Personal page dedicated to personal notes and knowledge references on Cyber Security Intelligence (CTI) and Threat Intelligence

gov.uk

https://securityprofession.blog.gov.uk/ - Government security

https://hodigital.blog.gov.uk/ - Home Office Digital, Data and Technology

https://hodigital.blog.gov.uk/wp-content/uploads/sites/161/2020/03/Cyber-Threat-Intelligence-A-Guide-For-Decision-Makers-and-Analysts-v2.0.pdf


Threat Intelligence Lifecycle

references:

https://www.flashpoint-intel.com/blog/threat-intelligence-lifecycle/

The threat intelligence lifecycle is considered to comprise five stages, each of which helps to ensure quality CTI data that can be used to support cyber defence.

1) Planning and direction: Set the scope and objectives for core intel roles and processes.

2) Collection: Deploy data gathering and processing techniques and sources.

3) Analysis: Translate raw intel into meaningful and taxonomized actors, events, and attributes.

4) Production: Assess intel significance and severity based on business and environmental context.

5) Dissemination and feedback: Report on finished intel, considering urgency and confidentiality.

Planning and direction

This stage involves defining the business strategy and goals which the CTI program will support.
It covers the information and processes to be protected, the priorities, and the CTI required to achieve these goals.

Collection

This stage involves defining what information should be collected in order to build a full picture of the threat landscape.
Threat data will be collected from numerous sources and formats; this data will need to be deduplicated and normalised before use.
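
An added example (not from the original notes or the referenced sources) of the deduplication and normalisation step described above: indicators from three constructed feeds in different formats are refanged, put into a canonical form, and merged on that form. The feed contents, the function names and the choice of canonical forms are assumptions made for illustration.

```python
import csv
import io
import ipaddress
import json
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample feeds (example.com and documentation IP ranges, not real indicators).
CSV_FEED = "indicator\nhxxp://Bad.Example[.]com/Login\n198[.]51[.]100[.]7\n"
JSON_FEED = json.dumps([{"value": "bad.example.com."}, {"value": "198.51.100.7"}])
TEXT_FEED = "HTTP://bad.example.com/Login\n2001:DB8::0001\n" + "AB" * 16 + "\n"

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

def normalise(raw):
    """Return (type, canonical_value) for one raw indicator string."""
    v = raw.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    v = re.sub(r"^hxxp", "http", v, flags=re.I)        # refang the scheme
    try:
        return "ip", str(ipaddress.ip_address(v))      # canonical IPv4/IPv6 text
    except ValueError:
        pass
    if HASH_RE.match(v):
        return "hash", v.lower()
    if "://" in v:
        u = urlsplit(v)
        # Scheme and host are case-insensitive; path and query are not.
        return "url", urlunsplit((u.scheme.lower(), u.netloc.lower(), u.path, u.query, ""))
    return "domain", v.lower().rstrip(".")

def load_feeds():
    """Yield (source, raw_value) pairs from each constructed feed format."""
    for row in csv.DictReader(io.StringIO(CSV_FEED)):
        yield "csv_feed", row["indicator"]
    for item in json.loads(JSON_FEED):
        yield "json_feed", item["value"]
    for line in TEXT_FEED.splitlines():
        yield "text_feed", line

def collect():
    """Deduplicate on the normalised key and record which sources reported it."""
    seen = {}
    for source, raw in load_feeds():
        seen.setdefault(normalise(raw), set()).add(source)
    return seen

if __name__ == "__main__":
    for (kind, value), sources in sorted(collect().items()):
        print(f"{kind:6} {value:40} {sorted(sources)}")
```

Seven raw entries collapse to five indicators, and keeping the set of reporting sources per indicator gives the analysis stage a starting point for judging reliability.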

Analysis

The analysis stage of the CTI lifecycle involves analysts processing the collected data against the guidance and requirements laid out in the planning and direction stage.
The analysis should determine the reliability and relevance of the data collected.

Production

The results of the analysis stage should be delivered to the necessary teams within the organisation.
The CTI should be distributed to stakeholders in a form suitable for consumption, whether this is a report, presentation, or other format.

Dissemination and feedback

Teams that receive CTI should be part of the CTI lifecycle.
They should report whether the information proved to be valuable against the goals laid out in the planning and direction stage.
This feedback will be used in the planning and direction stage of the next cycle.