managing-intelligence-lifecycle

Managing Intelligence Lifecycle

When to Use

Use this skill when:

• Establishing a formal CTI program and defining its operational model
• Conducting quarterly intelligence requirements reviews with business stakeholders
• Evaluating CTI program maturity against established frameworks (FIRST CTI-SIG maturity model)

Do not use this skill for day-to-day IOC triage or incident-specific intelligence tasks — those use operational intelligence workflows, not lifecycle management.

Prerequisites

• Executive sponsorship and defined CTI team structure (1+ dedicated analysts)
• Stakeholder map identifying intelligence consumers (SOC, IR, executive team, vulnerability management)
• Existing feed subscriptions or ISAC memberships for collection baseline
• CTI platform (MISP, ThreatConnect, OpenCTI) for lifecycle management

Workflow

Step 1: Planning and Direction

Define Priority Intelligence Requirements (PIRs) with stakeholders:

• Interview SOC leads, IR team, CISO, risk management, and product security
• Document PIRs in structured format: "What is the current capability and intent of [threat actor] to attack [critical asset] using [technique]?"
• Prioritize 5–10 PIRs for the quarter, reviewed monthly

Example PIR: "Is ransomware group Cl0p currently targeting organizations in our sector using MoveIT or GoAnywhere vulnerabilities?"

Step 2: Collection Planning

Map PIRs to required collection sources:

• Technical sources: commercial feeds, TAXII, ISAC data, honeypot telemetry, darkweb monitoring
• Human sources: vendor threat briefings, industry working groups, law enforcement partnerships
• Internal sources: SIEM logs, EDR telemetry, phishing submission mailbox

Document collection gaps and associated costs to fill them.

Step 3: Processing and Normalization

Implement automated processing pipeline:

• Ingest → normalize to STIX 2.1 → deduplicate → enrich → score confidence
• Reject unverifiable or duplicate indicators before analysis
• Tag all processed data with source, collection date, and expiration

Step 4: Analysis and Production

Produce intelligence at three levels:

• Strategic: Quarterly threat landscape report for executives; sector trends, geopolitical context
• Operational: Weekly campaign reports for security leadership; active campaigns, adversary activity
• Tactical: Daily IOC bulletins for SOC; actionable indicators with block/monitor recommendations

Apply structured analytic techniques: Analysis of Competing Hypotheses (ACH), Key Assumptions Check, Devil's Advocacy.

Step 5: Dissemination

Match product format to audience:

• Executives: 1-page PDF with risk ratings, business impact, recommended decisions
• SOC analysts: SIEM-ready IOC list, Sigma rules, MISP events
• Vulnerability management: CVE lists with EPSS scores and exploitation likelihood
• IT/Security leadership: Full intelligence report with technical appendix

Apply TLP classifications and distribution lists per product type.

Step 6: Feedback and Evaluation

Collect feedback within 5 business days of dissemination:

• Did the product address the PIR?
• Was actionability sufficient?
• What data was missing?

Track metrics quarterly: PIR coverage rate, IOC true positive rate, time-to-disseminate, stakeholder satisfaction score (NPS or structured survey).

Key Concepts

Term	Definition
PIR	Priority Intelligence Requirement — specific, actionable question driving intelligence collection and analysis
Intelligence Lifecycle	Six-phase iterative process: Planning → Collection → Processing → Analysis → Dissemination → Feedback
Strategic Intelligence	Long-term threat trend analysis for executive decision-making; time horizon 6–24 months
Operational Intelligence	Campaign-level analysis for security program decisions; time horizon 1–6 months
Tactical Intelligence	Specific IOCs and TTPs for immediate detection and blocking; time horizon hours to days
FIRST CTI-SIG	Forum of Incident Response and Security Teams — CTI Special Interest Group maturity model

Tools & Systems

• ThreatConnect: TIP with built-in intelligence lifecycle workflows, PIR tracking, and stakeholder reporting dashboards
• MISP: Open-source TIP supporting intelligence lifecycle from collection through sharing
• OpenCTI: Graph-based CTI platform with workflow management for intelligence products
• Recorded Future: Commercial platform with structured intelligence reports aligned to the intelligence lifecycle

Common Pitfalls

• Collection without direction: Ingesting every available feed without PIRs produces data overload and no actionable intelligence.
• Missing feedback loops: Without structured feedback, CTI teams produce reports that don't meet stakeholder needs and lose organizational relevance.
• Tactical-only focus: Overemphasis on IOC sharing neglects strategic intelligence that informs security investment and risk decisions.
• No metrics program: Cannot demonstrate CTI program value without tracking detection contributions, true positive rates, and stakeholder satisfaction.
• Underfunded collection: PIRs cannot be answered without appropriate collection sources; document and escalate gaps rather than producing low-confidence estimates.