The CTI Process Lifecycle: Achieving Better Results Through Execution

In previous posts, we’ve discussed the foundational elements of Cyber Threat Intelligence (CTI) programs: 1) Organizational Threat Profile, 2) Stakeholder Analysis, and 3) Intelligence Requirements. These initial components are essential to inform the organization of relevant threats, identify key stakeholders across the business, decipher how these stakeholders will consume and apply the intelligence, and provide a knowledge baseline for developing and implementing CTI practices.

Executing these elements with a requirements-based approach positions an organization to become a proactive, intelligence-led operation. For a CTI program to reach its full potential, however, the organization must also adopt a core process framework.

A well-defined process framework ensures structured and repeatable collection, processing, analysis, production, and dissemination of CTI. Establishing the expected program capabilities up front ensures that end-state business objectives, goals, and outcomes are clearly identified and agreed upon, while keeping the program aligned to business needs so that it actually reduces risk and threat exposure.

To help organizations better understand and implement a core process framework, Mandiant analyzed government agency and intelligence community best practices to further refine the traditional intelligence process – forming a cyber-specific narrative that we call the CTI Process Lifecycle. The lifecycle’s components and associated practices (depicted in Figure 1) can be technical or non-technical, and should be aligned towards:

  • Tasks people must perform, coupled with respective knowledge areas required to accomplish those tasks
  • Supporting standards, requirements, and guidelines that must be adhered to
  • Implementation, usage, and interconnection of supporting technology, key data and information
Figure 1: CTI Process Lifecycle

Using an organized CTI process ensures structured and consistent practices across the organization. To reap the full business and risk-management benefits of this approach, the CTI process lifecycle and key program components should be owned at the executive level (C-suite) and executed across these five phases:

  1. Planning & Requirements – Define a clear CTI mission that speaks to the goals of the program. Use a requirements-based approach and manage its execution continuously. This drives the lifecycle process and reduces organizational risk by directing resources where they are needed.
  2. Collections & Processing – Using a data acquisition strategy, determine what should be collected, and how, when, and why, in order to fulfill requirements. Normalize, de-duplicate and enrich the raw threat data so that the resulting information is consumable and applicable. To reduce processing time, automated collection systems such as a Threat Intelligence Platform (TIP) are increasingly used across today’s enterprises.
  3. Analysis – Evaluate, analyze and interpret the processed information against the program’s requirements to produce sound analytic judgments on confidence, relevance, likelihood, and threat impact. Identify collection gaps that prevent requirements from being satisfied.
  4. Production – Produce finished intelligence products such as briefings and technical reports that are timely, relevant, actionable, and traceable to stakeholder needs, whether operational, tactical or strategic. Document any product deficiencies against stakeholder requirements.
  5. Dissemination & Feedback – Deliver finished intelligence products to internal or external stakeholders at defined frequencies and through defined methods. Products should outline expected courses of action and give stakeholders a means to evaluate the product they received.
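The Collections & Processing phase above is the one step of the lifecycle that is routinely automated, so here is an added example (written for this page, not Mandiant's code or any TIP's) of what "normalize, de-duplicate and enrich" looks like in practice. The two feeds, the requirement identifiers (PIR-1, PIR-2) and the confidence rule are all hypothetical and constructed for illustration; the script refangs and canonicalizes indicators, drops malformed ones, merges duplicates across feeds, and maps each surviving indicator back to the requirement it serves.

```python
"""Minimal Collection & Processing stage for indicator feeds.

Added example, not Mandiant's code. Feed records, requirement IDs and the
confidence rule below are hypothetical and constructed for illustration.
"""
import ipaddress
import re
from datetime import date

# Constructed sample records from two hypothetical feeds. Values are
# deliberately inconsistent (defanged, mixed case, trailing dot, one invalid).
FEED_A = [
    {"value": "hxxp://Login-Example[.]com/auth", "type": "url", "source": "feedA", "seen": "2023-03-01", "tags": ["phishing"]},
    {"value": "Login-Example.com.", "type": "domain", "source": "feedA", "seen": "2023-03-01", "tags": ["phishing"]},
    {"value": "198[.]51[.]100[.]7", "type": "ipv4", "source": "feedA", "seen": "2023-03-02", "tags": ["c2"]},
    {"value": "ABCDEF0123456789ABCDEF0123456789", "type": "md5", "source": "feedA", "seen": "2023-03-02", "tags": ["ransomware"]},
]
FEED_B = [
    {"value": "login-example.com", "type": "domain", "source": "feedB", "seen": "2023-02-27", "tags": ["credential-theft"]},
    {"value": "198.51.100.7", "type": "ipv4", "source": "feedB", "seen": "2023-03-05", "tags": ["c2"]},
    {"value": "999.1.1.1", "type": "ipv4", "source": "feedB", "seen": "2023-03-05", "tags": ["c2"]},  # malformed, will be dropped
    {"value": "abcdef0123456789abcdef0123456789", "type": "md5", "source": "feedB", "seen": "2023-03-04", "tags": ["ransomware"]},
]

# Hypothetical intelligence requirements, keyed by the tags that satisfy them.
REQUIREMENTS = {
    "PIR-1 phishing against staff": {"phishing", "credential-theft"},
    "PIR-2 ransomware precursors": {"ransomware", "c2"},
}

HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def refang(value):
    """Undo common defanging: hxxp -> http, [.] or (.) -> ."""
    value = re.sub(r"hxxp", "http", value, flags=re.IGNORECASE)
    return re.sub(r"[\[\(]\.[\]\)]", ".", value)


def normalize(ioc_type, value):
    """Return the canonical form of an indicator, or None if it is malformed."""
    value = refang(value.strip())
    if ioc_type == "ipv4":
        try:
            return str(ipaddress.IPv4Address(value))
        except ipaddress.AddressValueError:
            return None
    if ioc_type == "domain":
        value = value.lower().rstrip(".")
        return value if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value) else None
    if ioc_type == "url":
        m = re.fullmatch(r"(https?)://([^/]+)(/.*)?", value, flags=re.IGNORECASE)
        if not m:
            return None
        # Scheme and host are case-insensitive; the path is not, so keep it as-is.
        return f"{m.group(1).lower()}://{m.group(2).lower()}{m.group(3) or ''}"
    if ioc_type in HASH_LENGTHS:
        value = value.lower()
        return value if re.fullmatch(rf"[0-9a-f]{{{HASH_LENGTHS[ioc_type]}}}", value) else None
    return None


def process(feeds):
    """Normalize, de-duplicate and enrich records; returns {(type, value): entry}."""
    merged = {}
    for record in feeds:
        canonical = normalize(record["type"], record["value"])
        if canonical is None:
            continue  # malformed indicator: drop it rather than pollute the store
        key = (record["type"], canonical)
        seen = date.fromisoformat(record["seen"])
        entry = merged.setdefault(key, {"sources": set(), "tags": set(), "first_seen": seen, "last_seen": seen})
        entry["sources"].add(record["source"])
        entry["tags"].update(record["tags"])
        entry["first_seen"] = min(entry["first_seen"], seen)
        entry["last_seen"] = max(entry["last_seen"], seen)
    for entry in merged.values():
        # Enrichment: corroboration across independent sources drives the
        # (hypothetical) confidence rule, and tags are mapped back to the
        # requirement(s) the indicator helps satisfy.
        entry["confidence"] = "high" if len(entry["sources"]) > 1 else "low"
        entry["requirements"] = sorted(r for r, tags in REQUIREMENTS.items() if entry["tags"] & tags)
    return merged


if __name__ == "__main__":
    for (ioc_type, value), e in sorted(process(FEED_A + FEED_B).items()):
        print(ioc_type, value, e["confidence"], e["requirements"], sorted(e["sources"]))
```

Two design points matter more than the code itself: a malformed indicator is dropped rather than stored, because a bad entry in the TIP is worse than a missing one, and every surviving indicator carries the requirement it satisfies, which is what lets the Analysis phase measure collection gaps per requirement instead of per feed.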

Implementing a Cyber Threat Intelligence capability will significantly enhance an organization’s risk posture. But once the novelty wears off, maintaining momentum is key. Ensuring the program is aligned to a defined process lifecycle will help guide the organization to achieve its stated mission. The value of CTI is realized when the program and its personnel provide relevant, accurate, and timely intelligence that elevates decision making and reduces critical cyber risks.

To round things out: the foundational components of a cyber intelligence program serve as guidance, while the CTI Process Lifecycle supports and enriches the security program’s people, processes, and technologies through relentless execution.

Visit our Cyber Threat Intelligence Services homepage for more information on how Mandiant can help your organization improve its threat intelligence capabilities.