NTU Cyber Threat Intelligence Lifecycle Production PDF
Nanyang Technological University
Summary
This presentation explores the production aspect of cyber threat intelligence lifecycles. It covers the importance of clear communication in intelligence, when to create an intelligence product, and various types of intelligence products, aiming to provide a practical guide on handling intelligence products.
Full Transcript
Cyber Threat Intelligence Lifecycle Production

©2023 Mastercard. Proprietary and Confidential
FlexiMasters in Cybersecurity and Digital Trust
Copyright 2024 Mastercard

The information provided herein by Mastercard (the “Presentation”), as well as all materials, concepts, processes and methodologies employed by Mastercard or a Mastercard supplier in connection with the Presentation, are and will remain the sole and exclusive property of Mastercard (or such Mastercard Supplier). Mastercard hereby grants to meeting participants a limited, non-exclusive right to use the Presentation without the right to assign, transfer or sublicense the Presentation in any way. The Presentation is confidential, provided for informational, non-commercial purposes only. The recipient may use the Presentation for its own internal business purposes. Except with the prior written permission of Mastercard, the Presentation shall not be used for any other purpose and shall not be published or disclosed to third parties, in whole or part. Mastercard makes no warranties concerning the Presentation and disclaims all express and implied warranties to the extent permitted by law, including but not limited to any implied warranty of merchantability, course of dealing, or fitness for a particular purpose. Recipient is responsible for its use of the Presentation, and Mastercard assumes no responsibility or liability with respect thereto.

In addition, all meeting participants are reminded that this meeting must adhere to competition law rules and, as such, no confidential or commercially sensitive information ought to be shared directly or indirectly between competitors. If any member feels that a discussion includes prohibited topics, they should raise an objection immediately as to stop discussion on such matter pending advice regarding the application of competition law.

Agenda

- Introduction
- Importance of Intelligence Production
- When to Create an Intelligence Product
- Types of Intelligence Products
- Developing Product Lines
- Intelligence Production Best Practices
- Intelligence Production Process

Overview of the Intelligence Lifecycle

The Intelligence Lifecycle is a foundational model for conceptualizing and organizing the processes associated with the production of finished intelligence products and services. This version of the Intelligence Cycle has been tailored for cyber threat intelligence purposes.

[Figure: intelligence lifecycle diagram with the stages Requirements & Planning, Collection, Processing & Ingestion, Analysis & Production, Dissemination & Feedback]

Production

- Intelligence is an inherently communications-focused discipline
- The communication of intelligence is generally referred to as production
- CTI products are generally delivered in a few formats:
  - Finished intelligence products
  - Technical intelligence products
  - Intelligence briefings

Why is production important?

“If you are not able to clearly communicate the results of all the research, analysis, and other grunt work you have put in, then, from the reader’s viewpoint, none of that mattered.”
- James S. Major, Communicating with Intelligence, Rowman & Littlefield, 2014

Reduced to its simplest terms, intelligence is knowledge and foreknowledge of the world around us—the prelude to decision and action by policymakers.

When should you create a product?

Cyber Threat
- Probable or plausible threat
- Avoid veering into Geopolitical or Military analysis*
- Avoid veering into risk or vulnerability analysis*

Answers
- Answers an Intelligence Requirement
  - Standing
  - Ad-Hoc
  - Implied
- Avoid chasing the cyber news cycle*
- Avoid becoming the general research team*

Actionable
- Serves as a prelude to an action or decision
- Consider the mission and authorities of stakeholders
- Consider the level of detail required for actionability by stakeholders

New
- New incidents, threats, disruptive technologies, etc.
- Has this already been actioned?

*Unless this is a defined part of your mission or you are directly tasked to do so by stakeholders

What type of product should you create?

Strategic
- Generally, more appropriate for policymakers, strategic decision-makers, and security leaders
- Longer lead times to impact or crystallization
- May be technical or non-technical

Operational
- Generally appropriate for program managers, team leads, and incident commanders
- Moderate lead times to impact or crystallization
- Generally technical in nature

[Label on slide: Current]

Tactical
- Generally appropriate for network defenders and incident responders (hands-on-keyboard)
- Shorter lead times to impact or crystallization
- Generally, the most technical in nature

Developing intelligence product lines

- Intelligence product lines have specific branding, formatting, and style that communicates a specific audience and purpose for the products in that line
- Product lines may be strategic, operational, or tactical in nature, or include multiple product types
- Product lines allow you to quickly communicate with your audience on the type of intelligence, the level of technical detail, and the applications they can expect from any given product within that line

Product format

[Figure: annotated sample product, with the following callouts]
- Product line name and publication date
- Sharing restrictions
- Analytic title that provides key takeaway
- Summary paragraph
- Paragraphs are analytic
- Bullet points are factual and support the paragraph
- Major analytic lines are in different paras

Intelligence writing fundamentals

Best practices:
- Bottom Line Up Front (BLUF)
- Active Voice
- Probabilistic language and confidence statements
- Spell out acronyms and explain technical terms
- Include specific dates, figures, and other references, where possible
- Consistent style and organizational voice

U.S. Intelligence Community, February 6 2023

Production process

[Figure: production process flow with the stages Concept, Research & Analysis, Drafting & Editing, Peer Review, Key Judgement Review, Style & QA Review, Publication]

Conclusion

- Importance of Intelligence Production
- When to Create an Intelligence Product
- Types of Intelligence Products
- Developing Product Lines
- Intelligence Production Best Practices
- Intelligence Production Process

Questions?

Chris Carsten: [email protected]