In Stage 3, the organization will start focusing more on the data generated internally to actively discover threats and produce a product that can be shared outside of the company. At this point, the team will employ the full CTI cycle to create this product. This product with be internally - other business units or externally focused - customers, partners, and in some cases, the general public through online publication (blog posts, conference lectures, etc.), usually fulfilling a marketing role. The team will also keep track of particular adversary groups, tools, and techniques specific to their interest.
In this phase, the organization will be well connected to its peer teams in other companies. In the third stage, the majority of external feeds are used as pivot points for enriching, enhancing, and validating TI. Internally intelligence is generated based on raw security events, artifacts, SIGINT, OSINT, and HUMINT approaches. The organization thinks in terms of Strategic, Operational, Tactical, and Technical indicators, it uses several models and frameworks to trace TTPs, Campaigns, and Threat actors. Automation within the CTI team is significantly increased. Most repeatable processes are heavily automated, while human resources are mostly used for generating TI from TTPs level and above. Researchers reach the point where they see that repetitive tasks can be automated, thus reducing their workload and time spent on monotonous tasks; therefore, increasing the time researching areas where automation is not as successful. Using the Pyramid of Pain as a reference, the bottom layer, Tactical/Technical intelligence, can be largely automated. Operational Intelligence can be somewhat automated, and Strategic Intelligence is possibly the most difficult to automate. Automation will also include knowledge management within their preferred TIP. The use of AI with CTI has huge potential and could reduce analyst manual workload requirements, which will permit the CTI team to focus on deeper and higher-threat topics as determined within their corporate RM process.
The shift into automation significantly shifts the time spent hunting versus sweeping. Automation can be used to sweep based on Tactical and some Operational Intelligence. If AI is incorporated, it can be used to identify additional items based on Operational and Strategic intelligence. Additionally, as more tasks are automated, this permits CTI analysts to identify Operational and Strategic intelligence-based research for hunting and pivoting activities.
As mentioned earlier, in some cases, the product will be released to the general public. However, this requires a high level of support and prioritization from organizational leadership (Executives, Legal, etc.), which usually is the business model of some Security and Threat Intelligence service providers. Vendors and security researchers largely pursue publication and conference series as an integral part of their larger marketing and thought leadership campaigns.
The full impact and understanding of the differences within Tactical, Operational, and Strategic intelligence is realized. How intelligence is processed by the CTI Team’s different consumers (Technical and Non-Technical) is now a natural part of their internal workflow. Additionally, the incorporation of geo-political strategic events and how those could impact the organization’s business is included as part of their research focus. This means the CTI team is aware and has some input into corporate decisions. Additionally, this identifies that executive leadership is aware of the CTI and will utilize their knowledge.
With the increased understanding of strategic concerns, the CTI Team must incorporate geo-political awareness through following academic, mass media, and proprietary publications, as well as social media and other OSINT sources. They may even consider hiring analysts from other fields not related to cyber, such as geopolitics, economics, and other relevant fields of study. This increases the geopolitical and cultural awareness of what threat actors could be using within lures and, more importantly, brings an understanding of possible threat actor motivations. Understanding motivations is Strategic Intelligence and could be used to counter some aspects of threat actor’s campaigns. Or at least understand which threat actor groups might be geo-politically motivated to target the organizations based on public announcements or decisions.