The Cyber Threat Intelligence Life Cycle: A Case Study

Casey Hennings
4 min read · Jan 15, 2024



The cyber threat intelligence (CTI) life cycle is a framework for the collection, analysis, and distribution of intelligence. It offers analysts a strategic and systematic approach to their intelligence efforts and includes five stages:

  1. Planning & Direction;
  2. Collection;
  3. Analysis;
  4. Production; and
  5. Dissemination & Feedback.

Figure 1: The Cyber Threat Intelligence (CTI) Life Cycle includes 5 stages: Planning & Direction; Collection; Analysis; Production; and Dissemination & Feedback. This model illustrates the cyclical nature of CTI. (Image by Author)

In the following blog series, we will explore how to practically apply all five stages of the CTI life cycle to a hypothetical scenario involving two fictional institutions of higher education: Maplewood University and Pine Grove University.

The purpose of this exercise is to demonstrate exactly how analysts leverage the CTI life cycle to evolve intelligence requirements into actionable intelligence deliverables that support the success and security of their organization in a rapidly evolving threat landscape.

This blog series will be divided into the following six posts:

  • Part 1: Introduction (You are here!)
  • Part 2: Planning & Direction
  • Part 3: Collection
  • Part 4: Analysis
  • Part 5: Production
  • Part 6: Dissemination & Feedback

With the exception of the Introduction, every post will concentrate on one stage of the CTI life cycle. Each post will begin with a brief explanation of key concepts and end with a practical example of its application in the context of this hypothetical scenario.

Disclaimer: Although the case study presented here is based on real events, the names, entities, and data included are not intended to be representative of real people, organizations, or incidents and should not be interpreted as such. This scenario is entirely fictitious and was devised by me specifically for use during this exercise.

The Case Study

You are a CTI analyst at Maplewood University, a large American institution of higher education. Located on the East Coast of the United States, Maplewood University boasts an impressive enrollment of over 40,000 students from around the world and employs more than 10,000 staff, researchers, and student workers. As a nationally recognized research institution, the University invests significantly in research initiatives and the development of sophisticated laboratories across diverse fields of study.

This morning, a tech news outlet reported that a nearby university, Pine Grove, was recently the target of a campus-wide spear-phishing campaign.

Figure 2: The (fictional) news article covering the Pine Grove University phishing attack (Image by Author)

According to the article, thousands of staff and student workers received emails claiming to be from the University “Payroll Department”. These messages urgently directed workers to log into their university-issued accounts and immediately update their “outdated” banking information or risk not receiving their due pay.

Pine Grove University promptly responded to the article, stating in a press release that hundreds of university accounts had been compromised as a result of the attack and that the incident was under investigation. These accounts contained a wealth of personally identifiable information (PII), including such critical information as individuals’ social security numbers and bank account details.

Alarmed by the attack on Pine Grove, the President of Maplewood University approaches your team, concerned that your institution may be in imminent danger. She wants you to determine the likelihood that Maplewood will also be targeted by this spear-phishing campaign and identify measures the University can implement to defend against any future phishing attacks.

And thus the CTI life cycle begins!

Looking Ahead

In the next installment of this blog series, we will explore the first stage of the CTI life cycle — Planning & Direction — by practically applying it to this case study.

You will learn how to effectively define the scope and priorities of your intelligence efforts by writing intelligence requirements for the fictional Maplewood University.

📍 To jump straight to Part 2, click here.

If you found value in this blog series, please consider:

👏🏻 Clapping for this article,

📩 Sharing it with others, or

💬 Commenting your thoughts below

About the Author:

Casey Hennings is a security analyst and educator who writes about cybersecurity, threat intelligence, and security awareness.

She is currently seeking an entry-level cybersecurity position where she can apply her skills and continue growing as part of a passionate, purpose-driven team of security professionals.

To connect, you can find her at @cyberwithcasey on X (Twitter) and here on LinkedIn.
