F3EAD in practice

The following is a basic example of how the intelligence cycle and F3EAD can be integrated.

Scenario:

RonV corporation started as a family business in Antarctica in 2018 and has transitioned into an organization with worldwide operations in the widget-making industry. Due to increased concerns about cyber attacks, RonV is trying to centralize security services so that headquarters can monitor the security posture of the organization. Over the years, mergers and acquisitions increased the complexity of the IT architecture with each additional business. Following the CIS Critical Security Controls, the CIO of the company has already begun maturing the capability to inventory authorized hardware and software, as well as a means to block unauthorized hardware and software from the network. Now the CIO is looking to find the most critical applications of the organization so that she has awareness of what the applications are and where they are located.

  • CIO delivers a Strategic Level priority information requirement to her Tactical Level leaders:
    • What and where are our critical applications to the business?
    • Format: App Name, Region of the world it is located, Country where it resides
  • Tactical Level leadership issues a priority information requirement to Operational Level leaders and requests information from the business divisions:
    • What and where are the critical applications to your business?
    • Format: App Name, Region of the world it is located, Country where it resides.
  • Operational Level leadership will then take on the Tactical Level information requirements and go through the F3EAD process to:
    • Find: What and where are the critical applications to your business?
    • Fix: Navigating to the application registry and finding the applications labeled critical
    • Finish: Collecting the critical application information that is on hand
    • Exploit: Filtering out to only provide the information that is required and placing it in a centralized area in preparation for analysis
    • Analyze: Enriching the information and putting it in a usable format to deliver to the customer:
      • Format: App Name, Region of the world it is located, Country where it resides
    • Disseminate: Providing the information to tactical operations
  • Once tactical operations receive the information from the Operational Level, further analysis is done to reconcile and combine information to be prepared to pass to the Strategic Level for action. The following are the results:
    • Business Division I:
      • App A, Region APAC, New Zealand
      • App B, Region APAC, Australia
      • App C, Region APAC, Japan
      • App A, Region EMEA, France
      • App B, Region EMEA, Germany
      • App C, Region EMEA, Switzerland
    • Business Division II:
      • App A, Region LATAM, Venezuela 
      • App C, Region LATAM, Chile
      • App B, Region NAM, USA
      • App C, Region NAM, Canada

Now that the CIO has the information from the tactical leaders in the requested format, she can move forward with the next steps in her planning to protect these critical applications.
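The operational-level steps above can be sketched as a small pipeline over an application registry export. This is an added example, not code from the book: the registry columns (`app_name`, `criticality`, `region`, `country`, `owner`), the sample rows, and all function names are constructed assumptions.

```python
import csv
import io
REQUIRED = ("app_name", "region", "country")  # the PIR's requested format
# Constructed registry exports; column names and the "criticality" label are assumptions.
DIVISION_I = """app_name,criticality,region,country,owner
App A,critical,apac,New Zealand,team-1
App B,Critical,APAC,Australia,team-2
App D,low,APAC,Japan,team-3
App A,critical,EMEA,France,team-4
App A,critical,emea,France,team-4
"""
DIVISION_II = """app_name,criticality,region,country,owner
App A,critical,LATAM,Venezuela,team-5
App C,critical,NAM,,team-6
App B,critical,NAM,USA,team-7
"""
REGISTRIES = {"Business Division I": DIVISION_I, "Business Division II": DIVISION_II}

def fix(registry_csv):
    """Fix: locate the registry entries labeled critical."""
    rows = csv.DictReader(io.StringIO(registry_csv))
    return [r for r in rows if r["criticality"].strip().lower() == "critical"]

def finish(rows):
    """Finish: collect what is on hand; set aside entries missing a required field."""
    complete = [r for r in rows if all(r[f].strip() for f in REQUIRED)]
    gaps = [r["app_name"] for r in rows if r not in complete]
    return complete, gaps

def exploit(rows):
    """Exploit: keep only the fields the requirement asks for."""
    return [{f: r[f].strip() for f in REQUIRED} for r in rows]

def analyze(rows):
    """Analyze: normalize and de-duplicate into the requested format."""
    seen = {(r["app_name"], r["region"].upper(), r["country"]) for r in rows}
    return [f"{app}, Region {region}, {country}" for app, region, country in sorted(seen)]

def operational_cycle(registry_csv):
    """Run Fix through Analyze for one division; the result is what gets disseminated."""
    complete, gaps = finish(fix(registry_csv))
    return analyze(exploit(complete)), gaps

def tactical_reconcile(registries):
    """Tactical level: combine each division's report for the Strategic Level."""
    return {div: operational_cycle(text) for div, text in registries.items()}

if __name__ == "__main__":
    print(tactical_reconcile(REGISTRIES))
```

Entries returned in the second element of each report (here, an application with no country recorded) are the ones the tactical level would send back to the division as a follow-up request rather than pass upward incomplete.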

This scenario was very basic, but we need to understand how we can incorporate the F3EAD process within operations to protect the network, as well as build capability, using SMART targets and Capability Maturity Models. To further understand how F3EAD fits into the larger picture, we need to be able to relate it to the other processes and concepts that we've learned in the previous chapters: OODA, OPSEC, and the Cyber Kill Chain.

For the remainder of the book, we will look at the F3EAD process as an interfacing process between the tactical and operational levels.