Forgot About Feedback: Threat Intelligence Lifecycle
A key model in implementing and maintaining a healthy threat intelligence program is the threat intelligence lifecycle. The lifecycle is a continuous and iterative process with multiple stages.
Depending on your source, these stages can differ slightly but in general encompass the following areas: Planning, Collection, Processing, Analysis, Dissemination, and Feedback.
Each stage has its own challenges in implementation but one of them in particular is often overlooked – and not necessarily at the fault of the practitioner.
Evident by its name, the threat intelligence lifecycle is meant to be…a lifecycle. In many intelligence programs the process ends with dissemination, but in the true spirit of a lifecycle, the process should continue.
The feedback stage according to Mastering Cyber Intelligence (Jean Nestor Dahj M.) is “a bridge between the dissemination and the initial phases”. Stakeholders must evaluate and assess the product (intelligence produced by the team) and determine whether it fulfills their needs or not.
Once feedback is collected, it is “then used as the initial objectives for the next cyber threat intelligence (CTI) cycle’s planning and direction phase”, potentially utilizing new sources as needed and the process continues its cycle.
Most threat intelligence practitioners are aware of this phase even if it’s not currently embedded in their process. This phase is typically handled by the intel manager (or collections manager) which a smaller team just might not have. In general, CTI is viewed as a mature function of an information security program and a lack of processes or tools can simply be a result of underfunding.
Nonetheless, it’s important to be aware of the benefits of the feedback stage and assess whether it can be a stage you or your team can implement or iterate on.
Benefits of Feedback
– Implementing the feedback stage into a CTI program can first and foremost reduce the amount of wasted resources and narrow down focus areas. Analysts spend hours collecting and processing data, analyzing, and disseminating actionable intelligence. When reports are fired out to stakeholders and no feedback is given, it’s easiest to assume the status quo. However, a lack of communication at this stage can lead to misunderstandings and unfulfilled expectations. Understanding stakeholder needs ensures reports are targeted, relevant, and most importantly – aren’t a waste of time.
– Feedback can be mistakenly viewed through a narrow lens; practitioners sometimes consider feedback as being only relevant to the final product. This is far from the case as feedback can highlight gaps in earlier stages such as data collection or analysis. Stakeholders may provide feedback that reveals a lack of intelligence on threat actors, malware types, attack vectors, etc. This might mean your collections are lacking or the analysis methods need updating.
Or, feedback could reveal that reports were not actionable, only informational. This could indicate a similar revelation as our previous example or it could mean a revisit to the planning stage in the intelligence lifecycle to improve directives. With countless more examples like the above, one can begin to seriously understand the iterative and cyclic nature of the CTI function.
– Feedback can also help embed stakeholders into the threat intelligence program. As simple recipients of a weekly or monthly report, it’s easy to become detached from the program. The threat intelligence team becomes an automated feed, its intelligence something to glance over and ignore.
When stakeholders see their feedback incorporated they become more invested in the process. This helps build trust and engagement. Their input is valuable and becomes a part of the threat intelligence program. When we play our favorite games or use our favorite platforms and we see its developers take an active approach to listening to its community and implementing feedback, we become more attached. We’re not just being sold a product, we’re improving a process together.
Implementing Feedback
Implementing this stage of the threat intelligence lifecycle is easier said than done or it wouldn’t be overlooked so often. There are numerous challenges to this stage with a primary obstacle being a lack of stakeholder engagement. However, it’s important to remember that your stakeholders are human and may require multiple prompts to engage with your program.
It may be beneficial to implement multiple channels for feedback. What works for one stakeholder may not work for another. Some teams implement simple Google forms alongside their threat intelligence reports while others provide checkbox response fields. Other channels could include dedicated forums or interviews.
Whatever medium you offer for feedback, it’s important to evaluate its capability to capture actionable responses. Like the rest of the intelligence lifecycle, this process should be iterative and improve upon itself as you gain more metrics and a better understanding of how your stakeholders like to provide feedback.
Demonstrating how previous feedback was used to improve the intelligence process should be highlighted too. This can be provided alongside prompts for feedback as a gentle reminder to stakeholders that their voices matter and that they are a part of the intelligence program.
Utilizing “champions” can be another effective measure in incentivizing feedback. Champions are those stakeholders who are most engaged and can act as your inside liaison between your team and other stakeholders. Relationships with champions should be nurtured as they can be a valuable “extension” of your program internally.
Finally, running feedback training sessions may help drive effective feedback. Some stakeholders might happily engage but be unsure how to give valuable responses. These training sessions can provide guidance.
The feedback stage is an integral part of the threat intelligence lifecycle; it’s the bridge between the end and the beginning. This stage is crucial in implementing improvements to the intelligence function by tying everything together. While not always simple to implement, solutions and methodologies do exist to help soothe related challenges.
Remembering the often overlooked feedback stage could help your threat intelligence program become a powerhouse for your organization.
