The F3EAD intelligence process is a powerful tactical tool that provides a roadmap for security teams to assess vulnerability and infection issues on their networks while executing the greater intelligence cycle loops. It is a targeting process used to identify and solve a specific problem.

The process comes from military special forces units, which use the loop as a toolkit for formalizing their operations. This process begins with intelligence gathering (as part of the intelligence cycle). The process moves to collection and analysis (where F3EAD overlaps the intelligence cycle). Finally, the process ends with disseminating that intelligence to stakeholders and decision-makers.

What is F3EAD?

F3EAD complements the intelligence cycle, acting as a sort of inner cycle directing the intelligence cycle’s Collection and Analysis phases. The first three steps are part of the “operational phase”, whereas the second half is the “intelligence phase” and maintains significant overlap with the intelligence cycle.

  • Find – The find phase involves finding a problem to solve. This problem may come from questions posed in the PIR or be identified during the collection phase of the intelligence cycle.
  • Fix – The fix phase is perhaps better read as “fixate”, as “fix” implies applying a solution, rather than focusing on the previously identified (“found”) problem. The fix phase involves identifying and understanding the scope and scale of the problem.
  • Finish – The finish phase uses the information gathered in the Find and Fix phases to reach a specific objective, often determined ahead of time by policies laid out in incident response plans or other organizational policies.
  • Exploit – The exploit phase seeks to collect and enhance all of the information gathered during the operational phase of F3EAD. During this stage, analysts research similar problems and use this research to build out a deeper understanding of the problem identified in the “Find” phase.
  • Analyze and Disseminate – The analyze and disseminate phases of F3EAD overlap with the intelligence cycle stages of the same names.

The intelligence cycle is a basic loop composed of four nodes – Direction -> Collection -> Analysis -> Dissemination – before looping back to the beginning. Direction refers to specific questions which guide the analyst in their search for specific information.

Collection is the process of building information gathering capabilities and employing those capabilities to gather relevant information for further analysis. The third stage, analysis, is where the analyst interprets the information and produces an actionable intelligence product. The dissemination step involves packaging that intelligence and delivering it to key stakeholders and decision-makers. The intelligence cycle is simple enough but can be broken down further in a manner that helps guide the analyst in their efforts to collect relevant information.

Using F3EAD to Build Defensive Capabilities

F3EAD is typically used in the context of rooting out potentially malicious activity on an organization’s network. However, alongside the MITRE Pre-ATT&CK framework, F3EAD provides a powerful toolkit for solving problems identified via an organization’s PIR. For example, one section of the PIR may involve identifying the digital footprint of the organization’s senior leadership. The digital footprint includes:

  • Social media profiles.
  • Traditional media and content.
  • Websites hosting public records.

Collect the profiles, articles, data points, and other online markers to build a full profile of each individual – F3EAD’s “find” step. 

As each piece of content is gathered, check for specific indicators to step into the second degree of connection (people, places, and things). This step into the second degree of connection is called the “fix” step. Next, as per this organization’s predetermined security protocols, the analyst will document these exposures. The security team will notify the member of leadership to remove these exposures from the footprint – the “finish” phase. The analyst will then determine how the remaining information can be exploited and identify various avenues of potential attack. This identification, the “exploit” phase, allows the security team to understand how threat actors will use the information in the future. Finally, the analyst will analyze all gathered information to produce a final intelligence product that must be disseminated to the organization’s key stakeholders and decision-makers.

The challenges may be simple or highly complex. With workflow and tagging features, DigitalStakeout Scout assists the analyst with every process stage. DigitalStakeout Scout maintains the collection capability while providing real-time alerts when new information occurrences appear online.