The Cyber Threat Intelligence Cycle
The cyber threat intelligence cycle (sometimes called the lifecycle) is the sequence of steps CTI analysts use to generate, share, and improve threat intel. It is adapted from the intelligence cycle the intelligence community uses for traditional (non-cyber) intelligence.
Planning & Direction
Define the intelligence requirements (IRs): the main goals of the CTI effort, expressed as the questions the intel should answer, so the purpose of the work is clear from the start. Set the timeline and priorities. Identify the audience(s) that will receive the intel. Define key performance indicators (KPIs) and the methods you will use.
These tasks will help you know what data to collect.
Collection
Gather raw data from a variety of internal and external sources to meet the requirements defined in the previous step.
Data sources can include internal logs, indicators of compromise (IoCs), threat feeds, and open sources on the surface web, the deep web, and the dark web.
Processing
Organize the collected data so it is ready to be analyzed against the requirements defined earlier. Filter out redundant information and false positives (false negatives are things you never collected, so they cannot be filtered here; they show up later as gaps in coverage). Make the data usable through normalization, indexing, translation, enrichment, filtering, prioritization, visualization, deduplication, decryption, etc. Apply metadata tags to aid analysis.
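As an added example (not code from the original article), here is a small Python processing step run over a constructed batch of raw collection records. It refangs and normalizes values so the same indicator from two feeds compares equal, drops malformed and internal addresses, removes a known-benign domain as a false positive, deduplicates while keeping provenance, and applies metadata tags. The feed names, record layout, allowlist, and tag names are assumptions made for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample of raw collection output (not real indicators): mixed
# defanging styles, a port glued onto an address, the same indicator from two
# sources, an RFC 1918 address, a known-benign domain and a malformed value.
RAW_RECORDS = [
    {"source": "feed-a", "type": "domain", "value": "Evil-Update[.]example", "seen": "2024-05-01T10:00:00Z"},
    {"source": "feed-b", "type": "domain", "value": "evil-update.example.", "seen": "2024-05-02T08:30:00Z"},
    {"source": "edr",    "type": "ipv4",   "value": "198.51.100.23:443",     "seen": "2024-05-02T09:00:00Z"},
    {"source": "feed-a", "type": "ipv4",   "value": "198[.]51[.]100[.]23",   "seen": "2024-05-01T10:00:00Z"},
    {"source": "feed-c", "type": "ipv4",   "value": "10.0.0.5",              "seen": "2024-05-01T11:00:00Z"},
    {"source": "feed-c", "type": "domain", "value": "cdn(.)example",         "seen": "2024-05-01T11:00:00Z"},
    {"source": "feed-b", "type": "ipv4",   "value": "not-an-ip",             "seen": "2024-05-02T08:30:00Z"},
]

# Assumed allowlist: infrastructure the organisation already knows is benign.
ALLOWLIST = {"cdn.example"}

# Address space a feed should never legitimately name as attacker infrastructure
# (RFC 1918, loopback, link-local); anything here is noise from someone's LAN.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Indicator:
    type: str
    value: str
    sources: list = field(default_factory=list)
    first_seen: str = ""
    last_seen: str = ""
    tags: set = field(default_factory=set)


def refang(value: str) -> str:
    """Undo common defanging so the same value from different feeds compares equal."""
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.strip()


def normalize(record: dict):
    """Return a canonical (type, value) key for a raw record, or None to discard it."""
    value = refang(record["value"])
    if record["type"] == "ipv4":
        value = value.split(":")[0]                    # drop a trailing :port
        try:
            ip = ipaddress.IPv4Address(value)
        except ipaddress.AddressValueError:
            return None                                # malformed: nothing to act on
        if any(ip in net for net in INTERNAL_NETS):
            return None                                # internal address: false positive
        return "ipv4", str(ip)
    if record["type"] == "domain":
        value = value.lower().rstrip(".")              # case and trailing dot are not significant
        if value in ALLOWLIST:
            return None                                # known-benign: false positive
        return "domain", value
    return None                                        # unsupported type in this example


def process(records: list) -> dict:
    """Normalize, deduplicate, merge provenance and tag a batch of raw records.

    Returns a dict keyed by (type, value) so a later step can index or enrich it.
    """
    table: dict = {}
    for rec in records:
        key = normalize(rec)
        if key is None:
            continue
        ind = table.setdefault(key, Indicator(type=key[0], value=key[1]))
        if rec["source"] not in ind.sources:
            ind.sources.append(rec["source"])          # keep provenance across duplicates
        # ISO 8601 timestamps in UTC sort correctly as strings.
        ind.first_seen = min(filter(None, (ind.first_seen, rec["seen"])))
        ind.last_seen = max(ind.last_seen, rec["seen"])
        if len(ind.sources) > 1:
            ind.tags.add("corroborated")               # reported by more than one source
        if rec["source"] == "edr":
            ind.tags.add("observed-internally")        # a sighting on our own hosts, not just a feed entry
    return table


if __name__ == "__main__":
    for ind in process(RAW_RECORDS).values():
        print(ind)
```

Run as-is and the seven raw records collapse to two indicators: the internal address, the allowlisted domain and the malformed value are discarded, and the survivors each carry both sources, the timestamps spanning them, and tags an analyst can pivot on in the next step.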
Analysis & Production
Analyze the processed data using structured analytical techniques. Assess the meaning of the data to answer the questions from the Direction step. Add context.
Transform the data into information, and the information into intelligence that can be used to inform decisions. Make recommendations as warranted. Make the intel ready to share. Based on the intended audience, choose the appropriate format(s) for the intel (feeds, reports, charts, graphs, presentations, dashboards, etc.).
Sometimes you’ll see Analysis and Production shown as a single step, and sometimes you’ll see them shown as separate steps.
Dissemination (or Distribution)
Share the intel with the relevant audience(s), in the appropriate format(s).
Feedback
Gather feedback from the audience(s) to confirm the intel adequately answered their questions. If it has not, start the cycle over, focusing on the unanswered questions.
Use the feedback to see how you can improve the accuracy, relevance, efficiency, and timeliness of your CTI for future operations.
Based on the feedback, decide whether future CTI operations should still be planned around the original intelligence requirements.
Sometimes you’ll see Dissemination and Feedback shown as a single step, and sometimes you’ll see them shown as separate steps.
Applying the CTI Cycle
In the video below, Katie Nickels walks through the CTI cycle, showing how it’s used by CTI analysts. She covers many other CTI concepts, including intelligence requirements, cyber kill chain, ATT&CK, Diamond Model, TIPs, bias, and structured analytic techniques.
Further Reading
Understanding the Cyber Threat Intelligence Cycle
The Five Phases of the Threat Intelligence Lifecycle
The Threat Intelligence Lifecycle: A Complete Guide
The (Cyber Threat) Intelligence cycle
5 Stages of The Threat Intelligence Lifecycle (SOCRadar Cyber Intelligence Inc.)
5 Phases of the Threat Intelligence Lifecycle (Recorded Future)