The final instalment of our blog series on AI’s potential for the threat intelligence cycle is here. After all the directing, collecting, and analysing, it’s time to disseminate, or publish the insights gathered for your client.
Dissemination is the most overlooked intelligence-cycle phase. Maybe that’s because it’s the end and, after three other phases, communicating insights to your client might seem like coasting to the finish line. If the insights are communicated well, then the client is bound to understand them well enough to use them, right?
It’s not that simple, unfortunately. Inspired by an insightful presentation we recently sat in on, we were moved to explore why, and how AI has potential in this phase.
Get to Know Your Readers (All of Them)
It is easy to assume that writing and disseminating an intelligence report is straightforward. What that assumption misses is that reading published intelligence takes a lot of time, and not all readers are created equal. Some might have only five minutes and want just the gist of a situation (e.g. decision makers); others might have more time and the desire to really dig into the details (e.g. analysts).
If we apply the ‘more is better’ philosophy to report writing, we’re ignoring those reader-group distinctions. And, as a result, we’re probably consuming more time than is necessary – for the writer and the reader.
The Social-Media Paradigm
Think of how we spend time on social media. Each of us prefers certain topics to read about or interact with. Over time, the algorithms behind the social-media machine fill our platforms with our favoured topics.
But, fundamentally, every user’s content is presented in a uniform format: most platforms feature a home page and a trending page, offering content or links to content that the user finds interesting and prefers to engage with.
In a similar vein, intelligence reports have readers whose interest in the content differs depending on their roles, but only a single format is used to present it. And that format seems to encourage writers to produce long, detailed blocks of text, without much signposting of what to find where. It does not recognise all those reader profiles and their unique interests.
Format Fluidity: How Templates Can Help
This might have been the best practice back when the Cyber Threat Intelligence industry was young. Companies producing reports naturally wished to show their skills and talent in threat hunting, and provided comprehensive details for readers to protect themselves. But today that practice is more of a hindrance than a boon to readers.
Given that each reader of an intel report has a different focus, what if templates were used to produce multiple variants of the same report? A template defines a document’s structure and establishes which information should be included. So each variant could present the same topic, but with only the specific details that target a particular reader profile, after which it can be modified for other cyber-attack or incident reports.
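To make the template idea concrete, here is an added example (not part of the original post) that renders one structured report into a variant per reader profile. The report content, field names, profile names and word budgets are all constructed assumptions for illustration.

```python
# Added example: one structured report rendered into per-reader variants.
# The report content, field names and templates are constructed for illustration.
REPORT = {
    "title": "Phishing campaign against finance staff",
    "summary": ("A credential-phishing campaign targeted finance staff between two "
                "payroll runs. Three users submitted credentials to a cloned login "
                "page. No account takeover was confirmed."),
    "impact": "Low: all three passwords were reset within the hour.",
    "recommendations": ["Enforce MFA on the finance portal",
                        "Brief finance staff on the lure"],
    "technical_details": "Lure e-mails linked to a cloned login page on a look-alike domain.",
    "indicators": ["login.example.invalid", "198.51.100.7"],
}

# Hypothetical templates: ordered (section, word budget) pairs; None means no limit.
TEMPLATES = {
    "decision_maker": [("summary", 10), ("impact", None), ("recommendations", None)],
    "analyst": [("summary", None), ("technical_details", None),
                ("indicators", None), ("recommendations", None)],
}

def trim(text, budget):
    """Cut text to a word budget and mark the cut so the reader knows more exists."""
    words = text.split()
    if budget is None or len(words) <= budget:
        return text
    return " ".join(words[:budget]) + " [...]"

def render(report, profile):
    """Build the variant of `report` that the template for `profile` defines."""
    if profile not in TEMPLATES:
        raise KeyError(f"no template for reader profile {profile!r}")
    lines = [report["title"], ""]
    for section, budget in TEMPLATES[profile]:
        lines.append(section.replace("_", " ").capitalize())
        value = report.get(section)
        if not value:
            # Flag a gap instead of silently dropping a section the template requires.
            lines.append("  (not provided in source report)")
        elif isinstance(value, list):
            lines.extend(f"  - {item}" for item in value)
        else:
            lines.append("  " + trim(value, budget))
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    for profile in TEMPLATES:
        print(f"=== {profile} ===\n{render(REPORT, profile)}")
```

The decision-maker variant carries a trimmed summary, the impact and the recommendations, while the analyst variant adds the technical details and indicators from the same source record.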
AI and the Reformat Revolution
Here’s where we find AI waiting in the wings. A proposed role is that of a document planner. AI can first help define the document structure, and create a template based on that. After that, it can populate the sections of the document with the data from the original intel report, tailoring it to each reader profile.
What’s the Verdict?
Looking at AI’s potential for all phases of the intelligence cycle, dissemination is probably the trickiest use case. Synthesising information from original reports with AI or machine learning (ML) could require a lot of trial and error before it becomes workable. When deciding to attach an AI or ML synthesiser to an original report to target specific reader profiles, consider that simple AI/ML models could yield a better outcome than more complicated models.
This concludes our series about AI and its application to the intelligence cycle: a multi-layered debate with no certain answers but many possibilities.