Cyber Threat Intelligence: Integrating the

Intelligence Cycle

Elias Fox and Michael Norkus, Cyber Threat Intelligence Analysts

January 2017
 CLASSIFICATION MARKS

The Global Domain

Network
Domain

The internet offers global connectivity to all the good things contained therein…and to all the
bad things, as well.
CLASSIFICATION MARKS 2
 Situational Awareness

Risk and opportunity management is a core function of every organization. Situational

awareness is key to improved business decisions.
3
 CLASSIFICATION MARKS

The Value of Cyber Threat Intelligence

Proper CTI should extend our vision and allow us to take steps that normally we would not.

CLASSIFICATION MARKS 4
 CLASSIFICATION MARKS

Noblis Definition and Vision

Requirements-Driven Methodology
Traditional and Non-Traditional Intelligence Techniques

Holistic Cyber Threat Picture Proactively Diminish Threats

Tactical Operational Strategic

Technical Expertise Analytic Tradecraft

Timely Accurate

Our vision incorporates network defense data and all-source intelligence to provide a holistic
cyber threat picture.
CLASSIFICATION MARKS 5
 CLASSIFICATION MARKS

The Three Levels of Threat Intelligence

STRATEGIC LONG-TERM TRENDS

OPERATIONAL SHORT-TERM TRENDS

TACTICAL TIMEFRAME IMMEDIATE

“tactics are concerned with ‘doing the job right,’ and higher levels of strategy are concerned
with ‘doing the right job’.” (Drew and Snow, 2006)
CLASSIFICATION MARKS 6
 Cyber Threat Intelligence: A Holistic Picture
Tactical Operational Strategic

Reactive

Focused on Focused on Next Focused on Years

Today/Tomorrow Week/Month Ahead
Feeds and IoCs Adversary TTP Planning and Risk

7
 Man in the Middle
DDoS
Proactive Defense Measures!
Risk Mitigation: Social Engineering
What do we have that they
want?
How do we protect our data?

8
 Incorporating the Traditional Intelligence Cycle

Monitoring and Response Requirements and Planning

Dissemination Collection

Analysis and Production Processing and Exploitation

Incorporating the traditional Intelligence Cycle into analysts’ workflow will expand the
precision with which we can identify, defend against, and prevent cyber threats.
9
NETFLOW Industrial
Attacks

10
 Monitoring and Response Integration

Integrating CTI, network operations and security, and business operations enables more
effective decisions to balance risk, response, and allocation of resources.
11
12
IdealWorks: Risk Assessment

13
 Incorporating the Traditional Intelligence Cycle

Monitoring and Response Requirements and Planning

Dissemination Collection

Analysis and Production Processing and Exploitation

Incorporating the Intelligence Cycle into analysts’ workflow allows the company to
proactively identify threats and intelligence gaps.
14
 Job
TTP Economic Applications Military
Military
Opportunity Market Modernization
Modernization Job Access
Applications Agreements

Market
Industrial Access
Leaps in R&D
TTP
Attacks Agreements

Economic
Leaps in R&D Gaps
Opportunity

Industrial
NETFLOWNETFLOW
Attacks Traffic Traffic

15
 Incorporating the Traditional Intelligence Cycle

Monitoring and Response Requirements and Planning

Dissemination Collection

Analysis and Production Processing and Exploitation

Incorporating the Intelligence Cycle into analysts’ workflow allows the company to
proactively identify threats and intelligence gaps.
16
 Monitoring and Response Integration

A Monitoring and Response framework links the organization’s intelligence support with its
network operations division – and drives information flow.
17
 Cyber Threat Intelligence: A Holistic Picture
Tactical Operational Strategic

Reactive Proactive

Focused on Focused on Next Focused on Years

Today/Tomorrow Week/Month Ahead
Feeds and IoCs Adversary TTP Planning and Risk

18
Benefits of Integrating People and Tools

19
 CLASSIFICATION MARKS

Knowledge, Skills, and Abilities: Integrating People

Cyber Threat Intelligence Analyst

(Foundational Skills)

CND Analyst Open Source Analyst

(Technical Track) (Analytical Track)

Just as people and tools are behind these threats, people and tools are required to resolve
these threats – automation and machine learning provide only half of the solution.
CLASSIFICATION MARKS 20
 CLASSIFICATION MARKS

Knowledge, Skills, and Abilities: Integrating People

Open Source Analyst

Cyber Threat Intelligence Analyst
(Analytical Track)
(Foundational Skills)

Cyber Threat Intelligence Analyst

CND Analyst Open
(Foundational Source Analyst
Skills)
(Technical Track) (Analytical Track)

Just as people and tools are behind these threats, people and tools are required to resolve
these threats – automation and machine learning provide only half of the solution.
CLASSIFICATION MARKS 21
 Now
remember,
Proactive
Man says:

22