5 Phases of the Threat Intelligence Lifecycle
By RFSID on January 3, 2018
Facts in the intelligence community have a limited shelf life. Threat intelligence is nearly always contextual and temporal: Threats come at a definite time and place, attacking specific vulnerabilities in particular systems. To develop effective threat intelligence, it is essential that you identify the elements — beyond mere data — that actually comprise it, and understand how the intelligence lifecycle unfolds.
Intelligence and Threat Intelligence
Intelligence is the product of a process that includes collecting data, analyzing it, and viewing it in context, and it generally includes predictions of future behavior and recommended courses of action. Thus, even today, when automated systems can collect and parse data far faster than any team of people, the human element remains essential to make sense of that data by providing context and direction.
In its recent market guide of threat intelligence products and services, the technology research company Gartner defines threat intelligence as “evidence-based knowledge — including context, mechanisms, indicators, implications, and action-oriented advice — about an existing or emerging hazard to IT or information assets.” The purpose of threat intelligence is ultimately to inform decisions about how to respond to those hazards.
The Intelligence Lifecycle
The intelligence lifecycle is a process first developed by the CIA, following five steps: direction, collection, processing, analysis and production, and dissemination. The completion of a cycle is followed by feedback and assessment of the last cycle’s success or failure, which is then iterated upon.
- Direction: First, the objectives of this intelligence cycle must be defined, generally by an authoritative figure. Objectives are identified based on certain essential elements of information (EEIs) needed to make timely and accurate decisions. Those EEIs might include things like the nature of the attack, the actors involved, the space where an attack will happen, and so on.
- Collection: Next, in response to the criteria laid out in the EEIs, data is gathered from multiple sources, including human intelligence, imagery, electronic sources, intercepted signals, or publicly available sources.
- Processing: After data is gathered, it must be processed into a comprehensible form. That can include translating it from a foreign language, decrypting it, or sorting data based on how reliable or relevant it is.
- Analysis and Production: The processed data must then be converted into a coherent whole. Contradictory data points must be evaluated against each other, and the patterns and implications of inconclusive or insufficient data must be considered. The products of this stage are assessments and reports that summarize the data for decision makers. This takes an expert touch — good analysts will not be replaced by automated systems any time soon.
- Dissemination: The finished product of this process must get to the right hands to be effective, so the intelligence cycle must loop back upon itself. These reports and assessments are delivered to clients or the leadership who commissioned the cycle in the first place.
- Feedback: After review of this new intelligence, authority figures will take action, including issuing new directions to gather further intelligence. The process is refined with the aim of producing more accurate, relevant, and timely assessments based on the success of previous intelligence.
The Threat Intelligence Lifecycle
The goal of any threat intelligence product or service is to provide knowledge about and recommend solutions to information security threats. In broad terms, this means identifying attackers and understanding their motivations, methods, and characteristics.
Intelligence related to cyber threats in particular is generally drawn from two categories of sources: technical sources, like network traffic, files retrieved from malware archives, and databases both public and private; and human sources, through infiltrating hacker and fraud groups, through social media chatter, and through the sharing of information across other industry groups or law enforcement agencies. The automated systems offered by some threat intelligence products and services are efficient at gathering data from technical sources, but evaluating that data or the information drawn from human sources will always require a human touch to be effective. As the sheer volume of technical data grows day by day, it becomes increasingly difficult to sort the wheat from the chaff without some form of analysis.
The threat intelligence lifecycle Gartner defines for cybersecurity therefore closely resembles its CIA parent, but some of the specifics vary or take place in digital spaces rather than physical ones:
- Direction: Just as in the wider intelligence community, direction comes from above — an organization’s CISO, for example, or the leader of an organization’s security operations center (SOC). The essential elements of information needed to give proper direction transfer from the physical to the digital realm: Where a government intelligence agency might focus on a certain geographical area, a SOC might choose to focus on the direct threats to its network and on identifying indicators of compromise.
- Collection: Data is gathered from technical and human sources. These days, when it might take millions or even billions of individual data points to build a sufficiently large sample size from which to identify reliable patterns, the automation offered by threat intelligence products helps in the collection stage. Data from only public sources is often not enough — cooperating with other organizations to share private data from the deep web and even having an active presence on the dark web leads to more complete data sets.
- Processing: Just as the large sets of data make automation necessary in the collection phase, automation is also necessary to process that data into something comprehensible — and many threat intelligence products offer effective automated tools to produce reports and other resources. But strong teaming between humans and machines goes a long way here, too — an expert eye can provide the context and intuition needed to eliminate ambiguity. In an industry where seconds, let alone days, can make all the difference in responding to a threat, the right direction provided by a human expert can help even the fastest automated process do a smart and efficient search rather than rely on brute force alone.
- Analysis and Production: As before, the processed data must be made coherent and sorted effectively, and again, no automation can really make up for an expert touch. As defined above, intelligence includes an analysis of motivations and predictions about future behavior, and that kind of analysis can only be done well by personnel armed with the right technology.
- Dissemination: The finished product goes back to the top, starting the cycle again.
- Feedback: The effectiveness of one cycle of threat intelligence will determine the essential elements of information needed for the next cycle, including what spaces to focus on when collecting data and how fast action needs to be taken.
Respond Quickly, Flexibly, and Intelligently
The author Robert Penn Warren once wrote that “reality is not a function of the event as event, but of the relationship of that event to past, and future events.” Visualizing intelligence as having a lifecycle places an emphasis on process over product and context over raw information. Threats in this industry are exceptionally diverse, coming and going at blistering speeds. To have operational resilience, the cybersecurity team in any organization must work to refine its processes and learn how to respond quickly, flexibly, and intelligently to any threat.