Full Report
Introduction

This CTI Research Guide aims to help practitioners learn more about how to effectively perform the collection, processing, analysis, and production stages of the CTI lifecycle.

It promotes a repeatable method to keep track of all your sources, categorise them, extract meaningful information, form meaningful takeaways from your research, and document your findings.

It is also useful from the perspective of knowing and tracking what you have already looked at and digested.

By refocusing on what is important for your organisation, you will notice improvements in output and stakeholder satisfaction.

Acknowledgements

Thanks to Curated Intelligence members Steve Ragan, Freddy Murstad, Parthiban Rajendran, Øystein Brekke-Sanderud, Xena Olsen, Chris Campbell, and Grace Chi for reviewing this research guide and providing their insights.

* * *

You can access The CTI Research Guide on our GitHub below:
Analysis Summary
# Best Practices: Cyber Threat Intelligence (CTI) Research and Lifecycle Management
## Overview
These practices focus on establishing a repeatable, structured methodology for Cyber Threat Intelligence (CTI) practitioners to effectively manage the CTI lifecycle, specifically covering collection, processing, analysis, and production. The goal is to improve research output, maintain robust source tracking, and ensure relevance to organizational needs.
## Key Recommendations
### Immediate Actions
1. **Access the CTI Research Guide:** Immediately locate and access the formal CTI Research Guide repository provided by Curated Intelligence to establish a baseline reference.
2. **Locate the Repository:** Navigate directly to the [CTI Research Guide on GitHub](https://github.com/curated-intel/The-CTI-Research-Guide) to download or clone the foundational documents.
3. **Establish Source Tracking:** Begin documenting *all* research sources used, categorizing them immediately upon initial use, as promoted by the guide.
### Short-term Improvements (1-3 months)
1. **Implement Feedback Loop:** Refocus research efforts based on organizational priorities to ensure CTI output directly addresses critical intelligence gaps, thereby improving stakeholder satisfaction.
2. **Systemize Information Extraction:** Develop a repeatable process for extracting meaningful information from gathered intelligence sources, standardizing fields for inclusion in analysis (e.g., TTPs, IoCs).
3. **Document Findings Rigorously:** Formalize the documentation template used for all finalized intelligence reports or analysis summaries, ensuring all digested information is recorded for future reference.
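The "systemize information extraction" step above is easiest to keep repeatable when the standardized fields are pulled out by code rather than by hand. The following is an added example, not code from the CTI Research Guide or from Curated Intelligence: it defines a small set of field patterns (ATT&CK technique IDs, file hashes, IPv4 addresses, domains), undoes common defanging so indicators are stored in one canonical form, and returns the fields as sorted lists ready for a register. The patterns, the field names, and the sample report text are all assumptions constructed for this example; the sample uses only documentation addresses (`example.com`, `198.51.100.0/24`).

```python
"""Added example (not from the CTI Research Guide): extract standardized
analysis fields from free-text report content. Patterns, field names and the
sample text are constructed for illustration."""
from __future__ import annotations

import re

# Common defanging conventions, undone so every indicator is stored in one canonical form.
_REFANG = (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@"))

# Field patterns (assumed formats): ATT&CK technique IDs are T#### with an
# optional .### sub-technique; hashes are fixed-length hex strings; domains must
# end in an alphabetic TLD, which keeps IPv4 addresses out of the domain list.
PATTERNS = {
    "attack_techniques": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domains": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}

# Constructed sample text (not a real report); uses documentation-only hosts.
SAMPLE_REPORT = """
Constructed sample text, not a real report. The actor delivered a spearphishing
attachment (T1566.001) that launched PowerShell (T1059.001). Stage-two payload
SHA256: 0123456789ABCDEF0123456789abcdef0123456789abcdef0123456789abcdef.
Beacon traffic went to hxxp://update-check[.]example[.]com/ping and to
198[.]51[.]100[.]23. The loader (T1059.001) matched MD5 00112233445566778899aabbccddeeff.
"""


def refang(text: str) -> str:
    """Replace defanging markers (hxxp, [.], [:], [@]) with their live equivalents."""
    for needle, replacement in _REFANG:
        text = text.replace(needle, replacement)
    return text


def extract_fields(text: str) -> dict[str, list[str]]:
    """Return each standardized field as a sorted, deduplicated list of values."""
    clean = refang(text)
    fields: dict[str, list[str]] = {}
    for name, pattern in PATTERNS.items():
        values = {m.group(0) for m in pattern.finditer(clean)}
        # Technique IDs are conventionally upper-case; hashes and hostnames are
        # normalized to lower-case so the same indicator never appears twice.
        values = {v.upper() if name == "attack_techniques" else v.lower() for v in values}
        fields[name] = sorted(values)
    return fields


if __name__ == "__main__":
    for field_name, found in extract_fields(SAMPLE_REPORT).items():
        print(f"{field_name}: {found}")
```

The extracted lists map directly onto the standardized columns of a findings register; a source-specific parser (for a vendor feed's JSON, say) would replace the regexes but keep the same output shape, so the downstream analysis fields never change.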
### Long-term Strategy (3+ months)
1. **Formalize Attribution Standards:** Review and adopt internal standards or guidelines for threat group naming and attribution, seeking to standardize how disparate data sets are clustered and labeled, mitigating counterproductive ambiguity.
2. **Mature the CTI Lifecycle:** Ensure all four stages—collection, processing, analysis, and production—have documented, reviewed, and consistently followed standard operating procedures (SOPs).
3. **Conduct Landscape Monitoring:** Establish formal, recurring research streams dedicated to tracking cyber activity surrounding major geopolitical events or high-impact threat actor campaigns that directly impact the organization’s sector or geography.
## Implementation Guidance
### For Small Organizations
- **Prioritize Source Categorization:** Focus immediate efforts on creating a simple spreadsheet or accessible document system to log every external source, noting collection reliability and relevance.
- **Lean Analysis Focus:** In the analysis phase, concentrate only on indicators and TTPs that are directly attributable to threats facing your specific technology stack or geographic location.
- **Use Community Naming:** Adopt widely accepted, external threat naming conventions (e.g., CISA, MITRE ATT&CK) rather than developing complex internal attribution schemes initially, to aid communication.
### For Medium Organizations
- **Develop Structured Documentation:** Begin converting initial source logs into a relational format or simple database (if available) to track relationships between sources, TTPs, and reported incidents.
- **Cross-Reference Threat Reports:** Mandate that all new intelligence findings be checked against historical organizational intelligence and known threat actor profiles to validate findings and track campaign evolution.
- **Semi-Formal Attribution:** Establish a draft policy for internal threat group naming based on analyst consensus, ensuring internal reports are consistent even if not fully conforming to major external standards yet.
### For Large Enterprises
- **Automate Source Ingestion (Processing):** Implement tools or scripts to automate the initial collection and processing stages, mapping ingestion data directly to required analysis fields.
- **Establish Attribution Working Group:** Form a dedicated working group to define, pilot, and formalize organizational standards for threat actor attribution, balancing internal telemetry findings with open-source intelligence (OSINT).
- **Integrate CTI into Defense Planning:** Ensure the output of the CTI lifecycle directly informs security roadmap planning, budgeting, and red team exercise scoping for proactive defense posture alignment.
## Configuration Examples
*Because the guide addresses research methodology rather than technical security controls, no technical configuration is given here. The example below instead defines the configuration of a **process**:*
**Process Configuration: Source Reliability Scoring (Example)**
| Field | Description | Value Range/Format |
| :--- | :--- | :--- |
| Source Name | Organization/Analyst Name | Text String |
| Collection Method | Primary access (e.g., Blog subscription, Dark Web forum access, Vendor feed) | Enumerated List |
| **Reliability Score** | Analyst trust level in the source's accuracy | Scale of 1 (Unconfirmed) to 5 (Verified Proprietary Data) |
| Relevance Score | Applicability to organizational assets/sector | Scale of 1 (Low) to 5 (Critical) |
| Last Verified Date | Date source reliability was last re-assessed | YYYY-MM-DD |
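The table above is a schema, and the simplest way to make the "source tracking" practice repeatable is to enforce that schema in code. The following is an added example, not from the CTI Research Guide or from Curated Intelligence: it models one register row with the table's five fields, rejects scores outside the 1 to 5 ranges, ranks sources by the product of reliability and relevance, and flags sources whose last verification is older than a review window. The `CollectionMethod` values come from the table's examples; the 90-day review window, the `priority` formula, and the three sample sources are assumptions constructed for this example.

```python
"""Added example (not from the CTI Research Guide): a source register that
enforces the Source Reliability Scoring schema. The review window, priority
formula and sample rows are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum


class CollectionMethod(Enum):
    """Enumerated list of primary access methods, taken from the table's examples."""
    BLOG_SUBSCRIPTION = "Blog subscription"
    DARK_WEB_FORUM = "Dark Web forum access"
    VENDOR_FEED = "Vendor feed"


RELIABILITY_LABELS = {1: "Unconfirmed", 5: "Verified Proprietary Data"}
RELEVANCE_LABELS = {1: "Low", 5: "Critical"}


def _check_scale(field_name: str, value: int) -> None:
    """Both scores are integers on a 1 to 5 scale; anything else is a data-entry error."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{field_name} must be an integer from 1 to 5, got {value!r}")


@dataclass(frozen=True)
class SourceRecord:
    source_name: str
    collection_method: CollectionMethod
    reliability: int
    relevance: int
    last_verified: date

    def __post_init__(self) -> None:
        _check_scale("Reliability Score", self.reliability)
        _check_scale("Relevance Score", self.relevance)

    @property
    def priority(self) -> int:
        """Assumed triage score: a trusted source about an irrelevant sector still ranks low."""
        return self.reliability * self.relevance


def parse_row(row: dict[str, str]) -> SourceRecord:
    """Build a record from a spreadsheet/CSV row keyed by the table's column names."""
    return SourceRecord(
        source_name=row["Source Name"],
        collection_method=CollectionMethod(row["Collection Method"]),
        reliability=int(row["Reliability Score"]),
        relevance=int(row["Relevance Score"]),
        last_verified=date.fromisoformat(row["Last Verified Date"]),
    )


def rank_sources(records: list[SourceRecord]) -> list[SourceRecord]:
    """Highest priority first; ties broken by name so the order is stable."""
    return sorted(records, key=lambda r: (-r.priority, r.source_name))


def needs_reverification(records: list[SourceRecord], as_of: date, max_age_days: int = 90) -> list[SourceRecord]:
    """Sources whose Last Verified Date is older than the (assumed) review window."""
    return [r for r in records if (as_of - r.last_verified).days > max_age_days]


# Constructed sample register rows, as they would be read from a spreadsheet export.
SAMPLE_ROWS = [
    {"Source Name": "Vendor feed A", "Collection Method": "Vendor feed",
     "Reliability Score": "5", "Relevance Score": "4", "Last Verified Date": "2024-05-01"},
    {"Source Name": "Researcher blog B", "Collection Method": "Blog subscription",
     "Reliability Score": "3", "Relevance Score": "5", "Last Verified Date": "2024-01-15"},
    {"Source Name": "Forum C", "Collection Method": "Dark Web forum access",
     "Reliability Score": "1", "Relevance Score": "2", "Last Verified Date": "2023-11-30"},
]


if __name__ == "__main__":
    register = [parse_row(row) for row in SAMPLE_ROWS]
    for record in rank_sources(register):
        print(f"{record.priority:>2}  {record.source_name} ({record.collection_method.value})")
    for record in needs_reverification(register, as_of=date(2024, 6, 1)):
        print(f"re-verify: {record.source_name}, last checked {record.last_verified}")
```

Keeping the validation in `__post_init__` means a malformed spreadsheet row fails at import time rather than silently skewing the ranking, and the `Last Verified Date` check gives the recurring review a concrete, automatable trigger.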
## Compliance Alignment
The methodologies promoted (repeatable process, documentation, categorization) inherently support compliance frameworks focused on continuous monitoring and documented security operations:
- **NIST SP 800-53 / RMF:** Requirements align with processes for CTI collection (CA-8), Analysis (RA-5), and Documentation (PM-9).
- **ISO/IEC 27001:** Supports Annex A.16 (Information Security Incident Management) by ensuring timely and verifiable analysis supports incident response.
- **MITRE ATT&CK Framework:** Implicitly supported by the need to cross-reference and categorize findings based on adversary Tactics, Techniques, and Procedures (TTPs).
## Common Pitfalls to Avoid
- **"Analysis Paralysis":** Getting stuck perpetually collecting data without moving to the analysis and production phases, leading to stale intelligence.
- **Ignoring Own Focus:** Researching globally significant threats that have zero direct applicability or impact on the organization's specific sector or technology stack, wasting resources.
- **Inconsistent Attribution:** Allowing different analysts to assign different names or narratives to the same threat actor group, confusing stakeholders and degrading historical tracking capabilities.
- **Discarding "Digested" Information:** Failing to document findings after initial review, leading to redundant research efforts later ("not knowing what you have already looked at").
## Resources
- **CTI Research Guide GitHub Repository:** [The-CTI-Research-Guide on GitHub](https://github.com/curated-intel/The-CTI-Research-Guide) (Function: Central repository for methodology documentation).
- **Threat Group Naming Schemes Documentation:** (Guidance derived from related articles suggesting the need for structured attribution standards).
- **MITRE ATT&CK Framework:** (Reference material for standardizing TTP documentation).