The Cyber Threat Intelligence Life Cycle: A Case Study (Part 5)
Recap
Objectives
In this blog series, we explore how to practically apply all five stages of the CTI life cycle to a hypothetical scenario involving two fictional institutions of higher education: Maplewood University and Pine Grove University.
In this installment of the series, we will focus on the fourth stage of the CTI life cycle, and you will learn how to produce intelligence deliverables tailored to the individual needs and prior knowledge of your intelligence consumers.
The Case Study
You are a CTI analyst at Maplewood University. After a campus-wide spear-phishing attack on the nearby Pine Grove University, the President of Maplewood approaches your team, concerned that your institution may be the next victim. She has instructed you to determine the likelihood that Maplewood will also be targeted by this spear-phishing campaign and to identify measures the University can implement to defend against any future phishing attacks.
❗Disclaimer: Although the case study presented here is based on real events, the names, entities, and data included are not intended to be representative of real people, organizations, or incidents and should not be interpreted as such. This scenario is entirely fictitious and was devised by me specifically for use during this exercise.
The CTI Life Cycle | Stage 4: Production
Key Concepts
The fourth stage of the CTI life cycle is “Production”. During this stage, the analyst creates relevant, actionable, and timely intelligence products for the intelligence consumer based on the production requirements outlined during the first stage of the CTI life cycle. These production requirements determine what type of threat intelligence will be generated and, in turn, the nature of the resulting intelligence deliverables.
There are three types of threat intelligence: strategic, operational, and tactical. Each type serves a different purpose and audience:
- Strategic intelligence helps executives understand the broader landscape of cyber threats and often informs strategic decisions related to security, risk management, and resource allocation.
- Operational intelligence supports the day-to-day security operations of an organization and helps security teams detect, respond to, and mitigate active threats.
- Tactical intelligence provides insight into threat actor tactics, techniques, and procedures (TTPs) and is commonly used to engineer detection rules.
Analysts can leverage these distinctions to produce actionable intelligence deliverables that align with the needs and prior knowledge of their intelligence consumer. This is significant because intelligence is not universally actionable; intelligence that is meaningful to one consumer may be completely irrelevant to another. Consider, for example, the vast differences between the intelligence needs of an executive and a SOC analyst: to the executive, a list of indicators is likely meaningless, whereas to the analyst it holds tremendous value.
Case Study Example
In response to the spear-phishing attack on Pine Grove University, the President of Maplewood established two new production requirements and thus set the CTI life cycle into motion. She directed your team to:
- “determine the likelihood that Maplewood will also be targeted by this spear-phishing campaign,” and
- “identify measures the University can implement to defend against any future phishing attacks”.
In this case, the President is the intelligence consumer and is seeking strategic intelligence to inform her risk management and security strategies.
To effectively communicate this intelligence to the President, your team develops a short executive report and corresponding briefing slides.
You chose this method to disseminate the intelligence to the President because it is a familiar channel of communication; executives are accustomed to receiving information in the form of written reports and formal briefings. By adhering to these professional standards, you increase the likelihood that the intelligence deliverables will be actionable for the President.
Once these intelligence deliverables have been developed, you are ready to progress to the last stage of the CTI life cycle: Dissemination & Feedback.
Conclusion
The fourth stage of the CTI life cycle is “Production”. At this point in the CTI life cycle, analysts develop relevant, actionable, and timely intelligence products tailored to the needs of the intelligence consumer.
By the end of this process, the analyst is prepared to disseminate their finished intelligence deliverables to the intelligence consumer in the fifth and final stage of the CTI life cycle.
Looking Ahead
In the next installment of this blog series, we will explore the fifth and final stage of the CTI life cycle — Dissemination and Feedback — and conclude this case study.
You will learn how to both disseminate timely intelligence deliverables to key stakeholders and collect feedback to inform and improve future intelligence cycles.
About the Author:
Casey Hennings is a security analyst and educator who writes about cybersecurity, threat intelligence, and security awareness.
She is currently seeking an entry-level cybersecurity position where she can apply her skills and continue growing as part of a passionate, purpose-driven team of security professionals.
To connect, you can find her at @cyberwithcasey on X (Twitter) and here on LinkedIn.