Post #2 Intelligence Life Cycle – Collection

The collection phase helps respond to Intelligence requirements (including PIRs) and supports decision-makers and the Intelligence team. In this phase, the Intelligence team can develop a strategy to collect data directly related to the requirements. The data can either be sourced internally or externally.

| Requirement | PIR | IR | Notes | Source |
|---|---|---|---|---|
| What or where will a cyber-criminal target or attack? | Yes | | Internet-facing applications/systems | Internal |
| What methods can a cyber-criminal use to target those systems? | No | Yes | Here we are looking for TTPs: the How | External |
| Which cyber-criminals have capabilities to target those systems? | No | Yes | The Who: financially motivated threat actors, nation-state actors | External |
| Do we have historical data of the attempts against those systems? | No | Yes | Known exploitation attempts, which include the What, the How and the Who (if there was a successful attribution) | Internal |

Requirements Mapped to Sources

The following table shows some examples of Internal vs External sources.

| Internal sources | External sources |
|---|---|
| Internal business units (if applicable) | Peer industries |
| Configuration management database (CMDB) | Government sectors |
| Security Operations team | Vendors |
| Internal technical support team | Law enforcement agencies |
| Accounts and payroll team | Closed-source communities |

Sample Data Sources

Using the above table, we can infer the following.

  1. The Intelligence team collects information on all internet-facing applications from internal sources.
  2. The Intelligence team then looks, in external sources, for the known methods (TTPs) used by the cyber-criminals known to target those systems.
  3. Assess the TTPs and disseminate the information, with context, to the teams responsible for protecting internet-facing systems.
  4. Repeat to identify further IRs associated with the given PIR.

Above is just one PIR mapped to sources. An organisation can have multiple PIRs, provided each is assigned a priority and relates to the organisation's or business unit's mission statement.

Side Note: Recently, I was asked how to select vendors. Vendors are considered external sources. Based on the above example, the Intelligence team should map their requirements to the sources they will need when designing their collection strategy. Once the requirements are mapped, the Intelligence team can evaluate vendor offerings (a Proof-of-Value is a must) and rate the content against the requirements. Remember that vendors will give you data (a good starting point); it is up to the intelligence team to make sense of it and provide organisational context for decision-makers.

Take care and be safe!