The Cyber Threat Intelligence Life Cycle: A Case Study (Part 6)

(Image by Author)

Recap

Objectives

In this blog series, we explore how to practically apply all five stages of the CTI life cycle to a hypothetical scenario involving two fictional institutions of higher education: Maplewood University and Pine Grove University.

In this installment of the series, we will focus on the final stage of the CTI life cycle, and you will learn how to both disseminate timely intelligence deliverables to key stakeholders and collect feedback to inform and improve future intelligence cycles.

The Case Study

You are a CTI analyst at Maplewood University. After a campus-wide spear-phishing attack on the nearby Pine Grove University, the President of Maplewood approaches your team, concerned that your institution may be the next victim. She has instructed you to determine the likelihood that Maplewood will also be targeted by this spear-phishing campaign and to identify measures the University can implement to defend against any future phishing attacks.

❗Disclaimer: Although the case study presented here is based on real events, the names, entities, and data included are not intended to be representative of real people, organizations, or incidents and should not be interpreted as such. This scenario is entirely fictitious and was devised by me specifically for use during this exercise.

The CTI Life Cycle | Stage 5: Dissemination & Feedback

Figure 1: The fifth stage of the CTI life cycle is “Dissemination & Feedback”. (Image by Author)

Key Concepts

The fifth and final stage of the CTI life cycle is “Dissemination & Feedback”. During this stage, the analyst distributes their finished intelligence deliverables to the intelligence consumers for review and feedback. The priority at this stage is to communicate relevant, actionable intelligence in a timely manner to enable quick and effective decision-making. To achieve this, the dissemination of intelligence deliverables should be tailored to the specific needs, responsibilities, and prior knowledge of the intelligence consumer. Depending on the intended audience and the sensitivity of the intelligence, methods of distributing intelligence deliverables might include:

• Email;
• Team communication platforms (e.g. Slack, Microsoft Teams);
• Secure file sharing platforms;
• In-person briefings and meetings; or
• Video conferences

Oftentimes, the dissemination of intelligence includes communicating technical information to non-technical stakeholders. For analysts, this can be a challenge; however, there are many practical strategies for accommodating non-technical individuals, such as:

• Using plain language and avoiding technical jargon or acronyms that may be unfamiliar;
• Using analogies and metaphors to relate technical concepts to familiar everyday situations;
• Including visuals like charts, graphs, and diagrams to aid understanding; and
• Prioritizing the key points that are most relevant to the stakeholder and limiting unnecessary technical details

📌 Remember: Intelligence must be properly communicated in order to be actionable.

The CTI life cycle concludes with the collection of feedback from intelligence consumers on the relevance and usefulness of the intelligence in supporting decision-making. Because threat intelligence is produced expressly to meet the needs of stakeholders, it is important to consistently assess the value added by seeking input from stakeholders themselves. By collecting and integrating feedback into subsequent intelligence processes, analysts can iteratively improve the quality of future intelligence products. This feedback can be used to continuously refine analysis processes, enhance the relevance of the intelligence shared, and address any identified gaps or areas for improvement.

There are many potential approaches to the collection of both formal and informal stakeholder feedback, including:

• Email;
• Portals;
• Wikis;
• Surveys;
• Peer-to-peer conversations; and
• Regular performance reviews

However, according to the “Cyber Intelligence Tradecraft Report” produced by Carnegie Mellon University, “append[ing] surveys to finished cyber intelligence reports” is one of the most effective strategies for consistently generating stakeholder feedback (95).

Case Study Example

To disseminate your intelligence deliverables, you first email a copy of the finished Executive Report to the Maplewood University President and then schedule a short meeting with her later in the week to debrief it. Providing the President with the Executive Report up front ensures the timely delivery of intelligence and creates the opportunity for her to prepare questions and feedback to be addressed during the meeting.

During the subsequent intelligence briefing, you lead a short presentation that summarizes your analysis and recommendations, taking care to use language and visuals that support the President as a non-technical stakeholder. At the end of the meeting, the President offers feedback on the intelligence deliverables, effectively concluding the current CTI life cycle and initiating the next iteration.

Conclusion

The fifth and final stage of the CTI life cycle is “Dissemination & Feedback”. At this point in the CTI life cycle, analysts distribute their finished intelligence deliverables to stakeholders and collect feedback that can be used to inform future iterations of the life cycle. The primary focus of this stage is ensuring the timely and effective communication of actionable intelligence that supports decision-making. To continually improve this process, it is imperative that analysts also collect and integrate stakeholder feedback in response to these intelligence deliverables. It is this prioritization of stakeholder input and continual improvement that leads to more effective and efficient intelligence processes.

Putting It All Together

In this blog series, we have explored how to practically apply all five stages of the CTI life cycle to a hypothetical scenario involving two fictional institutions of higher education: Maplewood University and Pine Grove University.

The purpose of this exercise was to demonstrate exactly how analysts leverage the CTI life cycle to evolve intelligence requirements into actionable intelligence deliverables that support the success and security of their organization in a rapidly evolving threat landscape.

I thoroughly enjoyed bringing this case study to life, and I hope you learned something new as a result.

If you found value in this blog series, please consider:

👏🏻 Clapping for this article,

📩 Sharing it with others, or

💬 Commenting your thoughts below

About the Author:

Casey Hennings is a security analyst and educator who writes about cybersecurity, threat intelligence, and security awareness.

She is currently seeking an entry-level cybersecurity position where she can apply her skills and continue growing as part of a passionate, purpose-driven team of security professionals.

To connect, you can find her at @cyberwithcasey on X (Twitter) and here on LinkedIn.