The intelligence lifecycle is a high-level process that can be mapped to multiple sources, such as SIGINT, HUMINT, etc. It consists of six stages:
- Direction
- Collection
- Processing
- Analysis
- Dissemination
- Feedback
The question is how this process maps to cyber threat intelligence (CTI) and what actions should be taken during the different stages. Not all the stages are unique to cyber intelligence; specifically, direction, dissemination, and feedback are similar across all types of intelligence. What all these stages have in common is their focus on the consumer.
Direction is about the questions the consumer has for the intelligence team. No matter what source you are working with, if the actions taken are not based on the requirements, you are doing intelligence for intelligence’s sake.
Similarly, the dissemination of generated intelligence is critical. It is essential to deliver the intel in a format that users understand and can take action upon; otherwise, all previous efforts will have been wasted.
Here is how the intelligence lifecycle maps to the Cyber Threat Intelligence (CTI) process:
- Direction
  - Define the requirements for the intelligence team, focusing on the questions they should answer.
- Collection
  - Read threat reports.
  - Analyze MITRE ATT&CK techniques related to threat actors within your requirements and assess your protection against these tactics.
  - Perform threat hunting based on the tactics discovered in the previous step, and determine if they are present within your organization. If found, analyze the context surrounding their detection.
  - Incident response (IR) is a valuable source of intelligence, as it is directly related to your organization, and you know the context of all the data.
- Processing
  - Unify the collected information and store it in an analysis bucket for further examination.
- Analysis
  - Analyze payloads.
  - Identify TTPs (Tactics, Techniques, and Procedures).
  - Review previous activity seen from the threat actor.
  - Pivot on the information discovered.
  - Identify overlapping infrastructure.
- Dissemination
  - Create detection rules based on the new tactics discovered.
  - Share IOCs (Indicators of Compromise).
  - Generate reports.
- Feedback
  - Iterate and improve the process.
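To make the Processing, Analysis, and Dissemination steps above concrete, here is an added worked example (not part of the original article, and not any vendor's tooling). It takes constructed "collection" output from two hypothetical vendor reports and one internal IR case, unifies it into a single analysis bucket (Processing), finds infrastructure shared between actors and builds a per-actor ATT&CK technique profile (Analysis), and emits a Sigma-style DNS rule plus IOC list (Dissemination). All actor names, sources, indicators, and technique IDs in the sample data are placeholders; the functions and their names are my own, stdlib-only Python.

```python
"""Added example: Processing, Analysis and Dissemination stages of the CTI
lifecycle over constructed threat-report data (standard library only)."""
import ipaddress
from collections import defaultdict

# Constructed sample output of the Collection stage: two vendor reports and one
# internal IR case. Actor names, sources and indicators are placeholders.
REPORTS = [
    {"source": "vendor_report_1", "actor": "ACTOR-A",
     "indicators": [("domain", "Update-Check.example"),
                    ("ip", "203.0.113.10"),
                    ("sha256", "AA" * 32)],
     "techniques": ["T1566.001", "T1059.001"]},
    {"source": "vendor_report_2", "actor": "ACTOR-A",
     "indicators": [("domain", "update-check.example "),   # same domain, messy formatting
                    ("ip", "203.0.113.11"),
                    ("ip", "not-an-ip")],                 # malformed, dropped in processing
     "techniques": ["T1059.001", "T1071.001"]},
    {"source": "ir_case_42", "actor": "ACTOR-B",
     "indicators": [("ip", "203.0.113.10"),
                    ("domain", "cdn-sync.example")],
     "techniques": ["T1071.001"]},
]


def normalize_indicator(kind, value):
    """Processing: canonicalise one indicator; return None if it is malformed."""
    value = value.strip().lower()
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return None
    elif kind == "sha256":
        if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
            return None
    elif kind == "domain":
        if "." not in value or " " in value:
            return None
    else:
        return None  # unknown indicator type: refuse rather than guess
    return (kind, value)


def build_analysis_bucket(reports):
    """Processing: unify all reports into one bucket keyed by indicator.
    Each entry records which sources and which actors reported it, so that
    later analysis can pivot on either."""
    bucket = defaultdict(lambda: {"sources": set(), "actors": set()})
    for report in reports:
        for kind, raw in report["indicators"]:
            key = normalize_indicator(kind, raw)
            if key is None:
                continue
            bucket[key]["sources"].add(report["source"])
            bucket[key]["actors"].add(report["actor"])
    return dict(bucket)


def shared_infrastructure(bucket):
    """Analysis: indicators attributed to more than one actor (a pivot point
    worth investigating, not proof of a relationship)."""
    return sorted(key for key, meta in bucket.items() if len(meta["actors"]) > 1)


def technique_profile(reports):
    """Analysis: ATT&CK techniques per actor, to compare against your controls."""
    profile = defaultdict(set)
    for report in reports:
        profile[report["actor"]].update(report["techniques"])
    return {actor: sorted(techs) for actor, techs in profile.items()}


def build_sigma_rule(bucket, kind="domain"):
    """Dissemination: a Sigma-style DNS rule built from the bucket's domains."""
    values = sorted(v for k, v in bucket if k == kind)
    return {
        "title": "CTI lifecycle example: known actor domains (constructed)",
        "logsource": {"category": "dns"},
        "detection": {"selection": {"query": values}, "condition": "selection"},
        "level": "high",
    }


if __name__ == "__main__":
    bucket = build_analysis_bucket(REPORTS)
    print("unique indicators:", len(bucket))
    print("shared infrastructure:", shared_infrastructure(bucket))
    print("technique profile:", technique_profile(REPORTS))
    print("detection rule:", build_sigma_rule(bucket))
```

The bucket keeps provenance (which source and which actor reported each indicator) because that context is what turns a bare IOC into intelligence: the same IP reported under two actor names is a pivot point for analysis, and a domain seen in two independent reports carries more weight in a detection rule than one seen once.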
These are just some of the steps taken during the Cyber Threat Intelligence process. The goal of this article is to map the intelligence lifecycle to the various actions taken during the different stages, providing a better understanding of CTI and its components.