The Cyber Threat Intelligence Life Cycle: A Case Study (Part 3)
Recap
Objectives
In this blog series, we explore how to practically apply all five stages of the CTI life cycle to a hypothetical scenario involving two fictional institutions of higher education: Maplewood University and Pine Grove University.
In this installment of the series, we will focus on the second stage of the CTI life cycle, and you will learn how to collect, store, organize, and process data from the sources outlined in your collection requirements.
The Case Study
You are a CTI analyst at Maplewood University. After a campus-wide spear-phishing attack on the nearby Pine Grove University, the President of Maplewood approaches your team, concerned that your institution may be the next victim. She has instructed you to determine the likelihood that Maplewood will also be targeted by this spear-phishing campaign and to identify measures the University can implement to defend against any future phishing attacks.
❗Disclaimer: Although the case study presented here is based on real events, the names, entities, and data included are not intended to be representative of real people, organizations, or incidents and should not be interpreted as such. This scenario is entirely fictitious and was devised by me specifically for use during this exercise.
The CTI Life Cycle | Stage 2: Collection
Key Concepts
The second stage of the CTI life cycle is “Collection”. During this stage, analysts gather the data necessary to answer their intelligence questions, as outlined by their previously established collection requirements.
At this point in the CTI life cycle, raw data is not only acquired and stored but also processed in preparation for analysis. (For this reason, some versions of the CTI life cycle include an additional “Processing” stage after “Collection”.)
Data Acquisition
The raw data available to your organization depends on its operational environment and the resources at its disposal. The following chart includes a non-exhaustive list of common data sources and examples of the types of data that can be acquired from them:
Data Storage
Once the necessary data has been gathered, it must be stored somewhere. Storage solutions vary according to personal preference and available resources but may include everything from simple spreadsheets to sophisticated threat intelligence platforms (TIPs).
Data Processing
The transformation of raw data into information primed for analysis occurs as a result of multiple processing techniques, including:
- Normalization: Standardizing data formats for consistency
- Deduplication: Removing any duplicate data entries
- Cleaning: Eliminating any unnecessary data
- Validation: Verifying the accuracy of the data and the reliability of the data sources
These processes create the necessary conditions for analysis in the subsequent stage of the CTI life cycle.
Case Study Example
To review, your team has identified the following intelligence requirements and the corresponding collection requirements according to the needs of your intelligence consumer, the President of Maplewood University:
With these requirements in mind, let’s consider what Stage 2 of the CTI life cycle might look like for the Maplewood University threat intelligence team.
Note: The following sections are summaries of the collection process and necessarily omit certain steps and details for the sake of readability.
Data Acquisition: Production Requirement #1
You begin your collection efforts by consulting the Higher Education Networks Information Sharing and Analysis Center (HEN-ISAC) for emerging information regarding the attack on Pine Grove University. The HEN-ISAC Threat Intelligence System (TIS) serves over 600 institutions of higher education and compiles industry-related threat intelligence to help members better defend their institutions.
However, you discover that HEN-ISAC has not yet published information on the attack, so you reach out to the Pine Grove University threat intelligence and incident response teams directly. Pine Grove and Maplewood are both members of HEN-ISAC and frequently share threat intelligence due to their close proximity. Your goal is to gather more information about the attack in order to determine the intentions and TTPs of the adversary and, ultimately, the likelihood that they will also attack your university.
Upon contacting the teams at Pine Grove, a CTI analyst from the University informs you that the phishing emails distributed to their staff members claimed to be from the “Payroll Department” and instructed all employees to immediately update their banking information or their direct deposit servicing would be terminated.
The analyst also provides you with the malicious domain linked in the phishing email, which directs unsuspecting employees to a spoofed Pine Grove University login page, as well as the email address used to send the message. In the following stage of the CTI life cycle, your team can pivot off this domain to discover more information about the adversary’s motives and capabilities.
Next, your team gathers open-source intelligence (OSINT) to identify any indicators that Maplewood will be victimized by the same phishing campaign. You monitor popular social platforms like X and Reddit as well as dark web forums for any chatter implicating Maplewood in future phishing attacks, but none is observed.
You also search the dark web for university-branded phishing kits and uncover a host of phishing templates tailored to the Research and Education industry, though none targeting Maplewood University, specifically.
Having discovered no explicit adversary intentions to target Maplewood University with a phishing campaign, your team returns to the HEN-ISAC Threat Intelligence System and other threat feeds to determine whether there have been similar phishing campaigns against other American institutions of higher education within the last 180 days.
Although HEN-ISAC reveals that dozens of phishing campaigns have been reported by universities across the nation within this time period, none appear to overlap significantly with the recent Pine Grove attack (for example, in the payroll lure, the sending address, or the linked domain). However, enrichment of this data during the next stage of the life cycle is needed to confirm this.
To assess what factors contributed to the success of previous phishing campaigns against Maplewood University, your team reviews the reports produced in response to these historical incidents. Within the past year, there has been just one large-scale phishing attack against Maplewood University: a DocuSign-branded bulk phishing email with the subject “Document For Review”.
According to the incident report, this DocuSign phishing template could be purchased as a kit on the dark web and was observed in multiple industries over the course of several months. The malicious email instructed victims to click a link to sign a fake “DocuSign Updated Terms and Conditions” document within 24 hours or risk the permanent deletion of their DocuSign account on the grounds of “non-compliance”. The message appeared to come from DocuSign due to a falsified sender address, and an estimated one-third of recipients at Maplewood clicked the malicious link as a result of the impersonation.
Data Acquisition: Production Requirement #2
By reviewing the HEN-ISAC TIS and other threat reporting, your team determines that there have been multiple types of phishing campaigns against similar American institutions of higher education within the past 180 days, including bulk phishing, spear-phishing, business email compromise (BEC), and phishing used as the initial access vector for ransomware attacks.
However, according to the annual Proofpoint “State of the Phish” report, other organizations have found success defending against each of these phishing campaigns by employing a combination of multi-factor authentication (MFA), ideally a phishing-resistant method such as FIDO2/WebAuthn, since a credential-harvesting page like the spoofed Pine Grove login page can also capture and relay one-time codes; robust end-user training and security awareness measures; targeted phishing simulations with logical consequence-reward models; and an organizational culture that promotes computer security as a priority for all employees. These defensive strategies were reiterated across threat reports and in conversation with other HEN-ISAC members who successfully thwarted a variety of phishing campaigns against their institutions over the previous year.
Data Storage and Processing
After the necessary data has been acquired, your team opts to store it in a commercial Threat Intelligence Platform (TIP). From here, the collected data can undergo the necessary processes to be converted into contextualized information primed for analysis. In this case, the data will first be normalized for upload to the TIP (lowercased, refanged, and put into consistent date and indicator formats), so that the same malicious domain reported by Pine Grove and by the HEN-ISAC feed in different formats collapses into a single entry; then cleaned and deduplicated to remove any unnecessary information, such as comment rows from spreadsheet exports or Maplewood's own domains scraped from forum posts; and finally validated for accuracy (is the indicator well formed?) and reliability (how trustworthy is the source that reported it?).
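The four processing techniques listed under Key Concepts (normalization, deduplication, cleaning, validation) and their application in the Maplewood case study above, as an added example that is not code from the original post. The script takes raw records from three hypothetical collection sources (the Pine Grove IR team, the HEN-ISAC feed, and OSINT forum scraping) and produces entries ready for upload to a TIP. Every source name, domain, email address, timestamp, and reliability grade below is constructed for illustration; the domains use the reserved ".example" TLD, and the Admiralty-style A-F reliability grades assigned to each source are assumptions, not values from the case study.

```python
"""Stage-2 processing pipeline for collected phishing indicators (added example).

All records, sources, domains, timestamps and reliability grades below are
constructed for illustration and are not data from the original case study.
"""
import re
from datetime import datetime, timezone

# Admiralty-style source reliability grades: A (completely reliable) to F (cannot be judged).
RELIABILITY_RANK = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1, "F": 0}

# Syntax checks used during validation, one per indicator type the pipeline accepts.
SYNTAX = {
    "domain": re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"),
    "email": re.compile(r"^[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,63}$"),
    "url": re.compile(r"^https?://[^\s/]+(?:/\S*)?$"),
}
# Date formats observed across the (hypothetical) feeds; all are normalized to ISO 8601 UTC.
TIMESTAMP_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M", "%Y-%m-%d", "%m/%d/%Y")


def normalize_value(ioc_type, raw):
    """Normalization: refang, lowercase, trim, and reduce to a canonical form per type."""
    value = raw.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    if ioc_type == "domain":
        # Analysts often paste a full URL into a 'domain' column; keep only the host part.
        value = re.sub(r"^[a-z]+://", "", value).split("/")[0].split(":")[0].rstrip(".")
    elif ioc_type == "email":
        value = value.strip("<>")
    return value


def normalize_timestamp(raw):
    """Normalization: accept the date formats seen across feeds, emit ISO 8601 in UTC."""
    for fmt in TIMESTAMP_FORMATS:
        try:
            return datetime.strptime(raw.strip(), fmt).replace(tzinfo=timezone.utc).isoformat()
        except ValueError:
            continue
    return None


def process(records, allowlist=(), min_reliability="C"):
    """Normalize, clean, validate and deduplicate raw records.

    Returns (accepted, rejected): accepted is a list of TIP-ready dicts; rejected is a
    list of (record, reason) pairs so the analyst can see why each row was dropped.
    """
    accepted, rejected = {}, []
    for rec in records:
        ioc_type = rec.get("type", "").strip().lower()
        if ioc_type not in SYNTAX:  # cleaning: rows that are not indicators at all
            rejected.append((rec, "cleaning: unsupported type"))
            continue
        value = normalize_value(ioc_type, rec.get("value", ""))
        host = value.split("@")[-1] if ioc_type == "email" else normalize_value("domain", value)
        if host in allowlist:  # cleaning: our own infrastructure is never an IOC
            rejected.append((rec, "cleaning: allowlisted"))
            continue
        if not SYNTAX[ioc_type].match(value):  # validation: accuracy of the data
            rejected.append((rec, "validation: malformed value"))
            continue
        grade = rec.get("reliability", "F").strip().upper()
        if RELIABILITY_RANK.get(grade, 0) < RELIABILITY_RANK[min_reliability]:
            rejected.append((rec, "validation: unreliable source"))  # validation: the source
            continue
        seen = normalize_timestamp(rec.get("first_seen", ""))
        key = (ioc_type, value)  # deduplication runs on normalized values, so differently
        if key in accepted:      # formatted copies of one indicator merge into one entry
            entry = accepted[key]
            entry["sources"].add(rec["source"])
            if seen and (entry["first_seen"] is None or seen < entry["first_seen"]):
                entry["first_seen"] = seen  # keep the earliest sighting across sources
            if RELIABILITY_RANK[grade] > RELIABILITY_RANK[entry["reliability"]]:
                entry["reliability"] = grade  # keep the best grade among reporting sources
        else:
            accepted[key] = {"type": ioc_type, "value": value, "sources": {rec["source"]},
                             "first_seen": seen, "reliability": grade}
    result = [dict(e, sources=sorted(e["sources"])) for e in accepted.values()]
    return sorted(result, key=lambda e: (e["type"], e["value"])), rejected


# Constructed sample input: what the raw collection might look like before processing.
RAW_RECORDS = [
    # From the Pine Grove IR team (assumed grade A): defanged, mixed case, US date format.
    {"source": "pinegrove-ir", "type": "domain", "value": "PineGrove-Payroll-Login[.]example",
     "first_seen": "05/02/2024", "reliability": "A"},
    {"source": "pinegrove-ir", "type": "email", "value": "<Payroll@pinegrove-hr[.]example>",
     "first_seen": "2024-05-02 08:15", "reliability": "A"},
    # The same domain from the HEN-ISAC feed (assumed grade B), as a URL with a trailing dot.
    {"source": "hen-isac-tis", "type": "domain",
     "value": "hxxps://pinegrove-payroll-login.example./index.php",
     "first_seen": "2024-05-01T22:40:00Z", "reliability": "B"},
    # An exact duplicate within the same feed.
    {"source": "hen-isac-tis", "type": "domain", "value": "pinegrove-payroll-login.example",
     "first_seen": "2024-05-01T22:40:00Z", "reliability": "B"},
    # Maplewood's own domain scraped from a forum post: allowlisted, must not be stored as an IOC.
    {"source": "osint-forum", "type": "domain", "value": "maplewood.example",
     "first_seen": "2024-05-03", "reliability": "D"},
    # Unverified forum chatter (assumed grade E): well formed, but the source is too unreliable.
    {"source": "osint-forum", "type": "domain", "value": "docusign-review[.]example",
     "first_seen": "2024-05-03", "reliability": "E"},
    # Junk rows from a spreadsheet export.
    {"source": "hen-isac-tis", "type": "domain", "value": "see attached", "first_seen": "", "reliability": "B"},
    {"source": "hen-isac-tis", "type": "comment", "value": "reported by three campuses", "first_seen": "", "reliability": "B"},
]

if __name__ == "__main__":
    kept, dropped = process(RAW_RECORDS, allowlist={"maplewood.example"}, min_reliability="C")
    for entry in kept:
        print("KEEP", entry)
    for rec, reason in dropped:
        print("DROP", reason, "->", rec["value"])
```

Running the script with the constructed input yields two TIP-ready entries, the payroll login domain (now credited to both Pine Grove and HEN-ISAC, with the earliest sighting and the best reliability grade retained) and the sender address, and four rejected rows with the reason each was dropped. Deduplication deliberately runs after normalization: without the refanging and host extraction, the three copies of the same domain would have been stored as three separate indicators.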
Once these processes are complete, it is time to transform the processed information into actual threat intelligence in the next stage of the CTI life cycle.
Conclusion
The second stage of the CTI life cycle is “Collection”. At this point in the CTI life cycle, analysts acquire, store, and process data from the relevant data sources outlined in their collection requirements.
By the end of this process, analysts will have transformed raw data into contextualized information that can be used to produce the analytical judgments necessary to meet the production requirements established by the intelligence consumer.
Looking Ahead
In the next installment of this blog series, we will explore the third stage of the CTI life cycle — Analysis — by practically applying it to this case study.
You will learn how to convert information into actionable intelligence that can be leveraged by the intelligence consumer.
📍 To jump straight to Part 4, click here.
If you found value in this blog series, please consider:
👏🏻 Clapping for this article,
📩 Sharing it with others, or
💬 Commenting your thoughts below
About the Author:
Casey Hennings is a security analyst and educator who writes about cybersecurity, threat intelligence, and security awareness.
She is currently seeking an entry-level cybersecurity position where she can apply her skills and continue growing as part of a passionate, purpose-driven team of security professionals.
To connect, you can find her at @cyberwithcasey on X (Twitter) and here on LinkedIn.