F3EAD: Find, Fix, Finish, Exploit, Analyze and Disseminate – the alternative intelligence cycle

Stewart K. Bertram | 9 February 2017

The F3EAD cycle (Find, Fix Finish, Exploit, Analyze and Disseminate) is an alternative intelligence cycle commonly used within Western militaries within the context of operations that typically result in lethal action, such as drone strikes and special forces operations. A basic summary of the phases of the cycle is as follows:

  1. Find: essentially ‘picking up the scent’ of the opponent, with the classic “Who, What, When, Where, Why” questions being used within this phase to identify a candidate target
  2. Fix: verification of the target(s) identified within the previous phase, which typically involves multiple triangulation points. This phase effectively transforms the intelligence gained within the “Find” phase into evidence that can be used as basis for action within the next stage
  3. Finish: based on the evidence generated from the previous two phases the commander of the operation imposed their will on the target
  4. Exploit: deconstruction of the evidence generated from the finish phase
  5. Analyze: fusing the exploited evidence with the wider intelligence picture
  6. Dissemination: finally publishing the results of the research to key stakeholders

Looking at the above cycle from an information security perspective, it becomes obvious that this cycle can be applied within the cyber security context. This statement is borne out by making small changes to the above narrative i.e. replace “Kill or capture” with “remove or restrict.” Many security teams do the practice of "find-remove-on to the next" and, while that is at the core of the F3EAD cycle, there is still value in defining the process within the confines of the framework.

Some may ask, “is F3EAD merely reinventing the wheel of the intelligence cycle?” I would argue ‘no’ and that F3EAD is far more tactical in practice than the more strategic intelligence cycle and it’s less defined boundaries of Direction, Collection, Analysis and Dissemination. 

What the existence and simulations of both these intelligence frameworks cycles show is that intelligence as a professional practice spans a number of levels within the organization, from the high-level strategic decision making that the intelligence cycle caters to, down to the tactical, ‘minute by minute’ style of operation that the F3EAD cycle supports. Within this context, both cycles could be implemented within an organization. Shown below is a simple example of a hypothetical organization using both cycles to combat an Advanced Persistent Threat group, the intention of this is to show how the cycle interlink and provide mutual support to each other and some of the key stakeholders invested in both. 

 

The Intelligence Cycle

Phase

Action

Direction

Board level identification of APT groups as the core cyber security threat to the business

Collection

The company’s threat intelligence team collects data gathered from internal response cases and fuses it with data provided by the external threat intelligence provider.

Analysis

A full fusion and analysis of collected data over a strategic period of time (6 months to 1 year)

Dissemination

Results communicated back to the board and the wider threat intelligence community around the specific APT threat that has targeted the company

 

F3EAD

Phase

Action

Find

Suspect activity identified on a number of hosts

Fix

Multiple common indicators of suspicious activity identify a cluster of infected hosts

Finish

Hosts are taken offline and employees are given new machines 

Exploit

Based on analysis of malware found within the infected hosts a number of specific Indicators of Compromise (IOCs) are identified by the team 

Analyse

Fusing the IOCs found ‘in house’ with the IOCs provided by the third part intelligence provider feeds into the wider picture of the APT threat and leads to further identification of anomalous behavior on the company’s network

Disseminate

The results of the analysis are disseminated to both tactical consumers (SOC etc) and the strategic sponsors of the project i.e. the members of the ‘c suite’ with an interest in the issue

What can be seen from the above example is that the intelligence cycle and the F3EAD cycle can be employed closely together to fulfill the overall company’s intelligence requirements, both tactical and strategic. One way of visualizing these two cycles is as cogs turning together within the intelligence process, with intersections between the intelligence cycle’s "Collection" phase and the F3EAD cycle’s "Find" phase. This relationship is shown below.

 

F3EAD and Intelligence Cycle