Operationalizing Threat Intelligence

A guide to developing and operationalizing cyber threat intelligence programs

Authors: Joseph Opacki, Kyle Wilhoit
Product type: Paperback
Published in: Jun 2022
Publisher: Packt
ISBN-13: 9781801814683
Length: 460 pages
Edition: 1st Edition

Table of Contents

Preface
Section 1: What Is Threat Intelligence?
Chapter 1: Why You Need a Threat Intelligence Program
Chapter 2: Threat Actors, Campaigns, and Tooling
Chapter 3: Guidelines and Policies
Chapter 4: Threat Intelligence Frameworks, Standards, Models, and Platforms
Section 2: How to Collect Threat Intelligence
Chapter 5: Operational Security (OPSEC)
Chapter 6: Technical Threat Intelligence – Collection
Chapter 7: Technical Threat Analysis – Enrichment
Chapter 8: Technical Threat Analysis – Threat Hunting and Pivoting
Chapter 9: Technical Threat Analysis – Similarity Analysis
Section 3: What to Do with Threat Intelligence
Chapter 10: Preparation and Dissemination
Chapter 11: Fusion into Other Enterprise Operations
Chapter 12: Overview of Datasets and Their Practical Application
Chapter 13: Conclusion
Other Books You May Enjoy

Intelligence cycles

Within the field of CTI, there are several intelligence life cycles that can be considered for implementation. The two most widely used are the threat intelligence life cycle and the F3EAD cycle. Each model provides its own distinct benefit, and which one (or which combination) you apply depends on the organization's needs. Adopting one of them is paramount, however, because a defined cycle gives the team a repeatable process, and a repeatable process is what makes the resulting intelligence consistent, actionable, reliable, and of high quality.

The threat intelligence life cycle

The threat intelligence life cycle is adapted from the intelligence cycle used by the United States intelligence community, including the Central Intelligence Agency (CIA). Intelligence is the product of a process that includes collecting data, analyzing it, adding context, and finally, delivering that intelligence as a product of some sort. Following this life cycle gives your organization a structured, repeatable way of delivering consistently accurate and timely intelligence. The threat intelligence life cycle is a five-step process, meant to be followed in order, starting with planning and direction:

  1. Planning and direction
  2. Collection
  3. Analysis
  4. Production
  5. Dissemination and feedback

Let's examine the threat intelligence life cycle in greater detail:

Figure 1.4 – The threat intelligence life cycle

The easiest way to understand the life cycle is to look at each stage individually and see how it feeds the next. So, let's examine each stage in closer detail.

Planning and direction

Generally speaking, the first phase of the threat intelligence life cycle begins with planning and setting the direction for what intelligence will be collected and analyzed, as well as for what purpose. Objectives and direction are derived from Prioritized Intelligence Requirements (PIRs), the ranked questions that leadership and the security program need answered; Prioritized Collection Requirements (PCRs), which identify the sources and collection activities needed to answer those questions; and Essential Elements of Information (EEIs), the specific pieces of information that must be obtained to satisfy each PIR.

Collection

In response to the PIRs, PCRs, and EEIs, data collection can begin. Data can be collected from many kinds of sources, ranging from human contacts, through open source and other publicly available data, to closed channels such as Telegram groups. Often, this data is collected both manually, by an analyst, and en masse, via automated means. In this model, processing is folded into the collection phase: once gathered, the data should be stored, organized, and normalized so that it is easy to analyze. Since collection typically generates a lot of data, processing needs a systematic way to store it in a centralized location, such as a Threat Intelligence Platform (TIP).

Analysis and production

After the data has been centralized in a standardized way, we begin analyzing it and turning it into intelligence that can be delivered in some format. Analysis can include deduplication, Admiralty scoring (grading each item by source reliability, A to F, and information credibility, 1 to 6), pivoting, and enrichment. Production turns the resulting intelligence into a deliverable, such as a report for executive leadership or a feed of vetted indicators for the SOC.
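The processing and analysis steps above (normalizing raw indicators, deduplicating them, and grading them) are easy to describe and easy to get wrong, because the same indicator arrives from different feeds in different shapes: mixed case, trailing dots, defanged with `hxxp` and `[.]`. The following added example, written for this excerpt and not taken from the book or from any particular TIP, shows one way to do it in Python. The feed names, indicator values, Admiralty grades, the numeric weights attached to each grade, and the corroboration bonus are all constructed assumptions for the example; the A to F and 1 to 6 grade letters themselves are the standard Admiralty codes.

```python
"""Normalizing, deduplicating and Admiralty-scoring raw indicators.

Added example for this excerpt; not code from the book or from any TIP.
All feed names, indicator values, grades and weights are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Admiralty (NATO) system: source reliability A-F, information credibility 1-6.
# The numeric weights are an assumption made for this example, not a standard.
RELIABILITY = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.0}
CREDIBILITY = {"1": 1.0, "2": 0.8, "3": 0.6, "4": 0.4, "5": 0.2, "6": 0.0}
GRADE_RE = re.compile(r"^[A-F][1-6]$")


@dataclass(frozen=True)
class Indicator:
    kind: str    # "domain", "ipv4", "url" or "sha256"
    value: str   # as received: mixed case, possibly defanged
    source: str
    grade: str   # Admiralty code such as "B2"


@dataclass(frozen=True)
class Scored:
    kind: str
    value: str               # normalized form, used as the dedup key
    sources: tuple[str, ...]
    confidence: float


def refang(value: str) -> str:
    """Undo the defanging (hxxp, [.], (.), [:]) common in shared reports."""
    v = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    for fanged, plain in (("[.]", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(fanged, plain)
    return v


def normalize(kind: str, value: str) -> str:
    """Canonical form so the same indicator from two feeds compares equal."""
    v = refang(value)
    if kind in ("domain", "ipv4", "sha256"):
        return v.lower().rstrip(".")
    if kind == "url":
        p = urlsplit(v)  # lowercase scheme and host only; paths are case-sensitive
        return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, p.fragment))
    raise ValueError(f"unknown indicator kind: {kind}")


def admiralty_score(grade: str) -> float:
    """Reliability x credibility; F or 6 ("cannot be judged") scores 0."""
    if not GRADE_RE.match(grade):
        raise ValueError(f"bad Admiralty grade: {grade}")
    return RELIABILITY[grade[0]] * CREDIBILITY[grade[1]]


def consolidate(raw: list[Indicator]) -> list[Scored]:
    """Deduplicate by (kind, normalized value), keep the best grade, and add
    +0.1 per additional independent source (assumed corroboration bonus)."""
    merged: dict[tuple[str, str], dict] = {}
    for ind in raw:
        key = (ind.kind, normalize(ind.kind, ind.value))
        entry = merged.setdefault(key, {"sources": set(), "best": 0.0})
        entry["sources"].add(ind.source)
        entry["best"] = max(entry["best"], admiralty_score(ind.grade))
    out = []
    for (kind, value), e in merged.items():
        conf = min(1.0, e["best"] + 0.1 * (len(e["sources"]) - 1))
        out.append(Scored(kind, value, tuple(sorted(e["sources"])), round(conf, 3)))
    return sorted(out, key=lambda s: (-s.confidence, s.kind, s.value))


def actionable(scored: list[Scored], threshold: float = 0.6) -> list[Scored]:
    """Indicators confident enough to push to blocking and detection controls."""
    return [s for s in scored if s.confidence >= threshold]


# Constructed sample feed: a vendor feed, an ISAC share, an analyst note,
# a sandbox report and an ungraded paste site.
RAW_FEED = [
    Indicator("domain", "Evil-Update.example.", "vendor-feed", "B2"),
    Indicator("domain", "evil-update[.]example", "isac-share", "C3"),
    Indicator("url", "hxxp://Evil-Update.example/Payload.bin", "analyst-note", "B1"),
    Indicator("ipv4", "203.0.113[.]45", "vendor-feed", "B2"),
    Indicator("ipv4", "203.0.113.45", "paste-site", "F6"),
    Indicator("sha256", "A1B2C3D4" * 8, "sandbox", "A1"),
    Indicator("domain", "update.example", "paste-site", "E5"),
]

if __name__ == "__main__":
    for s in actionable(consolidate(RAW_FEED)):
        print(f"{s.confidence:.2f} {s.kind:7} {s.value} <- {', '.join(s.sources)}")
```

Two design points are worth noting. Deduplication happens on the normalized value, so the vendor's `Evil-Update.example.` and the ISAC's `evil-update[.]example` collapse into one record with two sources, and that corroboration raises the confidence rather than the record appearing twice. A paste-site entry graded `F6` contributes nothing to the score but still counts as a sighting, which is the behaviour you want: an unjudgeable source should neither inflate confidence nor be silently dropped from the audit trail.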

Dissemination and feedback

Finally, after the intelligence has been analyzed and produced, it is disseminated to its consumers and feedback is sought. Decision-makers will likely take action based on the intelligence after reviewing it. The entire process is then reviewed, and feedback from internal and external stakeholders and consumers of the intelligence is fed back into the next round of planning and direction.

The threat intelligence life cycle is typically a strategic tool. It pairs well with a second, more tactical life cycle, F3EAD, and adopting the two together is a good complement. Let's examine the F3EAD life cycle in greater detail.

F3EAD life cycle

The F3EAD cycle is an alternative intelligence life cycle that can be considered for application within a CTI organization. Although F3EAD comes from military targeting and is still used in kinetic operations by militaries worldwide, it applies just as readily to CTI. F3EAD is more tactical in its approach than the more strategic threat intelligence life cycle, and it is viewed as six individual stages:

  1. Find
  2. Fix
  3. Finish
  4. Exploit
  5. Analyze
  6. Disseminate

When used in unison with the threat intelligence life cycle, both operational and strategic objectives can be more holistically accomplished:

Figure 1.5 – The F3EAD life cycle

Now, let's examine Figure 1.5 in detail.

Find

The find stage is the who, what, when, why, and where of CTI. In this stage, a tactical target of intelligence is defined, located, and collected. As an example, an incident responder would find suspicious activity across several endpoints.

Fix

The fix phase effectively transforms the data and intelligence gained from the find phase into evidence that can be used as a basis for action within the next stage. An example of activity in the fix stage includes an incident responder correlating multiple IOCs across a cluster of infected endpoints within the enterprise.

Finish

The finish stage is the action phase. In this stage, an action is taken based on the first two stages, find and fix. Let's continue the preceding example: after the incident responder has grouped the suspicious endpoints, they are isolated, taken offline, and wiped. Capture memory and disk images before the wipe, because the next stage depends on having the samples and artifacts from those hosts.
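The find, fix, and finish stages above, as the incident responder works them, are a correlation problem: which hosts touched which indicators, and which of those hosts form the cluster that gets contained? The following added example, written for this excerpt and not taken from the book or from any EDR product, runs that logic over a few constructed endpoint telemetry lines. The log format (`timestamp host=... type=... key=value`), the hostnames, the watchlist values, and the rule that a host needs at least two distinct indicators to join the cluster are all assumptions for the example.

```python
"""Correlating IOC hits across endpoints to define the cluster to contain.

Added example for this excerpt; not code from the book or from any EDR product.
Hostnames, log format, indicators and timestamps are constructed.
"""
import re
from collections import defaultdict

# Indicators handed over from analysis (constructed). Kind -> set of values.
WATCHLIST = {
    "domain": {"evil-update.example"},
    "ipv4": {"203.0.113.45"},
    "sha256": {"a1b2c3d4" * 8},
}

# Which log field of which event type carries each indicator kind.
FIELD_FOR_KIND = {"dns": ("query", "domain"), "net": ("dst", "ipv4"), "proc": ("sha256", "sha256")}

TOKEN_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse one 'ts host=... type=... k=v' line into a dict (constructed format)."""
    ts, _, rest = line.strip().partition(" ")
    ev = {"ts": ts}
    ev.update(TOKEN_RE.findall(rest))
    return ev


def find_hits(lines):
    """Find stage: every event whose relevant field is on the watchlist."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        spec = FIELD_FOR_KIND.get(ev.get("type"))
        if not spec:
            continue
        field, kind = spec
        value = ev.get(field, "").lower()
        if kind == "ipv4":
            value = value.rsplit(":", 1)[0]  # strip the port from dst=ip:port
        if value in WATCHLIST[kind]:
            hits.append((ev["host"], kind, value, ev["ts"]))
    return hits


def fix_cluster(hits, min_distinct=2):
    """Fix stage: group hits per host. Hosts with >= min_distinct different IOCs
    form the infected cluster; single-IOC hosts are held for triage, since one
    DNS lookup alone may be a scanner or a curious user, not an infection."""
    per_host = defaultdict(set)
    for host, kind, value, _ in hits:
        per_host[host].add((kind, value))
    cluster = {h: sorted(i) for h, i in per_host.items() if len(i) >= min_distinct}
    triage = {h: sorted(i) for h, i in per_host.items() if len(i) < min_distinct}
    return cluster, triage


def finish_plan(cluster, triage):
    """Finish stage: ordered containment actions. Evidence capture comes first
    so the exploit stage still has samples after the hosts are wiped."""
    plan = []
    for host in sorted(cluster):
        plan.append(("capture_memory_and_disk", host))
        plan.append(("isolate", host))
        plan.append(("reimage", host))
    for host in sorted(triage):
        plan.append(("triage", host))
    return plan


# Constructed telemetry: two infected workstations, a security scanner that
# only resolved the domain, and a clean host talking to an unrelated address.
SAMPLE_LOG = [
    "2024-03-02T10:14:03Z host=WS-0192 type=dns query=evil-update.example",
    "2024-03-02T10:14:04Z host=WS-0192 type=net dst=203.0.113.45:443",
    f"2024-03-02T10:14:09Z host=WS-0192 type=proc image=upd.exe sha256={'A1B2C3D4' * 8}",
    "2024-03-02T10:21:40Z host=WS-0417 type=net dst=203.0.113.45:443",
    f"2024-03-02T10:21:45Z host=WS-0417 type=proc image=upd.exe sha256={'a1b2c3d4' * 8}",
    "2024-03-02T11:02:11Z host=SEC-SCANNER type=dns query=evil-update.example",
    "2024-03-02T11:05:00Z host=WS-0555 type=net dst=198.51.100.7:443",
]

if __name__ == "__main__":
    cluster, triage = fix_cluster(find_hits(SAMPLE_LOG))
    for action, host in finish_plan(cluster, triage):
        print(f"{action:24} {host}")
```

The threshold in `fix_cluster` is the practical safeguard in this flow: a single indicator match is evidence for the fix stage, but two or more distinct indicators on the same host is what justifies the irreversible finish action. Hosts below the threshold are routed to triage instead of being wiped.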

Exploit

The exploit stage deconstructs what was learned in the first three phases and develops after-actions and next steps. An example of this stage is a malware reverse engineer statically analyzing the samples the incident responder recovered from the infected endpoints. With that understanding, the reverse engineer can then assist in deploying organization-wide mitigations.

Analyze

The analyze stage is the fusion stage. It includes folding the intelligence that has been identified into the broader web and context of intelligence. An example of this would be the aforementioned reverse engineer entering malware intelligence and data from reversing efforts into a TIP.

Disseminate

Finally, the results are disseminated to both tactical consumers (for example, the SOC) and strategic consumers (for example, the CISO). For example, the malware reverse engineer could pass the indicators and behaviours observed in the isolated malware to the SOC for blocking across the organization.

When the threat intelligence life cycle and F3EAD are used in unison, like two large cogs, the enterprise benefits from each approach. One way of visualizing this is to see both cycles as cogs in a larger threat intelligence cycle. The two mesh at the threat intelligence life cycle's collection and analysis phases, which line up with F3EAD's find and analyze phases: tactical findings from find feed strategic collection, and what F3EAD's analyze stage folds into the TIP becomes input to strategic analysis.

While there are many intelligence life cycles that could be implemented inside a CTI function, and there's no one-size-fits-all implementation, we've shared two prominent models that are easily adaptable to CTI. In the next section, we're going to examine a very important implementation consideration: the maturity and hunting models.
