The F3EAD intelligence process is a powerful tactical tool which provides a roadmap for security teams to assess vulnerability and infection issues on their networks while executing the greater intelligence cycle loops. It is a targeting process, used to identify and solve a specific problem.
The process comes from military special forces units, which use the loop as a toolkit for formalizing their operations: beginning with intelligence gathering (as part of the intelligence cycle), moving to collection and analysis (where F3EAD overlaps with the intelligence cycle), and finally ending with dissemination of that intelligence to stakeholders and decision makers.
What is F3EAD?
F3EAD is a complement to the intelligence cycle, acting as a sort of inner cycle directing the intelligence cycle’s Collection and Analysis phases. The first three steps are part of the “operational phase”, whereas the second half of the process is the “intelligence phase” and maintains significant overlap with the intelligence cycle.
- Find – The find phase involves finding a problem to solve. This problem may come from questions posed in the PIR or identified during the collection phase of the intelligence cycle.
- Fix – The fix phase is perhaps better read as “fixate”, as “fix” implies applying a solution, rather than focusing on the previously identified (“found”) problem. The fix phase involves identifying and understanding the scope and scale of the problem.
- Finish – The finish phase uses the information gathered in the Find and Fix phases to reach a specific objective, often determined ahead of time by policies laid out in incident response plans or other organizational policies.
- Exploit – The exploit phase seeks to collect and enhance all of the information gathered during the operational phase of F3EAD. During this stage, analysts conduct research into similar problems and use this research to build out a deeper understanding of the problem identified in the “Find” phase.
- Analyze and Disseminate – The analyze and disseminate phases of F3EAD overlap with the intelligence cycle stages of the same names.
The intelligence cycle is a basic loop made up of four nodes – Direction -> Collection -> Analysis -> Dissemination – before looping back to the beginning. Direction refers to specific questions which guide the analyst in his or her search for specific information. These questions appear in the form of a Priority of Information Requirements (PIR – see Threat Intelligence Vs Threat Information: Building a Robust Capability).
Collection is the process of building information gathering capabilities and employing those capabilities to gather information which will be relevant to further analysis. The third stage, analysis, is where the analyst attempts to interpret the information and produce an actionable intelligence product. The dissemination step involves packaging that intelligence and delivering it to key stakeholders and decision makers.
The intelligence cycle is simple enough but can be broken down further in a manner which helps guide the analyst in his or her efforts to collect relevant information.
Using F3EAD to Build Defensive Capabilities
F3EAD is generally used in the context of rooting out potentially malicious activity on an organization’s network. However, alongside the MITRE Pre-ATT&CK framework, F3EAD provides a powerful toolkit for solving problems identified via an organization’s PIR.
For example, one section of the PIR may involve identifying the digital footprint of the organization’s senior leadership. This includes social media, traditional media (especially regarding negative commentary), databases with personally identifiable information, and other relevant information that may lead a threat actor to gather enough information to potentially stage an attack against the individual.
This is the direction, as described in the intelligence cycle. Next, the analyst will collect the profiles, articles, data points, and other online markers to build out a full profile of each individual – F3EAD’s “find” step. During this step, as each piece is identified, the analyst will check for specific indicators – spouse or children’s names or links to their profiles, pictures of family members, information identifying preferred vacation spots or intentions to travel to certain places, high praise for a specific neighborhood store, etc. This is the “fix” step.
Next, as per this organization’s predetermined security protocols, the analyst will document these compromises and the security team will notify the member of leadership in order to remove these indicators of compromise from the footprint – the “finish” phase.
The analyst will then determine how the remaining information can be exploited and identify various avenues of potential attack. This identification, the “exploit” phase, allows the security team to understand how any remaining vulnerabilities may be used against the individual and/or organization in the future. Finally, the analyst will complete an analysis of all gathered information to produce a final intelligence product which will subsequently be disseminated to the organization’s key stakeholders and decision makers.
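The digital-footprint walkthrough above, carried through the six phases as a small Python model. This is an added example, not code from the original article or from any product it mentions; the indicator patterns, the "owned sources" removal rule and the sample findings are all constructed for illustration.

```python
# Added example: F3EAD applied to the leadership digital-footprint PIR.
# Indicator patterns, OWNED_SOURCES and SAMPLE are constructed/assumed.
import re
from dataclasses import dataclass, field

# Fix step: the indicator categories the analyst checks each found item for
# (family links, travel intentions, routine locations). Patterns are illustrative.
INDICATORS = {
    "family": re.compile(r"\b(spouse|wife|husband|daughter|son|kids)\b", re.I),
    "travel": re.compile(r"\b(vacation|flying to|trip to|heading to)\b", re.I),
    "routine": re.compile(r"\b(every (?:morning|friday)|favou?rite (?:cafe|store|gym))\b", re.I),
}
# Finish step (assumed protocol): content on sources the organization controls is
# removed directly; anything else only gets a takedown request.
OWNED_SOURCES = {"corporate-site", "press-release"}

@dataclass
class Finding:
    source: str                                 # where the item was found ("find" step)
    text: str
    tags: list = field(default_factory=list)    # filled in by the "fix" step
    action: str = ""                            # filled in by the "finish" step

def fix(findings):
    """Scope the problem: tag each found item with the indicator categories it exposes."""
    for f in findings:
        f.tags = [name for name, rx in INDICATORS.items() if rx.search(f.text)]
    return [f for f in findings if f.tags]

def finish(exposed):
    """Apply the predetermined protocol to every exposed item."""
    for f in exposed:
        f.action = "remove" if f.source in OWNED_SOURCES else "request-takedown"
    return exposed

def exploit(exposed):
    """Residual exposure: categories that stay public after direct removals."""
    residual = [f for f in exposed if f.action != "remove"]
    return sorted({t for f in residual for t in f.tags})

def run_f3ead(findings):
    """Analyze and disseminate: the product handed to stakeholders."""
    exposed = finish(fix(findings))
    residual = exploit(exposed)
    return {"found": len(findings), "exposed": len(exposed),
            "actions": {f.source: f.action for f in exposed},
            "residual_categories": residual,
            "escalate": len(residual) >= 2}   # several residual categories: raise it

# Constructed sample output of the "find" step for one executive.
SAMPLE = [
    Finding("corporate-site", "CEO bio: lives with her husband and two kids in Oakridge"),
    Finding("social", "Heading to Lisbon for vacation next week!"),
    Finding("social", "My favourite cafe on Main St every morning before work"),
    Finding("news", "Company announces quarterly results"),
]
```

Running `run_f3ead(SAMPLE)` reports three exposed items, one removed directly and two left as takedown requests, with travel and routine information still public and flagged for escalation.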
Depending on the individual targeted in this process, the challenges may be simple or highly complex. DigitalStakeout provides the only platform that assists the analyst with every stage of the process while also maintaining the capability for real-time alerting of potential future occurrences of such information appearing online. What collection and coverage gaps do you have in your current intelligence cycle and F3EAD process? See a live demo of how we solve common collection and coverage gap problems.