F3EAD Cycle in Cyber Threat Intelligence
The F3EAD Cycle is a combination of the cyber threat intelligence cycle and the security operations (SecOps) cycle. F3EAD is an acronym for Find, Fix, Finish, Exploit, Analyze, Disseminate. The first 3 steps are part of the security operations cycle, and the last 3 are part of the intelligence cycle.
The F3EAD Cycle as used in information security is based on the F3EAD Cycle developed by US special operations forces for use in conventional warfare.
CTI analysts can use the F3EAD Cycle to study the adversary and provide intel that decision-makers can use to outmaneuver the adversary. CTI analysts can use the F3EAD Cycle to collaborate with incident response (IR) teams when responding to an incident.
F3EAD Cycle Steps
Identify the adversary, proactively and/or reactively. Determine the threats you need to address. Define the problems you need to solve. Use internal and external intel to define these items.
Think fixate or fix your eyes on. Identify the adversary’s presence in the network. Determine what systems they’ve compromised, how they’re moving through the network, what communications channels they’re using, etc. Identify problems you encounter.
Stop the adversary’s activity in the network (contain, mitigate, or eradicate them). Solve the problems you’ve identified in the previous steps.
This is the Collection step from the intelligence cycle. Gather the relevant raw data from the previous steps so that you can analyze it in the next step. Collect IoCs and TTPs.
This is the Analysis step from the intelligence cycle. Analyze the data from the Exploit step to understand the adversary and their TTPs. Use structured analytical techniques. Prepare suggestions on how to detect, mitigate, and remediate the adversary. Make the intel ready to share.
If during analysis you discover additional items that require investigation, ensure that it’s done, sooner or later.
This is the Dissemination step from the intelligence cycle. Share the intel with the relevant audience(s), in the appropriate format(s). Ensure that it’s actionable.
This page contains one or more affiliate links. As an Amazon Associate, I earn from qualifying purchases.
Intelligence-Driven Incident Response: Outwitting the Adversary
Amazon.com: Intelligence-Driven Incident Response: Outwitting the Adversary eBook : Roberts, Scott J, Brown, Rebekah…
Practical Cyber Intelligence: How action-based intelligence can be an effective response to…
Amazon.com: Practical Cyber Intelligence: How action-based intelligence can be an effective response to incidents eBook…
Methods and Methodology / Cyber Threat Intelligence SIG Curriculum
The intelligence lifecycle is a core method that sits behind Intelligence in general. Some texts explain intelligence…