Intelligence is about finding out about something before it happens. Detective work is about finding out how something happened after the event already has taken place.
In the cyber world, the detective work is much easier than the intelligence work, although neither is particularly elementary.
Before the fact, and after the fact. Let's start with after. A criminal act is carried out. These days, it is either a cyber act in itself, or it is dependent in some way upon some aspect of the cyber world. Once a person involved has been identified, law enforcement can get a court order to demand all of the cyber baggage being carried around by the perpetrator. Phone calls, travel records, banking records, credit card records, social media accounts, emails. Each of these sources of information gives important clues to the network of individuals who are the living system supporting the defendant. Degrees of separation. By linking the responsible person to their contacts, and then those contacts to all of their contacts, the number of affiliated persons becomes very great by the second or third level.
But usually it is possible to separate the wheat from the chaff, and to use the numerous hints given by the cyber footprints left by the perpetrator. It is possible to uncover a network of individuals, places of interest, and even more about what happened before the event. With good detective work, it is possible to find anyone else involved, and even get hints regarding any future similar event if one seems to be planned.
But finding out things before the fact is much harder. For one thing, there may be no starting point, no person who can be identified. This essential first step is easy after the fact, but before is another issue. So the essence of the problem becomes how to find the subject of interest, the starting point.
This is one of the reasons why, in combatting terrorism and its use of social media and the Internet, investigators are caught in a dilemma. On the one hand, there is a need to stop or severely limit this type of activity. On the other hand, if the activity is cut off, then there are no longer any cyber clues left regarding the identity of the terrorists or criminals or other subjects of interest.
In discussions over a cyber arms limitation treaty, one of the stumbling blocks is the question of how to determine the source of an attack. It is the same type of problem. How to find out the after before it happens. Making after before.