Don't Let Mis(s) Information Take the Crown
Sherpa Intelligence: Your Guide Up a Mountain of Information!
Threat Hunters know the process of turning raw data into intelligence through the Intelligence Cycle. It makes sense to do this for information gathered from logs or satellite images. But does it also make sense to apply the Intelligence Cycle process to news?
“News” is what we call the neatly packaged presentation of amalgamated raw data that is intended to inform, inspire, educate, motivate, scare, or influence. News articles carry bias in what is reported, in how or where it is presented, or in following specific initiatives mandated by corporate sponsorship. “Yellow journalism” hit a new level with the introduction of Generative AI and Large Language Models (LLMs).
Even by conservative estimates, global news as an industry is worth hundreds of billions of dollars among competing organizations.
With all that competition for clicks and readership, it’s easy - even for Threat Hunters - to be duped by sophisticated propaganda.
How do you drink from a tainted well of news and still get trustworthy Open-Source Intelligence (OSINT) or Publicly Available Information (PAI) when you need it for your research?
Consider this post your filtration straw - a guide on how to apply the Intelligence Cycle to vetting news items as a part of your Threat Hunting research.
But first, why is it so easy to fall for inaccurate or misleading information?
Just as all the different media outlets in the world are competing for your attention, so are the forces behind the intentional broadcast of bad information. The competition for news readers is like a beauty pageant of sorts. Media outlets try to make their stories appealing by being flashy or enticing. Unfortunately, so do the malicious actors. Who are the contestants in this shadow pageant?
Using the Intelligence Cycle, you will be able to eliminate the bad news contestants.
Planning & Direction
A common method to begin a news search is to type some words into a search engine and see what sticks - much like throwing a bunch of spaghetti at a wall to test if the pasta is cooked. But establishing a scope to your research plan could mean the difference between sorting through 100 items versus 100,000.
Audience - Who will consume the result of your research? Find resources that are appropriate for the audience. Forbes, for example, is a good resource for non-technical reporting on cybersecurity issues - as opposed to The Hacker News, which gets into more technical reporting.
Budget - Paywalls can be frustrating. Circumventing a paywall could call your research ethics into question. Have a budget for paid articles or subscriptions when necessary.
Geography - Local news vs national news vs international news. If you’re having a difficult time finding information about a global company’s financial health, look at local news in towns where the company may have manufacturing plants. It’s likely local layoffs will be big news there. Search engines in other countries could also be key to yielding new or different results; see France’s Qwant (English) for one example and other examples here.
Collection
Using tools like Hunchly or IFTTT can save a lot of time and be a repository of information that you can build into your own news library.
Bias - Your own personal bias will get in the way of performing news collection. The bias of the publication could be a problem in your news information collection. Not only do you need to recognize your own bias, but you also need to be aware of the motivations of the publication. Sites like Ground News provide a summary of leanings of particular news items. There are several “media bias checking” sites, but ultimately you need to follow the money. Determine who owns the publication and/or who their advertisers are.
Language - Even if you can’t read or speak multiple languages, online translation tools can be very useful - but use a reputable human translator for important documents like legal papers or patents. Translate your frequently used search terms to set up alerts for non-English language publications.
Timing - A good rule of thumb is to set a time limit on how long you will search for something. I used to tell the attorneys when I was a law firm librarian to not spend longer than 15 minutes doing fruitless research. Whatever time frame you use, this can help keep you from unnecessary rabbit holes and the frustration of spinning your wheels.
Analysis and Evaluation
In my mind, Collection goes right along with Analysis and Evaluation at the same time. But, if you’ve cast a wide net and now need to sort through your findings, validating your choices would fulfill this part of the Intelligence Cycle as it pertains to news gathering.
Contextualize the Data - I interpret this a few ways. Is the OSINT you found applicable to your scope, your industry, to the problem you are trying to solve? It might be a really good article or piece of reporting, but is it still applicable to your needs? Are there other industries than your own that are experiencing similar issues? A bus strike in Stockholm may not mean anything at first, but then you realize a client has offices in that city and could be impacted by the strike. Think of how to apply what you find.
Updates - If something is an on-going news item, don’t forget to include new or corrected information. Check for retractions, errors and omissions in publications.
Dissemination
What does your final product look like? Is it a newsletter, an email, a slide in a deck? How you present your news findings will impact how your communication is received by your audience. Help them connect the dots. Display the information in a way that is easy to understand, with an executive summary, a “so what” statement, or highlighted terms, just to name some tactics.
Citations + Archives - It is crucial to state from where you retrieved the information you are presenting. It doesn’t have to be something official like an MLA format, but it’s crucial to capture the source of data. Sites like the Wayback Machine are great, but capturing your own full-text copy of information is better. Links rot.
Linking - Speaking of links, include links to extra information when you present it. If a news item mentions a court case, legal statute, or another news item, cross-reference that for yourself as a researcher and for the edification of your readers.
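An added example, not from the original post: one way to keep your own full-text copy alongside its citation, as described under Citations + Archives, and to notice when a story has been updated or corrected between captures, as described under Updates. The function names, the `citations.jsonl` log and the use of a SHA-256 content hash are assumptions of this example, and the article text and URL are constructed.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def capture(archive_dir, url, title, body, retrieved_at=None):
    """Store a full-text copy plus a citation record; return the record."""
    archive_dir = Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    data = body.encode("utf-8")
    digest = hashlib.sha256(data).hexdigest()
    retrieved_at = retrieved_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    # Content-addressed file name: identical text is stored only once.
    (archive_dir / f"{digest}.txt").write_bytes(data)
    record = {"url": url, "title": title, "retrieved_at": retrieved_at, "sha256": digest}
    # Append-only citation log, one JSON object per line.
    with open(archive_dir / "citations.jsonl", "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def history(archive_dir, url):
    """All captures of one URL, in the order they were taken."""
    log = Path(archive_dir) / "citations.jsonl"
    if not log.exists():
        return []
    records = [json.loads(line) for line in log.read_text(encoding="utf-8").splitlines() if line]
    return [r for r in records if r["url"] == url]


def changed_since_first_capture(archive_dir, url):
    """True if the latest capture differs from the first (update, correction, retraction)."""
    caps = history(archive_dir, url)
    return len(caps) > 1 and caps[0]["sha256"] != caps[-1]["sha256"]


def verify(archive_dir, record):
    """True if the stored copy still matches the hash in its citation record."""
    path = Path(archive_dir) / f"{record['sha256']}.txt"
    return path.exists() and hashlib.sha256(path.read_bytes()).hexdigest() == record["sha256"]


if __name__ == "__main__":
    # Constructed sample: the same fictional article before and after a correction.
    with tempfile.TemporaryDirectory() as d:
        url = "https://news.example/stockholm-bus-strike"
        first = capture(d, url, "Bus strike", "Strike begins Monday.")
        capture(d, url, "Bus strike", "Correction: strike begins Tuesday.")
        print(verify(d, first), changed_since_first_capture(d, url))
```

Because earlier captures are never overwritten, the original wording stays available to cite even after the publisher edits or removes the page.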
Following a guideline like the Intelligence Cycle for your news and OSINT research can provide you with a framework to streamline your intake and aggregation, making for a better research product in the end - and that’s good news for everybody!
Thanks for having me! https://sherpaintelligence.substack.com/