GitBook: Introducing Cyber Threat Intel Lifecycle Hub
A conceptual structure that utilizes the common 6 point Cyber Threat Intel Lifecycle framework to help manage and drive your CTI Program.
Background
The Cyber Threat Intel Lifecycle Hub or CTILH (See-till) has been an item I’ve been building out personally for quite some time whilst researching and learning more about CTI - more specifically, it’s derived from reading 📘 Recorded Future | The Intelligence Handbook (PDF).
The idea of CTILH is neither new nor proprietary; it’s a structure derived from existing open-source concepts, frameworks and research. I highly recommend reading 📘 Recorded Future | The Intelligence Handbook (PDF).
I've created CTILH for myself whilst continuing to educate myself on the subject and to understand how elements of the Threat Intelligence Lifecycle can be applied day to day.
What is it?
Whilst researching and learning more about CTI, I’ve struggled to find a consistent structure for processes, obligations and record keeping, and to see how this can be simplified while still being of value at a day-to-day level.
I’ve been asking myself:
How can the lifecycle associated with CTI and its offerings be ‘containerized/packaged’?
How could elements of the CTI lifecycle be tracked - not only for organizations but also for those wanting to learn CTI processes and governance?
How can you position the CTI lifecycle front and center for consumers, enabling them to understand and reference key stages or subsections?
This is how I came up with CTILH and its inherent structure.
CTILH is not new and not proprietary; it’s application- and solution-agnostic, based on the common 6-point lifecycle for Threat Intelligence - that simple.
What’s the intent?
The intention is for CTILH to act as, or become, your primary hub or portal for your Threat Intelligence Program.
You build out the structure around the 6 lifecycle stages, create subsections under each for the specific key areas that need to be tracked or matured, add the appropriate content and adjust the layout as required.
The hub becomes your go-to area for all things relating to how and why you run a CTI Program. You can share elements with the respective parties or consumers, and you have a centralized point of reference to easily find and recall specific items.
What’s the value?
Just to name a few…
CTILH provides a structure that can be used to manage and maintain your CTI Program.
It’s a starting point for people to build on.
It allows those new to CTI to understand the most important thing - the lifecycle: what is derived from CTI, who consumes it, and how to track the maturity of the program over time.
It enables you to establish a single point from which to execute all elements of your CTI program (governance).
Additionally, CTILH allows you to reference the stages and subsections in documents, discussions and for auditing purposes, e.g. “CTI401 - Threat Actors and eCriminals”, and can help build out relationships between items.
How to access
If you’re expecting CTILH to be a silver-bullet program on how to plan and execute a CTI Program, you’re looking in the wrong place.
Navigate to https://m1019.gitbook.io/kb/
Under “Concepts, Frameworks & Structures” you will find CTILH.
What I’ve put together is a conceptual structure that only provides explanations and example ideas of what you might want to include, based on my own personal research and knowledge of the CTI space.
This should act as a guide for you to follow and adapt to your requirements.
Take the structure and build it out in SharePoint, GitBook, Google Drive - it doesn’t matter; the main thing is to first consider whether it could work for you and your requirements around your CTI Program or CTI education.
I highly recommend checking out the simple ‘How to get started’ section.
Additionally, these resources:
🌐 Recorded Future | Threat Intelligence Lifecycle Phases (Web).
🎓 Recorded Future | Threat Intelligence Fundamentals Training (Web).
Hope this helps someone as it will help me as I continue to explore the CTI lifecycle.
Till next time…