CINXE.COM

Machine and Human Analysis Techniques (and Intelligence Cycle) / Cyber Threat Intelligence SIG Curriculum

<!doctype html><html lang="en" class="web tlp-clear" data-studio-config="eyJ4aHJDcmVkZW50aWFscyI6ZmFsc2UsInhockhlYWRlcnMiOnt9fQo="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>Machine and Human Analysis Techniques (and Intelligence Cycle) / Cyber Threat Intelligence SIG Curriculum</title> <meta property="og:title" content="Machine and Human Analysis Techniques (and Intelligence Cycle) / Cyber Threat Intelligence SIG Curriculum" /> <meta property="og:type" content="website" /> <meta property="og:image" content="https://www.first.org/_/img/first-big-icon.png" /> <meta property="og:url" content="https://www.first.org/global/sigs/cti/curriculum/machine-human" /> <meta property="og:site_name" content="FIRST — Forum of Incident Response and Security Teams" /> <meta property="fb:profile_id" content="296983660669109" /> <meta property="twitter:card" content="summary" /> <meta property="twitter:site" content="@FIRSTdotOrg" /><meta name="viewport" content="initial-scale=1,maximum-scale=1.0,user-scalable=no" /><link rel="icon" type="image/png" href="/1st.png" /><link rel="apple-touch-icon" sizes="128x128" href="/favicon.png" /><link rel="stylesheet" type="text/css" href="/_/web.css?20241031194005" /></head><body><header><div id="header" data-studio="CU52CV1W8g"><div id="c3" data-studio="Yu8FjCC11g"><div id="topbar"> <div class="sites right"> <ul> <li><a href="https://support.first.org" class="kb-datalist"><img src="/_/img/icon-portal_support.svg" alt="FIRST Support" title="FIRST Support" /></a></li> <li><a href="https://portal.first.org" class="button"><span class="no-tiny">Member </span>Portal</a></li> </ul> </div> <div class="first-logo"> <p><a href="/"><img src="/_/img/first-org-simple-negative.svg" alt="FIRST.Org" title="FIRST" /></a></p> </div> <div class="nav"> <ul class="navbar"><li><a href="/about">About FIRST</a><ul><li><a href="/about/mission">Mission Statement</a></li><li><a href="/about/history">History</a></li><li><a href="/about/sdg">Sustainable Development Goals</a></li><li><a href="/about/organization">Organization</a><ul><li><a href="/about/organization/directors">Board of Directors</a></li><li><a>Operations Team</a><ul><li><a href="/about/organization/ccb">Community &amp; Capacity Building</a></li><li><a href="/about/organization/events">Event Office</a></li><li><a href="/about/organization/executive-director">Executive Director</a></li><li><a href="/about/organization/infrastructure">Infrastructure</a></li><li><a href="/about/organization/secretariat">Secretariat</a></li></ul></li><li><a href="/about/organization/committees">Committees</a><ul><li><a href="/about/organization/committees/compensation-committee">Compensation Committee</a></li><li><a href="/about/organization/committees/conference-program-committee">Conference Program Committee</a></li><li><a href="/about/organization/committees/membership-committee">Membership Committee</a></li><li><a href="/about/organization/committees/rules-committee">Rules Committee</a></li><li><a href="/about/organization/committees/standards">Standards Committee</a></li></ul></li><li><a href="/events/agm">Annual General Meeting</a></li><li><a href="/about/organization/reports">Annual Reports and Tax Filings</a></li></ul></li><li><a href="/about/policies">FIRST Policies</a><ul><li><a href="/about/policies/anti-corruption">Anti-Corruption Policy</a></li><li><a href="/about/policies/antitrust">Antitrust Policy</a></li><li><a href="/about/policies/bylaws">Bylaws</a></li><li><a href="/about/policies/board-duties">Board duties</a></li><li><a href="/about/bugs">Bug Bounty Program</a></li><li><a href="/about/policies/code-of-conduct">Code of Conduct</a></li><li><a href="/about/policies/conflict-policy">Conflict of Interest Policy</a></li><li><a href="/about/policies/doc-rec-retention-policy">Document Record Retention and Destruction Policy</a></li><li><a href="/newsroom/policy">FIRST Press Policy</a></li><li><a href="/about/policies/gen-event-reg-refund-policy">General Event Registration Refund Policy</a></li><li><a href="/about/policies/event-site-selection">Guidelines for Site Selection for all FIRST events</a></li><li><a href="/identity">Identity &amp; Logo Usage</a></li><li><a href="/about/policies/mailing-list">Mailing List Policy</a></li><li><a href="/about/policies/media">Media Policy</a></li><li><a href="/about/policies/privacy">Privacy Policy</a></li><li><a href="/about/policies/registration-terms-conditions">Registration Terms &amp; Conditions</a></li><li><a href="/about/policies/terms">Services Terms of Use</a></li><li><a href="/about/policies/standards">Standards Policy</a></li><li><a href="/about/policies/diversity">Statement on Diversity &amp; Inclusion</a></li><li><a href="/about/policies/translation-policy">Translation Policy</a></li><li><a href="/about/policies/travel-policy">Travel Policy</a></li><li><a href="/about/policies/uniform-ipr">Uniform IPR Policy</a></li><li><a href="/about/policies/whistleblower-policy">Whistleblower Protection Policy</a></li></ul></li><li><a href="/about/partners">Partnerships</a><ul><li><a href="/global/partners">Partners</a></li><li><a href="/global/friends">Friends of FIRST</a></li><li><a href="/global/supporters/">FIRST Supporters</a></li><li><a href="/about/sponsors">Sponsors</a></li></ul></li><li><a href="/newsroom">Newsroom</a><ul><li><a href="/newsroom/news">What&#039;s New</a></li><li><a href="/newsroom/releases">Press Releases</a></li><li><a href="/newsroom/news/media">In the News</a></li><li><a href="/podcasts">Podcasts</a><ul><li><a href="/newsroom/news/first-impressions/">FIRST Impressions Podcast</a></li><li><a href="/newsroom/news/podcasts/">FIRSTCON Podcast</a></li></ul></li><li><a href="/newsroom/newsletters">Newsletters</a></li><li><a href="/newsroom/policy">FIRST Press Policy</a></li></ul></li><li><a href="/about/procurement">Procurement</a></li><li><a href="/about/jobs/">Jobs</a></li><li><a href="/contact">Contact</a></li></ul></li><li><a href="/members">Membership</a><ul><li><a href="/membership/">Becoming a Member</a><ul><li><a href="/membership/process">Membership Process for Teams</a></li><li><a href="/membership/process-liaisons">Membership Process for Liaisons</a></li><li><a href="/membership/#Fees">Membership Fees</a></li></ul></li><li><a href="/members/teams">FIRST Teams</a></li><li><a href="/members/liaisons">FIRST Liaisons</a></li><li><a href="/members/map">Members around the world</a></li></ul></li><li><a href="/global">Initiatives</a><ul><li><a href="/global/sigs">Special Interest Groups (SIGs)</a><ul><li><a href="/global/sigs/framework">SIGs Framework</a></li><li><a href="/global/sigs/academicsec" class="borderb">Academic Security SIG</a></li><li><a href="/global/sigs/ai-security">AI Security SIG</a></li><li><a href="/global/sigs/automation">Automation SIG</a></li><li><a href="/global/sigs/bigdata">Big Data SIG</a></li><li><a href="/cvss">Common Vulnerability Scoring System (CVSS-SIG)</a><ul><li><a href="/cvss/calculator/4.0">Calculator</a></li><li><a href="/cvss/v4.0/specification-document">Specification Document</a></li><li><a href="/cvss/v4.0/user-guide">User Guide</a></li><li><a href="/cvss/v4.0/examples">Examples</a></li><li><a href="/cvss/v4.0/faq">Frequently Asked Questions</a></li><li><a href="/cvss/v4-0">CVSS v4.0 Documentation &amp; Resources</a><ul><li><a href="/cvss/calculator/4.0">CVSS v4.0 Calculator</a></li><li><a href="/cvss/v4.0/specification-document">CVSS v4.0 Specification Document</a></li><li><a href="/cvss/v4.0/user-guide">CVSS v4.0 User Guide</a></li><li><a href="/cvss/v4.0/examples">CVSS v4.0 Examples</a></li><li><a href="/cvss/v4.0/faq">CVSS v4.0 FAQ</a></li></ul></li><li><a href="/cvss/v3-1">CVSS v3.1 Archive</a><ul><li><a href="/cvss/calculator/3.1">CVSS v3.1 Calculator</a></li><li><a href="/cvss/v3.1/specification-document">CVSS v3.1 Specification Document</a></li><li><a href="/cvss/v3.1/user-guide">CVSS v3.1 User Guide</a></li><li><a href="/cvss/v3.1/examples">CVSS v3.1 Examples</a></li><li><a href="/cvss/v3.1/use-design">CVSS v3.1 Calculator Use &amp; Design</a></li></ul></li><li><a href="/cvss/v3-0">CVSS v3.0 Archive</a><ul><li><a href="/cvss/calculator/3.0">CVSS v3.0 Calculator</a></li><li><a href="/cvss/v3.0/specification-document">CVSS v3.0 Specification Document</a></li><li><a href="/cvss/v3.0/user-guide">CVSS v3.0 User Guide</a></li><li><a href="/cvss/v3.0/examples">CVSS v3.0 Examples</a></li><li><a href="/cvss/v3.0/use-design">CVSS v3.0 Calculator Use &amp; Design</a></li></ul></li><li><a href="/cvss/v2">CVSS v2 Archive</a><ul><li><a href="/cvss/v2/guide">CVSS v2 Complete Documentation</a></li><li><a href="/cvss/v2/history">CVSS v2 History</a></li><li><a href="/cvss/v2/team">CVSS-SIG team</a></li><li><a href="/cvss/v2/meetings">SIG Meetings</a></li><li><a href="/cvss/v2/faq">Frequently Asked Questions</a></li><li><a href="/cvss/v2/adopters">CVSS Adopters</a></li><li><a href="/cvss/v2/links">CVSS Links</a></li></ul></li><li><a href="/cvss/v1">CVSS v1 Archive</a><ul><li><a href="/cvss/v1/intro">Introduction to CVSS</a></li><li><a href="/cvss/v1/faq">Frequently Asked Questions</a></li><li><a href="/cvss/v1/guide">Complete CVSS v1 Guide</a></li></ul></li><li><a href="/cvss/data-representations">JSON &amp; XML Data Representations</a></li><li><a href="/cvss/training">CVSS On-Line Training Course</a></li><li><a href="/cvss/identity">Identity &amp; logo usage</a></li></ul></li><li><a href="/global/sigs/csirt">CSIRT Framework Development SIG</a></li><li><a href="/global/sigs/cyberinsurance">Cyber Insurance SIG</a><ul><li><a href="/global/sigs/cyberinsurance/events">Cyber Insurance SIG Webinars</a></li></ul></li><li><a href="/global/sigs/cti">Cyber Threat Intelligence SIG</a><ul><li><a href="/global/sigs/cti/curriculum/">Curriculum</a><ul><li><a href="/global/sigs/cti/curriculum/introduction">Introduction</a></li><li><a href="/global/sigs/cti/curriculum/cti-introduction">Introduction to CTI as a General topic</a></li><li><a href="/global/sigs/cti/curriculum/methods-methodology">Methods and Methodology</a></li><li><a href="/global/sigs/cti/curriculum/pir">Priority Intelligence Requirement (PIR)</a></li><li><a href="/global/sigs/cti/curriculum/source-evaluation">Source Evaluation and Information Reliability</a></li><li><a href="/global/sigs/cti/curriculum/machine-human">Machine and Human Analysis Techniques (and Intelligence Cycle)</a></li><li><a href="/global/sigs/cti/curriculum/threat-modelling">Threat Modelling</a></li><li><a href="/global/sigs/cti/curriculum/training">Training</a></li><li><a href="/global/sigs/cti/curriculum/standards">Standards</a></li><li><a href="/global/sigs/cti/curriculum/glossary">Glossary</a></li><li><a href="/global/sigs/cti/curriculum/cti-reporting/">Communicating Uncertainties in CTI Reporting</a></li></ul></li><li><a href="/global/sigs/cti/events/">Webinars and Online Training</a></li><li><a href="/global/sigs/cti/cti-program">Building a CTI program and team</a><ul><li><a href="/global/sigs/cti/cti-program/program-stages">Program maturity stages</a><ul><li><a href="/global/sigs/cti/cti-program/stage1">CTI Maturity model - Stage 1</a></li><li><a href="/global/sigs/cti/cti-program/stage2">CTI Maturity model - Stage 2</a></li><li><a href="/global/sigs/cti/cti-program/stage3">CTI Maturity model - Stage 3</a></li></ul></li><li><a href="/global/sigs/cti/cti-program/starter-kit">Program Starter Kit</a></li><li><a href="/global/sigs/cti/cti-program/resources">Resources and supporting materials</a></li></ul></li></ul></li><li><a href="/global/sigs/digital-safety">Digital Safety SIG</a></li><li><a href="/global/sigs/dns">DNS Abuse SIG</a><ul><li><a href="/global/sigs/dns/policies">Code of Conduct &amp; Other Policies</a></li><li><a href="/global/sigs/dns/dns-abuse-examples">Examples of DNS Abuse</a></li></ul></li><li><a href="/global/sigs/ethics">Ethics SIG</a><ul><li><a href="/global/sigs/ethics/ethics-first">Ethics for Incident Response Teams</a></li></ul></li><li><a href="/epss/">Exploit Prediction Scoring System (EPSS)</a><ul><li><a href="/epss/model">The EPSS Model</a></li><li><a href="/epss/data_stats">Data and Statistics</a></li><li><a href="/epss/user-guide">User Guide</a></li><li><a href="/epss/research">EPSS Research and Presentations</a></li><li><a href="/epss/faq">Frequently Asked Questions</a></li><li><a href="/epss/who_is_using">Who is using EPSS?</a></li><li><a href="/epss/epss_tools">Open-source EPSS Tools</a></li><li><a href="/epss/api">API</a></li><li><a href="/epss/papers">Related Exploit Research</a></li><li><a>Blog</a><ul><li><a href="/epss/articles/prob_percentile_bins">Understanding EPSS Probabilities and Percentiles</a></li><li><a href="/epss/articles/log4shell">Log4Shell Use Case</a></li><li><a href="/epss/articles/estimating_old_cvss">Estimating CVSS v3 Scores for 100,000 Older Vulnerabilities</a></li></ul></li><li><a href="/epss/partners">Data Partners</a></li></ul></li><li><a href="/global/sigs/msr/">FIRST Multi-Stakeholder Ransomware SIG</a></li><li><a href="/global/sigs/hfs/">Human Factors in Security SIG</a></li><li><a href="/global/sigs/ics">Industrial Control Systems SIG (ICS-SIG)</a></li><li><a href="/global/sigs/iep">Information Exchange Policy SIG (IEP-SIG)</a></li><li><a href="/global/sigs/information-sharing">Information Sharing SIG</a><ul><li><a href="/global/sigs/information-sharing/misp">Malware Information Sharing Platform</a></li></ul></li><li><a href="/global/sigs/le">Law Enforcement SIG</a></li><li><a href="/global/sigs/malware">Malware Analysis SIG</a><ul><li><a href="/global/sigs/malware/ma-framework">Malware Analysis Framework</a></li><li><a href="/global/sigs/malware/ma-framework/malwaretools">Malware Analysis Tools</a></li></ul></li><li><a href="/global/sigs/metrics">Metrics SIG</a><ul><li><a href="/global/sigs/metrics/events">Metrics SIG Webinars</a></li></ul></li><li><a href="/global/sigs/netsec/">NETSEC SIG</a></li><li><a href="/global/sigs/passive-dns">Passive DNS Exchange</a></li><li><a href="/global/sigs/policy">Policy SIG</a></li><li><a href="/global/sigs/psirt">PSIRT SIG</a></li><li><a href="/global/sigs/red-team">Red Team SIG</a></li><li><a href="/global/sigs/cpg">Retail and Consumer Packaged Goods (CPG) SIG</a></li><li><a href="/global/sigs/ctf">Security Lounge SIG</a></li><li><a href="/global/sigs/tic/">Threat Intel Coalition SIG</a><ul><li><a href="/global/sigs/tic/membership-rules">Membership Requirements and Veto Rules</a></li></ul></li><li><a href="/global/sigs/tlp">Traffic Light Protocol (TLP-SIG)</a></li><li><a href="/global/sigs/transport">Transportation and Mobility SIG</a></li><li><a href="/global/sigs/vulnerability-coordination">Vulnerability Coordination</a><ul><li><a href="/global/sigs/vulnerability-coordination/multiparty">Multi-Party Vulnerability Coordination and Disclosure</a></li><li><a href="/global/sigs/vulnerability-coordination/multiparty/guidelines">Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure</a></li></ul></li><li><a href="/global/sigs/vrdx">Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)</a><ul><li><a href="/global/sigs/vrdx/vdb-catalog">Vulnerability Database Catalog</a></li></ul></li><li><a href="/global/sigs/wof">Women of FIRST</a></li></ul></li><li><a href="/global/governance">Internet Governance</a></li><li><a href="/global/irt-database">IR Database</a></li><li><a href="/global/fellowship">Fellowship Program</a><ul><li><a href="https://portal.first.org/fellowship">Application Form</a></li></ul></li><li><a href="/global/mentorship">Mentorship Program</a></li><li><a href="/hof">IR Hall of Fame</a><ul><li><a href="/hof/inductees">Hall of Fame Inductees</a></li></ul></li><li><a href="/global/victim-notification">Victim Notification</a></li><li><a href="/volunteers/">Volunteers at FIRST</a><ul><li><a href="/volunteers/list">FIRST Volunteers</a></li><li><a href="/volunteers/participation">Volunteer Contribution Record</a></li></ul></li><li><a href="#new">Previous Activities</a><ul><li><a href="/global/practices">Best Practices Contest</a></li></ul></li></ul></li><li><a href="/standards">Standards &amp; Publications</a><ul><li><a href="/standards">Standards</a><ul><li><a href="/cvss">Common Vulnerability Scoring System (CVSS-SIG)</a></li><li><a href="/tlp">Traffic Light Protocol (TLP)</a><ul><li><a href="/tlp/use-cases">TLP Use Cases</a></li></ul></li><li><a href="/standards/frameworks/">Service Frameworks</a><ul><li><a href="/standards/frameworks/csirts">CSIRT Services Framework</a></li><li><a href="/standards/frameworks/psirts">PSIRT Services Framework</a></li></ul></li><li><a href="/iep">Information Exchange Policy (IEP)</a><ul><li><a href="/iep/iep_framework_2_0">IEP 2.0 Framework</a></li><li><a href="/iep/iep-json-2_0">IEP 2.0 JSON Specification</a></li><li><a href="/iep/iep-polices">Standard IEP Policies</a><ul><li><a href="https://www.first.org/iep/2.0/first-tlp-iep.iepj">IEP TLP Policy File</a></li><li><a href="https://www.first.org/iep/2.0/first-unknown-iep.iepj">IEP Unknown Policy File</a></li></ul></li><li><a href="/iep/iep_v1_0">IEP 1.0 Archive</a></li></ul></li><li><a href="/global/sigs/passive-dns">Passive DNS Exchange</a></li><li><a href="/epss">Exploit Prediction Scoring System (EPSS)</a></li></ul></li><li><a href="/resources/papers">Publications</a></li></ul></li><li><a href="/events">Events</a></li><li><a href="/education">Education</a><ul><li><a href="/education/first-training">FIRST Training</a><ul><li><a href="/education/trainings">Training Courses</a></li><li><a href="/education/trainers">FIRST Trainers</a></li></ul></li></ul></li><li><a href="/blog">Blog</a></li></ul> </div> </div> <div id="home-buttons"> <p><a href="/join" data-title="Join"><img alt="Join" src="/_/img/icon-join.svg"><span class="tt-join">Join<span>Details about FIRST membership and joining as a full member or liaison.</span></span></a> <a href="/learn" data-title="Learn"><img alt="Learn" src="/_/img/icon-learn.svg"><span class="tt-learn">Learn<span>Training and workshop opportunities, and details about the FIRST learning platform.</span></span></a> <a href="/participate" data-title="Participate"><img alt="Participate" src="/_/img/icon-participate.svg"><span class="tt-participate">Participate<span>Read about upcoming events, SIGs, and know what is going on.</span></span></a></p> </div></div></div></header><div id="body" data-studio="CU52CV1W8g"><div id="c1" data-studio="Yu8FjCC11g" class="toc-h2 toc-h3 toc-h4 block-example image-center data-preview"><h1 id="Machine-and-Human-Analysis-Techniques-and-Intelligence-Cycle">Machine and Human Analysis Techniques (and Intelligence Cycle)</h1> <h2 id="Analysis-Techniques">Analysis Techniques</h2> <h3 id="Strategic-Intelligence-Analysis">Strategic Intelligence Analysis</h3> <p>In order to understand how to analyze information we must first understand the information hierarchy also known as the Data, Information, Knowledge, and Wisdom pyramid.</p> <p><img src="../img/Machine-Human-Analysis-Techniques-01.png" alt="Strategic Intelligence Analysis" /> </p> <p>This pyramid is a graphical representation of how data is transformed into wisdom:</p> <ul> <li>The Data and Information levels are located within the Information Management section because we will need to gather data based on the Priority Information Requirements</li> <li>This data needs to be managed so that we can filter out the unnecessary pieces to obtain information</li> <li>After all of the information has been analyzed, it can then be moved and maintained in the Knowledge Management section</li> <li>From all of the information that has been gathered, the intelligence that has been developed will support the commander in making a decision</li> </ul> <h4 id="How-does-this-look-in-an-information-security-organization">How does this look in an information security organization?</h4> <p><img src="../img/Machine-Human-Analysis-Techniques-02.png" alt="Information Security Organization" /> </p> <ul> <li>The Data level, we will begin by gathering information from the security tools that we implement within the environment.</li> <li>At the Information level, we will filter out information based on our PIRs. Examples can be KPIs or pattern recognition from AI or machine learning tools.</li> <li>Once the information is filtered, we can move it through our risk analysis processes and weigh what our options are.</li> <li>We will then be able to present to our stakeholders with the information necessary to make a decision.</li> </ul> <h4 id="Intelligence-and-Cyber-Security">Intelligence and Cyber Security</h4> <p>“Cyber intelligence is the ability to gain knowledge about an enterprise and its existing conditions and capabilities in order to determine the possible actions of an adversary when exploiting inherit critical vulnerabilities. It uses multiple information security disciplines (threat intelligence, vulnerability management, security configuration management, incident response, and so on) and tool sets to gather information about the network through monitoring and reporting to provide decision makers at all levels to prioritize risk mitigation.”</p> <h4 id="Priority-Information-Requirements">Priority Information Requirements</h4> <p><img src="../img/Machine-Human-Analysis-Techniques-03.png" alt="Priority Information Requirements" /></p> <p>Military commanders make decisions based on specific pieces of data that pertain to solving a specific question. Gathering of that information for the commander is based on a term called Priority Information Requirements (PIRs). These PIRs are what drives intelligence gathering operations as it provides guidance on what information is the most important to the commander so that they can plan for the next steps.</p> <p>Good PIRs have three criteria:</p> <ol> <li>They ask only one question</li> <li>They focus on a specific fact, event, or activity</li> <li>They provide intelligence required to support a single decision</li> </ol> <p>Military examples:</p> <ul> <li>What size force is defending objective A?</li> <li>Will enemy battalion X arrive before Y time on Z date?</li> <li>How many obstacles are on D road that will impede our movement?</li> </ul> <p>The same logic can be used within private organizations with the use of Key Performance Indicators or Key Risk Indicators. Leaders will have to provide targets, the means to measure them in order to validate whether or not they have met thresholds that are within or out of defined thresholds. Having a top-down approach when defining specific information to be derived from multiple security tools, will fuel an organization’s capability to prioritize and analyze information to be accurate, timely, and actionable.</p> <p>Below are examples from the first two Center for Internet Security Controls</p> <ol> <li>Do we have an inventory of authorized and unauthorized devices?</li> </ol> <ul> <li>Tactical: Do we have a complete list of authorized devices? <ul> <li>Operational: How are we continuing to gather this list?</li> </ul></li> <li>Tactical: Do we have the capability of identifying unauthorized devices? <ul> <li>Operational: Where are we finding these devices?</li> </ul></li> </ul> <ol start="2"> <li>Do we have an inventory of authorized and unauthorized software?</li> </ol> <ul> <li>Operational: Where are these located?</li> <li>Operational: What security tools are in place to ensure that the information does not get compromised?</li> <li>Operational: Where do the systems with this software exist? <ul> <li>Tactical: Do we have a list of authorized software?</li> <li>Tactical: What are our most critical applications?</li> <li>Tactical: How are we protecting these?</li> <li>Tactical: Do we have a list of unauthorized software?</li> </ul></li> </ul> <p>The above scenarios provided multiple points of intelligence gathering to provide a holistic view of an organization’s risk exposure and propensity to exploited by adversaries.</p> <p><img src="../img/Machine-Human-Analysis-Techniques-04.png" alt="image 04" /></p> <p>The Defense Acquisition Guidebook (DAG), Chapter 7, provides guidance to Program Managers (PMs) on how to use intelligence information and data to ensure maximum warfighting capability at a minimum risk to cost and schedule.</p> <p>“The ‘intelligence cycle’ is a process which forms the basis of operations in government organizations like the CIA and the NSA. It very broadly outlines the stages of developing raw information into finished intelligence for policy makers to use in decision making.”</p> <h4 id="The-Intelligence-Cycle">The Intelligence Cycle</h4> <p><img src="../img/Machine-Human-Analysis-Techniques-05.png" alt="The Intelligence Cycle" /></p> <ol> <li>Planning and Direction</li> </ol> <ul> <li>This category includes the receipt, identification, and prioritization of intelligence requirements; the development of concepts of intelligence operations and architectures; tasking appropriate intelligence elements for the collection of information or the production of finished intelligence; and submitting requests for collection, exploitation, or all-source production support to external, supporting intelligence entities.</li> </ul> <ol start="2"> <li>Collection</li> </ol> <ul> <li>Collection includes those activities related to the acquisition of data needed to satisfy specified requirements. This is managed by collection managers, whose duties include selecting the most-appropriate, available asset(s) and associated processing, exploitation, and dissemination (PED) and then tasking selected asset(s) and associated PED to conduct collection missions.</li> </ul> <ol start="3"> <li>Processing and Exploitation</li> </ol> <ul> <li>Data initially received from the sensor arrives in various forms, depending on the nature of the sensing device. Depending on the source, the raw input may be in the form of digitized data, unintelligible voice transmissions, or large digital files containing un-rectified images of the Earth. This collection output is converted by sensor-specific processing measures into visual, auditory, or textual information that is intelligible to humans, and can then be used by intelligence analysts and other consumers. The data conversion may be automated using algorithmic fusion, cuing, data analytics, and automated exploitation. Exploitation entails the further translation and contextualizing of information resulting from collection and initial processing into a product the planner, decision-maker, or intelligence analyst can assimilate cognitively.</li> </ul> <ol start="4"> <li>Analysis and Production</li> </ol> <ul> <li>During analysis and production, intelligence is produced from the information gathered by collection capabilities, and from the refinement and compilation of intelligence received from external organizations. All available processed information is integrated, evaluated, analyzed, and interpreted to create products that will satisfy requesters or users.</li> </ul> <ol start="5"> <li>Dissemination and Feedback</li> </ol> <ul> <li>The Right Format: Choose to present your intelligence in a format that your stakeholders can consume and understand. For example, you may not need to include everything you discovered for decision making, so work on summarizing information.</li> <li>The Right Hands: Intelligence can only be applied when made available to the correct people. Map types of intelligence not only to job titles, but to team responsibilities.</li> <li>The Right Time:Even the most relevant intelligence can be rendered useless if it’s out of date. This means you need to balance the time it will take to produce intelligence with any action that needs to be taken.</li> <li>The Right Medium: It’s not just what you communicate, but how. Choose communication methods that will reach your relevant stakeholders the most quickly and effectively.</li> <li>This category involves the timely distribution of critical information and finished intelligence, readily accessible by the user, to the appropriate consumer. The movement toward a net-centric environment has reduced the technical challenges related to information dissemination. Nevertheless, intelligence infrastructure (such as intelligence networks, systems, and software) and intelligence resources</li> </ul> <h4 id="Technical-Intelligence-analysis">Technical Intelligence analysis</h4> <p>Technical intelligence need to be accurate, timely, and actionable. Analysis methodologies are designed to provide with better ways to operationalize technical data in support of security operations.</p> <p>Intelligence at this level is focused mostly on indicators of compromise (IOCs) and signatures.<a href="#fn-1" id="fnref-1"><sup>1</sup></a></p> <p>The analysis phase of the threat intelligence lifecycle aims at evaluating, analyzing and interpreting the processed information against the program’s requirements (planning phase) to provide analytic judgments that determine confidence, relevance and threat impact of the collected data.</p> <h3 id="Structured-Human-Analysis-Techniques">Structured Human Analysis Techniques</h3> <p><em>CONTENT UNDER DEVELOPMENT</em></p> <h4 id="Direction-Collection-Processing-Analysis-Dissemination-Feedback-Review">Direction, Collection, Processing, Analysis, Dissemination, Feedback (Review)</h4> <p><img src="../img/Machine-Human-Analysis-Techniques-06.png" alt="Direction, Collection, Processing, Analysis, Dissemination, Feedback (Review)" /></p> <p>Collecting threat data is the first step in producing threat intelligence.</p> <p>It is fundamental to highlight the difference between indicators and signatures as well as the difference between atomic and composite indicators.</p> <p>A signature should be thought of as a fingerprint (something that have a high confidence) whereas indicators are not as precise and need to be further analyzed and contextualized to produce valuable information.</p> <p>As a result of analyzing indicators we try to move from atomic indicators (a piece of information e.g. an ip) to composite indicators (putting atomic information together).</p> <p>Composite information is much richer in content and can better support security operations.</p> <p>The data collected is going to be as good as the use that you have of it and the analysis phase helps assessing how relevant it is to your environment.</p> <p>Moving from atomic to composite indicators to climb the pyramid of pain.<a href="#fn-2" id="fnref-2"><sup>2</sup></a></p> <h4 id="Data-preparation-steps">Data preparation steps</h4> <p>Def: Data Preparation is the process of (collecting), cleaning, and consolidating data into one file or data table, primarily for use in analysis.</p> <ol> <li> <p>Data consolidation refers to the collection and integration of data from multiple sources into a single destination. During this process, different data sources are put together, or consolidated, into a single data store.&lt;br/ &gt; Adding more context to the atomic data to leverage pivoting points for aggregation, correlation and visualization capabilities.&lt;br/ &gt; Sources for network atomic indicators enrichment:</p> <ul> <li>pDNS (A, AAAA, PTR... records)</li> <li>AS</li> <li>ASN</li> <li>Geolocation data</li> <li>BGP lookups</li> <li>…</li> </ul> </li> </ol> <p>Enriched technical indicators’ keys:<br />Standards#AtomicNetworkIndicators</p> <ol start="2"> <li> <p>Data cleansing:</p> <p>Data cleansing or data cleaning is the process of detecting and correcting (or removing) corrupt or inaccurate records from a record set, table, or database and refers to identifying incomplete, incorrect, inaccurate or irrelevant parts of the data and then replacing, modifying, or deleting the dirty or coarse data.(wiki)</p> <p>Removing well-known indicators that can be associated to potential false positives, errors or mistakes.</p> <p>MISP offers a list of 31 sources for data cleansing.<a href="#fn-3" id="fnref-3"><sup>3</sup></a> .</p> </li> </ol> <p><br /></p> <hr /> <p>ref: </p> <ol> <li><a id="fn-1"></a> Practical Cyber Intelligence <a href="#fnref-1">^</a></li> <li><a id="fn-2"></a> <a href="https://www.dau.mil/guidebooks/Shared%20Documents%20HTML/Chapter%207%20Intelligence%20Support%20and%20Acquisition.aspx#toc35">Intelligence Support and Acquisition</a> <a href="#fnref-2">^</a></li> <li><a id="fn-3"></a> <a href="https://www.recordedfuture.com/government-intelligence-cycle/">Applying Government Intelligence Strategies to Commercial Organizations</a> <a href="#fnref-3">^</a></li> </ol></div></div><div id="navbar" data-studio="CU52CV1W8g"><div id="c4" data-studio="Yu8FjCC11g"><ul class="navbar"><li><a href="/global/sigs/cti">Cyber Threat Intelligence SIG</a><ul><li><a href="/global/sigs/cti/curriculum/">Curriculum</a><ul><li><a href="/global/sigs/cti/curriculum/introduction">Introduction</a></li><li><a href="/global/sigs/cti/curriculum/cti-introduction">Introduction to CTI as a General topic</a></li><li><a href="/global/sigs/cti/curriculum/methods-methodology">Methods and Methodology</a></li><li><a href="/global/sigs/cti/curriculum/pir">Priority Intelligence Requirement (PIR)</a></li><li><a href="/global/sigs/cti/curriculum/source-evaluation">Source Evaluation and Information Reliability</a></li><li><a href="/global/sigs/cti/curriculum/machine-human">Machine and Human Analysis Techniques (and Intelligence Cycle)</a></li><li><a href="/global/sigs/cti/curriculum/threat-modelling">Threat Modelling</a></li><li><a href="/global/sigs/cti/curriculum/training">Training</a></li><li><a href="/global/sigs/cti/curriculum/standards">Standards</a></li><li><a href="/global/sigs/cti/curriculum/glossary">Glossary</a></li><li><a href="/global/sigs/cti/curriculum/cti-reporting/">Communicating Uncertainties in CTI Reporting</a></li></ul></li><li><a href="/global/sigs/cti/events/">Webinars and Online Training</a></li><li><a href="/global/sigs/cti/cti-program">Building a CTI program and team</a><ul><li><a href="/global/sigs/cti/cti-program/program-stages">Program maturity stages</a><ul><li><a href="/global/sigs/cti/cti-program/stage1">CTI Maturity model - Stage 1</a></li><li><a href="/global/sigs/cti/cti-program/stage2">CTI Maturity model - Stage 2</a></li><li><a href="/global/sigs/cti/cti-program/stage3">CTI Maturity model - Stage 3</a></li></ul></li><li><a href="/global/sigs/cti/cti-program/starter-kit">Program Starter Kit</a></li><li><a href="/global/sigs/cti/cti-program/resources">Resources and supporting materials</a></li></ul></li></ul></li></ul></div></div><div id="sidebar" data-studio="CU52CV1W8g"><div id="c5" data-studio="Yu8FjCC11g" class="h3labels subbox"><div id="toc" class="not-floating"></div></div></div><footer><div id="footer" data-studio="CU52CV1W8g"><div id="c2" data-studio="Yu8FjCC11g"><div class="content"> <div class="support"> <div class="kbsearch bottom"> <p><a href="https://support.first.org"><img src="/_/img/icon-portal_support.svg" alt="FIRST Support" title="FIRST Support" /></a> <input class="kb-search" type="search" placeholder="Do you need help?"></p> </div> </div> <div id="socialnetworks"><a href="/about/sdg" title="FIRST Supported Sustainable Development Goals (SDG)" class="icon-sdg"></a><a rel="me" href="https://infosec.exchange/@firstdotorg" target="_blank" title="@FIRSTdotOrg@infosec.exchange" class="icon-mastodon"></a><a href="https://twitter.com/FIRSTdotOrg" target="_blank" title="Twitter @FIRSTdotOrg" class="icon-tw"></a><a href="https://www.linkedin.com/company/firstdotorg" target="_blank" title="FIRST.Org at LinkedIn" class="icon-linkedin"></a><a href="https://www.facebook.com/FIRSTdotorg" target="_blank" title="FIRST.Org at Facebook" class="icon-fb"></a><a href="https://github.com/FIRSTdotorg" target="_blank" title="FIRST.Org at Github" class="icon-github"></a><a href="https://www.youtube.com/c/FIRSTdotorg" target="_blank" title="FIRST.Org at Youtube" class="icon-youtube"></a><a href="/podcasts" title="FIRST.Org Podcasts" class="icon-podcast"></a></div> <p><a href="/copyright">Copyright</a> © 2015—2024 by Forum of Incident Response and Security Teams, Inc. All Rights Reserved.</p> </div> <p><span class="tlp"></span></p></div></div></footer><script nonce="fbeHTQEyUHrkTNuJGeFdQg" async="async" src="/_/web.js?20241125212614"></script><script nonce="fbeHTQEyUHrkTNuJGeFdQg" async="async" src="/_/s.js?20241125-212616"></script></body></html>

Pages: 1 2 3 4 5 6 7 8 9 10