Having a Threat Intelligence Platform (TIP) is a good thing for the CTI team. However, this raises the follow-up question:
How do you select the best TIP for your organisation?
The answer to this question lies in the requirements of the CTI team and in the use cases, common tasks and analytical problems that its analysts spend their time on. Identifying these is the very first step, as shown in the image below. This blog post focuses on Threat Intelligence Platform (TIP) functional requirements.
As Pasquale Stirparo said during FIRST CTI 2019, “Your requirements are not my requirements”! In practice this means that different CTI teams have different needs in terms of the technology needed to support their CTI process. CTI teams should do their “homework” and document these requirements. This blog post can help CTI teams identify (or revise) their technology requirements, i.e. the technology enablement needed to support their CTI process.
Back in 2017, I authored a report for the European Union Agency for Cybersecurity (ENISA) on Threat Intelligence Platforms (TIPs), titled “Exploring the opportunities and limitations of current Threat Intelligence Platforms”. I was really nervous when the report was released and waited for feedback from the TIP vendors as well as the CTI community. The report was well received and I have been invited a number of times to present this research to TIP vendors. While the report provides a snapshot of the TIP landscape as it was in 2017, one part of it is still valid today: Annex B contains a thorough list of functional requirements for Threat Intelligence Platforms, grouped by phase of the intelligence cycle.
Quoting Intel471’s Mark Arena, “Your intelligence program’s maturity is based on your ability to do each part of the intelligence cycle”. What does this mean? CTI teams should implement every phase of the intelligence cycle efficiently, and therefore need to identify the technology requirements of each phase. The success or failure of one step in the intelligence cycle ripples through the entire cycle: weak collection starves analysis, and weak dissemination wastes good analysis.
On 22nd January 2021, during my presentation at the SANS CTI Summit 2021, I released an Excel document that contains the list of TIP functional requirements grouped by intelligence cycle phase. Organisations are welcome to use it to identify or revise their technology requirements for each phase of their intelligence cycle process.
The Excel document includes the below columns:
- Requirement Number – a sequential number for each functional requirement.
- Intelligence Cycle Phase – planning, collection, exploitation, analysis or dissemination.
- Category – within each intelligence cycle phase, the sub-category the functional requirement belongs to.
- MoSCoW Rating – the priority (Must have, Should have, Could have, Won't have) your team assigns to the requirement; make sure every identified requirement gets one.
- Capability (New/Enhancement) – whether the capability provided by the TIP would be new for the CTI team or an enhancement of an existing one.
- Functional Requirement Description – the high-level description of the functional requirement.
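Once the sheet is filled in, it is worth sanity-checking it before taking it to vendor demos: are all ratings valid, and does every phase of the intelligence cycle have at least one Must-have? The script below is an added example and is not part of the original post or of the Excel document. It works on a CSV export with the same six columns; the rows, the requirement texts and the single-letter M/S/C/W convention for the MoSCoW column are constructed sample data, not the contents of the v1.0 spreadsheet.

```python
"""Added example (not from the original post or the TIP requirements sheet):
load a TIP functional-requirements sheet exported to CSV, validate the
MoSCoW ratings and show coverage of the five intelligence cycle phases.
The rows below are constructed sample data, not the v1.0 spreadsheet."""
import csv
import io
from collections import Counter, defaultdict

# The five intelligence cycle phases used by the sheet.
PHASES = ["planning", "collection", "exploitation", "analysis", "dissemination"]
# MoSCoW priorities: Must have, Should have, Could have, Won't have (this time).
# Assumption: the column is filled with the single letter, not the full word.
MOSCOW = {"M", "S", "C", "W"}

# Constructed sample export with the sheet's six columns. The requirement
# texts are hypothetical and only illustrate the shape of a filled-in row.
SAMPLE_CSV = """\
Requirement Number,Intelligence Cycle Phase,Category,MoSCoW Rating,Capability (New/Enhancement),Functional Requirement Description
1,planning,Requirements management,M,New,Record intelligence requirements and link them to stakeholders
2,collection,Feed ingestion,M,Enhancement,Ingest STIX 2.1 bundles over TAXII 2.1
3,collection,Feed ingestion,S,New,Ingest unstructured reports (PDF) and extract indicators
4,exploitation,Normalisation,M,New,Deduplicate indicators across sources and keep source attribution
5,analysis,Pivoting,C,New,"Graph view linking indicators, malware and threat actors"
6,dissemination,Export,S,Enhancement,Push confidence-scored indicators to the SIEM via API
7,analysis,Scoring,X,New,Row with an invalid MoSCoW rating (should be flagged)
"""


def parse_requirements(csv_text):
    """Return one dict per requirement, keyed by the sheet's column headers."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def invalid_ratings(reqs):
    """Requirement numbers whose MoSCoW Rating is not one of M/S/C/W."""
    return [r["Requirement Number"] for r in reqs
            if r["MoSCoW Rating"].strip().upper() not in MOSCOW]


def coverage_by_phase(reqs):
    """Map each phase to a Counter of MoSCoW ratings (valid rows only).
    Every phase appears, even with an empty Counter, so gaps in the
    intelligence cycle are visible at a glance."""
    cov = {p: Counter() for p in PHASES}
    for r in reqs:
        rating = r["MoSCoW Rating"].strip().upper()
        phase = r["Intelligence Cycle Phase"].strip().lower()
        if rating in MOSCOW and phase in cov:
            cov[phase][rating] += 1
    return cov


def phases_without_must(reqs):
    """Phases with no Must-have requirement. A team that cannot name one
    non-negotiable capability for a phase has either not thought that
    phase through or does not intend the TIP to support it."""
    cov = coverage_by_phase(reqs)
    return [p for p in PHASES if cov[p]["M"] == 0]


def vendor_shortlist_criteria(reqs):
    """Must-have descriptions grouped by phase: the minimum a TIP must meet
    before the Should/Could items are worth evaluating."""
    out = defaultdict(list)
    for r in reqs:
        if r["MoSCoW Rating"].strip().upper() == "M":
            out[r["Intelligence Cycle Phase"].strip().lower()].append(
                r["Functional Requirement Description"])
    return dict(out)


if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_CSV)
    print("rows with an invalid MoSCoW rating:", invalid_ratings(reqs))
    for phase, counts in coverage_by_phase(reqs).items():
        print(f"{phase:14s}", dict(counts))
    print("phases without a Must-have:", phases_without_must(reqs))
    print("shortlist criteria:", vendor_shortlist_criteria(reqs))
```

On the constructed rows, row 7 is reported as invalid and both analysis and dissemination come back without a Must-have, which is exactly the kind of gap Mark Arena's point about maturity across every phase is meant to surface before a vendor demo rather than after a purchase.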
Version 1.0 of the document is released now; if you have any feedback (e.g. enriching the document with non-functional requirements), feel free to reach out so that we can work on it together. I hope you find this resource useful and, as always, any feedback is more than welcome!
GitHub repository – https://github.com/sfakiana/SANS-CTI-Summit-2021
Link to TIP Requirements Excel document (v1.0) – https://github.com/sfakiana/SANS-CTI-Summit-2021/blob/main/TIP_Functional_Requirements_v1.0.xlsx
SANS CTI Summit presentation slides: