
The module drives continuous feedback loops throughout the lifecycle engaging users to follow structured methods of collection, data organization, production, analysis, and management. The Cyber Intelligence Lifecycle solution:
- Captures stakeholder needs including intelligence requirements
- Enables prioritization of those requirements
- Build manage and track collection plans
- Focuses on evidence-based intelligence analysis
- Drives structured analytic techniques such as:
- Key Assumptions
- Hypotheses Generation
- Analysis of Competing Hypotheses
- Scenario Analysis
- STEMPLES Plus with Indicators of Change and Hofstede Principles
- Social, Technical, Economic, Military, Political, Legal, Educational, Security (internal) with a catch-all Plus for Religion, Demographics, Psychological
- Indicators of Change providing an objective baseline for tracking events
- Indicators and Indicators Validation non-inclusively.
The module integrates and manages the cyber threat intelligence lifecycle functions in a contextually focused environment that helps author intelligence advisories, situation reports, and forecasts. The Cyber Intelligence Lifecycle solution enables teams:
- The ability to manage and track historical trends of adversaries and their campaigns with full data transparency
- Contextually align your cyber threat intelligence to your organizations as opposed to generic data feeds
- Minimize cycle time while reducing overhead and operational risk
- Enforce an iterative feedback loop enable continuous touchpoints between stakeholders and the cyber threat intelligence team.
The cyber intelligence lifecycle module enables collectors and analysts to work together on company-specific intelligence requirements, giving collection management the ability for continuous oversight supporting relevancy and rapidly redirect collection targets as needed. This will speed the decision making on threats helping to estimate possible next steps. Teams will be able to provide their own credibility, validity, and relevancy ratings to the data collected.

- The combination of Treadstone 71 training and education with the cyber intelligence lifecycle solution enables historical pattern and trend analysis while creating clear pictures of adversary tendencies. Treadstone 71 will provide discounted training rates to teams using the solution.
The solution is not meant to replace threat intelligence platforms but to provide an integrated series of modules that manages your intelligence program. We intend to enable the integration of strategic intelligence plans, policies, procedures, process flows, questionnaires, diagrams, presentations, reports, and briefs to managing the cyber threat intelligence lifecycle.
Contact Treadstone 71 at info @ treadstone71 dot com for more information or call 888.714.0071
Request for Information (RFI) – Cyber Threat Intelligence
The RFI process includes any specific time-sensitive ad hoc requirement for intelligence information or products to support an ongoing event or incident not necessarily related to standing requirements or scheduled intelligence production. When the Cyber Threat Intelligence Center (CTIC) submits an RFI to internal groups, there is a series of standard requirements for the context and quality of the data requested.
Request for Information (RFI) – Cyber Threat Intelligence
The RFI process includes any specific time-sensitive ad hoc requirement for intelligence information or products to support an ongoing event or incident not necessarily related to standing requirements or scheduled intelligence production.
When the Cyber Threat Intelligence Center (CTIC) submits an RFI to internal groups, there is a series of standard requirements for the context and quality of the data requested.

- The data is expected to be curated.
- Data curation is the organization and integration of data collected from various sources. It involves annotation, publication, and presentation of the data such that the value of the data is maintained over time, and the data remains available for reuse and preservation
- The data is expected to have been reviewed and validated.
- Data needs to be cited providing sources to the data (APA format per Microsoft Word).
- Data should be evaluated for the credibility of the sources and validation of the data (see Appendix A)
- The data follows the below format each time to speed cycle time. This format should be congruent with the incident response platform in use.
- Standards must be used such as those associated with NIST or other accepted standards as agreed upon for use within your organization.
- The data should be formatted to fit your internal processes and procedures. You may wish to consider how you apply the Diamond, Kill chain, and ATT&CK models using standard data fields.
- The data should be easy to extract, repeatable, and when applicable, quantifiable (cardinal number).
- The data should have a historical record so we can analyze month-to-month patterns, trends, and tendencies.
- The dates and times of when the data was created (not created by your organization with respect to the event or incident ingestion but action dates and times of event or incident activities.
- The data should be classified with standard internal classification levels and TLP designators.

When and where applicable, the data needs to answer the following questions:
- What exactly is or was the problem or issue?
- Why is this happening now, who is doing this, what is their intent/motivation?
- So what - why do we care and what does it mean to us and our clients?
- Impact so far if any to our data and systems or the data and systems of our clients?
- What do we expect to happen next? What is the expected outlook for continued actions if any?
- Supervisory Action (actions to be or that have been taken based upon data/information/analysis)
- What recommendations were made and what recommendations were executed?
- What was/were the course(s) of action?
- What was the result of the implemented recommendations?
- Were there any unanticipated implications to the recommendations?
- What opportunities are there for your organization going forward?
- Did we find any weaknesses?
- Did we identify any strengths?
- What gaps were found in our environment (people, process, technology)?
If the data you send does not come curated, reviewed, and validated with proper citations in the requested format, it may not make it to the report.
Source Credibility
We must treat each vendor report and data feed as nothing more than another source of data. Data that must be evaluated for credibility, reliability, and relevance. To do so, we can use the NATO Admiralty Code to help organizations evaluate sources of data and the credibility of the information provided by that source. Evaluate each vendor report using this coding method while documenting ease of data extraction, relevance to your organizational issues, type of intelligence (strategic, operational, tactical, and technical), and value in solving your security problems. Most publications provide the top-level scoring model. We provide the full model for auto-calculation built into the PDF.
Intelligence Games in the Power Grid – Russian Cyber and Kinetic Actions Causing Risk
Unusual purchasing patterns from a Russian firm selling PLCs from a Taiwanese company with massive holes in its product software download site. What could go wrong?
Strategic Intelligence Analysis
Forecasting, Estimative and Warning Intelligence
In-Person - 5 days
The Strategic Intelligence Analysis, Forecasting, Estimative, and Warning Intelligence (online and in-person) course follows the iterative processes of the intelligence lifecycle. Strategic analysis requires a breakdown of the complexity’s analysts face during data examination. Keeping the analysis and results relevant is difficult. Analysts need to find ways to organize, rank, and present their findings. Analyst’s always keeping a close eye on what the findings will mean to the stakeholders.
Stakeholders need to understand that analysts always work with incomplete and fragmented data. Adversaries work hard to deny analysts the data. Their methods include various types of deception.
This course provides analysts with a framework reducing many of the problems faced with fragmented data.
This course covers the following non-inclusively:
Strategic Intelligence Analysis, Forecasting, Estimative and Warning Intelligence |
Relevant actors and their capabilities |
Data, Information, Knowledge, and Intelligence |
Inference |
Knowledge Generation |
Adversary Courses of Action (CoA) |
Explicitly versus Tacit Knowledge |
CoA advantages and disadvantages |
Principles of Knowledge Management |
Likelihood and probability in Adversary CoA |
Monitoring your Business Environment |
Patterns, Trends, Tendencies |
Analysis Projects |
Estimative Intelligence |
Analysis Cycle |
The Role of Warning Intelligence |
Briefing |
Key Warning Factors in Preparations |
Collection Planning |
What Is Warning? |
Collecting from Unsuspecting Sources |
Indicator Lists: Compiling Indications |
Collection from Public Domain |
Fundamentals of Indications Analysis |
Collection from Images |
Use of Indicator Lists |
Collection from Things |
Extracting Indications Data |
Collection Outsourcing |
Indications Chronology |
Analysis |
Specifics of the Analytical Method |
Introduction |
How Might they Go to Cyber War? |
Attributes of strategic analysis |
Cyber Order of Battle Methods |
Collector - Analyst Relationship |
Analysis of Cyber Mobilization |
Collector-Analyst Differences |
Recognition of Cyber Buildup |
Corporate Alignment |
Preparation for Cyber Warfare |
Organizing a Strategic Analysis Function |
The preoccupation of Leadership / Stakeholders |
Organizing a solid team |
Cyber Readiness |
Towards a world-class strategic analysis org |
Magnitude and Redundancy of Preparations |
Profile of an analyst |
Cyber Wargaming |
Forecasting |
What is a Cyber Wargame |
Multiple Scenarios Generation |
Why run a Cyber Wargame |
Scenario analysis |
Principal Factors in Timing and Surprise |
Influencers |
Examples of Assessing Timing |
Link Analysis and Centrality |
Warning is Not a Forecast of Imminence |
Estimates for future planning |
The Problem of Deception |
|
Case Studies and Hands-on |
This course teaches students how to think independently and stay away from the low level tactical approaches we see in daily reports. Strategic, big-picture reviews and assessments that incorporate the social, technical, economic, military, political, legislative, educational, and security, plus demographics, religion and the psychometric (STEMPLES Plus) aspects of an adversary are lost in today's world of current news posing as intelligence. Lecture, Hands-on, Apprenticeship, in-class exercises, student presentations, analytic products, templates, course material—40 CPEs. Books provided by Treadstone 71 with some required read-ahead activities.
In-Person - 5 days
Subject: Request to Attend the Treadstone 71 NAME OF COURSE training
Dear [Decision Maker Name],
The Treadstone 71 Certified Threat Intelligence Analyst training takes place INSERT START DATE through INSERT END DATE at the LOCATION NAME in CITY, STATE, or COUNTRY. The training offers INSERT NUMBER OF DAYS of educational training from a former intelligence community professional. Intelligence professionals regard this class as the world’s leading training program for cyber and threat intelligence professionals. Therefore, I would like to request approval to attend, as I believe it will further develop my threat intelligence skills and build knowledge around greatly improving our cyber threat intelligence program.
The training offers comprehensive, innovative educational sessions following Intelligence Community standards from the International Association for Intelligence Education Standards for Intelligence Analyst Initial Training:
- Introduction to Intelligence
- Critical Thinking
- Analytic Writing
- Creative Thinking
- Analytic Briefing
- Structured Analytic Techniques.
- Analytic Issues
- Argument Mapping
- Case Studies
The course covers critical intelligence skill areas and emerging threat intelligence concepts facing our organization.
If I attend, I’ll receive:
- Over INSERT NUMBER OF HOURS of educational training and INSERT NUMBER OF CPEs.
- Hands-on with the latest open-source intelligence tools.
- Review of normally paid threat intelligence feed solutions (Intel471 and Recorded Future) while in the class.
- Operational security concepts, including a 30-day VPN license.
- Intensive training on:
- Stakeholder Analysis
- Collection Planning
- Collection Activities and Targeted Collection
- Intelligence Requirements Development
- Open Source Intelligence Methods
- Adversaries and Campaign Analysis
- Structured Analytic Techniques for Intelligence
- Methods and Types of Analysis
- Analytic Writing and Peer Review
- Analysis, Reporting, and Dissemination
- Mitre ATT&CK Analysis and Comparisons
- Forecasting and Estimative Reporting
- STEMPLES Plus Strategic Intelligence
- Synthesis and Fusion Methods.
- Advanced Adversary Targeting and Campaign Analysis
- Strategic Intelligence Analysis
- I’ll also have the chance to understand the methods used in intelligence agencies from an intelligence professional who has been teaching this course for 11 years.
- I’ll benefit from the instructor’s years of passive data collection on adversaries while maintaining operational security while networking with other students on their experiences in intelligence.
Costs
The approximate investment for my attendance is as follows (complete the information as appropriate):
Travel costs
|
|
Accommodation (### nights at (DOLLARS xxx/night*)
|
|
Full Training Pass (for ### days)
|
|
Payback: Our ROI
I believe the insights learned by Treadstone 71 Training will help speed incident response resolution, assist security operations in gaining insights into our cyber adversaries, and enhance our cyber threat intelligence program with intelligence community skills and knowledge. The cost of the course seems a small price to pay for actionable intelligence to help our business combat cyber threats and the reputational damage that results from even a minor compromise. Other courses from other companies in this field charge at least 25% more and usually 30-35% more and you get less from those courses.
When I return from the Treadstone 71 training, I will compile a short presentation covering what we covered in the class, applicable functions to consider for immediate use, methods of collection, how best to use analytic methods, and ways to quickly improve our written products.
[Add standard sign off]
HALF MOON BAY, Calif., June 10, 2019 (SEND2PRESS NEWSWIRE) -- Treadstone 71, the leading cyber and threat intelligence tradecraft company, today announced the availability of a new offering: Cyber Intelligence Lifecycle. The new module will enable teams to organize their cyber threat intelligence program, publish their strategic plans, build stakeholder models, establish collection plans, rate and verify data and sources, use structured techniques, and prepare for analytic writing peer reviews.
The module drives continuous feedback loops throughout the lifecycle engaging users to follow structured methods of collection, data organization, production, analysis, and management. The Cyber Intelligence Lifecycle solution captures stakeholder needs including intelligence requirements, their prioritization, collection planning and tracking while focusing on evidence-based intelligence analysis. The solution enables organizations to track how they got from A to B in the lifecycle, what worked and what did not while incorporating iterative methods of analysis.
“No longer will cyber threat intelligence teams have to kludge together methods of managing the cyber threat intelligence lifecycle,” said Jeff Bardin, Chief Intelligence Officer for Treadstone 71. “The ability to have continuous access to priority intelligence requirements, open source intelligence actions in various stages of collection, the development of new hypotheses based on usable data, directly input to structured analytic techniques as some of the final steps before analytic writing and review are huge.”
- The module integrates and manages cyber threat intelligence lifecycle functions in a contextually focused environment that helps author intelligence advisors, situation reports, and forecasts.
- The ability to manage and track historical trends of adversaries and their campaigns with full data transparency, from your own perspective and not that of generic data feeds, minimizes cycle time while reducing overhead and operational risk.
- The cyber intelligence lifecycle module enables collectors and analysts to work together on company-specific intelligence requirements, giving collection management the ability for continuous oversight supporting relevancy and rapidly redirect collection targets as needed.
- We see this as speeding the decision making on threats helping to estimate possible next steps.
“We plan to start offering the solution in August with a full rollout by mid-October,” continued Bardin. “Our training solutions enable this module providing organizations with the intelligence community skills necessary to more than adequately manage collection operations, analysis, and analytic writing. The need for this in the market is great.”
- Data verification is a hidden calculation in data and threat intelligence feeds. Bayesian algorithms aid in the process, but human interaction is still a core capability that most organizations do not have.
- Skills in this area are lacking.
- The combination of Treadstone 71 training and education with the cyber intelligence lifecycle solution enables historical pattern and trend analysis while creating clear pictures of adversary tendencies.
"For a long time,
we described threat intelligence as the core solution for cyber threat intelligence teams. What is missing are the core functions of intelligence that goes well beyond indicators of compromise and technical details, collected after a breach occurs,” added Bardin. “We know that intelligence is for warning and prevention. We know that intelligence forecasting and estimates are the keys to prevention. Something that is missing in organizations today. We are shifting the paradigm to mature intelligence programs assisting in your digital transformation the reduces risk.”
The solution is not meant to replace threat intelligence platforms but to provide an integrated series of modules that manages your intelligence program. We intend to enable the integration of strategic intelligence plans, policies, procedures, process flows, questionnaires, diagrams, presentations, reports, and briefs to managing the cyber threat intelligence lifecycle.
About Treadstone 71
Treadstone 71's Certified Threat Intelligence and CounterIntelligence Analyst training are the gold standard in the industry today derived from both academia, the intelligence community, and from Treadstone 71’s experience in building cyber and threat intelligence programs at Fortune 500 organizations worldwide. Treadstone 71 is delivering the only complete cyber threat intelligence lifecycle management solution enabling information sharing, internal intelligence communities of interest while empowering lifecycle management with an iterative feedback loop.
More information: https://www.treadstone71.com/