot use it then it is useless and does not meet a goal. JP 2-0 does not directly include “feedback” as part of the intelligence cycle but all organizations and analysts should consider Step 6 – Feedback and make sure that your planning and direction phase lined up correctly with what was produced.

From the above we gather a great start into understanding cyber intelligence and moving to a point where we can use it appropriately. We also see the theme that intelligence is highly dependent on analysts and their interpretation of data.

In this way, a great analyst can use a small data set and get more out of it than an untrained analyst could from “big data” sets. In the next blog we will take a look at what it means to be a cyber intelligence analyst and some tips on developing your skills.


Part Two: Developing Your Cyber Intelligence Analyst Skills


About the Author: Robert  M. Lee (@RobertMLee) is an Adjunct Lecturer at Utica College. He is also Co-Founder of Dragos Security LLC, a cyber security company which develops tools and research for the control system community. Additionally, Robert is an active-duty U.S. Air Force Cyberspace Operations Officer – his views and this article are his own and do not represent or constitute an opinion by the U.S. Government, DoD, or USAF. He has published and presented on cyber security topics in publications and conferences around the world, and is the author of SCADA and Me.


Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Related Articles:



picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].


picDefinitive Guide to Attack Surface Analytics

Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.


Title image courtesy of ShutterStock

10 Ways Tripwire Outperforms Other Cybersecurity Solutions
  • Jeff Bardin

    Robert. As a former student of mine you know the syllabus was created along with the curriculum by someone other than yourself. You also know that all the above and more is included in the course. A course that has run with great success in attracting and keeping students such as yourself. Best not oversell like the conversation we had at the bar in Utica that night at residency.

  • Robert Lee

    Jeff, I was never a student of yours nor did I take any Intelligence courses at Utica. I did attend Utica prior to teaching there but I was in the Digital Forensics track. However, I do work in the Intelligence Community in an active-duty USAF Intelligence Squadron where I run two teams: one performing a cyber-intelligence mission and one performing a computer network defense mission. The above, as I stated, is Intelligence tradecraft 101 and I clearly documented my source (JP 2-0).

    Additionally, you have me mistaken for someone else as you and I have never hung out at a bar together or anywhere else, I will admit though I met you one time in passing. You did teach at Utica though and I think those that step forward to educate and train others are doing a great service. Best of luck in all you do.

    • So, I guess you forget the residency and the evening at the Utica Hotel bar … Others there with me that night do not. Something I would not expect from an officer. Don't be a poser Robert. Please be sure to use citations when you copy directly. One last word of advice. Don't impose military tactics to civilian activities and, don't make statements about syllabus and curriculum that are both inaccurate and untrue. I do hope Joe knows what he has gotten himself into. That is all. Out.

      • Robert Lee

        Jeff, I'm not forgetting anything. I cannot actually prove that I was not at a bar with you (although I assure you I was not); however I can openly/publicly prove that I was never one of your students as you claim. My transcripts show that I was never in an Intelligence class at Utica and thus definitely not in any of yours. I do not understand the anxiety or frustration you are exhibiting and this is honestly becoming very silly. I completely documented my source (JP 2-0) and even linked to it. A quick look at the link will show, as I stated, that it is the source for everything I say in the above post; I do not make any grand claims. As far as the syllabus and curriculum when Joe asked me to teach the course I made a syllabus from scratch to use. This is another thing that I can publicly/openly prove. For someone who speaks about working in the realm of Intelligence you are making a lot of claims that I can factually disprove. I really hope this is some sort of mistaken identity because I do not understand where this anger is coming from; you are more than welcome to email me and I will prove all that I've stated.

  • Andre Gironda

    Few corrections: it's cyber security, not `cybersecurity'. There's no such thing as CYBINT. You're looking for TECHINT, perhaps?

    • Cybersecurity and cyber security are used interchangeably, there is no convention on that yet – much like InfoSec and infosec…

  • Robert Lee

    Andre thanks for the comment. As Anthony stated the terms gernerally get interchanged; there is no set standard. I saw one good naming convention for the difference between the two but it never ever took root in the community. Also as far as CYBINT I note in the article that it's a term that never really caught on but you'll still see the term pop up in the Intelligence Community from time to time. TECHINT deals with adversary equipment, not the method of collection and is generally used for physical items/equipment in the real world vs. anything in cyberspace. By and large the terminology used in the community tends to just be "cyber intelligence" and it doesn't often get put into a "INT" type category unless you collect it via a specific method such as HUMINT, SIGINT, COMINT, etc.

  • Angela Hoistion

    Great topic! Why is it so difficult to find a doctorate program in cyber intelligence vs. cyber security? They all seem to be cyber security with cyber intelligence as a subset…

<!-- -->