Stage 1 is unstructured, lacks the rigor of a formal process framework, and marks the beginning of a CTI program. CTI support focuses on the lower levels of the Pyramid of Pain, as seen above. Early CTI analysts concentrate on the tactical intelligence of IP addresses, domains, and hashes. This is natural: those are the building blocks of CTI analysis, and tactical/technical intelligence is the easiest to understand and identify.
The CTI analyst function is typically a secondary duty rather than an official position within the incident response function; its tasks are performed when time permits or in support of a security event. It is important to recognize that the person(s) completing CTI tasks most likely do not hold this role as their full-time position.
In Stage 1, the team will solely consume automated CTI feeds of observables, in order to acquire a few high-fidelity, semi-automated sources.
During this stage, the capability to process those automated indicators will be built and tuned. The indicators will be used to enrich internal data sources and to flag or alert on matches, but not for automated blocking.
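As an added illustration, not part of the original document, the following Python script is the kind of minimal pipeline a Stage 1 team might build: it ingests a constructed indicator feed, normalizes and deduplicates the observables (merging the same indicator from two sources and dropping malformed entries), and enriches constructed proxy-log events so that matches are flagged rather than blocked. The feed layout, confidence levels and event field names are assumptions.

```python
import ipaddress

# Constructed sample feed (assumed "type,value,source,confidence" layout) and constructed proxy-log events.
SAMPLE_FEED = """\
ip,198.51.100.23,feed-a,high
domain,Malicious-Example.test.,feed-a,medium
ip,198.51.100.23,feed-b,medium
ip,not-an-ip,feed-b,low
"""
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dst": "198.51.100.23", "domain": "cdn.example.test"},
    {"src": "10.0.0.7", "dst": "203.0.113.9", "domain": "malicious-example.test"},
    {"src": "10.0.0.9", "dst": "203.0.113.10", "domain": "example.test"},
]
RANK = {"low": 0, "medium": 1, "high": 2}

def normalize(kind, value):
    """Canonicalize an observable so feed and log values compare equal; None if malformed."""
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if kind == "domain":
        return value.lower().rstrip(".") or None
    return None

def parse_feed(text):
    """Return {kind: {value: {"sources": [...], "confidence": ...}}}, merging duplicates."""
    indicators = {}
    for line in text.splitlines():
        kind, value, source, confidence = [p.strip() for p in line.split(",")]
        norm = normalize(kind, value)
        if norm is None:
            continue  # drop malformed entries rather than alert on garbage
        entry = indicators.setdefault(kind, {}).setdefault(norm, {"sources": [], "confidence": "low"})
        entry["sources"].append(source)
        if RANK[confidence] > RANK[entry["confidence"]]:
            entry["confidence"] = confidence  # keep the highest confidence seen across feeds
    return indicators

def enrich(events, indicators):
    """Annotate each event with matching indicators; the action is 'flag', never 'block'."""
    out = []
    for ev in events:
        hits = []
        for kind, field in (("ip", "dst"), ("domain", "domain")):
            norm = normalize(kind, ev.get(field, ""))
            if norm is not None and norm in indicators.get(kind, {}):
                hits.append({"type": kind, "value": norm, **indicators[kind][norm]})
        out.append({**ev, "cti_hits": hits, "action": "flag" if hits else "none"})
    return out
```

Feeding `enrich(SAMPLE_EVENTS, parse_feed(SAMPLE_FEED))` into a SIEM or ticketing step gives analysts the source and confidence behind each flag without any enforcement action.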
In this stage, manual collection, categorization, and analysis will be ad hoc and opportunistic. This includes general education and overall environmental awareness, which may reveal trends. This early phase can help organizations think through more defined intelligence requirements and their relative priorities, which become useful in later stages.