The Cyber Threat Intelligence Life Cycle: A Case Study (Part 2)
Recap
In this blog series, we explore how to practically apply all five stages of the CTI life cycle to a hypothetical scenario involving two fictional institutions of higher education: Maplewood University and Pine Grove University.
Objectives
In this installment of the series, we will focus on the first stage of the CTI life cycle, and you will learn how to define the scope and priorities of your intelligence efforts by writing intelligence requirements for Maplewood University.
The Case Study
You are a CTI analyst at Maplewood University. After a campus-wide spear-phishing attack on the nearby Pine Grove University, the President of Maplewood approaches your team, concerned that your institution may be the next victim. She has instructed you to determine the likelihood that Maplewood will also be targeted by this spear-phishing campaign and to identify measures the University can implement to defend against any future phishing attacks.
❗Disclaimer: Although the case study presented here is based on real events, the names, entities, and data included are not intended to be representative of real people, organizations, or incidents and should not be interpreted as such. This scenario is entirely fictitious and was devised by me specifically for use during this exercise.
The CTI Life Cycle | Stage 1: Planning & Direction
Key Concepts
To efficiently allocate limited time and resources, any new organizational process must start with an effort to outline its scope and priorities. In the CTI life cycle, this is called the “Planning and Direction” stage, and it begins with the development of requirements.
According to the Defense Technical Information Center, an intelligence requirement can be described as:
“any subject, general or specific, upon which there is a need for the collection of information, or the production of intelligence” (I-8).
In other words, requirements are the gaps in intelligence that define the scope and priorities of the intelligence cycle; they are the overarching questions that inform the intelligence process and give direction to the analyst’s actions.
However, as Chad Warner writes:
“These aren’t mere curiosities; the answers to these questions will provide information that defenders can act on to improve organizational security, which contributes to the organization’s survival and success”.
Because they should result in actionable intelligence, the requirements that drive the intelligence cycle are determined by stakeholders (with some guidance from the threat intelligence team). This ensures that the intelligence produced aligns with the broader business objectives and actually accommodates stakeholder needs.
In response to the Pine Grove University attack, a key stakeholder at Maplewood University, the President, establishes two new requirements and, in doing so, sets the CTI life cycle in motion. She directs you to:
- “determine the likelihood that Maplewood will also be targeted by this spear-phishing campaign,” and
- “identify measures the University can implement to defend against any future phishing attacks”
These are production requirements: the answers and analytical judgments the intelligence consumer (in this case, the President) needs in order to make a decision and take action as a result of the intelligence process.
However, before you can arrive at these analytical judgments, many other gaps in intelligence must first be filled. To identify them, ask yourself: what additional information do I need in order to adequately answer the questions posed by the intelligence consumer? The answers to that question become the additional intelligence requirements that guide the CTI life cycle.
Note: For each production requirement, there will likely be many corresponding intelligence gaps that must first be addressed.
The intelligence requirements that result from this missing information lay the groundwork for the intelligence analysis. As with all requirements, they inform the scope and direction of the CTI life cycle and should ultimately lead to an analytical judgment that can be leveraged by the intelligence consumer to take an action or make a decision.
For each intelligence requirement, there are also corresponding collection requirements. These are the data and observables that must be collected in order to answer your intelligence requirements.
Collection requirements are a critical component of the CTI life cycle because they optimize collection efforts by narrowing the scope to only the relevant data sources. Without them, there is simply too much data for analysts to realistically collect and parse.
In addition, there are two other types of requirements that help analysts refine the priorities of the CTI life cycle. These are called high-level requirements and functional requirements.
High-level requirements relate to the overarching interests and strategic objectives of an organization. They help analysts determine what threats and intelligence are relevant to an organization according to factors like:
- Geography: where the organization is physically situated (e.g. California; South America)
- Industry: the industries or verticals in which the organization operates (e.g. Healthcare; Fintech)
- Critical Assets: the organizational assets that are most valued or targeted by adversaries (e.g. PII; Intellectual Property)
- Historical Incidents: the types of incidents previously experienced by an organization (e.g. account credential theft; corporate espionage)
- Adversary: the attackers most likely to target the organization (e.g. hacktivist; nation-state)
This allows analysts to narrow the scope of their requirements to include only that which is most significant to the organization. For example, as an American institution of higher education, Maplewood University likely would not be interested in nation-state actors targeting oil and gas companies operating in the Middle East.
Functional requirements are similar to high-level requirements, but they focus instead on the operational and technical interests of the organization, like what software is used and which devices have access to the internal network.
This offers greater insight into which cyber threats pose the greatest risk to an organization in practical terms and helps analysts further refine their requirements according to the organization's technical landscape. If Maplewood University ran exclusively Microsoft systems on Windows 11, for example, it would have little reason to track malware built to compromise Apple devices. Two caveats apply in practice: a spear-phishing campaign is platform-agnostic at the delivery stage (the lure is an email), so functional requirements mainly narrow which follow-on payloads and tooling matter; and a university network with students' personal devices on it is rarely that uniform, which is exactly why the fleet should be documented rather than assumed.
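One way to make the high-level and functional scoping described above concrete, as an added example that is not part of the original post: a small Python triage routine that checks threat reports against an organization profile and explains each verdict. The Maplewood profile (United States, higher education, PII and credentials as critical assets, and the all-Windows-11 fleet from the hypothetical above), all five reports, and the scoping rules themselves are constructed for illustration; they are one reasonable design, not the post's own procedure. The rules are deliberately conservative: a factor the source does not state is never grounds for exclusion, so a report that names nothing at all is kept for human review rather than silently dropped.

```python
"""Scope threat reports against high-level and functional requirements.
Added example, not from the original post: profile, reports and rules are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class OrgProfile:
    """High-level factors (geography, industry, assets) and one functional factor (fleet OS)."""
    geographies: frozenset
    industries: frozenset
    critical_assets: frozenset
    platforms: frozenset


@dataclass(frozen=True)
class ThreatReport:
    """Analyst summary of a report; an empty set means 'not stated', not 'does not apply'."""
    title: str
    geographies: frozenset = frozenset()
    industries: frozenset = frozenset()
    assets_targeted: frozenset = frozenset()
    platforms: frozenset = frozenset()


def _overlap(wanted, stated, label):
    """One factor, three outcomes: None (not stated), True (some overlap),
    False (stated, and every value is outside the profile)."""
    if not stated:
        return None, f"{label}: not stated by source"
    hits = wanted & stated
    if hits:
        return True, f"{label}: matches {sorted(hits)}"
    return False, f"{label}: only {sorted(stated)}, none in profile"


def scope_report(profile, report):
    """Return (in_scope, reasons). Conservative by design so missing data never
    silently drops a threat: exclude on high-level grounds only when every
    high-level factor the source states points away from the organization, and
    on functional grounds only when every named platform is absent from the fleet."""
    high_level = [
        _overlap(profile.geographies, report.geographies, "geography"),
        _overlap(profile.industries, report.industries, "industry"),
        _overlap(profile.critical_assets, report.assets_targeted, "critical asset"),
    ]
    platform_verdict, platform_note = _overlap(profile.platforms, report.platforms, "platform")
    stated = [verdict for verdict, _ in high_level if verdict is not None]
    high_level_out = bool(stated) and not any(stated)
    functional_out = platform_verdict is False
    reasons = [note for _, note in high_level] + [platform_note]
    return not (high_level_out or functional_out), reasons


def triage(profile, reports):
    """Split reports into in-scope and out-of-scope lists of (title, reasons)."""
    kept, dropped = [], []
    for report in reports:
        in_scope, reasons = scope_report(profile, report)
        (kept if in_scope else dropped).append((report.title, reasons))
    return kept, dropped


# Constructed profile: the post's "American institution of higher education" with
# its hypothetical all-Windows-11 fleet; the critical-asset list is an assumption.
MAPLEWOOD = OrgProfile(
    geographies=frozenset({"United States"}),
    industries=frozenset({"Higher Education"}),
    critical_assets=frozenset({"PII", "Credentials"}),
    platforms=frozenset({"Windows 11"}),
)

# Constructed reports. The second and third mirror the post's own examples of
# threats Maplewood would likely ignore; the others exercise the edge cases.
SAMPLE_REPORTS = [
    ThreatReport("Spear-phishing wave against US universities",
                 geographies=frozenset({"United States"}),
                 industries=frozenset({"Higher Education"}),
                 assets_targeted=frozenset({"Credentials"})),
    ThreatReport("Nation-state intrusions at Middle East oil and gas firms",
                 geographies=frozenset({"Middle East"}),
                 industries=frozenset({"Oil and Gas"}),
                 assets_targeted=frozenset({"Intellectual Property"})),
    ThreatReport("macOS infostealer delivered via fake installers",
                 platforms=frozenset({"macOS"}),
                 assets_targeted=frozenset({"Credentials"})),
    ThreatReport("Commodity Windows 11 credential stealer, victims unspecified",
                 platforms=frozenset({"Windows 11"})),
    ThreatReport("Ransomware hitting US healthcare providers",
                 geographies=frozenset({"United States"}),
                 industries=frozenset({"Healthcare"}),
                 assets_targeted=frozenset({"PII"})),
]

if __name__ == "__main__":
    kept, dropped = triage(MAPLEWOOD, SAMPLE_REPORTS)
    print("IN SCOPE:", [title for title, _ in kept])
    print("OUT OF SCOPE:", [title for title, _ in dropped])
```

Run stand-alone, the script keeps the university spear-phishing report, the Windows 11 stealer (no geography or industry stated, platform matches) and the US healthcare ransomware report (industry differs, but geography matches, so it is not excluded), and drops the Middle East oil and gas report and the macOS infostealer. The reasons list is the part an analyst actually wants: it records which factor matched and which was simply unstated, so a later reviewer can tighten or loosen the rules with the evidence in front of them.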
Case Study Example
The President of Maplewood University has established two new production requirements in response to the attack on Pine Grove University, which initiates a new CTI life cycle. She instructs your team to:
- “determine the likelihood that Maplewood will also be targeted by this spear-phishing campaign,” and
- “identify measures the University can implement to defend against any future phishing attacks”.
To address these production requirements, your team begins by determining the additional intelligence requirements that will define the scope and priorities of the CTI life cycle and guide your actions throughout the intelligence process.
You identify these intelligence requirements by posing the following questions:
- What gaps in current intelligence must be filled in order for me to assess the likelihood that Maplewood will be targeted by the same spear-phishing campaign as Pine Grove?
- What other information does my team need to determine the best defensive courses of action for the University?
Based on these questions, your team defines eight additional intelligence requirements, as summarized by the following chart:
Each of these eight questions represents a current gap in intelligence that must be filled in order to produce actionable intelligence for the President.
Next, your team identifies the corresponding collection requirements for each intelligence requirement by considering what data and observables are needed to fill those intelligence gaps.
The chart below illustrates the relationship between each production requirement, intelligence requirement, and collection requirement:
Finally, to further scope the intelligence process, your team identifies the high-level requirements and functional requirements for Maplewood University. The following charts provide a selection of the requirements most relevant to this case study:
With the requirements for your intelligence process determined, your team is now ready to progress to Stage 2 of the CTI life cycle: Collection.
Conclusion
The first stage of the CTI life cycle is “Planning and Direction”. During this stage, analysts define the objectives and limits of their intelligence efforts by identifying key questions called intelligence requirements that will guide their actions for the duration of the life cycle. There are several types of requirements that must be considered in order to fulfill the needs of the intelligence consumer, and each plays an important role in refining the scope and priorities of the CTI life cycle.
The requirements covered in this post have been summarized in the chart below:
Looking Ahead
In the next installment of this blog series, we will explore the second stage of the CTI life cycle — Collection — by practically applying it to this case study.
You will learn how to collect, store, organize, and process data from the sources outlined in your collection requirements.
About the Author:
Casey Hennings is a security analyst and educator who writes about cybersecurity, threat intelligence, and security awareness.
She is currently seeking an entry-level cybersecurity position where she can apply her skills and continue growing as part of a passionate, purpose-driven team of security professionals.
To connect, you can find her at @cyberwithcasey on X (Twitter) and here on LinkedIn.