
Kent and Heuer - The roots of CTI in traditional intelligence

The holiday season is good for catching up on books, so let's take a look at a historical, book-flavoured topic. It will be no secret that CTI is quite a fledgling field. Even if we look at the distance that separates information protection as such from information protection in the context of computer networks, threat intelligence is an even younger discipline. Although Cliff Stoll's book The Cuckoo's Egg, in which the author described his investigation into the hacking of the network of the university where he worked, and which we can consider the first description of threat intelligence analysis, appeared in 1989, we had to wait another 15 years for the discipline to be formalized. The symbolic date of the beginning of CTI as we know it today is sometimes given as 2004 and the publication by Mandiant of a report describing the activities of the APT1 group. Given such a short history of the discipline, it is not surprising that it draws heavily on the achievements and discoveries of its "analog" ancestors. In this post, I would like to present two figures and the concepts they authored, which, despite coming from a completely different world, are strongly embedded in contemporary CTI practice. Our heroes will be Sherman Kent and Richards Heuer.

Let's start with a figure whose achievements in the field of intelligence and intelligence analysis are so significant that he is often referred to as "the father of intelligence analysis." We are talking about Sherman Kent, who, after graduating from Yale, where he studied European history, joined the Office of Strategic Services (OSS), which we can consider the forerunner of the CIA. During the war, he served in that organization in the Research and Analysis Department as head of the section for Europe and Africa. He even dealt with preparations for Operation Torch - the Allied invasion of North Africa. After the war, he resumed academic work at the National War College and Yale, during this period writing one of his most famous works - Strategic Intelligence for American World Policy. The study was inspired by the desire to provide a solid methodological basis for analysts starting their professional adventure with intelligence analysis. Among Kent's many activities, it was his work on an analytical methodology ensuring that intelligence products would be of the most value to their consumers that had the greatest impact on shaping CTI practice. If we look at Katie Nickels' post in which she proposes a sample study plan for aspiring CTI analysts, Kent's analytic doctrine is the first item. So let's take a closer look at what principles Sherman Kent had in mind in his analytic doctrine:

  1. Focus on policymakers' concerns - Kent, given the conditions in which he worked, obviously focused on the government sector, and by policymakers he meant political decision-makers, but the principle applies regardless of our working environment. Remember that intelligence is an advisory function and analysts must avoid creating products and assessments for their own sake. Instead, analysing how the report can be used by our recipients and whether it will facilitate their work is as important as analysing the collected data in order to prepare it.
  2. Avoidance of a Personal Policy Agenda - the principle was quite difficult for me to translate into Polish, but I hope I conveyed its essence. As an analyst who influences what decisions will be made, it may be tempting to conduct the analysis in such a way that the final product supports the decision consistent with our private views. However, this can of course completely disrupt our analytical process, not to mention that, referring back to the first principle, by trying to impose our views we step outside our analytical role.
  3. Intellectual rigor - Kent paid great attention to the need for a critical and thorough assessment of the facts. This must include an assessment of the source and context of the information and an honest approach to gaps in the situational picture.
  4. Conscious effort to avoid cognitive errors - the analyst's work is unfortunately riddled with traps arising from subconscious bias, the search for mental shortcuts, and the need to break away from our natural way of thinking - for example, the need to look for evidence against the thesis that seems most appropriate to us. Therefore, analysts must pay as much attention to avoiding cognitive errors as they pay to keeping their own political and ideological beliefs out of their products.
  5. Openness to other views and judgments - one of the most important symptoms that something is wrong with the analytical process is that all analysts agree on the assessment 🙂 Kent recommended not only discussing conclusions, but even confronting views and juxtaposing analyses with opposing conclusions. The "clash" of analysts should lead to a better assessment of individual arguments, and thus more precise analyses.
  6. Regular use of external sources - analysts should use the widest possible range of external sources and analyses, especially those with which they disagree. Additionally, Kent was a supporter of business, scientific and academic cooperation in order to work with analysts from other centers.
  7. Shared responsibility for assessments - when the analyst team decides on an assessment, it should represent the position of the entire team. When presenting their products to consumers, analysts should present a uniform position resulting from the analytical process.
  8. Effective communication supporting decision-making - Kent realized the need to maintain a balance between the limited time decision-makers have to familiarize themselves with analytical products and the need to provide all relevant details. Therefore, analysts must take care with their style of expression, avoiding phrases such as "possible" or "maybe", which convey no value in terms of the assessment of the situation.
  9. Honest admission of mistakes - the analyst's work is particularly burdened with the risk of errors in assessing and forecasting the situation, if only because of an incomplete picture or unreliable sources. It is therefore particularly important to use errors and mistakes as opportunities to improve the analytical craft. However, this approach requires an environment in which analysts feel confident and are not afraid to admit their mistakes.

As we can see, Kent's principles are universal and work just as well in classic intelligence as in its cyber dimension. However, while the principles of Kent's doctrine are general and abstract in nature, CTI analysts have certainly had contact with a more specific piece of Kent's work - words of estimative probability. As an advocate of effective communication, Kent was quick to recognize the problem of using vague statements to describe the likelihood of events and the fact that they could confuse the audience. Therefore, he proposed assigning given statements to specific chances of an event occurring, expressed as a percentage. The terminology he proposed was as follows:

  • Certain - 100% odds
  • Almost certain - 93% odds +/- 6%
  • Probable - 75% odds +/- 12%
  • Equal odds - 50% odds +/- 10%
  • Probably not - 30% odds +/- 10%
  • Almost certainly not - 7% odds +/- 5%
  • Certainly not - 0% odds

In this way, by using the same terms in the preparation of a product such as a report, the analyst facilitates the work of the recipients, who do not have to guess what the author meant by a specific term or whether "almost certain" means something different from "probable".

During his career, Kent was deputy director and then director of the Office of National Estimates, and the first chairman of the editorial board of Studies in Intelligence. The unclassified articles of this publication are available on the CIA website. Kent died in 1986, and in 2000 the Sherman Kent School for Intelligence Analysis was founded, in which analysts hone their skills.

Another figure whose work should be well known to CTI analysts is Richards J. Heuer. Heuer joined the CIA shortly after receiving his BA in Philosophy and spent 24 years in the Operations Directorate before joining the Intelligence Directorate. His interest in objective analysis and in how we come to specific conclusions was prompted, among other things, by the case of Yuri Nosenko - a KGB officer who defected to the United States, but whose cooperation with the American services was marked by doubts about the sincerity of his intentions and whether his defection was not part of a KGB operation. He finally presented his thoughts on the matter in the above-mentioned Studies in Intelligence, where he published an article on analysis in situations involving deception and attempts to mislead the analyst. In terms of intelligence analysis methodology, Heuer is best known for his publications on structured analytic techniques and the avoidance of cognitive bias. He devoted an entire book to the latter issue - Psychology of Intelligence Analysis. In it the author noted not only how poorly our mind is adapted to the objective and uncontaminated assessment of information, but also that mere awareness of cognitive errors is not much help to analysts. What helps is the use of analytical tools and techniques to keep in check our own subconscious beliefs that may affect the interpretation of data. Another publication devoted to this topic is Structured Analytic Techniques for Intelligence Analysis, which Heuer wrote with Randolph Pherson. The book contains over fifty techniques covering the entire analytical process, from generating ideas, through hypothesis testing, to decision support. Citing even a part of them is a topic for a whole series of posts, but one of them has gained special recognition among CTI analysts. I am talking about the analysis of competing hypotheses (ACH), i.e. a technique consisting in an independent assessment of individual pieces of evidence in the context of previously adopted hypotheses. The symbol of the technique, as well as the easiest way to explain how it works, is the table that is the most important element of the process. In the table we record how each piece of evidence relates to each hypothesis, which gives a cross-sectional view of how strong the support for each hypothesis is. Let's look at an example where we analyze four hypotheses based on four pieces of evidence:

We put the pieces of evidence in the left column and the hypotheses in the top row, and in the cells we enter whether the evidence supports (1), contradicts (-1) or is neutral (0) towards the hypothesis. By assessing the evidence independently for each hypothesis, we avoid applying our own preferences in support of a given hypothesis. In addition, the table facilitates evaluating the value of the evidence. In the example above, we can easily see that piece of evidence number four is in fact irrelevant to our analysis: it supports each of our hypotheses, so removing it will not affect the final assessment, which proves its low diagnostic value. Describing ACH more formally, the process has seven phases:

  1. Creating hypotheses - ideally through brainstorming and bringing together analysts with different views, we should list all possible hypotheses. In this way, we limit the chance of focusing on "favorites" and poisoning the process with our own preferences at the very beginning.
  2. Evidence - then list all the pieces of evidence that either support or contradict the hypotheses.
  3. Diagnostics - the most important step in Heuer's opinion is the one in which the analyst assesses how the evidence relates to the hypotheses, trying to rule out as many of them as possible. Instead of focusing on all the evidence related to a given hypothesis, the author suggests the opposite approach - assessing how a particular piece of evidence relates to each hypothesis in turn.
  4. Inconsistencies - after assessing the evidence, the analyst assesses the degree to which each hypothesis is consistent with the evidence and eliminates the most inconsistent ones.
  5. Sensitivity - the analyst performs a sensitivity assessment, that is, assesses how the result of the analysis would change if the key evidence turned out to be false or incorrect.
  6. Conclusions - on the basis of the process carried out, the analyst presents conclusions, describing why a given hypothesis was adopted and why the others were rejected.

As we can see, Heuer's basic assumption was to separate the process of evaluating hypotheses from that of evaluating evidence, which allows us to limit perhaps the strongest and most "tempting" cognitive bias - confirmation bias, where we evaluate the evidence in the context of the answer we want to obtain. In CTI, ACH is often used in the attribution process, which, due to its multifaceted nature and the need to operate on assumptions and incomplete information, is particularly prone to cognitive errors.
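To show the mechanics behind the ACH table and phases 3 to 5 above, here is an added example (not from the original post and not any tool of Heuer's or Pherson's). The 4x4 score matrix is constructed to mirror the post's description, including a fourth piece of evidence that supports every hypothesis; the function names are my own.

```python
# ACH matrix evaluator (added example). Rows are pieces of evidence, columns are
# hypotheses; +1 = supports, -1 = contradicts, 0 = neutral. Scores are constructed.
HYPOTHESES = ["H1", "H2", "H3", "H4"]
EVIDENCE = {
    "E1": [ 1, -1,  0, -1],
    "E2": [-1,  1,  1, -1],
    "E3": [ 1, -1,  0,  1],
    "E4": [ 1,  1,  1,  1],   # supports everything: the post's non-diagnostic case
}

def non_diagnostic(evidence):
    """Evidence scored identically against all hypotheses cannot tell them apart."""
    return [e for e, row in evidence.items() if len(set(row)) == 1]

def inconsistency(evidence):
    """Heuer's core metric: how many pieces of evidence contradict each hypothesis."""
    return {h: sum(1 for row in evidence.values() if row[i] < 0)
            for i, h in enumerate(HYPOTHESES)}

def leaders(evidence):
    """Hypotheses with the fewest inconsistencies (those that survive phase 4)."""
    inc = inconsistency(evidence)
    best = min(inc.values())
    return {h for h, n in inc.items() if n == best}

def sensitivity(evidence):
    """Phase 5: evidence whose removal (say it proves false) changes the leading set."""
    base = leaders(evidence)
    return [e for e in evidence
            if leaders({k: v for k, v in evidence.items() if k != e}) != base]

def render(evidence):
    """The ACH table itself, the post's 'symbol of the technique'."""
    lines = ["      " + "  ".join(f"{h:>3}" for h in HYPOTHESES)]
    for e, row in evidence.items():
        lines.append(f"{e:<6}" + "  ".join(f"{v:>3}" for v in row))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(EVIDENCE))
    print("non-diagnostic evidence:", non_diagnostic(EVIDENCE))
    print("inconsistencies:", inconsistency(EVIDENCE))
    print("leading hypotheses:", sorted(leaders(EVIDENCE)))
    print("pivotal evidence:", sensitivity(EVIDENCE))
```

Dropping E4 leaves every inconsistency count unchanged, which is exactly the "low diagnostic value" the post describes, while E2 is the one item whose collapse would put H1 level with H3.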

Heuer left the Intelligence Directorate in 1979, but worked on various projects as a consultant until 1995. In his work, he did not hide his fascination with cognitive psychology and argued that the field could be very useful in developing intelligence analysis techniques. He died in August 2018.

I often say that I am very lucky to work in CTI. This is due not only to the fact that I can translate my passions and interests into my professional work, but also because observing how a new field of security is created and shaped is a unique opportunity. Let us not forget, however, how deep the roots of intelligence reach outside the cyber realm and how much we "stand on the shoulders of giants" when making judgments about the source or motivation of an attack. So let us not forget figures such as Kent and Heuer, whose work laid the foundations for a methodology that remains current in times and circumstances of which neither of them probably dreamed when sketching the first outlines of their concepts.
