The intelligence lifecycle is a process to transform raw information into
finished intelligence for decision making and action. You will see many
slightly different versions of the intelligence cycle in your research, but
the goal is the same: to guide a cybersecurity team through the development
and execution of an effective threat intelligence program.
Threat intelligence is challenging because threats are constantly evolving,
requiring businesses to adapt quickly and take decisive action. The
intelligence cycle provides a framework that enables teams to optimize their
resources and respond effectively to the modern threat landscape. The
intelligence cycle consists of six steps that form a feedback loop to
encourage continuous improvement.
Let’s explore the six steps below:
1. Requirements
The requirements stage is crucial to the threat intelligence lifecycle because it sets the
roadmap for a specific threat intelligence operation. During this planning
stage, the team will agree on the goals and methodology of their intelligence
program based on the needs of the stakeholders involved. The team may set out
to discover:
- who the attackers are and their motivations
- what the attack surface is
- what specific actions should be taken to strengthen their defenses against a future attack
2. Collection
Once the requirements are defined, the team then sets out to collect the data required
to satisfy those objectives. Depending on the goals, the team will usually seek
out traffic logs, publicly available sources, relevant forums, social media,
and industry or subject matter experts.
3. Processing
After the raw data has been collected, it will have to be processed into a format
suitable for analysis. Most of the time, this entails organizing data points
into spreadsheets, decrypting files, translating information from foreign
sources, and evaluating the data for relevance and reliability.
4. Analysis
Once the dataset has been refined, the team must then conduct a thorough
analysis to find answers to the questions posed in the requirements phase.
During the analysis phase, the team also works to turn the dataset into
action items and valuable recommendations for the stakeholders.
5. Dissemination
The dissemination phase requires the threat intelligence team to translate
their analysis into a digestible format and present the results to the
stakeholders. How the analysis is presented depends on the audience. In most
cases, the recommendations should be presented concisely, without confusing
technical jargon, either in a one-page report or a short slide deck.
6. Feedback
The final stage of the threat intelligence lifecycle involves getting
feedback on the provided report to determine whether
adjustments need to be made for future threat intelligence operations.
Stakeholders may have changes to their priorities, the cadence at which they
wish to receive intelligence reports, or how data should be disseminated or
presented.