Intelligence Requirements in Cyber Threat Intelligence

Photo by Carlos Esteves on Unsplash

Intelligence Requirements in the CTI Cycle

  1. Planning & Direction: define the IRs
  2. Collection: gather data relevant to the IRs
  3. Processing: make data ready to analyze for relevance to the IRs
  4. Analysis & Production: assess the meaning of the data relevant to the IRs
  5. Dissemination/Distribution: share intel relevant to the IRs
  6. Feedback: gather input about how well the intel matched the IRs

Example Intelligence Requirements

  • What vulnerabilities are being exploited?
  • What vulnerabilities can we detect?
  • What exploits can do we need to watch for?
  • What exploits can we defend against?
  • What vulnerabilities are threat actors targeting?
  • What assets do we need to defend?
  • What threat actors do we need to watch for?
  • What threats is our industry facing?
  • What threats is our geographic area facing?
  • What security concerns keep executives up at night?

Prioritizing Intelligence Requirements

Types of Intelligence Requirements

  • General Intelligence Requirements (GIRs): Most granular. Operational, tactical; focused on specific facts and activities. Often related to specific attributes of attack or threat actor. Very short-term. Example: Describe the specific attributes associated with all REvil ransomware binaries observed in incidents today.
  • Priority Intelligence Requirements (PIRs): Less granular than SIRs, more granular than GIRs. Determine and outline priority of IRs. Time-based. Focus on specific activity/event. Example: Where along the perimeter will the adversary attack?
  • Specific Intelligence Requirements (SIRs): Most general. Example: How is ransomware being hosted, distributed, and installed?

Benefits of Intelligence Requirements

  • By focusing efforts, IRs enable more efficient use of InfoSec resources.
  • By setting clear requirements, IRs make it easier to measure the success of CTI.
  • By enabling the measurement of CTI success, IRs make it easier to justify the expense of CTI operations.

Additional Resources



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Chad Warner

Chad Warner

Cyber threat intelligence (CTI), cybersecurity, & privacy enthusiast. Seeking a CTI job. Bookworm. Fan of Tolkien & LEGO.