Cyber Threat Intelligence
Collection Management Part 1 — Overview
Cyber Threat Intelligence Lifecycle
Prior to exploring collection management, it’s pertinent to define the cyber threat intelligence (CTI) lifecycle. The CTI lifecycle can broadly be identified under the following domains, each with specific objectives:
- Requirements
- Collection
- Processing
- Analysis
- Dissemination
- Feedback
For a quick introduction to each domain, the following resources provide a good overview:
Requirements
While CTI requirements are the most critical part of a CTI program, this domain will be addressed in later stories as I often find leaders uncertain how to best articulate requirements when there isn’t a basic familiarity with CTI or cyber risk. I’ve found that providing an end-to-end example of a CTI lifecycle often helps with more targeted and realistic requirements.
For the story, I’ll use a broad CTI requirement:
The organization employs countermeasures to detect and prevent actor tactics, techniques, and procedures (TTPs), which mitigate the risk of an intrusion that results in a material data exfiltration or impact to operations.
Collection
As a broad definition, CTI collection is every process, and the management of every source, that directly supports a CTI requirement.
A formal collection management strategy ensures:
- Stakeholder visibility into CTI collection sources
- Consistent approaches to evaluating a collection source's value
- Elimination of duplicate CTI collection efforts
- Consistent approaches to collection automation
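To make the four outcomes above concrete, here is an added example of a minimal collection-management register; it is illustrative code written for this edit, not part of the original story. It assumes the broad requirement is decomposed into hypothetical sub-requirements (R1 to R4) and tracks four constructed sources with analyst-assigned timeliness and relevance ratings. From that register it derives the three things a collection manager usually wants to see: which requirements have no supporting source, which sources are redundant (same kind, coverage that is a subset of another source, and no better ratings), and a simple comparable value score per source.

```python
from dataclasses import dataclass

# Constructed sample: hypothetical sub-requirements derived from the broad
# requirement in the story. IDs and wording are assumptions for this example.
REQUIREMENTS = {
    "R1": "Detect actor TTPs used for initial access",
    "R2": "Detect actor TTPs used for data exfiltration",
    "R3": "Prevent actor TTPs that impact operations",
    "R4": "Detect actor TTPs against identity infrastructure",
}


@dataclass(frozen=True)
class Source:
    name: str                  # label used in the register
    kind: str                  # e.g. "vendor feed", "internal telemetry", "OSINT"
    supports: frozenset        # requirement IDs the source directly supports
    timeliness: int            # analyst rating, 1 (slow) .. 5 (near real time)
    relevance: int             # analyst rating, 1 .. 5, fit to the org's threat model
    automated: bool            # ingested by automation rather than manual collection


# Constructed sample sources (hypothetical; not an endorsement of any product).
SOURCES = [
    Source("Vendor feed A", "vendor feed", frozenset({"R1", "R2"}), 4, 3, True),
    Source("Vendor feed B", "vendor feed", frozenset({"R1"}), 3, 3, True),
    Source("EDR telemetry", "internal telemetry", frozenset({"R1", "R3"}), 5, 5, True),
    Source("Analyst OSINT reading", "OSINT", frozenset({"R2"}), 2, 4, False),
]


def coverage(requirements, sources):
    """Map each requirement ID to the sorted names of sources supporting it."""
    return {
        rid: sorted(s.name for s in sources if rid in s.supports)
        for rid in requirements
    }


def uncovered(requirements, sources):
    """Requirement IDs with no supporting source: the collection gaps."""
    return sorted(rid for rid, names in coverage(requirements, sources).items() if not names)


def duplicates(sources):
    """Pairs (redundant, covering) where the first source is of the same kind,
    supports a subset of the second source's requirements, and rates no better
    on timeliness or relevance. These are candidates for consolidation."""
    pairs = []
    for s in sources:
        for other in sources:
            if s is other or s.kind != other.kind:
                continue
            if (s.supports <= other.supports
                    and s.timeliness <= other.timeliness
                    and s.relevance <= other.relevance):
                pairs.append((s.name, other.name))
    return sorted(pairs)


def value_score(source, sources):
    """Comparable value score: ratings, plus a bonus for each requirement this
    source alone supports, plus a bonus if it is already automated."""
    cov = coverage(REQUIREMENTS, sources)
    unique = sum(1 for rid in source.supports if cov.get(rid) == [source.name])
    return source.timeliness + source.relevance + 2 * unique + (1 if source.automated else 0)


def report(requirements, sources):
    """Stakeholder-facing summary: coverage, gaps, redundancies, and scores."""
    return {
        "coverage": coverage(requirements, sources),
        "gaps": uncovered(requirements, sources),
        "duplicates": duplicates(sources),
        "scores": {s.name: value_score(s, sources) for s in sources},
    }


if __name__ == "__main__":
    for section, content in report(REQUIREMENTS, SOURCES).items():
        print(f"{section}: {content}")
```

The subset rule in `duplicates` is deliberately conservative: a source is only flagged when a same-kind source covers everything it covers at equal or better quality, so two feeds with different requirement coverage are never treated as interchangeable. The score weights are arbitrary placeholders; the point is that every source is judged by the same criteria and tied back to a stated requirement.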