You are on page 1of 3

9/10/2017 F3EAD: Find, Fix, Finish, Exploit, Analyze and Disseminate the alternative intelligence cycle Digital Shadows

F3EAD: Find, Fix, Finish, Exploit, Analyze and Disseminate

the alternative intelligence cycle /blog-and-research/f3ead-find-fix-finish-exploit-analyze-and-disseminate-the-alternative-

The F3EAD cycle (Find, Fix Finish, Exploit, Analyze and Disseminate) is an alternative intelligence cycle commonly
used within Western militaries within the context of operations that typically result in lethal action, such as drone strikes
and special forces operations. A basic summary of the phases of the cycle is as follows:

1. Find: essentially picking up the scent of the opponent, with the classic Who, What, When, Where, Why
questions being used within this phase to identify a candidate target
2. Fix: verification of the target(s) identified within the previous phase, which typically involves multiple triangulation
points. This phase effectively transforms the intelligence gained within the Find phase into evidence that can be
used as basis for action within the next stage
3. Finish: based on the evidence generated from the previous two phases the commander of the operation
imposed their will on the target
4. Exploit: deconstruction of the evidence generated from the finish phase
5. Analyze: fusing the exploited evidence with the wider intelligence picture
6. Dissemination: finally publishing the results of the research to key stakeholders

Looking at the above cycle from an information security perspective, it becomes obvious that this cycle can be applied
within the cyber security context. This statement is borne out by making small changes to the above narrative i.e.
replace Kill or capture with remove or restrict. Many security teams do the practice of "find-remove-on to the next"
and, while that is at the core of the F3EAD cycle, there is still value in defining the process within the confines of the

Some may ask, is F3EAD merely reinventing the wheel of the intelligence cycle? I would argue no and that F3EAD is
far more tactical in practice than the more strategic intelligence cycle and its less defined boundaries of Direction,
Collection, Analysis and Dissemination.

What the existence and simulations of both these intelligence frameworks cycles show is that intelligence as a
professional practice spans a number of levels within the organization, from the high-level strategic decision making that
the intelligence cycle caters to, down to the tactical, minute by minute style of operation that the F3EAD cycle supports.
Within this context, both cycles could be implemented within an organization. Shown below is a simple example of a
hypothetical organization using both cycles to combat an Advanced Persistent Threat group, the intention of this is to
show how the cycle interlink and provide mutual support to each other and some of the key stakeholders invested in

The Intelligence Cycle

Phase Action
9/10/2017 F3EAD: Find, Fix, Finish, Exploit, Analyze and Disseminate the alternative intelligence cycle Digital Shadows

Direction Board level identification of APT groups as the core cyber security threat to the business

Collection The companys threat intelligence team collects data gathered from internal response cases and
fuses it with data provided by the external threat intelligence provider.

Analysis A full fusion and analysis of collected data over a strategic period of time (6 months to 1 year)

Dissemination Results communicated back to the board and the wider threat intelligence community around the
specific APT threat that has targeted the company


Phase Action

Find Suspect activity identified on a number of hosts

Fix Multiple common indicators of suspicious activity identify a cluster of infected hosts

Finish Hosts are taken offline and employees are given new machines

Exploit Based on analysis of malware found within the infected hosts a number of specific Indicators of
Compromise (IOCs) are identified by the team

Analyse Fusing the IOCs found in house with the IOCs provided by the third part intelligence provider feeds
into the wider picture of the APT threat and leads to further identification of anomalous behavior on the
companys network

Disseminate The results of the analysis are disseminated to both tactical consumers (SOC etc) and the strategic
sponsors of the project i.e. the members of the c suite with an interest in the issue

What can be seen from the above example is that the intelligence cycle and the F3EAD cycle can be employed closely
together to fulfill the overall companys intelligence requirements, both tactical and strategic. One way of visualizing
9/10/2017 F3EAD: Find, Fix, Finish, Exploit, Analyze and Disseminate the alternative intelligence cycle Digital Shadows

these two cycles is as cogs turning together within the intelligence process, with intersections between the intelligence
cycles "Collection" phase and the F3EAD cycles "Find" phase. This relationship is shown below.

To learn how more about intelligence and Digital Shadows, watch our video demo here.