The Cyber Threat Intelligence Cycle

Chad Warner
Jan 14, 2022

The cyber threat intelligence cycle (sometimes called lifecycle) is a cycle of steps CTI analysts use to generate, share, and improve threat intel. It’s based on the intelligence cycle used by the intelligence community for traditional (non-cyber) intelligence.


Planning & Direction

Define the intelligence requirements (IRs), which are the main goals of the CTI efforts. Define the questions that the intel should answer, so you know the purpose of the intel. Set the timeline and priorities. Define the audience(s) that will receive the intel. Define key performance indicators (KPIs). Define the methods you’ll use.

These tasks will help you know what data to collect.

Collection

Gather raw data from a variety of internal and external sources to meet the goals defined in the previous step.

Data sources can include internal logs, IoCs, the surface web, the deep web, the dark web, threat feeds, etc.

Processing

Organize the collected data so it’s ready to be analyzed to support the requirements previously defined. Filter out redundant info, false positives, and false negatives. Make data usable using normalization, indexing, translation, enrichment, filtering, prioritization, visualization, deduplication, decryption, etc. Apply metadata tags to aid analysis.
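To make the Processing step concrete, here is an added example (not from the original post) that normalizes, filters, deduplicates, and tags a handful of raw indicators. The feed names, the internal address range, and the function names are assumptions, and the sample records are constructed.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample records standing in for Collection output (not real indicators).
RAW = [
    {"value": "hxxp://Evil.Example[.]com/login", "source": "feed-a"},
    {"value": "http://evil.example.com/login ", "source": "feed-b"},
    {"value": "198.51.100[.]7", "source": "feed-a"},
    {"value": "198.51.100.7", "source": "internal-logs"},
    {"value": "10.0.0.5", "source": "internal-logs"},
    {"value": "EVIL.example[.]com", "source": "feed-b"},
    {"value": "A" * 64, "source": "feed-a"},  # placeholder SHA-256
]
# Assumption: the organization's own address space, treated as false positives.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def refang(value):
    """Undo common defanging so equal indicators compare equal."""
    v = value.strip().replace("[.]", ".")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)

def classify(value):
    """Return (type, normalized value) for one refanged indicator."""
    try:
        return "ipv4", str(ipaddress.IPv4Address(value))
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return "sha256", value.lower()
    if re.match(r"https?://", value, re.IGNORECASE):
        scheme, rest = value.split("://", 1)
        host, _, path = rest.partition("/")
        return "url", f"{scheme.lower()}://{host.lower()}/{path}"
    if re.fullmatch(r"([a-z0-9-]+\.)+[a-z]{2,}", value.lower()):
        return "domain", value.lower()
    return "unknown", value

def process(records):
    """Normalize, filter, deduplicate, and tag raw indicator records."""
    merged = defaultdict(set)
    for rec in records:
        kind, norm = classify(refang(rec["value"]))
        internal = kind == "ipv4" and any(ipaddress.IPv4Address(norm) in n for n in INTERNAL_NETS)
        if kind == "unknown" or internal:
            continue  # filtering: unusable value, or internal address (false positive)
        merged[(kind, norm)].add(rec["source"])  # deduplication across sources
    return [{"type": k, "value": v, "sources": sorted(s),
             "tags": ["multi-source" if len(s) > 1 else "single-source"]}
            for (k, v), s in sorted(merged.items())]
```

Calling `process(RAW)` collapses the seven raw records into four indicators, each carrying its type, the sources that reported it, and a tag an analyst can sort on.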

Analysis & Production

Analyze the processed data using structured analytical techniques. Assess the meaning of the data to answer the questions from the Direction step. Add context.

Transform the data into information, then into intelligence that can be used to inform decisions. Make recommendations as warranted. Make the intel ready to share. Based on the intended audience, choose the appropriate format(s) for the intel (feeds, reports, charts, graphs, presentations, dashboards, etc.).

Sometimes you’ll see Analysis and Production shown as a single step, and sometimes you’ll see them shown as separate steps.

Dissemination (or Distribution)

Share the intel with the relevant audience(s), in the appropriate format(s).

Feedback

Gather feedback from the audience(s), to ensure the intel adequately answered their questions. If it hasn’t, start the cycle over, focusing on the unanswered questions.

Use the feedback to see how you can improve your CTI accuracy, relevance, efficiency, and timeliness for future operations.

Based on the feedback, decide if you should plan future CTI operations around the original intelligence requirements.

Sometimes you’ll see Dissemination and Feedback shown as a single step, and sometimes you’ll see them shown as separate steps.

Applying the CTI Cycle

In the video below, Katie Nickels walks through the CTI cycle, showing how it’s used by CTI analysts. She covers many other CTI concepts, including intelligence requirements, cyber kill chain, ATT&CK, Diamond Model, TIPs, bias, and structured analytic techniques.
