A collection management framework template provides the structure you need to catalog your data sources. It lays the groundwork for your cyber threat intelligence team to comprehensively document their intelligence collection sources and how they can be used to fulfill intelligence requirements and investigate cyber incidents.
Your team must extract the most value possible from their data sources and understand how to use each effectively. A collection management framework (CMF) is ideal for this job.
This FREE template has everything necessary to create a thorough CMF for your organization. It includes scaffolding to develop internal and external CMFs, processes for adding new data sources, and much more!
To get started, download the packaged PDF or Word Document and customize it to your organization’s needs. Download and enjoy!
Collection Management Framework Template
| Collection Management Framework | |
| --- | --- |
| Approved By | <approver name> |
| Owner | Head of CTI |
| Author | <your name> |
| Audit | Cyber Security Team |
| Issue Date | <issue date> |
| Document Name | Collection Management Framework |
| Version | 1.0 |
| Document Classification | TLP:AMBER+STRICT |
| Distribution | <Google Drive \| OneDrive \| SharePoint> |
Document Revision History

| Version | Author | Notes | Date |
| --- | --- | --- | --- |
| 1.0 | <your name> | Document Creation | <date> |
Introduction
Cyber threats are on the rise, both in frequency and sophistication. As new and advanced technologies evolve, they provide threat actors with unprecedented opportunities to execute highly sophisticated and targeted cyber attacks against <company name>.
This increasing complexity of threats demands vigilant and proactive measures to protect against potential breaches and ensure the security of sensitive data and systems.
Cyber Threat Intelligence (CTI) is crucial in defending against this rise in sophisticated threats. It allows <company name> to proactively identify threats, prepare for and counter various attack techniques, and tailor its defensive strategies to the threats the organization actually faces.
To be successful, a CTI program must have a Collection Management Framework (CMF) that documents the data sources available to the CTI team and how they can be used to fulfill intelligence requirements. This framework is fundamental to all CTI processes at <company name> and requires continuous maintenance to ensure it aligns with current business objectives.
This document outlines the CMFs used by the CTI team at <company name> to guide them in collecting, analyzing, and distributing threat intelligence. It is intended to provide visibility into the data sources at the team’s disposal.
Purpose
The purpose of the Collection Management Framework outlined in this document is to define the data sources available for the CTI team to use during an investigation to resolve an intelligence requirement or Request for Information (RFI).
The CMFs detailed in this document allow the user to identify the available data sources at <company name>, what information they can derive from each data source, and the period for which the information is available. This information is then used to guide a user during their investigation.
The document also includes a list of data sources available at <company name> and a process for adding new data sources to this list. As such, the document requires ongoing maintenance as new data sources are added or old ones are removed.
The document does not offer prescriptive advice on investigating a cyber incident or fulfilling an intelligence requirement. It is designed to establish the data sources available at <company name> and provide context for their use.
Scope
This document has been created for the <company name>’s CTI team to provide guidance on the data sources available for intelligence collection. It has also been designed to offer other cyber security teams and key stakeholders insight into the intelligence collection capabilities at the CTI team’s disposal.
To achieve these objectives, this document covers the following key areas:
- Data Sources: The internal and external data sources the CTI team can use to gather intelligence to investigate cyber incidents and fulfill intelligence requirements. This includes tools, platforms, and infrastructure.
- Internal Collection Management Framework: A matrix that includes internal data sources a user can query for information and what intelligence can be derived from these sources.
- External Collection Management Framework: A matrix that includes external data sources a user can query for information and what intelligence can be derived from these sources.
- Adding New Data Sources: This is the agreed-upon process for creating and adding a new data source to this document.
- Training and Awareness: The training and awareness programs at <company name> to ensure employees are aware of the CMFs in this document and can use them effectively.
- Maintenance and Review: A record of when this document was reviewed and updated.
Only key <company name> stakeholders can formally request access to view this document. Only members of the CTI Team can add a new data source to this document, using the process outlined in Section 8 – Adding New Data Sources. These restrictions ensure sensitive data is handled appropriately and in accordance with the data protection regulations at <company name>.
Definitions and Acronyms
The Collection Management Framework document describes the organization’s intelligence collection process using the following key terms. Ensure you are familiar with their definitions.
| Key Term | Definition |
| --- | --- |
| Identity and Access Management (IAM) | Technology to ensure that the right individuals have appropriate access to the resources they need within <company name>. |
| Web Application Firewall (WAF) | A security solution designed to protect web applications by monitoring, filtering, and analyzing HTTP/HTTPS traffic between a web application and the internet. |
| Cyber Threat Intelligence (CTI) | The process of gathering, analyzing, and disseminating information about current or potential threats to an organization’s digital infrastructure. |
| Intelligence Requirement (IR) | Specific information needs that guide the collection, analysis, and dissemination of cyber threat intelligence within an organization. |
| Request for Information (RFI) | A formal inquiry to gather specific information or clarification on a particular subject. This is another type of intelligence requirement. |
| Collection Management Framework (CMF) | A tool for identifying the data sources available to analysts and what information they can get from each during an investigation. |
| Cyber Kill Chain | A framework that outlines the stages of a typical cyber attack, from initial reconnaissance to actions on the objective. |
| MITRE ATT&CK Framework | A comprehensive and widely used knowledge base that catalogs the tactics, techniques, and procedures (TTPs) used by threat actors to perform cyber attacks. |
| Malware | Any software intentionally designed to cause damage, disrupt operations, steal sensitive information, or gain unauthorized access to computer systems. |
| Netflow | A network protocol developed by Cisco that collects and monitors IP traffic data as it crosses a network. It provides detailed information about network traffic patterns. |
| Uniform Resource Locator (URL) | An address used to access resources on the internet. |
| Internet Protocol (IP) | A set of rules that govern how data is transmitted over a network. IP addresses are assigned to devices to identify them on a network. |
| Command and Control (C2) | The infrastructure and methods used by threat actors to communicate with compromised systems within a target network. |
| JA3 and JA3S | Techniques to create fingerprints of SSL/TLS (Secure Sockets Layer/Transport Layer Security) client and server connections. Used to identify and track malicious activity. |
| Sigma | A generic and open standard for creating detection rules that identify suspicious or malicious activities within network or system logs. |
| YARA | A tool and language for identifying and classifying malware samples based on patterns and characteristics found in their code or behavior. |
| Virtual Private Server (VPS) | A virtualized server used to host infrastructure or applications in a cloud environment that <company name> uses for business use cases. |
| Stakeholder | An individual, group, or organization with an interest, concern, or influence in a particular issue or project. Stakeholders can be internal or external, and it is important to identify them and communicate critical decisions to them. |
| Security Information and Event Management (SIEM) | A software system that allows you to collect, store, and analyze security-related data from various log sources within an organization’s IT environment. |
| Endpoint Detection and Response (EDR) | A security tool installed on endpoint devices (e.g., laptops, desktops, mobile phones) to detect and block malicious activities. |
| Intrusion Detection System / Intrusion Prevention System (IDS / IPS) | An IDS is a security tool installed within a network to detect potentially malicious activity. An IPS is installed in a network to block potentially malicious activity. |
| Indicator of Compromise (IOC) | A piece of data or evidence that indicates malicious activity has occurred within a network or on a computer system. |
| Tactic, Technique, Procedure (TTP) | A way to describe and categorize the behavior of adversaries to help organizations anticipate, detect, and respond to cyber threats. |
| Data Source | Any system, tool, or platform from which you can gather information. |
| Threat Intelligence Platform (TIP) | A software application used to aggregate, analyze, and manage cyber threat intelligence data from multiple sources to help organizations identify, assess, and respond to threats more effectively. |
| Threat Actor | An individual, group, or organization that threatens the security, confidentiality, integrity, or availability of <company name>’s systems, network, or data. They could be a criminal gang, nation-state, or political activist. |
Data Sources
A data source is any system, tool, or platform <company name> has made available for the CTI team to collect information. This includes sources that contain data internal to the company (e.g., generated by a security tool) and external data from threat intelligence platforms or other data repositories. Guidance on what intelligence is discoverable through each data source is included in each CMF.
This list of data sources should be updated, along with the organization’s Intelligence Requirements document, whenever a new data source is added or removed.
| Collection Source | Intelligence Type | Location | Owner |
| --- | --- | --- | --- |
| EDR | Internal system data | Web application | Security Operations Team |
| AlienVault | External open-source atomic indicators | Website | CTI Team |
Internal Collection Management Framework
Internal Collection Management Frameworks (CMFs) cover data sources internal to <company name> that a framework user can query for information. These sources hold data generated by the organization’s systems, users, and software. When a threat actor attacks <company name>, evidence can be found within these data sources.
The CTI team at <company name> uses two internal CMFs, one focusing on endpoint logs and the other focusing on network logs. This has been done to group data into two main asset categories and make subsequent investigations clearer.
Endpoint Logs CMF
<Company name>’s Endpoint Logs CMF holds information generated by endpoint computer systems (e.g., employee workstations, laptops, mobile devices, servers, and virtual machines). It should be used when collecting internal intelligence for company systems or investigating incidents impacting an endpoint device.
| | EDR | Windows Systems | Linux Servers | VPS Logs |
| --- | --- | --- | --- | --- |
| Data Type | EDR console alerts | Sysmon | Auditd | AWS CloudTrail |
| Kill Chain Coverage | Exploitation, Installation | Exploitation, Installation, Actions | Internal Recon, Delivery, C2 | Internal Recon, Delivery, C2 |
| Follow-on Collection | Malware samples | Files, timelines, persistence techniques | Services, scheduled tasks, network connections | Cloud access logs |
| Data Retention | 30 days | 60 days | 60 days | 60 days |
Network Logs CMF
<Company name>’s Network Logs CMF holds information generated by the network traffic that interacts with <company name>’s network infrastructure. This includes data generated by network devices and network-related security systems. Identity and Access Management (IAM) data is also included here.
| | Network | Firewall | WAF | IAM |
| --- | --- | --- | --- | --- |
| Data Type | Netflow | Netskope | Imperva | Okta |
| Kill Chain Coverage | External Recon, Delivery, C2 | Exploitation, Delivery | External Recon, Delivery, C2 | Actions |
| Follow-on Collection | Packet capture | Netflow | Web server logs | Application access logs |
| Data Retention | 15 days | 30 days | 30 days | 90 days |
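As an added example (not part of the template or its author's material), the two internal CMFs above encoded as data with a retention-aware collection-gap check: given an incident date and the date of the investigation, it reports which sources still hold data and which kill-chain phases are no longer covered by any retained source. The source names, phases and retention values are the ones in the matrices; the dates are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CollectionSource:
    name: str              # column label in the CMF
    data_type: str         # the "Data Type" row
    kill_chain: frozenset  # the "Kill Chain Coverage" row
    retention_days: int    # the "Data Retention" row


# Rows transcribed from the Endpoint Logs and Network Logs CMFs in this template.
INTERNAL_CMF = (
    CollectionSource("EDR", "EDR console alerts", frozenset({"Exploitation", "Installation"}), 30),
    CollectionSource("Windows Systems", "Sysmon", frozenset({"Exploitation", "Installation", "Actions"}), 60),
    CollectionSource("Linux Servers", "Auditd", frozenset({"Internal Recon", "Delivery", "C2"}), 60),
    CollectionSource("VPS Logs", "AWS CloudTrail", frozenset({"Internal Recon", "Delivery", "C2"}), 60),
    CollectionSource("Network", "Netflow", frozenset({"External Recon", "Delivery", "C2"}), 15),
    CollectionSource("Firewall", "Netskope", frozenset({"Exploitation", "Delivery"}), 30),
    CollectionSource("WAF", "Imperva", frozenset({"External Recon", "Delivery", "C2"}), 30),
    CollectionSource("IAM", "Okta", frozenset({"Actions"}), 90),
)

# Kill-chain phases exactly as named in the CMFs above, in attack order.
KILL_CHAIN = ("External Recon", "Delivery", "Exploitation", "Installation",
              "C2", "Internal Recon", "Actions")


def sources_for_phase(phase, cmf=INTERNAL_CMF):
    """Sources whose kill-chain coverage includes `phase`, in CMF order."""
    return [s.name for s in cmf if phase in s.kill_chain]


def sources_still_holding(incident_iso, today_iso, cmf=INTERNAL_CMF):
    """Sources whose retention window still reaches back to an incident dated `incident_iso`."""
    age_days = (date.fromisoformat(today_iso) - date.fromisoformat(incident_iso)).days
    return [s.name for s in cmf if s.retention_days >= age_days]


def collection_gaps(incident_iso, today_iso, cmf=INTERNAL_CMF):
    """Kill-chain phases with no source that both covers the phase and still retains
    data for the incident: gaps to fill from external sources or record as unknowns."""
    live = set(sources_still_holding(incident_iso, today_iso, cmf))
    return [p for p in KILL_CHAIN if not live.intersection(sources_for_phase(p, cmf))]


if __name__ == "__main__":
    # Constructed example: an incident first seen 45 days before the investigation date.
    print(sources_still_holding("2024-05-16", "2024-06-30"))
    print(collection_gaps("2024-05-16", "2024-06-30"))  # ['External Recon']
```

Once the 15- and 30-day sources have aged out, only the 60- and 90-day sources remain, so the External Recon phase has no internal coverage left and must be answered from the external CMFs.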
External Collection Management Framework
External Collection Management Frameworks (CMFs) cover data sources external to <company name> that a framework user can query for information. These sources hold data generated by external systems and threat intelligence providers to which <company name> subscribes. They are primarily used to fulfill intelligence requirements or gain additional context about a security incident.
The CTI team at <company name> uses two external CMFs, one for endpoint indicators and the other for network indicators. This has been done to group data into two main asset categories and make subsequent investigations clearer.
Endpoint Indicators CMF
<Company name>’s Endpoint Indicators CMF lists data sources that can be queried for information about artifacts found on endpoint devices. Each column is an indicator attribute (e.g., filename or MD5 hash) that can be submitted to the data source for additional context. An X indicates that the indicator attribute can be queried using that data source.
It also includes whether that data source can be searched using YARA rules or provides YARA rules for detection purposes.
| Data Source | Filename | MD5 | SHA1 | SHA256 | Malware Analysis | Registry Key | YARA Rules |
| --- | --- | --- | --- | --- | --- | --- | --- |
| AlienVault | X | X | X | X | X | | |
| Intezer Analyze | X | X | X | X | X | | |
Network Indicators CMF
<Company name>’s Network Indicators CMF lists data sources that can be queried for information about data found in <company name>’s network logs. Each column is an indicator attribute (e.g., IPv4 address or domain name) that can be submitted to the data source for additional context. An X indicates that the indicator attribute can be queried using that data source.
It also includes whether that data source provides Sigma rules for detection purposes.
| Data Source | IPv4 | IPv6 | Domain | URL | Certificate | JA3 | JA3S | Sigma Rules |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| GreyNoise | X | X | X | X | | | | |
| VirusTotal | X | X | X | X | | | | |
Adding New Data Sources
<Company name> is dedicated to staying ahead of cyber threats and providing its security team with the necessary resources to combat them. To do this, the data sources used by <company name> are regularly reviewed to ensure the appropriate intelligence is being collected and utilized.
The following process is used to add a new data source to <company name>’s list of current data sources. This includes both internal and external data sources. The implementation details of each data source will vary. As such, this process does not contain technical information or prescriptive advice.
Addition Process
- A request is raised to add a new data source using the form in Appendix A.
- The CTI team reviews the request to determine whether the data source provides reliable and relevant information that can be used to help fulfill intelligence requirements or investigate incidents.
- If the data source is deemed fit for purpose, the CTI team will make a request to add it to their list of data sources. This request is raised to <relevant stakeholder>, who performs a final review to determine if <company name> wants to invest resources in adding the data source.
- If approved, the data source is added to the relevant CMF, this document is updated, and an email is sent to relevant parties who may use it to inform them of the changes.
Some internal data sources may require additional steps, such as testing and deployment. This is left up to <relevant stakeholder>, the CTI team, and the requester to collaborate on an ad-hoc basis.
Training
To effectively collect data and fulfill <company name>’s intelligence requirements, <company name> is dedicated to providing employees with the appropriate training. This includes ensuring employees are aware of each CMF, know how to use each CMF to investigate cyber incidents or fulfill intelligence requirements, and can assess and add new data sources.
To meet these objectives, <company name> has the following employee training programs to ensure the CMFs outlined in this document are used effectively.
- <training program 1>
- <training program 2>
- <training program 3>
Maintenance and Review
The Collection Management Framework document will be reviewed and updated regularly.
| Auditor | CTI Team Manager |
| --- | --- |
| Review Period | Annually or as required |
| Review Date | <review date> |
| Next Review Date | <next review date> |
Appendices
Appendix A: New Data Source Form
Provide a form for adding a new data source.
Appendix B: Contact Lists
Cyber Threat Intelligence Team Contacts
| Role | Name | Title | Phone | |
| --- | --- | --- | --- | --- |
| Head of CTI | | | | |
| CTI Manager | | | | |
| CTI Lead | | | | |
| CTI Analyst | | | | |
| CTI Analyst | | | | |
| CTI Analyst | | | | |
Internal Data Source Contacts
| Data Source | Name | Title | Phone | |
| --- | --- | --- | --- | --- |
External Data Source Contacts
| Data Source | Name | Title | Phone | |
| --- | --- | --- | --- | --- |
Conclusion
A well-documented collection management framework is a cornerstone of all successful cyber threat intelligence programs. These frameworks allow you to accurately assess the value of your data sources, discover what questions you can ask, and identify any collection gaps your organization needs to fill.
The collection management framework template described in this article provides a blueprint for creating a custom framework tailored to your organization’s specific needs and data sources.
Use the form below to download this template’s PDF or Word document version and start strengthening your threat intelligence processes today!