Regardless of where we work or what industry we’re in, we all have the same goal: to protect our most valuable assets. The only difference is in what we are trying to protect. Whether it’s data, money or even people, the harsh reality is that it’s difficult to keep them safe because, to put it simply, bad people do bad things.

Sometimes these malicious actors are clever, setting up slow-burning attacks to steal enterprise data over several months or even years. Sometimes they’re opportunistic, showing up in the right place at the wrong time (for us). If a door is open, these attackers will just waltz on in. If a purse is left unattended on a table, they’ll quickly swipe it. Why? Because they can.

The Intelligence Cycle

So how do we fight back? There is no easy answer, but the best course of action in any situation is to follow the intelligence cycle. Honed by intelligence experts across industries over many years, this method can be invaluable to those investigating anything from malware to murders. The process is always the same.

Stage 1: Planning and Direction

The first step is to define the specific job you are working on, find out exactly what the problem is and clarify what you are trying to do. Then, work out what information you already have to deduce what you don’t have.

Let’s say, for example, you’ve discovered a spate of phishing attacks — that’s your problem. This will help scope subsequent questions, such as:

  • What are the attackers trying to get?
  • Who is behind the attacks?
  • Where are attacks occurring?
  • How many attempts were successful?

Once you have an idea of what you don’t know, you can start asking the questions that will help reveal that information. Use the planning and direction phase to define your requirements. This codifies what you are trying to do and helps clarify how you plan on doing it.

Stage 2: Collection

During this stage, collect the information that will help answer your questions. If you cannot find the answers, gather data that will help lead to those answers.

Where this comes from will depend on you and your organization. If you are protecting data from advanced threats, for instance, you might gather information internally from your security information and event management (SIEM) tool. If you’re investigating more traditional organized crime, by contrast, you might knock on doors and whisper to informants in dark alleys to collect your information.

You can try to control the activity of collection by creating plans to track the process of information gathering. These collection plans act as guides to help information gatherers focus on answering the appropriate questions in a timely manner. Thorough planning is crucial in both keeping track of what has been gathered and highlighting what has not.

Stage 3: Processing and Exploitation

Collected information comes in many forms: handwritten witness statements, system logs, video footage, data from social networks, the dark web, and so on. Your task is to make all the collected information usable. To do this, put it into a consistent format. Extract pertinent information (e.g., IP addresses, telephone numbers, asset references, registration plate details, etc.), place some structure around those items of interest and make it consistent. It often helps to load it into a schematized database.

If you do this, your collected information will be in a standard shape and ready for you to actually start examining it. The value is created by putting this structure around the information. It gives you the ability to make discoveries, extract the important bits and understand your findings in the context of all the other information. If you can, show how attacks are connected, link them to bad actors and collate them against your systems. It helps to work with the bits that are actually relevant to the specific thing you’re working on. And don’t forget to reference this new data you collected against all the old stuff you already knew; context is king in this scenario.

This stage helps you make the best decisions you can against all the available information. Standardization is great; it is hard to work with information when it’s in hundreds of different formats, but it’s really easy when it’s in one.

Of course, the real world isn’t always easy. Sometimes it is simply impossible to normalize all of your collected information into a single workable pot. Maybe you collected too much, or the data arrived in too many varied formats. In these cases, your only hope is to invest in advanced analytical tools and analysts that will allow you to fuse this cacophony of information into some sensible whole.

Stage 4: Analysis Production

The analysis production stage begins when you have processed your information into a workable state and are ready to conduct some practical analysis — in other words, you are ready to start producing intelligence.

Think about the original task you planned to work on. Look at all the lovely — hopefully standardized — information you’ve collected, along with all the information you already had. Query it. Ask questions of it. Hypothesize. Can you find the answer to your original question? What intelligence can you draw from all this information? What stories can it tell? If you can’t find any answers — if you can’t hypothesize any actions or see any narratives — can you see what is missing? Can you see what other information you would need to collect that would help answer those questions? This is the stage where you may be able to draw new conclusions out of your raw information. This is how you produce actionable intelligence.

Actionable intelligence is an important concept. There’s no point in doing all this work if you can’t find something to do at the end of it. The whole aim is to find an action that can be performed in a timely manner that will help you move the needle on your particular task.

Finding intelligence that can be acted upon is key. Did you identify that phishing attack’s modus operandi (MO)? Did you work out how that insider trading occurred? It’s not always easy, but it is what your stakeholders need. This stage is where you work out what you must do to protect whatever it is you are safeguarding.

Stage 5: Dissemination

The last stage of the intelligence cycle is to go back to the stakeholders and tell them what you found. Give them your recommendations, write a report, give a presentation, draw a picture — however you choose to do it, convey your findings to the decision-makers who set the task to begin with. Back up your assertions with your analysis, and let the stakeholders know what they need to do in the context of the intelligence you have created.

Timeliness is very important. Everything ages, including intelligence. There’s no point in providing assessments for things that have already happened. You will get no rewards for disseminating a report on what might happen at the London Marathon a week after the last contestant finished. Unlike fine wine, intelligence does not improve with age.

To illustrate how many professionals analyze and subsequently disseminate intelligence, below is an example of an IBM i2 dissemination chart:

The analysis has already happened and, in this case, the chart is telling your boss to go talk to that Gene Hendricks chap — he looks like one real bad egg.

Then what? If you found an answer to your original question, great. If not, then start again. Keep going around the intelligence cycle until you do. Plan, collect, process, analyze, disseminate and repeat.

Gain an Edge Over Advanced Threats

We are all trying to protect our valued assets, and using investigation methodologies such as the intelligence cycle could help stop at least some malicious actors from infiltrating your networks. The intelligence cycle can underpin the structure of your work both with repetitive processes, such as defending against malware and other advanced threats, and targeted investigations, such as searching for the burglars who stole the crown jewels. Embrace it.

Whatever it is you are doing — and whatever it is you are trying to protect — remember that adopting this technique could give your organization the edge it needs to fight back against threat actors who jealously covet the things you defend.

To learn more, read the interactive white paper, “Detect, Disrupt and Defeat Advanced Physical and Cyber Threats.”

Read the white paper

More from Threat Hunting

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today