It is hard to talk about any type of intelligence without mentioning the intelligence cycle. It is a method for delivering actionable intelligence to customers through a flexible stepwise process. Even though it is usually depicted as a cycle that moves in one circular motion, in reality it does not run so smoothly. At any point in the cycle the process can move back several steps and typically certain steps are recycled multiple times before moving on to the next. It is an iterative process that takes time to implement in order to get an effective and accurate product.
The CTI cycle is divided into six steps:
· Direction
· Collection
· Processing
· Analysis
· Dissemination
· Feedback
Direction
First, let’s look at the Direction Phase. This phase is an important step in the cycle because it is when analysts determine the goals of the intelligence product, also known as the intelligence requirements. These requirements guide each phase of the cycle to ensure that the intelligence product will match the critical needs of the consumer and provide effective actionable intelligence. In order to achieve this, analysts need to consider the consumer of the intelligence report, the specific needs of the consumer (feedback), and the demands of their industry. This is why it is important for analysts to be familiar with the consumer’s business processes and assets that need to be protected.
Collection
After the intelligence requirements have been determined, the Collection phase can start. This is one of the most robust phases of the CTI cycle due to the massive amount of data that can be collected from various resources. It is very possible that analysts can collect too much information that impedes the cycle and does not allow for the timely production of an intelligence product. This is especially common in the case of operational intelligence, the time sensitive intelligence process mentioned in the previous article. Therefore, analysts must use discretion when collecting information. It is always good to collect from more than one source, but it is important to ensure that the information is valid and relevant. Briefly, I will go over the various sources that analysts use in the collection phase. The sources for collecting information include security tools within the network, threat feeds, security websites, social channels (Twitter), threat actor forums, and the dark web.
Processing
The Processing phase is similar to a translation process that prepares all of the different types of data to be analyzed. This is when the raw data and information gathered in the Collection phase are converted into a more human-readable format ready for analysis. This can mean organizing the data into a spreadsheet or CSV file so that it is cleaner for humans to analyze, or entering it into a SIEM for further analysis. Another example is analysts researching the sources from the Collection phase to ensure the information gathered comes from a recent, valid source.
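As an added example (not code from the original article), here is a small Python pipeline covering the Collection and Processing phases described above: it takes constructed sample data from three assumed sources (an internal tool export, a JSON-lines threat feed and a free-text note), validates each indicator, drops entries that are malformed or older than an assumed 30-day freshness window, merges duplicates seen by more than one source, and writes the result as a CSV ready for an analyst or for SIEM import. The source names, field names, dates and indicator values are all made up for illustration.

```python
"""Normalize raw indicator data from several collection sources into one CSV.
Example code added to this article, not the author's. The feed formats, field
names, sample values and the 30-day freshness window are assumptions."""
import csv
import io
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input standing in for three collection sources.
INTERNAL_CSV = """indicator,type,first_seen
198.51.100.7,ip,2024-05-02
bad.example.net,domain,2024-04-28
"""
FEED_JSONL = """{"value": "198.51.100.7", "kind": "ipv4", "seen": "2024-05-03T10:00:00Z", "source": "feedA"}
{"value": "login.example.org", "kind": "domain", "seen": "2023-01-01T00:00:00Z", "source": "feedA"}
{"value": "999.1.1.1", "kind": "ipv4", "seen": "2024-05-01T00:00:00Z", "source": "feedA"}
"""
FORUM_NOTE = "Seen C2 at 203.0.113.9 and staging.example.com on 2024-05-04"

# "Now" is fixed so the freshness check is reproducible (assumed date).
NOW = datetime(2024, 5, 5, tzinfo=timezone.utc)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def parse_ts(text):
    """Parse an ISO-8601 date or timestamp; naive values are treated as UTC."""
    dt = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def classify(value):
    """Return 'ip', 'domain', or None when the value is not a usable indicator."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    return "domain" if DOMAIN_RE.match(value.lower()) else None


def parse_internal(text):
    """Internal tool export: CSV with indicator,type,first_seen columns."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"indicator": row["indicator"], "seen": parse_ts(row["first_seen"]), "source": "internal"}


def parse_feed(text):
    """Threat feed: one JSON object per line."""
    for line in text.splitlines():
        if line.strip():
            obj = json.loads(line)
            yield {"indicator": obj["value"], "seen": parse_ts(obj["seen"]), "source": obj.get("source", "feed")}


def parse_note(text, source="forum"):
    """Free-text note: pull out anything that classifies as an indicator.
    An undated note cannot be freshness-checked, so it yields nothing."""
    match = DATE_RE.search(text)
    if not match:
        return
    seen = parse_ts(match.group(0))
    for token in re.findall(r"[A-Za-z0-9.-]+", text):
        token = token.strip(".")
        if classify(token):
            yield {"indicator": token, "seen": seen, "source": source}


def normalize(records, now=NOW, max_age_days=30):
    """Validate, drop stale entries, merge duplicates, and return sorted rows."""
    cutoff = now - timedelta(days=max_age_days)
    merged = {}
    for rec in records:
        value = rec["indicator"].strip().lower()
        kind = classify(value)
        if kind is None or rec["seen"] < cutoff:
            continue  # malformed (e.g. 999.1.1.1) or older than the window
        entry = merged.setdefault(value, {"type": kind, "last_seen": rec["seen"], "sources": set()})
        entry["last_seen"] = max(entry["last_seen"], rec["seen"])
        entry["sources"].add(rec["source"])
    rows = [{"indicator": v, "type": e["type"], "last_seen": e["last_seen"].strftime("%Y-%m-%d"),
             "sources": ";".join(sorted(e["sources"]))} for v, e in merged.items()]
    return sorted(rows, key=lambda r: r["indicator"])


def to_csv(rows):
    """Render the normalized rows as CSV text for a spreadsheet or SIEM import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["indicator", "type", "last_seen", "sources"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def run_pipeline(now=NOW):
    records = [*parse_internal(INTERNAL_CSV), *parse_feed(FEED_JSONL), *parse_note(FORUM_NOTE)]
    return normalize(records, now)


if __name__ == "__main__":
    print(to_csv(run_pipeline()))
```

Of the six raw entries, four survive: the malformed address and the indicator last seen over a year earlier are dropped, and the IP reported by both the internal tool and the feed becomes a single row listing both sources, which is the kind of cross-source corroboration the Collection paragraph asks for.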
Analysis
Analysis is the phase where the raw data collected finally becomes actionable intelligence. Analysts use research methods and other analytical tools to further validate and investigate the information so that it transforms into actionable intelligence to be used by consumers to make critical decisions in their network. These decisions can range from immediately implementing security controls, blocking an IP or domain to prevent a pending attack, or allocating more finances to the security budget.
Dissemination
Since intelligence is actionable and can be time sensitive, there need to be clear directives on which department will receive the intelligence product; this is what makes the Dissemination phase essential. As stated in the previous article, the SOC typically receives the operational or technical intelligence, while the high-level executives usually receive the strategic intelligence. This is based on the requirements that are determined in the Direction phase mentioned earlier. The SOC will receive time sensitive reports that require immediate technical action such as adjusting firewall controls or blacklisting domains or email addresses. On the other hand, strategic intelligence reports are tailored more for the high-level executives, who are more concerned with the business side and are capable of making changes to the budget to hire more security specialists or purchase new tools.
Feedback
Arguably one of the most important parts of the intelligence cycle is the Feedback phase. This is when consumers are able to review the intelligence product and inform the analysts if and how it suited their needs. This way the analysts can either adapt their approach or change the focus of the intelligence product to make a more effective product. The Feedback can be used in the Direction phase to determine the intelligence requirements for a specific organization. This is why it is a useful and effective phase that can help to greatly improve on the intelligence cycle and the resulting product.
It is important to note that as this cycle is implemented many things do change throughout the process. Sometimes new information is discovered in the final stages, which brings the analysts back to the Processing phase or information collected may no longer be valid and the process is halted, and the Collection phase starts again. There are many different scenarios that can disrupt this cycle and it should really be thought of as a guide rather than a specific roadmap of the intelligence process.
I hope you enjoyed this quick rundown of the CTI cycle and are interested to check out more as these articles come out. It is always important to do your own research and I have provided some useful resources below. Also, remember YouTube can be a great learning tool and there is a wealth of knowledge about CTI out there for you to explore.
Until next time!
Lou Dell’Italia
Hackhouse.net Author
https://www.linkedin.com/in/lou-dell-italia-43745a82/
Suggested Resources:
Mark Lowenthal – Intelligence: From Secrets to Policy https://www.amazon.com/gp/product/B07YHZMBYB/ref=dbs_a_def_rwt_bibl_vppi_i0
John Friedman & Mark Bouchard – Definitive Guide to Cyber Threat Intelligence
Recorded Future – Threat Intelligence Handbook
Recorded Future – Threat Intelligence https://www.recordedfuture.com/threat-intelligence/
James Dietle – Effective Threat Intelligence