The collection phase helps respond to Intelligence requirements (including PIRs) and supports decision-makers and the Intelligence team. In this phase, the Intelligence team can develop a strategy to collect data directly related to the requirements. The data can either be sourced internally or externally.
| Intelligence requirement | PIR? | IR? | Source |
|---|---|---|---|
| What or where will a cyber-criminal target or attack? | Yes | Internet-facing applications/systems | Internal |
| What methods can a cyber-criminal use to target those systems? | No | Yes. Here we are looking for TTPs: the How | External |
| Which cyber-criminals have capabilities to target those systems? | No | Yes. The Who: financially motivated threat actors, nation-state actors | External |
| Do we have historical data of the attempts against those systems? | No | Yes. Known exploitation attempts, which include the What, the How and the Who (if there was a successful attribution) | Internal |

Requirements Mapped to Sources
The following table shows some examples of Internal vs External sources.
| Internal sources | External sources |
|---|---|
| Internal business units (if applicable) | Peer industries |
| Configuration management database (CMDB) | Government sectors |
| Security Operations team | Vendors |
| Internal technical support team | Law enforcement agencies |
| Accounts and payroll team | Closed-source communities |

Sample Data Sources
Using the above table, we can infer the following.
- The Intelligence team collects information on all internet-facing applications from internal sources.
- The Intelligence team then looks, in external sources, for the known methods (TTPs) used by the cyber-criminals known to target those systems.
- Assess the TTPs and disseminate the information, with context, to the teams responsible for protecting the internet-facing systems.
- Repeat the process to identify further IRs associated with the given PIR.
The above is just one PIR mapped to sources. An organisation can have multiple PIRs, provided each has a priority attached and relates to the mission statement of the organisation or business unit.
Side Note: Recently, I was asked how to select vendors. Vendors are considered external sources. Based on the above example, the Intelligence team should map their requirements to the sources they will need when designing their collection strategy. Once the requirements are mapped, the Intelligence team can evaluate vendor offerings (a Proof-of-Value is a must) and rate the content against the requirements. Remember that vendors will give you data, which is a good starting point; it is up to the Intelligence team to make sense of it and provide organisational context for decision-makers.
Take care and be safe!