Word count: 1200
Due Date: 1 September
Tips
- Do not copy and paste chunks of text from the ASD website.
- Only choose one mitigation.
- Focus on tactical intelligence.
Lecture NOTE
• Intelligence Lifecycle
To establish an intelligence process in an organisation, an intelligence model is required (Cyber Threat Intelligence 2013). This means the organisation must first establish what threats it faces, the risk they pose and what responses are required (Cyber Threat Intelligence 2013). There are different models to choose from, although most contain similar elements. Law enforcement agencies have been using intelligence models and processes for many years, and it is possible to adapt these to the business environment (Cyber Threat Intelligence 2013).
The FBI proposes an intelligence cycle with the following elements: requirements, planning, processing, analysis/production, and dissemination (Intelligence Cycle n.d.). This intelligence cycle is designed to turn raw information or data into a meaningful intelligence product that can be used by decision makers (Intelligence Cycle n.d.). Importantly, the steps between processes are fluid, allowing information to flow both forwards and backwards as required (Intelligence Cycle n.d.). KPMG has used the experience of law enforcement agencies to develop a business-specific intelligence model with four key steps: setting priorities, gathering information, analysis and action (Cyber Threat Intelligence 2013).
Relating the Intelligence Cycle to Information Security
The key to the intelligence cycle is the production of actionable information, that is, information that has meaning and is understandable (Dandurand, Davidson, Kacha, Kaplan, Kompanek, Van Horenbeek & Grobauer 2015). Actionable information possesses set properties that distinguish it from raw data: it is relevant, timely, accurate, and specific (Johnson, Badger & Waltermire 2014; Dandurand et al. 2015). In terms of business, actionable information may be applied to infosec, where information is used to mitigate cyber threats and vulnerabilities (Dandurand et al. 2015).
This is essentially the purpose of applying the intelligence cycle to infosec, namely to detect attacks before (if possible) and during the event (Shackleford 2015). The strength of the intelligence cycle applied to infosec is the creation of cyber threat intelligence (CTI). Cyber threat intelligence, if properly used, can identify delivery mechanisms, indicators of compromise (IOCs), malicious actors and motivations across all levels of infrastructure (Shackleford 2015). Cyber threat intelligence provides information that is both strategic and tactical, which can be used to protect and defend against attacks (Farnham 2013).
Strategic intelligence includes the motivations of attackers, and tactical intelligence includes the tactics, techniques and procedures (TTPs) used during an attack (Farnham 2013).
• The Lifecycle
The intelligence cycle is a circular and repeated process to convert data into intelligence useful for meeting a goal of a user or customer; it has the following steps:
1. Planning and direction – Determine what your requirements are. To appropriately create any amount of intelligence out of information you should have a defined goal and intentions. This could be something as simple as wanting to know the command and control servers of a piece of malware so that you can block it on your network, to wanting to know the type of information systems your target uses so that you can infiltrate them. As you move through the intelligence cycle you can go back and address the steps again (for example, if you get new data which reveals something you did not know, an intelligence gap, you may define a new goal).
2. Collection – Where and how you acquire the data and information to process. This can be honeypots, firewall logs, Intrusion Detection System logs, scans of the Internet, etc. You should know most of your available collection options while in the planning and direction phase so you can set reasonable goals or intelligence needs.
3. Processing – The conversion of your collected information into something you can use, e.g. being able to access and parse through the data you collected. This may apply to how you store and access the data, or to the actual parsing of data, such as converting binary data into human-readable information such as ASCII.
4. Production – This is the step in which you take your data and turn it into an intelligence product. This is done through analysis and interpretation and is thus heavily dependent on the analyst. All produced reports should meet a defined intelligence need or goal from your planning and direction phase.
5. Dissemination – Supplying your customer or user with the finished intelligence product. If your users cannot access your product or cannot use it, then it is useless and does not meet a goal. JP 2-0 does not directly include “feedback” as part of the intelligence cycle, but all organizations and analysts should consider feedback and make sure that the planning and direction phase lined up correctly with what was produced.
Source: http://www.tripwire.com/state-of-security/security-data-protection/introduction-cyber-intelligence/
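As an added illustration of the five steps above (and of the "relevant, timely, accurate, specific" properties of actionable information described earlier), the following Python walks one tactical requirement through the whole cycle: the requirement is the command-and-control example from step 1, collection is a constructed firewall log, processing parses it, production flags destinations contacted at a near-constant interval (beaconing), and dissemination packages the result with a feedback slot. This is example code written for these notes, not from the Tripwire source; the log lines, thresholds and field names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed firewall log lines (not real data): "timestamp src dst:port action".
FIREWALL_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.7:443 ALLOW
2024-05-01T10:05:00 10.0.0.5 203.0.113.7:443 ALLOW
2024-05-01T10:10:00 10.0.0.5 203.0.113.7:443 ALLOW
2024-05-01T10:15:00 10.0.0.5 203.0.113.7:443 ALLOW
2024-05-01T10:02:13 10.0.0.9 198.51.100.20:443 ALLOW
2024-05-01T10:41:55 10.0.0.9 198.51.100.20:443 ALLOW"""

def plan():
    # Step 1, planning and direction: the requirement every product must answer.
    return {"goal": "identify suspected C2 servers so they can be blocked",
            "min_events": 4, "max_jitter": timedelta(seconds=30)}

def collect():
    # Step 2, collection: acquire raw data; the constructed log stands in for a SIEM export.
    return FIREWALL_LOG.splitlines()

def process(lines):
    # Step 3, processing: turn raw text into typed records an analyst can query.
    records = []
    for line in lines:
        ts, src, dst, action = line.split()
        host, port = dst.rsplit(":", 1)
        records.append((datetime.fromisoformat(ts), src, host, int(port), action))
    return records

def produce(records, req):
    # Step 4, production: analysis flags destinations contacted at a near-constant interval.
    by_pair = defaultdict(list)
    for ts, src, host, port, _ in records:
        by_pair[(src, host, port)].append(ts)
    findings = []
    for (src, host, port), times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= req["min_events"] and max(gaps) - min(gaps) <= req["max_jitter"]:
            findings.append({"source": src, "indicator": f"{host}:{port}", "events": len(times),
                             "interval_s": int(gaps[0].total_seconds()),
                             "last_seen": times[-1].isoformat()})  # timely and specific
    return findings

def disseminate(findings, req):
    # Step 5, dissemination: package the product so the consumer can act, and record feedback.
    return {"requirement": req["goal"], "indicators": findings,
            "action": "block indicators at the perimeter; confirm on the source host",
            "feedback": "pending"}
```

The second host pair has only two events, so it is not reported; only the regular five-minute beacon from 10.0.0.5 becomes an indicator in the product.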
References: not more than 8.