Operationalizing Threat Intelligence

By : Kyle Wilhoit, Joseph Opacki

Overview of this book

We’re living in an era where cyber threat intelligence is becoming more important. Cyber threat intelligence routinely informs tactical and strategic decision-making throughout organizational operations. However, finding the right resources on the fundamentals of operationalizing a threat intelligence function can be challenging, and that’s where this book helps. In Operationalizing Threat Intelligence, you’ll explore cyber threat intelligence in five fundamental areas: defining threat intelligence, developing threat intelligence, collecting threat intelligence, enrichment and analysis, and finally production of threat intelligence. You’ll start by finding out what threat intelligence is and where it can be applied. Next, you’ll discover techniques for performing cyber threat intelligence collection and analysis using open source tools. The book also examines commonly used frameworks and policies as well as fundamental operational security concepts. Later, you’ll focus on enriching and analyzing threat intelligence through pivoting and threat hunting. Finally, you’ll examine detailed mechanisms for the production of intelligence. By the end of this book, you’ll be equipped with the right tools and understand what it takes to operationalize your own threat intelligence function, from collection to production.
Table of Contents (18 chapters)

  1. Section 1: What Is Threat Intelligence?
  6. Section 2: How to Collect Threat Intelligence
  12. Section 3: What to Do with Threat Intelligence

Intelligence cycles

Within the field of CTI, there are several intelligence life cycles that can be considered for implementation. In many cases, the most widely used models are the threat intelligence life cycle and the F3EAD cycle. Each model provides its own distinct benefit, and the application of each model depends on the organization's needs. However, implementing one of these models is paramount, as it provides consistent, actionable, reliable, and high-quality threat intelligence.

The threat intelligence life cycle

The threat intelligence life cycle is a process and concept that was first developed by the United States Central Intelligence Agency (CIA). Intelligence is the product of a process that includes collecting data, analyzing it, adding context, and finally, delivering that intelligence as a product of some sort. Following this life cycle will give your organization a structured, repeatable way of delivering consistently accurate and timely intelligence. The threat intelligence life cycle is a five-step process, which is meant to be followed in order, starting with planning and direction:

  1. Planning and direction
  2. Collection
  3. Analysis
  4. Production
  5. Dissemination and feedback

Let's examine the threat intelligence life cycle in greater detail:

Figure 1.4 – The threat intelligence life cycle

When analyzing the threat intelligence life cycle, it's best to look at each stage individually to better understand how the stage fits into the overall threat intelligence life cycle. So, let's examine each stage in closer detail.

Planning and direction

Generally speaking, the first phase of the threat intelligence life cycle begins with planning and setting the direction for what intelligence will be collected and analyzed, as well as for what purpose. Objectives and direction are derived based on Prioritized Intelligence Requirements (PIRs), Prioritized Collection Requirements (PCRs), and Essential Elements of Information (EEIs).

Collection

In response to the PIRs, PCRs, and EEIs, data collection can begin. Data can be collected from several sources, ranging from humans to open source and public locations, all the way to messaging apps such as Telegram. Often, this data is collected both manually, by an analyst, and en masse, via automated means. Data processing takes place after the data is gathered; it should be stored, organized, and normalized in such a way that makes the data easy to analyze. Since the collection phase typically ends up generating a lot of data, the processing stage includes the systematic way to store intelligence in a centralized location, such as a Threat Intelligence Platform (TIP).

Analysis and production

After the data has been centralized in a standardized way, we begin the process of analyzing it and turning it into intelligence that is deliverable in some format. For example, the analysis could include deduplication, Admiralty scoring, pivots, and enrichment. Production could include turning the intelligence into some sort of deliverable, such as a report for senior executives.
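As an added example (not code from the book), the following Python script walks constructed indicator records through the collection, processing, analysis, and production stages just described: values are normalized and validated, duplicates from different sources are merged, each indicator keeps its best Admiralty rating (source reliability A to F, information credibility 1 to 6), and a threshold filters what goes into the deliverable. The sample records, the source names, and the way a single confidence number is derived from the Admiralty pair are all assumptions made for this example; the Admiralty system itself reports the pair (for example, "B2"), not a number.

```python
"""Added example: collection -> processing -> analysis -> production over
constructed indicator records. Not the book's code; all values are invented."""
import re

# Admiralty system weights (our own mapping of the letter/number pair to a 0..1 scale).
RELIABILITY_WEIGHT = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.0}
CREDIBILITY_WEIGHT = {1: 1.0, 2: 0.8, 3: 0.6, 4: 0.4, 5: 0.2, 6: 0.0}

# Simple validators per indicator type, applied after normalization.
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
VALIDATORS = {"ipv4": IPV4_RE, "domain": DOMAIN_RE, "sha256": SHA256_RE}

# Constructed raw records as they might arrive from different collection sources
# (an analyst note, an open source feed, a chat-group scrape). Hypothetical values.
SAMPLE_SHA256 = "0123456789abcdef" * 4
RAW_RECORDS = [
    {"source": "analyst", "reliability": "A", "credibility": 2, "type": "domain", "value": "Bad-Example[.]test"},
    {"source": "osint-feed", "reliability": "C", "credibility": 3, "type": "domain", "value": "bad-example.test"},
    {"source": "chat-scrape", "reliability": "E", "credibility": 5, "type": "ipv4", "value": " 203.0.113.7 "},
    {"source": "osint-feed", "reliability": "C", "credibility": 2, "type": "ipv4", "value": "203.0.113.7"},
    {"source": "chat-scrape", "reliability": "F", "credibility": 6, "type": "sha256", "value": SAMPLE_SHA256.upper()},
]


def normalize_value(ioc_type, raw):
    """Processing: trim, lowercase, refang, and validate; return None for unusable values."""
    value = raw.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    pattern = VALIDATORS.get(ioc_type)
    if pattern is None or not pattern.fullmatch(value):
        return None
    if ioc_type == "ipv4" and not all(0 <= int(octet) <= 255 for octet in value.split(".")):
        return None
    return value


def admiralty_confidence(reliability, credibility):
    """Collapse an Admiralty pair into one number (design choice for this example)."""
    return round(RELIABILITY_WEIGHT[reliability] * CREDIBILITY_WEIGHT[credibility], 2)


def build_intelligence(records):
    """Analysis: deduplicate by (type, normalized value), merge sources, keep the best rating."""
    intel = {}
    for rec in records:
        value = normalize_value(rec["type"], rec["value"])
        if value is None:
            continue  # malformed data never reaches the intelligence store
        key = (rec["type"], value)
        rating = f"{rec['reliability']}{rec['credibility']}"
        confidence = admiralty_confidence(rec["reliability"], rec["credibility"])
        entry = intel.setdefault(key, {"rating": rating, "confidence": confidence, "sources": []})
        if rec["source"] not in entry["sources"]:
            entry["sources"].append(rec["source"])
        if confidence > entry["confidence"]:
            entry["rating"], entry["confidence"] = rating, confidence
    return intel


def produce_report(intel, min_confidence=0.3):
    """Production: a deliverable listing indicators above the threshold, highest confidence first."""
    rows = [(key, e) for key, e in intel.items() if e["confidence"] >= min_confidence]
    rows.sort(key=lambda kv: kv[1]["confidence"], reverse=True)
    return [
        f"{t}\t{v}\t{e['rating']}\t{e['confidence']:.2f}\tsources={','.join(e['sources'])}"
        for (t, v), e in rows
    ]


if __name__ == "__main__":
    for line in produce_report(build_intelligence(RAW_RECORDS)):
        print(line)
```

Two observations stand out when the script runs: the domain seen by both the analyst and the feed is stored once with the analyst's A2 rating and both sources attached, and the F6 hash (source unreliable, truth cannot be judged) is retained in the store for later pivoting but never reaches the deliverable.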

Dissemination and feedback

Finally, after the intelligence has been analyzed and produced, it should be disseminated with feedback sought. Additionally, after a thorough review of the intelligence, decision-makers will likely take actions based on the intelligence. The entire process is then reviewed, and feedback is sought from internal and external key stakeholders and consumers of the intelligence.

Typically, adopting the threat intelligence life cycle in your organization is a strategic decision, and it is well complemented by the second, more tactical life cycle, F3EAD, when the two are used in unison. Let's examine the F3EAD life cycle in greater detail.

F3EAD life cycle

The F3EAD cycle is an alternative intelligence life cycle that can be considered for application within a CTI organization. While this life cycle is typically used by militaries worldwide involved in kinetic operations, the F3EAD life cycle can just as easily apply to CTI. F3EAD is more tactical in its approach than the more strategic threat intelligence life cycle, and it can be viewed as six individual stages:

  1. Find
  2. Fix
  3. Finish
  4. Exploit
  5. Analyze
  6. Disseminate

When used in unison with the threat intelligence life cycle, both operational and strategic objectives can be more holistically accomplished:

Figure 1.5 – The F3EAD life cycle

Now, let's examine Figure 1.5 in detail.

Find

The find stage is the who, what, when, why, and where of CTI. In this stage, a tactical target of intelligence is defined, located, and collected. As an example, an incident responder would find suspicious information across several endpoints.

Fix

The fix phase effectively transforms the data and intelligence gained from the find phase into evidence that can be used as a basis for action within the next stage. An example of activity in the fix stage includes an incident responder correlating multiple IOCs across a cluster of infected endpoints within the enterprise.

Finish

The finish stage is the action phase. In this stage, an action is taken based on the first two stages, find and fix. Let's use the preceding example: after the incident responder isolates the suspicious endpoints that were grouped together, they are taken offline and wiped.

Exploit

The exploit stage deconstructs the intelligence from the first three phases and develops after-actions and next steps. An example of this stage is a malware reverser statically reverse engineering the samples identified on the infected endpoints by the incident responder. The malware reverser can then assist in deploying organization-wide mitigation methods.

Analyze

The analyze stage is the fusion stage. It includes folding the intelligence that has been identified into the broader web and context of intelligence. An example of this would be the aforementioned reverse engineer entering malware intelligence and data from reversing efforts into a TIP.

Disseminate

The results of the previous stage are disseminated to both tactical consumers (for example, the SOC) and strategic consumers (for example, the CISO). For example, this could include the malware reverse engineer passing the isolated malware activity to the SOC for further blocking across the organization.
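The find, fix, finish, and disseminate stages described above, as an added example that is not part of the book: constructed endpoint telemetry is matched against a known indicator set (find), hosts that share at least two indicators are correlated into a cluster (fix), and the output is the list of hosts to isolate, the indicators to block, and the single-hit hosts to review rather than act on (the inputs to finish and disseminate). The hostnames, event records, indicator values, and the two-shared-indicator threshold are all assumptions made for this example.

```python
"""Added example: F3EAD find/fix correlation over constructed endpoint events.
Not the book's code; every host, event, and indicator value is invented."""
from collections import defaultdict
from itertools import combinations

# Constructed indicator set, as it might be pulled from a TIP populated in the analyze stage.
SAMPLE_SHA256 = "0123456789abcdef" * 4
KNOWN_IOCS = {"bad-example.test", "203.0.113.7", SAMPLE_SHA256}

# Constructed endpoint telemetry: (host, event type, observed value).
EVENTS = [
    ("ws-01", "dns", "bad-example.test"),
    ("ws-01", "net", "203.0.113.7"),
    ("ws-02", "dns", "BAD-EXAMPLE.TEST"),
    ("ws-02", "net", "203.0.113.7"),
    ("ws-03", "dns", "bad-example.test"),   # single hit: could be a stray lookup
    ("ws-04", "dns", "news.example"),        # no indicator match at all
    ("ws-05", "file", SAMPLE_SHA256),
    ("ws-05", "net", "203.0.113.7"),
]


def find_hits(events, iocs):
    """Find: map each host to the set of known indicators observed on it."""
    hits = defaultdict(set)
    for host, _kind, observable in events:
        value = observable.lower()
        if value in iocs:
            hits[host].add(value)
    return dict(hits)


def fix_clusters(hits, min_shared=2):
    """Fix: link hosts sharing at least min_shared indicators; return clusters of size > 1.

    Uses a small union-find so that transitive links (A~B, B~C) form one cluster."""
    parent = {host: host for host in hits}

    def root(host):
        while parent[host] != host:
            parent[host] = parent[parent[host]]  # path halving
            host = parent[host]
        return host

    for a, b in combinations(sorted(hits), 2):
        if len(hits[a] & hits[b]) >= min_shared:
            parent[root(a)] = root(b)

    groups = defaultdict(list)
    for host in hits:
        groups[root(host)].append(host)
    return sorted(sorted(group) for group in groups.values() if len(group) > 1)


def disseminate(hits, clusters):
    """Finish/disseminate inputs: hosts to isolate, indicators to block, hits to review."""
    clustered = {host for cluster in clusters for host in cluster}
    to_block = set().union(*(hits[host] for host in clustered)) if clustered else set()
    return {
        "isolate": sorted(clustered),
        "block": sorted(to_block),
        "review": sorted(host for host in hits if host not in clustered),
    }


if __name__ == "__main__":
    found = find_hits(EVENTS, KNOWN_IOCS)
    fixed = fix_clusters(found)
    for action, items in disseminate(found, fixed).items():
        print(f"{action}: {items}")
```

Separating "isolate" from "review" is the point of the fix stage: ws-03 and ws-05 each match an indicator, but neither shares enough with the cluster to justify the finish action on the evidence at hand, so they go back to the analyst instead of being wiped alongside ws-01 and ws-02.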

When the threat intelligence life cycle and F3EAD are used in unison, like two large cogs, the enterprise can truly benefit from each unique approach. One way of visualizing these cycles working together is to look at both as cogs in a larger threat intelligence cycle. The interfaces between the two are the threat intelligence life cycle's collection and analysis phases on one side and F3EAD's find and analyze phases on the other.

While there are many intelligence life cycles that could be implemented inside a CTI function, and there's no one-size-fits-all implementation, we've shared two prominent models that are easily adaptable to CTI. In the next section, we're going to examine a very important implementation consideration: the maturity and hunting models.