In previous posts, we’ve discussed the foundational elements of Cyber Threat Intelligence (CTI) programs: 1) Organizational Threat Profile, 2) Stakeholder Analysis, and 3) Intelligence Requirements. These initial components are essential to inform the organization of relevant threats, identify key stakeholders across the business, decipher how these stakeholders will consume and apply the intelligence, and provide a knowledge baseline for developing and implementing CTI practices.
Executing these elements through a requirements-based approach positions an organization to become a proactive, intelligence-led operation. For a CTI program to reach its full potential, however, the organization must also adopt a core process framework.
A well-defined process framework ensures structured and repeatable collection, processing, analysis, production, and dissemination of CTI. Establishing the expected program capabilities up front ensures that end-state business objectives, goals, and outcomes are clearly identified and agreed upon, while maintaining alignment to business needs to reduce risk and threat exposure.
To help organizations better understand and implement a core process framework, Mandiant analyzed government agency and intelligence community best practices to further refine the traditional intelligence process – forming a cyber-specific narrative that we call the CTI Process Lifecycle. The lifecycle’s components and associated practices (depicted in Figure 1) can be technical or non-technical, and should be aligned towards:
- Tasks people must perform, coupled with respective knowledge areas required to accomplish those tasks
- Supporting standards, requirements, and guidelines that must be adhered to
- Implementation, usage, and interconnection of supporting technology, key data and information
Figure 1: CTI Process Lifecycle
Using an organized CTI process ensures structured and consistent practices across the organization. To reap the full business and risk management benefits of this approach, the CTI process lifecycle and key program components should be owned at the executive level (C-suite) and executed against these five phases:
Planning & Requirements – Define a clear CTI mission that speaks to the goals of the program. Highlight the use of a requirements-based approach with continuous management of its execution. This will drive the lifecycle process and reduce organizational risk through informed direction of resources.
Collections & Processing – Using a data acquisition strategy, determine how, when, why, and what should be collected to fulfill requirements. Normalize, de-duplicate and enrich threat data to produce information that is consumable and applicable. To reduce processing time, automated collection systems – such as a Threat Intelligence Platform (TIP) – are increasingly utilized across
Analysis – Evaluate, analyze and interpret the processed information against your program's requirements to provide sound analytic judgments that determine confidence, relevance, likelihood, and threat impact. Assess collection gaps to satisfy
Production – Produce finished intelligence products such as briefings and technical reports that are timely, relevant, actionable, and trace back to stakeholder needs – whether operational, tactical or strategic. Document any product deficiencies against stakeholder requirements.
Dissemination & Feedback – Deliver finished intelligence products to internal or external stakeholders at defined frequencies and through defined methods. Products should outline expected courses of action and provide a means for stakeholders to evaluate the product received.
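The normalize, de-duplicate and enrich steps of the Collections & Processing phase are where most of the engineering effort in a CTI pipeline goes, so here is a worked example of them. This is an added illustration, not code from the original post or from any Mandiant product. Everything in it is constructed for the example: the two feeds (one CSV, one JSON), the source names, the Admiralty-style source reliability letters (A is best), and the list of the organization's own internet-facing assets. The pipeline refangs values (`hxxp`, `[.]`), derives the indicator type from the value rather than trusting what the feed declared, canonicalizes case and trailing dots, merges records that collapse to the same (type, value) while keeping the earliest first-seen date and every contributing source, and then tags indicators that are corroborated by more than one source or that match an internal asset (a feed sometimes lists your own infrastructure, and auto-blocking it causes an outage).

```python
"""Collections & Processing worked example: normalize, de-duplicate and enrich
indicators from two constructed feeds. Feed data, source names and enrichment
tables are all invented for illustration."""
import csv
import io
import ipaddress
import json
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Constructed sample feeds in two different formats (not real intelligence).
FEED_A_CSV = """type,value,source,first_seen
domain,Bad-Example[.]COM.,vendor-a,2024-01-03
url,hxxps://Bad-Example[.]com/Login,vendor-a,2024-01-04
ipv4,198[.]51[.]100[.]7,vendor-a,2024-01-02
md5,D41D8CD98F00B204E9800998ECF8427E,vendor-a,2024-01-01
"""
FEED_B_JSON = json.dumps([
    {"indicator": "bad-example.com", "source": "isac-b", "seen": "2024-01-05"},
    {"indicator": "198.51.100.7", "source": "isac-b", "seen": "2024-01-06"},
    {"indicator": "d41d8cd98f00b204e9800998ecf8427e", "source": "isac-b", "seen": "2023-12-30"},
    {"indicator": "Corp-Portal.Example.NET", "source": "isac-b", "seen": "2024-01-06"},
    {"indicator": "not an indicator", "source": "isac-b", "seen": "2024-01-06"},
])

# Constructed enrichment context: Admiralty-style source reliability (A best)
# and the organization's own internet-facing assets.
SOURCE_RELIABILITY = {"vendor-a": "B", "isac-b": "A"}
INTERNAL_ASSETS = {"corp-portal.example.net"}

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$")


@dataclass
class Indicator:
    type: str
    value: str
    sources: set = field(default_factory=set)
    first_seen: str = "9999-12-31"
    sightings: int = 0
    tags: list = field(default_factory=list)
    reliability: str = "F"


def refang(raw):
    """Undo common defanging so values from different feeds compare equal."""
    s = raw.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def classify(raw):
    """Derive (type, canonical value) from the value itself; declared types are not trusted."""
    s = refang(raw)
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) in HASH_TYPES:
        return HASH_TYPES[len(s)], s.lower()
    try:
        ip = ipaddress.ip_address(s)
        return f"ipv{ip.version}", str(ip)
    except ValueError:
        pass
    if s.lower().startswith(("http://", "https://")):
        u = urlsplit(s)  # scheme and host are case-insensitive, path is not
        return "url", urlunsplit((u.scheme.lower(), u.netloc.lower(), u.path, u.query, ""))
    d = s.lower().rstrip(".")
    if DOMAIN_RE.match(d):
        return "domain", d
    return None


def parse_feed_a(text):
    return [{"value": r["value"], "source": r["source"], "seen": r["first_seen"]}
            for r in csv.DictReader(io.StringIO(text))]


def parse_feed_b(text):
    return [{"value": r["indicator"], "source": r["source"], "seen": r["seen"]}
            for r in json.loads(text)]


def normalize_and_dedupe(records):
    """Merge records that canonicalize to the same (type, value); return (indicators, rejected)."""
    merged, rejected = {}, []
    for rec in records:
        parsed = classify(rec["value"])
        if parsed is None:
            rejected.append(rec["value"])
            continue
        ind = merged.setdefault(parsed, Indicator(*parsed))
        ind.sources.add(rec["source"])
        ind.sightings += 1
        ind.first_seen = min(ind.first_seen, rec["seen"])  # ISO dates sort lexically
    return list(merged.values()), rejected


def enrich(indicators):
    """Attach the context an analyst needs before an indicator reaches a control."""
    for ind in indicators:
        ind.reliability = min(SOURCE_RELIABILITY.get(s, "F") for s in ind.sources)
        if len(ind.sources) > 1:
            ind.tags.append("corroborated")
        if ind.type == "domain" and ind.value in INTERNAL_ASSETS:
            ind.tags.append("internal-asset:review-before-blocking")
    return indicators


def process_feeds():
    records = parse_feed_a(FEED_A_CSV) + parse_feed_b(FEED_B_JSON)
    indicators, rejected = normalize_and_dedupe(records)
    return enrich(indicators), rejected


if __name__ == "__main__":
    inds, rej = process_feeds()
    for i in sorted(inds, key=lambda x: (x.type, x.value)):
        print(f"{i.type:6} {i.value:40} {i.reliability} x{i.sightings} {sorted(i.sources)} {i.tags}")
    print("rejected:", rej)
```

Running it collapses the nine input records to five unique indicators and rejects the one value that is not an indicator; the domain, IP and MD5 that both feeds reported come out tagged `corroborated` with the better of the two source grades, and the internal asset is tagged for analyst review instead of flowing straight to a blocklist. A TIP performs the same steps at scale, but the decisions encoded here (which normalizations are safe, whether declared types are trusted, what must never be auto-blocked) are the ones the data acquisition strategy should state explicitly.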
Implementing a Cyber Threat Intelligence capability can significantly improve an organization's risk posture, but once the novelty wears off, maintaining momentum is key. Aligning the program to a defined process lifecycle helps guide the organization toward its stated mission. The value of CTI is realized when the program and its personnel provide relevant, accurate, and timely intelligence that improves decision making and reduces critical cyber risks.
To round things out, the foundational components of a cyber intelligence program serve as guidance, while the CTI Process Lifecycle supports and enriches the security program's people, processes, and technologies with relentless execution.
Visit our Cyber
Threat Intelligence Services homepage for more information on
how Mandiant can help your organization improve its threat