Raw information vs actionable intelligence – How intelligence analysts create actionable intelligence

An uncertain and ever-changing threat landscape means that the need to quickly react and respond to a situation is greater than ever – leading many businesses and security companies to turn to heavily automated data feeds in an attempt to get a perceived speed advantage. Emphasizing speed in your intelligence collection efforts should be a key priority – but without any context or built-in analysis to this information you could actually be costing yourself time. 

Getting the latest information on incidents as and when they happen is absolutely essential to the companies we work with, and to their clients, which is why we have integrated datamining capabilities to help feed our intelligence analysts with a constant stream of up-to-date data. But without their expert analysis, that’s all that information is – raw data, with none of the tailored intelligence, verified information or actionable insights that allow our clients to act quickly on accurate intel. Instead, having to sift through a feed of contextless information, identifying your own insights and filtering out irrelevant info and fake news as you go can cost you and your team vital time and resources. This is why actionable intelligence is so important.

At Intelligence Fusion we place emphasis on the human element of intelligence. This means that rather than simply relying on collecting data entirely through algorithms, our intelligence analysts also use their own expertise and experience to find information, assess and grade sources for reliability, and update incidents in real time. This has strong benefits in terms of ensuring that our threat intelligence is accurate; an intelligence analyst with experience in their area of coverage is able to spot whether an incident is genuine, so you’re never acting, or advising your clients, based on fake news – an important consideration in the age of social media and misinformation.

Businesses should be able to not only respond to incidents but to anticipate and be prepared for them too, wherever or whenever they may occur. This means not only making sure you receive actionable, accurate incident details at speed, but also building up your level of situational awareness, and understanding the context surrounding an incident – this is why in addition to our intelligence feed, we follow up each significant event with insightful, expert analysis.

We give our clients context, as well as facts, by delivering in-depth assessments of incidents that fully analyse the immediate repercussions as well as the long-term effects of every event. Because we collect data on a huge variety of incidents, from petty crime and planned protests to political corruption, social unrest and terrorism, we can track trends, foresee likely scenarios and identify discreet similarities or connections to give organisations a complete picture of different security landscapes.

It starts with our military principles – using the intelligence cycle to put order into the intelligence collection process and drive our analysis. This is a four stage process, comprising Direction, Collection, Processing and Dissemination. So what does this mean, and how does it guide what we do at Intelligence Fusion?

Essentially, each stage of the cycle adds another element of human-led input to the intelligence collection process, building layer-upon-layer of refinement until you have actionable intelligence that can be easily understood and that actually has a purpose. 

As we explain in more detail here, it begins with Direction, the first stage of the cycle, where the intelligence requirements are identified, and the collection efforts are planned. This creates a clear focus and list of priorities for the intelligence team. For us this takes the form of our Intelligence Collection Plans (ICPs), which is where we dig into the intelligence requirements of every new client – and which we are able to update and adapt whenever an existing client has any additional requirements or areas of operation. 

This information then feeds the Intelligence Collection process, the second stage of the cycle, where both intelligence analysts and AI tools are led in their collection efforts by the established intelligence requirements. This means even automated collection through datamining is, from the very beginning, being guided by human-led Direction efforts. How we select our sources at Intelligence Fusion again comes down to the human factor, with our intelligence analysts’ expertise evaluating the capability and suitability of each source – we currently use around 12,500 active open-source channels, and growing, so the ability to choose the right sources to get timely, balanced and accurate information is vital.

It is the third stage of the intelligence cycle though, Processing, where human expertise really comes into play. This is where all the information we collect becomes actionable intelligence through a process of collation, evaluation, analysis, integration and interpretation. We currently gather 20,000 global incidents every month, all of which are put through this process by Intelligence Fusion’s team of experienced intelligence analysts – who, on an individual basis, map an average of 1,500 incidents each per month. 

Because information cannot simply be taken at face value, it’s important to start by verifying every piece of information that gets collected. At Intelligence Fusion, we evaluate the credibility of the information and reliability of the source for each incident, so we can understand how much confidence can be placed in each item of information and filter out misinformation and fake news. This evaluated information is then scanned for significant facts, verified and accurately geo-located by a team of intelligence analysts. At the same time as this, it can be combined with other information that has also undergone the same analysis process, until a pattern of intelligence can be identified, such as a sequence of events, threat level or profile of a group – this is the integration part of the process.  

Once an intelligence analyst has analysed and integrated the information, they can use their expertise to make actionable interpretations. How significant the information is, and how it relates to what is already known, is judged via a process of comparison and deduction based on their common sense, knowledge and experience. 

This use of human experience and understanding ultimately means that, regardless of if the incident was initially identified by our team, or picked up by our automated datamining technology, each new piece of information we process at Intelligence Fusion is:

• Accurately geo-located
• Graded based on the reliability and credibility of the source
• Reviewed and verified to eliminate false information
• Analysed to determine patterns, trends or connections
• Structured in a way that’s easy to interpret and act upon

Ultimately this means that when this information is Disseminated to our clients – the final stage of the cycle – via our threat intelligence platform, or through regular detailed intelligence reports, they’re able to immediately understand the intelligence provided, the context surrounding it, and most importantly, take quick, informed actions based on this actionable intelligence.

Take away this human element, then, and our clients would instead be left with a feed of raw data, most of which is not relevant to their needs, and all of which they and their security team would have to collate, evaluate, analyse, integrate and interpret themselves, costing a significant amount of time, money and resources.

Naturally, with the human element of intelligence being so important, it’s absolutely vital that each member of the intelligence team is highly-trained, skilled and knowledgeable. 

Taking our threat intelligence analyst team at Intelligence Fusion as an example, we have a wide-range of backgrounds, careers and experiences, with diverse skills and knowledge based on the back of this – so we have a great blend of interests and capabilities within the team. Added to this is the military-standard intelligence training programme that each intelligence analyst goes through upon joining the team – this ensures that no matter which member of our 24/7 team is tracking an incident, we have consistency and high standards across our intelligence collection and reporting.

This training programme covers a wide range of modules, built using real-life experiences, case-studies and examples from our team’s previous careers across many countries and sectors, and also from the military and private-sector intelligence experience of our training leaders.

With every incident that they map, our intelligence analysts build up a greater level of experience and situational and contextual awareness, too. This means our team are able to quickly identify patterns of activity based on the incidents that they’ve tracked over a number of years – and allows them to make accurate comments and predictions using this knowledge that they’ve built up.

Because we like to promote from within, with most of our senior analysts one-time graduates of our internship programme, each member of our intelligence team therefore has a wide base of knowledge and experience they can draw from that they’ve built up as a result of mapping thousands of incidents every month, over a period of years.

While this might all sound like a lot of time-consuming work, this doesn’t mean that it affects our ability to work at speed. One of the key principles of our intelligence collection is the timely dissemination of intelligence – and one of the results of our intelligence analysts’ training and experience is their ability to quickly identify, collect and process an incident with accuracy, and with speed.

Not only does the human element of intelligence collection mean you get accurate, trustworthy and immediately actionable intelligence, you also get deeper contexts and insights, too.

Intelligence analysts can put together detailed intelligence reports on significant incidents, diving deeper into the details of an incident, the build up of events leading up to it, and analysis of what we might see in the future.

This can be an incredibly valuable resource, giving you a clear understanding of exactly what transpired in an incident. Whether it’s the groups involved – and any notable tactics employed – particular routes taken, a timeline of events, or a multitude of many other factors, it all adds up to giving you a greater understanding of the situation, and allows you to better prepare for the threats to come.

This level of situational awareness can only be achieved through the thorough application of human expertise and judgement.

This doesn’t just have to be in the form of a deep diving report though, but also through the regular reporting of incidents on a day-to-day basis. Alongside a constantly updating, timely threat intelligence feed, it’s important to consistently follow incidents until their conclusion. This is exactly what the team at Intelligence Fusion do – meaning our clients receive instant updates as stories develop and unfold. While these details aren’t necessarily information you need to act on quickly, the more you learn about the build up to an incident and the consequences that follow, the more a business’ security team can redefine and perfect their strategies for mitigating threats in the future.

One of the added bonuses for our clients is the fact that they have the ability to have regular direct access to an expert intelligence analyst. Our operations centre runs 24/7, so no matter where our clients are in the world, or when they might need additional help, they know that there’ll be a member of the team available to assist them, or to provide this additional context or insight.

However, many organisations prefer to harness their own internal team to filter, verify and evaluate information as and when it comes through – making the speed with which this raw information arrives to their team the most crucial consideration. For this purpose, our tech and development team have put together the “News” feature, which is integrated into our threat intelligence platform. This raw, automated news feed adds the lightning-quick speed of an AI data feed to the platform to complement the verified and actionable intelligence we produce as part of our core offering – thus allowing our clients to switch between a raw and verified feed depending on their needs at the time.

As we’ve stated throughout this piece, the speed with which information or intelligence can be actioned is one of the key considerations for any effective threat intelligence programme. It will vary from organisation to organisation, security team to security team, whether it proves quicker for them to utilise a raw information feed that arrives as soon as it is reported, or a feed of actionable intelligence that has already been processed by a team of expert analysts.

Regardless of how you gather your threat intelligence, it’s clear that the end result should be timely, accurate, trustworthy and actionable intelligence. This is only possible with the use of human expertise.

For some companies, especially those armed with a large in-house team of expert analysts, it’s enough to wait until the end of the intelligence process to add this human factor – fully embracing the remarkable speed of an unfiltered AI feed, and relying on their security and operations team to filter and process it into intelligence as it arrives.

We believe, though, that by arming our clients with intelligence that has been verified, integrated, and is ready to be acted on as soon as it arrives, you can ensure consistency and reliability, and actually save time, too – this means making human expertise an integral part of every stage of the process.

Learn more about how we turn information into actionable intelligence and see the end result of our intelligence collection process for yourself. Book a demo of our threat intelligence platform and take the first step to enhancing your situational awareness.

Get Started