Proposal of a Framework for Quality Improvement in the Production of Cyber Threat Intelligence
Threat Intelligence, Intelligence Cycle, Methodological Analysis
In cyberspace, boundaries are constantly being crossed in the name of progress and convenience, invariably paving the way for new vulnerabilities and potential attacks. Traditional security approaches are not able to contain the dynamic nature of new techniques and threats, which are increasingly adaptive and complex. In this scenario, threat intelligence sharing is growing. However, the heterogeneity and the large volume of threat data make it difficult to identify the relevant data, imposing significant limitations on security analysts. Among the factors contributing to the low quality of Cyber Threat Intelligence (CTI), the lack of direction and planning stands out, resulting in the production of inaccurate, incomplete, or outdated information that leads to reactive actions. However, quality threat intelligence has a positive impact on the response time to an incident. The proposed solution to overcome this limitation is the adoption of a knowledge production process based on the intelligence cycle, supported by situational awareness and the 5W3H model for context creation. The direction and planning phase isthe least addressed phase in scientific research, but when executed properly it directly contributes to the relevance, accuracy and timeliness of the intelligence produced, as it defines the purpose and scope of the subsequent steps. The next phases of the process aims at the progressive refinement of data, which starts with a large volume and low relevance and, by means of evaluation, search for correlations, analysis, context formation, and interpretation, ends up with a low volume, but capable of being used for decision making.