Organizations maintain threat intelligence teams to build threat intelligence programs (TIPs) that uncover the emerging threats that increase business risk. The threat intelligence lifecycle forms a basis for the threat intelligence teams to plan and execute TIPs more efficiently and effectively.
This section discusses the threat intelligence lifecycle, maturity model, and frameworks that assist and guide the intelligence teams in building an efficient TIP. It also discusses factors to be considered while buying a threat intelligence solution.
Threat Intelligence Lifecycle
The threat intelligence lifecycle is a continuous process of developing intelligence from raw data that supports organizations to develop defensive mechanisms to prevent emerging risks and threats. The higher-level executives of the organization will provide continuous support to the intelligence team by evaluating and giving feedback at every stage.
The threat intelligence lifecycle consists of five phases:
1. Planning and Direction
In this phase, a proper plan is developed based on the strategic intelligence requirements, for example, what the requirements for developing the threat intelligence are, which intelligence information should be given priority, etc. This phase defines the entire intelligence program, from data collection to delivery of the final intelligence product, and acts as a basis for the complete intelligence process. It also includes identifying the data requirements, the methods to be used to collect data, and establishing a collection plan.
The requirements are set in such a way that effective and genuine intelligence data can be gathered with a fixed number of resources from various open sources of intelligence (OSINT). Along with the requirements, requests are sent to collect data from various internal and external sources. During this phase, an intelligence team is formed, and its key roles and responsibilities are formulated. The planning and requirements are also set for the later stages of the cycle so that they have proper support for their functioning.
2. Collection
In this phase, we need to focus on collecting the intelligence that was defined in phase one. The data can be collected in different ways, through either technical or human means. The collection can be performed openly or covertly, depending on the confidentiality of the information. The intelligence is collected through sources such as human intelligence (HUMINT), imagery intelligence (IMINT), measurement and signature intelligence (MASINT), signals intelligence (SIGINT), open source intelligence (OSINT), indicators of compromise (IoCs), and other third parties. This includes collecting data from critical applications, network infrastructure, security infrastructure, etc. Once the collection process is done, the data is transferred for processing in the next stage.
3. Processing and Exploitation
Until this phase, the data is not in a proper format; it is still raw data. The data obtained from the previous phases is processed for exploitation and transformed into useful information that the consumers can understand. The raw data is converted into meaningful information by highly trained professionals using sophisticated technology and tools. This interpreted data is converted into a usable format that can be used directly in the analysis phase.
For processing to be effective, it requires a proper understanding of the data collection plan, the requirements of the consumer, the analytical strategy, and the types of data being processed. Many automated tools are used to apply data processing functions such as structuring, decryption, language translation, parsing, data reduction, filtering, data correlation, and data aggregation.
4. Analysis and Production
After the data has been processed into a proper format, it is analyzed in this phase to obtain refined information. The analysis includes facts, findings, and forecasts, which enable the estimation and anticipation of attacks and their results. The analysis should be objective, timely, accurate, and actionable. To extract timely and accurate information, analysts need to apply four types of reasoning techniques: deduction, induction, abduction, and the scientific method based on confidence. As the information is obtained from different sources, analysts combine these various sources into a single entity in this phase.
The raw data is converted into information by applying various data analysis techniques such as qualitative and quantitative analyses, machine-based techniques, and statistical methods. When the analyzed information provides sufficient context for identifying a threat, it is elevated to intelligence. This phase identifies potential threats to the organization and further helps in developing appropriate countermeasures to respond to the identified threats.
5. Dissemination and Integration
The analyzed information is then ready for the integration and distribution to the intended consumers, which is done either by automated means or by manual methods.
Major threat information types that are generally disseminated include threat indicators, adversary TTPs, security alerts, threat intelligence reports, and tool configuration information for automating the phases of threat intelligence. Different intelligence reports are generated to meet the requirements of management and higher-level executives at the strategic, operational, tactical, and technical levels.
Strategic threat intelligence is consumed by high-level executives and management and focuses on high-level business strategies. Operational threat intelligence is consumed by cyber security professionals such as security managers and network defenders and mainly focuses on specific threats to the organization. Tactical threat intelligence is consumed by cyber security professionals such as IT service and SOC managers, administrators, and architects and focuses on adversary TTPs.
Technical threat intelligence is consumed by SOC staff and IR teams and includes information related to the identified IoCs. The disseminated intelligence helps organizations build defensive and mitigation strategies for the identified threats. Sharing threat intelligence internally and externally helps organizations gain situational awareness and enhance their current security posture and risk management processes.
This phase also provides feedback that supplies further input to the information requirements, thereby restarting the threat intelligence lifecycle. The feedback is an assessment of whether the extracted intelligence meets the requirements of the intelligence consumer. This feedback helps in producing more accurate intelligence through relevant and timely assessments.