Request for Information (RFI) – Cyber Threat Intelligence
The RFI process includes any specific time-sensitive ad hoc requirement for intelligence information or products to support an ongoing event or incident not necessarily related to standing requirements or scheduled intelligence production.
When the Cyber Threat Intelligence Center (CTIC) submits an RFI to internal groups, there is a series of standard requirements for the context and quality of the data requested.
- The data is expected to be curated. Data curation is the organization and integration of data collected from various sources; it involves annotation, publication, and presentation of the data such that the value of the data is maintained over time and the data remains available for reuse and preservation.
- The data is expected to have been reviewed and validated.
- Data needs to be cited, providing sources for the data (APA format, per Microsoft Word).
- Data should be evaluated for the credibility of the sources and the validation of the data (see Appendix A).
- The data follows the format below each time to reduce cycle time. This format should be congruent with the incident response platform in use.
- Standards must be used such as those associated with NIST or other accepted standards as agreed upon for use within your organization.
- The data should be formatted to fit your internal processes and procedures. You may wish to consider how you apply the Diamond, Kill chain, and ATT&CK models using standard data fields.
- The data should be easy to extract, repeatable, and when applicable, quantifiable (cardinal number).
- The data should have a historical record so we can analyze month-to-month patterns, trends, and tendencies.
- The data should include the dates and times of the event or incident activities themselves (the action dates and times), not the dates and times at which your organization ingested the event or incident.
- The data should be classified with standard internal classification levels and TLP designators.
When and where applicable, the data needs to answer the following questions:
- What exactly is or was the problem or issue?
- Why is this happening now, who is doing this, what is their intent/motivation?
- So what? Why do we care, and what does it mean to us and our clients?
- What is the impact so far, if any, to our data and systems or to the data and systems of our clients?
- What do we expect to happen next? What is the expected outlook for continued actions if any?
- Supervisory action: what actions have been taken, or are to be taken, based upon the data, information, and analysis?
- What recommendations were made and what recommendations were executed?
- What was/were the course(s) of action?
- What was the result of the implemented recommendations?
- Were there any unanticipated implications to the recommendations?
- What opportunities are there for your organization going forward?
- Did we find any weaknesses?
- Did we identify any strengths?
- What gaps were found in our environment (people, process, technology)?
If the data you send does not come curated, reviewed, and validated with proper citations in the requested format, it may not make it to the report.
We must treat each vendor report and data feed as nothing more than another source of data: data that must be evaluated for credibility, reliability, and relevance. To do so, we can use the NATO Admiralty Code, which helps organizations evaluate sources of data and the credibility of the information provided by each source. Evaluate each vendor report using this coding method while documenting ease of data extraction, relevance to your organizational issues, type of intelligence (strategic, operational, tactical, and technical), and value in solving your security problems. Most publications provide the top-level scoring model. We provide the full model for auto-calculation built into the PDF.
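The following is an added example, not part of the RFI document or the CTIC's own tooling: it turns the submission requirements listed above (curated and reviewed, cited, classified with a TLP designator, carrying activity timestamps) and the Admiralty Code source/credibility grading into an intake check that tells a submitter which requirements a record fails before it is sent. The record layout, the field names, and the accepted TLP labels are assumptions for illustration; the Admiralty letter and number scales are the standard NATO definitions.

```python
"""Intake check for an RFI data submission (added example; field names are assumed)."""
from datetime import datetime

# NATO Admiralty Code: source reliability (A-F) and information credibility (1-6).
RELIABILITY = {"A": "completely reliable", "B": "usually reliable",
               "C": "fairly reliable", "D": "not usually reliable",
               "E": "unreliable", "F": "reliability cannot be judged"}
CREDIBILITY = {1: "confirmed by other sources", 2: "probably true",
               3: "possibly true", 4: "doubtful", 5: "improbable",
               6: "truth cannot be judged"}
# Assumption: the organization accepts these TLP designators on submissions.
TLP_LEVELS = {"TLP:RED", "TLP:AMBER", "TLP:GREEN", "TLP:WHITE", "TLP:CLEAR"}


def admiralty_rating(reliability: str, credibility: int) -> str:
    """Combine a source grade and an information grade into a rating such as 'B2'."""
    rel = str(reliability).upper()
    if rel not in RELIABILITY or credibility not in CREDIBILITY:
        raise ValueError(f"invalid Admiralty grade {reliability!r}{credibility!r}")
    return f"{rel}{credibility}"


def validate_submission(record: dict) -> list[str]:
    """Return the RFI requirements the record fails; an empty list means it may be sent."""
    problems = []
    if not (record.get("curated") and record.get("reviewed")):
        problems.append("data must be curated, reviewed, and validated")
    if not record.get("citations"):
        problems.append("missing source citation")
    if record.get("tlp") not in TLP_LEVELS:
        problems.append("missing or unknown TLP designator")
    if not record.get("classification"):
        problems.append("missing internal classification level")
    try:  # action date/time of the activity, not the ingestion time
        datetime.fromisoformat(str(record.get("activity_time", "")))
    except ValueError:
        problems.append("activity date/time missing or not ISO 8601")
    try:
        admiralty_rating(record.get("reliability", ""), record.get("credibility", 0))
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed sample records (not real reports): one complete, one deficient.
SAMPLE_OK = {"curated": True, "reviewed": True, "citations": ["Vendor X. (2023). Report."],
             "tlp": "TLP:AMBER", "classification": "Internal",
             "activity_time": "2023-05-02T14:07:00", "reliability": "B", "credibility": 2}
SAMPLE_BAD = {"curated": True, "reviewed": False, "citations": [], "tlp": "AMBER",
              "classification": "Internal", "activity_time": "May 2nd", "reliability": "X"}

if __name__ == "__main__":
    print(admiralty_rating("B", 2), validate_submission(SAMPLE_OK), validate_submission(SAMPLE_BAD))
```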