generating-threat-intelligence-reports
Generates structured cyber threat intelligence reports at strategic, operational, and tactical levels tailored to specific audiences including executives, security operations teams, and technical analysts. Use when producing finished intelligence products from raw collection data, creating sector threat briefings, or delivering post-incident intelligence assessments. Activates for requests involving CTI report writing, threat briefings, intelligence products, finished intelligence, or executive security reporting.
Best use case
generating-threat-intelligence-reports is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using generating-threat-intelligence-reports should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/generating-threat-intelligence-reports/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
SKILL.md Source
# Generating Threat Intelligence Reports

## When to Use

Use this skill when:

- Producing weekly, monthly, or quarterly threat intelligence summaries for security leadership
- Creating a rapid intelligence assessment in response to a breaking threat (e.g., new zero-day, active ransomware campaign)
- Generating sector-specific threat briefings for executive decision-making on security investments

**Do not use** this skill for raw IOC distribution — use TIP/MISP for automated IOC sharing and reserve report generation for analyzed, finished intelligence.

## Prerequisites

- Completed analysis from collection and processing phase (PIRs partially or fully answered)
- Audience profile: technical level, decision-making authority, information classification clearance
- TLP classification decision for the product
- Organization-specific reporting template aligned to audience expectations

## Workflow

### Step 1: Determine Report Type and Audience

Select the appropriate intelligence product type:

**Strategic Intelligence Report**: For C-suite, board, risk committee
- Content: Threat landscape trends, adversary intent vs. capability, risk to business objectives
- Format: 1–3 pages, minimal jargon, business impact language, recommended decisions
- Frequency: Monthly/Quarterly

**Operational Intelligence Report**: For CISO, security directors, IR leads
- Content: Active campaigns, adversary TTPs, defensive recommendations, sector peer incidents
- Format: 3–8 pages, moderate technical detail, mitigation priority list
- Frequency: Weekly

**Tactical Intelligence Bulletin**: For SOC analysts, threat hunters, vulnerability management
- Content: Specific IOCs, YARA rules, Sigma detections, CVEs, patching guidance
- Format: Structured tables, code blocks, 1–2 pages
- Frequency: Daily or as-needed

**Flash Report**: Urgent notification for imminent or active threats
- Content: What is happening, immediate risk, what to do right now
- Format: 1 page maximum, distributed within 2 hours of threat identification
- Frequency: As-needed (zero-day, active campaign targeting sector)

### Step 2: Structure Report Using Intelligence Standards

Apply intelligence writing standards from government and professional practice:

**Headline/Key Judgment**: Lead with the most important finding in plain language.
- Bad: "This report examines threat actor TTPs associated with Cl0p ransomware"
- Good: "Cl0p ransomware group is actively exploiting CVE-2024-20353 in Cisco ASA devices to gain initial access; organizations using unpatched ASA appliances face imminent ransomware risk"

**Confidence Qualifiers** (use language from DNI ICD 203):
- High confidence: "assess with high confidence" — strong evidence, few assumptions
- Medium confidence: "assess" — credible sources but analytical assumptions required
- Low confidence: "suggests" — limited sources, significant uncertainty

**Evidence Attribution**: Cite sources using reference numbers [1], [2]; maintain source anonymization in TLP:AMBER/RED products.

### Step 3: Write Report Body

Use structured format:

**Executive Summary** (3–5 bullet points): Key findings, immediate business risk, top recommended action

**Threat Overview**: Who is the adversary? What is their objective? Why does this matter to us?

**Technical Analysis**: TTPs with ATT&CK technique IDs, IOCs, observed campaign behavior

**Impact Assessment**: Potential operational, financial, reputational impact if attack succeeds

**Recommended Actions**: Prioritized, time-bound defensive measures with owner assignment

**Appendices**: Full IOC lists, YARA rules, Sigma detections, raw source references

### Step 4: Apply TLP and Distribution Controls

Select TLP based on source sensitivity and sharing agreements:

- **TLP:RED**: Named recipients only; cannot be shared outside briefing room
- **TLP:AMBER+STRICT**: Organization only; no sharing with subsidiaries or partners
- **TLP:AMBER**: Organization and trusted partners with need-to-know
- **TLP:GREEN**: Community-wide sharing (ISAC members, sector peers)
- **TLP:WHITE/CLEAR**: Public distribution; no restrictions

Include TLP watermark on every page header and footer.

### Step 5: Review and Quality Control

Before dissemination, apply these checks:

- **Accuracy**: Are all facts sourced and cited? No unsubstantiated claims.
- **Clarity**: Can the target audience understand this without additional context?
- **Actionability**: Does every report section drive a decision or action?
- **Classification**: Is TLP correctly applied? No source identification in AMBER/RED products?
- **Timeliness**: Is this intelligence still current? Events older than 48 hours require freshness assessment.
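A pre-dissemination checker that applies the Step 4 watermarking rule and the Step 5 accuracy, confidence, classification, timeliness and actionability checks to a draft report, as an added example that is not part of this skill or of any tool it lists. The report dictionary layout, the `identifies_source` flag, the `utc` helper and the sample report content are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

TLP_LEVELS = {"TLP:RED", "TLP:AMBER+STRICT", "TLP:AMBER", "TLP:GREEN", "TLP:CLEAR"}
# ICD 203 phrasing from Step 2, longest first so "assess with high confidence" is not read as "assess"
CONFIDENCE_PHRASES = [("assess with high confidence", "high"), ("assess", "medium"), ("suggests", "low")]
CITATION = re.compile(r"\[(\d+)\]")
FRESHNESS = timedelta(hours=48)   # Step 5: older claims need a freshness assessment

def confidence_level(sentence):   # 'high', 'medium', 'low', or None when no qualifier is present
    return next((lvl for phrase, lvl in CONFIDENCE_PHRASES if phrase in sentence.lower()), None)

def qc_findings(report, now):
    # Returns review findings; an empty list means the product is ready to disseminate.
    findings, tlp = [], report.get("tlp")
    for slot in ("header", "footer"):   # Step 4: a valid TLP watermark on every page header and footer
        if tlp not in TLP_LEVELS or tlp not in report.get(slot, ""):
            findings.append(f"classification: valid TLP watermark missing from {slot}")
    for i, claim in enumerate(report["claims"], 1):   # claim 1 is the key judgment
        if not CITATION.search(claim["text"]):
            findings.append(f"accuracy: claim {i} has no source citation")
        if confidence_level(claim["text"]) is None:
            findings.append(f"confidence: claim {i} lacks an ICD 203 confidence qualifier")
        age = now - claim["observed"]
        if age > FRESHNESS:
            findings.append(f"timeliness: claim {i} is {age.days}d old; freshness assessment required")
    if tlp in {"TLP:RED", "TLP:AMBER+STRICT", "TLP:AMBER"}:   # no source identification in AMBER/RED
        for src in report["sources"]:
            if src.get("identifies_source"):
                findings.append(f"classification: source [{src['ref']}] is identified in a {tlp} product")
    if not report.get("recommended_actions"):
        findings.append("actionability: report prescribes no recommended actions")
    return findings

def utc(*ymdh):
    return datetime(*ymdh, tzinfo=timezone.utc)

# Constructed sample report (illustrative content, not real reporting); claim 1 is the key judgment.
NOW = utc(2024, 6, 3, 12)
SAMPLE = {
    "tlp": "TLP:AMBER",
    "header": "TLP:AMBER - Operational Intelligence Report",
    "footer": "Page 1 - TLP:AMBER",
    "claims": [
        {"text": "We assess with high confidence the campaign is targeting sector peers [1].", "observed": utc(2024, 6, 2, 9)},
        {"text": "Open reporting suggests the actor rotates infrastructure weekly.", "observed": utc(2024, 5, 20)},
    ],
    "sources": [{"ref": 1, "identifies_source": False}],
    "recommended_actions": [],
}
```

Running `qc_findings(SAMPLE, NOW)` flags the uncited and two-week-old second claim and the missing recommended actions, while the correctly marked key judgment passes.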
## Key Concepts

| Term | Definition |
|------|-----------|
| **Finished Intelligence** | Analyzed, contextualized intelligence product ready for consumption by decision-makers; distinct from raw collected data |
| **Key Judgment** | Primary analytical conclusion of a report; clearly stated in opening paragraph |
| **TLP** | Traffic Light Protocol — FIRST-standard classification system for controlling intelligence sharing scope |
| **ICD 203** | Intelligence Community Directive 203 — US government standard for analytic standards including confidence language |
| **Flash Report** | Urgent, time-sensitive intelligence notification for imminent threats; prioritizes speed over depth |
| **Intelligence Gap** | Area where collection is insufficient to answer a PIR; should be explicitly documented in reports |

## Tools & Systems

- **ThreatConnect Reports**: Built-in report templates with ATT&CK mapping, IOC tables, and stakeholder distribution controls
- **Recorded Future**: Pre-built intelligence report templates with automated sourcing from proprietary datasets
- **OpenCTI Reports**: STIX-based report objects with linked entities for structured finished intelligence
- **Microsoft Word/Confluence**: Common report delivery formats; use organization-approved templates with TLP headers

## Common Pitfalls

- **Writing for analysts instead of the audience**: Technical detail appropriate for SOC analysts overwhelms executives. Maintain strict audience segmentation.
- **Omitting confidence levels**: Statements presented without confidence qualifiers appear as established facts when they may be low-confidence assessments.
- **Intelligence without recommendations**: Reports that describe threats without prescribing actions leave stakeholders without direction.
- **Stale intelligence**: Publishing a report on a threat campaign that was resolved 2 weeks ago creates alarm without utility. Include freshness dating on all claims.
- **Over-classification**: Applying TLP:RED to information that could be TLP:GREEN impedes community sharing and limits defensive value across the sector.
Related Skills
tracking-threat-actor-infrastructure
Threat actor infrastructure tracking involves monitoring and mapping adversary-controlled assets including command-and-control (C2) servers, phishing domains, exploit kit hosts, bulletproof hosting, a
profiling-threat-actor-groups
Develops comprehensive threat actor profiles for APT groups, criminal organizations, and hacktivist collectives by aggregating TTP documentation, historical campaign data, tooling fingerprints, and attribution indicators from multiple intelligence sources. Use when briefing executives on sector-specific threats, updating threat model assumptions, or prioritizing defensive controls against specific adversaries. Activates for requests involving MITRE ATT&CK Groups, Mandiant APT profiles, CrowdStrike adversary naming, or sector-specific threat briefings.
performing-threat-modeling-with-owasp-threat-dragon
Use OWASP Threat Dragon to create data flow diagrams, identify threats using STRIDE and LINDDUN methodologies, and generate threat model reports for secure design review.
performing-threat-landscape-assessment-for-sector
Conduct a sector-specific threat landscape assessment by analyzing threat actor targeting patterns, common attack vectors, and industry-specific vulnerabilities to inform organizational risk management.
performing-threat-intelligence-sharing-with-misp
Use PyMISP to create, enrich, and share threat intelligence events on a MISP platform, including IOC management, feed integration, STIX export, and community sharing workflows.
performing-threat-hunting-with-yara-rules
Use YARA pattern-matching rules to hunt for malware, suspicious files, and indicators of compromise across filesystems and memory dumps. Covers rule authoring, yara-python scanning, and integration with threat intel feeds.
performing-threat-hunting-with-elastic-siem
Performs proactive threat hunting in Elastic Security SIEM using KQL/EQL queries, detection rules, and Timeline investigation to identify threats that evade automated detection. Use when SOC teams need to hunt for specific ATT&CK techniques, investigate anomalous behaviors, or validate detection coverage gaps using Elasticsearch and Kibana Security.
performing-threat-emulation-with-atomic-red-team
Executes Atomic Red Team tests for MITRE ATT&CK technique validation using the atomic-operator Python framework. Loads test definitions from YAML atomics, runs attack simulations, and validates detection coverage. Use when testing SIEM detection rules, validating EDR coverage, or conducting purple team exercises.
performing-open-source-intelligence-gathering
Open Source Intelligence (OSINT) gathering is the first active phase of a red team engagement, where operators collect publicly available information about the target organization to identify attack s
performing-insider-threat-investigation
Investigates insider threat incidents involving employees, contractors, or trusted partners who misuse authorized access to steal data, sabotage systems, or violate security policies. Combines digital forensics, user behavior analytics, and HR/legal coordination to build an evidence-based case. Activates for requests involving insider threat investigation, employee data theft, privilege misuse, user behavior anomaly, or internal threat detection.
performing-dark-web-monitoring-for-threats
Dark web monitoring involves systematically scanning Tor hidden services, underground forums, paste sites, and dark web marketplaces to identify threats targeting an organization, including leaked cre
managing-intelligence-lifecycle
Manages the end-to-end cyber threat intelligence lifecycle from planning and direction through collection, processing, analysis, dissemination, and feedback to ensure intelligence products meet stakeholder requirements and continuously improve. Use when establishing or maturing a CTI program, defining intelligence requirements with business stakeholders, or building feedback loops between intelligence consumers and producers. Activates for requests involving CTI program maturity, intelligence requirements, PIRs, or intelligence lifecycle management.