In Stage 2, the team will start to build relationships allowing a more consistent intake of high-fidelity human-generated and semi-automated data flows.
Information received through automatic feeds, if appropriate, can be used to block activity. Careful consideration is required to select which feeds fall into this category. CTI personnel research which feeds best meet their requirements, ensuring that their budget is allocated properly.
As organizations mature, they will move away from merely sweeping on observables and move up the Pyramid of Pain. This incorporation of Operational and Strategic intelligence is gradually completed in Stage 2. Additionally, the incorporation of Operational and Strategic intelligence will most likely never be completed due to emerging technologies and other outside influences. Organizational maturity and technological advances will enable organizations to reach a stable state fitting their objectives and financial requirements, although they should periodically re-evaluate it.
The goal of moving further up the Pyramid of Pain is to increase the cost to the attacker, causing their campaigns to fail. Hashes, IP Addresses, and Domains are easily changed by threat actors, but disruption to their techniques, tools, and procedures causes much bigger disruption. Thus the capability must extend to identifying, researching, and blocking the attacker based on Operational and Strategic (TTPs). If done effectively, the attacker will have to change most aspects of their campaign, from process, tooling, and down to infrastructure.
At this stage, the team will start documenting the observable results of internal investigations and the corresponding analysis. In this way, they will be a collector and creator of raw intelligence. This can be leveraged at a later point to either discover larger campaigns or long-term trends. The CTI Team will start their knowledge management process and recognize that information from previous events helps to learn and develop better techniques for future events. At this point, the team will look at how to systematically collect, store, process, and disseminate data and implement a Threat Intelligence Platform (TIP).
At this stage, the team will develop analytic capability though it will be focused on analyzing and tying together multiple data sources and not so much on producing a product intended for external dissemination. This will also include incorporating data from underground forums provided through threat intelligence partners. In this phase, the direct collection will be avoided mostly due to the time it would require but also due to the lack of proper OPSEC training and supporting infrastructure.
At this stage, the organization will start to actively engage other teams across the industry.
Furthermore, the team will start providing input to the Risk Management and Business process. This is possibly the highest-value function that the CTI Team has at this stage. Providing this capability allows the CTI Team to create value for the company, allows its growth and maturing, and ensures its longevity. If the CTI Team is part of the RM process, they are directly supporting corporate security and mitigating risks as defined at the corporate and leadership level. Importantly, mitigating risks aligns the CTI Team with resources necessary to complete RM tasks X, Y, and Z. Simply stated, resources equals money, money for personnel, tooling, etc. CTI process support should align with organizational Risk Management / Mitigation (RM) Processes. Linking these two processes enables RM leaders to clearly identify their risks and quantitatively connect them with risk mitigation strategies. The Risk Mitigation strategies are then properly prioritized, which leads to a properly budgeted project. The RM leaders are then able to properly triage risks based on CTI and decide on what is the best mitigation method.
Structure within the CTI Team begins with documented analytical processes, how to request support, where to find their reporting, etc. It might be easiest to think of this document as a combination of Standard Operating Procedures and an Onboarding / New Hire guide. This will include how the CTI Team is using intelligence concepts (intelligence cycle, frameworks, etc.) and identifying the tactical, operational, and strategic intelligence they are providing. As part of the structure, the relationship between the Incident Response Team and the CTI Team will be formalized with inclusion into the RM Process as identified above.
Last but not least, some basic tasking will be initiated to gather and analyze information about specific threats. This process is indicative that the CTI Team has the capacity to move beyond supporting only incident response investigations and is now entering into Threat Landscape Reporting (TLR). TLR is necessary as it begins the process of supporting the RM process and strengthens the overall security with understanding. The biggest uncertainty most organizations face is “What does my environment contain and look like?” A TLR links the environment with likely threat actors who have targeted the organization before or who are active within the business vertical / sector. The TLR is a key element in building awareness about the organization's threats. The awareness grows into understanding. Once you understand the environment and threats within it, you can build solutions.