Understanding the Cyber Threat Intelligence Lifecycle
In today’s threat landscape, cyber threats are emerging and evolving at an alarming pace. This is due not only to the evolution of threat actor tactics, techniques, and procedures (TTPs), but also to the expansion of attack surfaces. Now more than ever, it is essential for organizations to adopt a proactive stance and stay ahead of the myriad of threats they face. You’re probably asking yourself, how can this be done? As a CISO or part of a leadership team, how can I effectively protect my organization? The answer lies in Threat Intelligence.
A mature Threat Intelligence program empowers organizations to make informed decisions at all levels, from strategic leadership level to operational and tactical levels. This program integrates the threat intelligence lifecycle into daily security operations, enabling intelligence analysts to produce insightful reports on current and emerging threat trends. Moreover, these analysts generate operational intelligence for threat hunting, purple teaming, and blocking indicators of compromise using various security tools.
This article aims to guide organizations in implementing a robust Threat Intelligence program by detailing the steps of the intelligence cycle and how to leverage Filigran’s OpenCTI platform for each step.
Planning & Direction
Priority Intelligence Requirements (PIRs)
The first step in the Cyber Threat Intelligence Lifecycle is Planning & Direction. This phase involves creating Priority Intelligence Requirements (PIR), which are critical intelligence needs that decision-makers must understand to mitigate threats. By identifying these PIRs, organizations can take strategic steps to understand their threat landscape and act proactively to mitigate risks. PIRs also enable an organization to prioritize the most pressing issues. These requirements are strategic in nature and can be broken down into more specific questions, called intelligence gaps or Essential Elements of Information (EEIs), which, when answered, address the overall PIR.
For example, a PIR might be, “How are threat actors targeting my industry?” A corresponding intelligence gap could be, “What specific TTPs have threat actors traditionally used against my industry?” This level of specificity helps focus efforts where they matter most.
Why are PIRs important?
PIRs help prioritize and focus collection against the most significant threats facing your organization and address leadership questions, enabling the C-suite to make informed decisions. If everything is a priority, then nothing is a priority. In OpenCTI, it is recommended to use the Reports, Groupings, or Request for Information containers to document the PIRs.
Collection Plan
Once PIRs and intelligence gaps are identified, the next step is to create a collection plan. This plan outlines the sources you currently use and assesses how well those sources address, or could address, the identified PIRs. If your current sources are inadequate, your team will need to assess which sources might meet your needs, which do not, and which new sources you could add. Your team can then suggest integrating these additional sources into the OpenCTI platform. Sources could include open-source data, premium feeds, TAXII feeds (from ISACs), and connectors to internal security tools like EDRs or SIEMs.
Collection
With a collection plan in place, the next phase involves gathering intelligence. Analysts must continuously assess whether the collected reports address the established PIRs. In OpenCTI, collection occurs through connectors to various feed vendors, TAXII feeds, and open-source intelligence. OpenCTI can also automate collection based on specified filters related to the PIRs, such as labels.
Processing
After data collection, the next step is processing, which involves filtering and organizing the information into a usable format. Collected data may come in various formats, including indicators, reports, artifacts, intrusion sets, etc. In OpenCTI, analysts can categorize information related to PIRs, ensuring that all pertinent data is easily accessible for further analysis.
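The collection and processing steps above come down to one mechanical question: which of the collected reports actually answer a PIR, and which do not? The following is an added example (not OpenCTI's code) that triages a constructed STIX 2.1 bundle, the format connectors and TAXII feeds deliver, against a small set of PIRs. The PIR identifiers, the PIR labels, and every object in the bundle are made up for illustration; the idea that a report carries labels matching a PIR is the same label-based filtering the text describes.

```python
"""Triage collected STIX 2.1 reports against Priority Intelligence Requirements.

Added example, standard library only. PIRs map to a set of labels; a report
is assigned to every PIR whose labels it shares. Reports matching no PIR are
flagged for the collection-plan review, and PIRs with no reports are flagged
as coverage gaps.
"""
import json

# Constructed PIRs (identifiers and labels are hypothetical).
PIRS = {
    "PIR-1": {"question": "How are threat actors targeting my industry?",
              "labels": {"sector:finance"}},
    "PIR-2": {"question": "Which ransomware groups threaten our supply chain?",
              "labels": {"ransomware", "supply-chain"}},
    "PIR-3": {"question": "Is our cloud identity provider being targeted?",
              "labels": {"identity", "cloud"}},
}

# Constructed sample bundle standing in for one collection run. All IDs,
# names and the indicator value are made up.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--9f1c2d3e-0000-4000-8000-000000000001",
    "objects": [
        {"type": "intrusion-set",
         "id": "intrusion-set--11111111-0000-4000-8000-000000000001",
         "name": "Example Set A"},
        {"type": "attack-pattern",
         "id": "attack-pattern--22222222-0000-4000-8000-000000000001",
         "name": "Phishing"},
        {"type": "attack-pattern",
         "id": "attack-pattern--22222222-0000-4000-8000-000000000002",
         "name": "Data Encrypted for Impact"},
        {"type": "indicator",
         "id": "indicator--33333333-0000-4000-8000-000000000001",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'lure.example']"},
        {"type": "report",
         "id": "report--44444444-0000-4000-8000-000000000001",
         "name": "Finance-sector phishing wave",
         "labels": ["sector:finance", "phishing"],
         "object_refs": ["intrusion-set--11111111-0000-4000-8000-000000000001",
                         "attack-pattern--22222222-0000-4000-8000-000000000001",
                         "indicator--33333333-0000-4000-8000-000000000001"]},
        {"type": "report",
         "id": "report--44444444-0000-4000-8000-000000000002",
         "name": "Ransomware affiliate hits logistics vendor",
         "labels": ["ransomware", "supply-chain"],
         "object_refs": ["attack-pattern--22222222-0000-4000-8000-000000000002",
                         "malware--55555555-0000-4000-8000-000000000009"]},
        {"type": "report",
         "id": "report--44444444-0000-4000-8000-000000000003",
         "name": "Vendor marketing newsletter",
         "labels": ["marketing"],
         "object_refs": []},
    ],
})


def triage(bundle_json: str, pirs: dict) -> dict:
    """Organize the reports in a STIX bundle by the PIR(s) they address."""
    bundle = json.loads(bundle_json)
    by_id = {obj["id"]: obj for obj in bundle["objects"]}
    result = {pir: {"reports": [], "ttps": set(), "indicators": 0} for pir in pirs}
    unassigned = []

    for obj in bundle["objects"]:
        if obj["type"] != "report":
            continue
        labels = set(obj.get("labels", []))
        matched = [pir for pir, spec in pirs.items() if labels & spec["labels"]]
        if not matched:
            unassigned.append(obj["id"])      # collected but answers no PIR
            continue
        for pir in matched:
            entry = result[pir]
            entry["reports"].append(obj["id"])
            for ref in obj.get("object_refs", []):
                referenced = by_id.get(ref)
                if referenced is None:
                    continue                  # dangling ref: object not in this bundle
                if referenced["type"] == "attack-pattern":
                    entry["ttps"].add(referenced["name"])
                elif referenced["type"] == "indicator":
                    entry["indicators"] += 1

    for entry in result.values():
        entry["ttps"] = sorted(entry["ttps"])  # JSON-friendly, deterministic
    gaps = [pir for pir, entry in result.items() if not entry["reports"]]
    return {"by_pir": result, "unassigned": unassigned, "gaps": gaps}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_BUNDLE, PIRS), indent=2))
```

The `gaps` list is the input back into the collection plan: a PIR with no matching reports means the current sources are not answering it. The `unassigned` list is the opposite signal, sources producing material nobody asked for.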
Analysis
Once the data is processed and organized, analysts evaluate the information using analytic tools such as OpenCTI’s investigations/enrichment portals and structured analytic techniques like hypothesis testing. They then arrive at an analytic conclusion in response to a PIR or its associated EEIs. Analysts should use assessment language, such as “The Threat Intelligence Team assesses that Scattered Spider will likely target our organization over the next 6 to 12 months”, a conclusion that could have significant implications if not mitigated. This stage also marks the transition of evidence/information (indicators, TTPs, observables) into intelligence (actionable insights that address a PIR to inform decision-making).
In OpenCTI, analysts can conduct this analysis in multiple ways, including proactively investigating top threat actors by placing them or their intrusion sets into containers, launching investigations, and identifying or pivoting on the malware and tools used by these actors. The findings will inform threat hunting and defensive measures. Analysts can draft and produce finished intelligence reports using assessment language directly from OpenCTI via Reports or the content tab within Groupings or Requests for Information.
Dissemination
After analysis, the findings are disseminated to relevant stakeholders. Dissemination can take various forms, from strategic reports for leadership to tactical intelligence for security tools.
OpenCTI facilitates this process by enabling analysts to export reports or send tactical results to integrated security tools via live streams and connectors.
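Tactical dissemination to an EDR or SIEM means turning STIX indicators into something those tools can load, while leaving out what should never reach a blocking control: revoked indicators, indicators past `valid_until`, and low-confidence ones. The following is an added example, not OpenCTI's own stream or connector code. The indicator objects are constructed, the confidence threshold is an arbitrary choice, and the pattern handling covers only simple equality comparisons of the form `[type:path = 'value']`, optionally joined by `OR`, rather than the full STIX pattern grammar.

```python
"""Build a tool-ready tactical feed from STIX 2.1 indicators.

Added example. Only simple equality comparisons are parsed (a deliberate
simplification of STIX patterning); anything else is reported as skipped
rather than silently dropped.
"""
import re
from datetime import datetime, timezone

# One equality comparison inside a STIX pattern, e.g. ipv4-addr:value = '1.2.3.4'
# or file:hashes.'SHA-256' = '<hex>'.
COMPARISON = re.compile(
    r"(?P<type>[a-z0-9-]+):(?P<path>[A-Za-z0-9_.'-]+)\s*=\s*'(?P<value>[^']*)'"
)

# Which (object type, property path) pairs map to which feed column.
FEED_COLUMNS = {
    ("ipv4-addr", "value"): "ip",
    ("domain-name", "value"): "domain",
    ("url", "value"): "url",
    ("file", "hashes.'SHA-256'"): "sha256",
}

# Constructed indicators standing in for the output of an analysis. All IDs,
# values, dates and confidence scores are made up.
SAMPLE_INDICATORS = [
    {"id": "indicator--a0000000-0000-4000-8000-000000000001", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "confidence": 85, "valid_until": "2099-01-01T00:00:00Z"},
    {"id": "indicator--a0000000-0000-4000-8000-000000000002", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'lure.example' OR domain-name:value = 'cdn.lure.example']",
     "confidence": 70},
    {"id": "indicator--a0000000-0000-4000-8000-000000000003", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']",
     "confidence": 90},
    {"id": "indicator--a0000000-0000-4000-8000-000000000004", "pattern_type": "stix",
     "pattern": "[url:value = 'http://old.example/x']", "confidence": 90, "revoked": True},
    {"id": "indicator--a0000000-0000-4000-8000-000000000005", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.9']",
     "confidence": 90, "valid_until": "2020-01-01T00:00:00Z"},
    {"id": "indicator--a0000000-0000-4000-8000-000000000006", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.10']", "confidence": 20},
    {"id": "indicator--a0000000-0000-4000-8000-000000000007", "pattern_type": "yara",
     "pattern": "rule example_rule { condition: false }", "confidence": 90},
]


def _parse_ts(value: str) -> datetime:
    """STIX timestamps end in 'Z'; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def tactical_feed(indicators, now: datetime, min_confidence: int = 50):
    """Return ({column: sorted values}, [(indicator id, reason skipped)])."""
    feed = {column: set() for column in FEED_COLUMNS.values()}
    skipped = []
    for ind in indicators:
        if ind.get("revoked"):
            skipped.append((ind["id"], "revoked"))
            continue
        if ind.get("confidence", 0) < min_confidence:
            skipped.append((ind["id"], "below confidence threshold"))
            continue
        valid_until = ind.get("valid_until")
        if valid_until and _parse_ts(valid_until) <= now:
            skipped.append((ind["id"], "expired"))
            continue
        if ind.get("pattern_type", "stix") != "stix":
            skipped.append((ind["id"], "unsupported pattern type"))
            continue
        matches = list(COMPARISON.finditer(ind["pattern"]))
        if not matches:
            skipped.append((ind["id"], "pattern not parsed"))
            continue
        for m in matches:
            column = FEED_COLUMNS.get((m["type"], m["path"]))
            if column is None:
                skipped.append((ind["id"], f"no feed column for {m['type']}:{m['path']}"))
                continue
            feed[column].add(m["value"])
    return {column: sorted(values) for column, values in feed.items()}, skipped


if __name__ == "__main__":
    feed, skipped = tactical_feed(SAMPLE_INDICATORS, datetime.now(timezone.utc))
    print(feed)
    print(skipped)
```

The `skipped` list is worth keeping as part of the dissemination record: it shows the receiving team what was withheld and why, which is also the kind of detail that comes back as feedback in the next step of the cycle.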
Feedback
The final, and often overlooked, step of the intelligence life-cycle is feedback. After disseminating intelligence, it’s crucial for analysts to gather feedback from the stakeholders to evaluate the effectiveness of the provided intelligence. Organizations can assess impact by determining if the analysis addressed the PIRs and whether tactical intelligence improved metrics like Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). Finally, members of the intel program can request feedback from the leadership team and other teams within the organization that received the intelligence.
The intelligence cycle is iterative, and there may be instances when analysts need to loop back to a previous step. For example, during processing, if analysts identify the need for additional information, they may return to the collection phase to gather more data.
Conclusion
In today’s cybersecurity environment, instituting a Threat Intelligence program is imperative. Such a program enables organizations to prioritize their security efforts, moving away from a reactive, “whack-a-mole” approach. It facilitates the proactive identification, assessment, and mitigation of threats, ultimately safeguarding the organization from potential financial and reputational damage.
Lastly, a threat intelligence program enables organizational leadership to make informed cyber security and business decisions.
If you have any questions, requests, comments or feedback to share with us, don’t hesitate to join us on Slack!