Structured Analytic Techniques in Cyber Threat Intelligence
Structured analytic techniques (SATs) are methods for analyzing intelligence and reaching conclusions. They were originally developed by the US government to avoid bias and unchallenged assumptions, and have come to be used by intelligence analysts in a variety of fields, including cyber threat intelligence.
According to A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis by the US government, structured analytic techniques
… assist analysts in dealing with the perennial problems of intelligence: the complexity of international developments, incomplete and ambiguous information, and the inherent limitations of the human mind.
Structured Analytic Techniques
There are three types of techniques, grouped by purpose: diagnostic, contrarian, and imaginative thinking. Here are the techniques, with examples and descriptions from A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis.
Other structured analytic techniques exist, but these are a good representative sample.
Diagnostic Techniques
These make analytic arguments, assumptions, or intelligence gaps more transparent.
- Key Assumptions Check: “List and review the key working assumptions on which fundamental judgments rest.”
- Quality of Information Check: “Evaluates completeness and soundness of available information sources.”
- Indicators or Signposts of Change: “Periodically review a list of observable events or trends to track events, monitor targets, spot emerging trends, and warn of unanticipated change.”
- Analysis of Competing Hypotheses (ACH): “Identification of alternative explanations (hypotheses) and evaluation of all evidence that will disconfirm rather than confirm hypotheses.”
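A small ACH matrix applied to a triage question ("why is this workstation beaconing to an unfamiliar domain?"), as an added example that is not from the Primer or the original page. The hypotheses, evidence items, ratings, confidence weights and penalty values are all constructed assumptions; the point is that hypotheses are ranked by how much evidence disconfirms them, and that evidence consistent with every hypothesis cannot separate them.

```python
# Constructed ACH matrix: every hypothesis, evidence item, rating and weight
# below is illustrative sample data, not from the Primer or a real case.
HYPOTHESES = ["H1 targeted intrusion", "H2 commodity malware", "H3 benign software"]

# Ratings are listed in HYPOTHESES order:
# "C" consistent, "N" neutral, "I" inconsistent, "II" strongly inconsistent.
# weight = analyst confidence in the item (output of a Quality of Information
# Check); using it as a multiplier is an assumption of this example.
EVIDENCE = [
    ("Domain registered 3 days before first beacon", 1.0, ["C", "C", "I"]),
    ("Beacon interval fixed at 60 s, including nights", 1.0, ["C", "C", "N"]),
    ("Binary carries a valid signature from a known vendor", 0.5, ["I", "II", "C"]),
    ("Same binary present on 400 hosts fleet-wide", 1.0, ["II", "I", "C"]),
    ("Host has outbound HTTPS traffic", 1.0, ["C", "C", "C"]),
]

# Only disconfirming ratings carry a penalty; consistent evidence adds nothing.
PENALTY = {"C": 0.0, "N": 0.0, "I": 1.0, "II": 2.0}


def inconsistency_scores(hypotheses, evidence):
    """Return {hypothesis: weighted sum of inconsistent ratings}."""
    scores = dict.fromkeys(hypotheses, 0.0)
    for _desc, weight, ratings in evidence:
        if len(ratings) != len(hypotheses):
            raise ValueError("each evidence item needs one rating per hypothesis")
        for hyp, rating in zip(hypotheses, ratings):
            scores[hyp] += weight * PENALTY[rating]
    return scores


def non_diagnostic(evidence):
    """Evidence rated identically for every hypothesis cannot separate them."""
    return [desc for desc, _w, ratings in evidence if len(set(ratings)) == 1]


def rank(hypotheses, evidence):
    """Least-disconfirmed hypothesis first."""
    scores = inconsistency_scores(hypotheses, evidence)
    return sorted(scores.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    for hyp, score in rank(HYPOTHESES, EVIDENCE):
        print(f"{score:4.1f}  {hyp}")
    print("No diagnostic value:", non_diagnostic(EVIDENCE))
```

The ranking is a starting point for the analyst's judgment, not a verdict: a single rating change on a heavily weighted item can reorder the hypotheses, which is why the matrix is revisited as evidence arrives.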
Contrarian Techniques
These challenge current thinking.
- Devil’s Advocacy: “Challenging a single, strongly held view or consensus by building the best possible case for an alternative explanation.”
- Team A/Team B: “Use of separate analytic teams that contrast two (or more) strongly held views or competing hypotheses.”
- High-Impact/Low-Probability Analysis: “Highlights a seemingly unlikely event that would have major policy consequences if it happened.”
- “What If?” Analysis: “Assumes that an event has occurred with potential (negative or positive) impact and explains how it might come about.”
Imaginative Thinking Techniques
These aim to develop new insights, different perspectives and/or alternative outcomes.
- Brainstorming: “An unconstrained group process designed to generate new ideas and concepts.”
- Outside-In Thinking: “Used to identify the full range of basic forces, factors, and trends that would indirectly shape an issue.”
- Red Team Analysis: “Models the behavior of an individual or group by trying to replicate how an adversary would think about an issue.”
- Alternative Futures Analysis: “Systematically explores multiple ways a situation can develop when there is high complexity and uncertainty.”
How to Use Structured Analytic Techniques
Different techniques are useful at different points in an analysis project.
- Beginning: Brainstorming, Key Assumptions Check, “What If?” Analysis, High Impact/Low Probability Assessment, Outside-In Thinking, Red Team
- Middle: Contrarian techniques (e.g., Team A/Team B), Red Team, deception detection (e.g., Quality of Information Check, Analysis of Competing Hypotheses [ACH])
- End: Brainstorming, Key Assumptions Check, Devil’s Advocacy, deception detection (e.g., Quality of Information Check, Analysis of Competing Hypotheses [ACH])
- Throughout: Analysis of Competing Hypotheses (ACH), Alternative Futures Analysis, Indicators or Signposts of Change