Managing Intelligence Lifecycle
When to Use
Use this skill when:
- Establishing a formal CTI program and defining its operational model
- Conducting quarterly intelligence requirements reviews with business stakeholders
- Evaluating CTI program maturity against established frameworks (FIRST CTI-SIG maturity model)
Do not use this skill for day-to-day IOC triage or incident-specific intelligence tasks — those use operational intelligence workflows, not lifecycle management.
Prerequisites
- Executive sponsorship and defined CTI team structure (1+ dedicated analysts)
- Stakeholder map identifying intelligence consumers (SOC, IR, executive team, vulnerability management)
- Existing feed subscriptions or ISAC memberships for collection baseline
- CTI platform (MISP, ThreatConnect, OpenCTI) for lifecycle management
Workflow
Step 1: Planning and Direction
Define Priority Intelligence Requirements (PIRs) with stakeholders:
- Interview SOC leads, IR team, CISO, risk management, and product security
- Document PIRs in structured format: "What is the current capability and intent of [threat actor] to attack [critical asset] using [technique]?"
- Prioritize 5–10 PIRs for the quarter, reviewed monthly
Example PIR: "Is ransomware group Cl0p currently targeting organizations in our sector using MoveIT or GoAnywhere vulnerabilities?"
Step 2: Collection Planning
Map PIRs to required collection sources:
- Technical sources: commercial feeds, TAXII, ISAC data, honeypot telemetry, darkweb monitoring
- Human sources: vendor threat briefings, industry working groups, law enforcement partnerships
- Internal sources: SIEM logs, EDR telemetry, phishing submission mailbox
Document collection gaps and associated costs to fill them.
Step 3: Processing and Normalization
Implement automated processing pipeline:
- Ingest → normalize to STIX 2.1 → deduplicate → enrich → score confidence
- Reject unverifiable or duplicate indicators before analysis
- Tag all processed data with source, collection date, and expiration
Step 4: Analysis and Production
Produce intelligence at three levels:
-
Strategic: Quarterly threat landscape report for executives; sector trends, geopolitical context
-
Operational: Weekly campaign reports for security leadership; active campaigns, adversary activity
-
Tactical: Daily IOC bulletins for SOC; actionable indicators with block/monitor recommendations
Apply structured analytic techniques: Analysis of Competing Hypotheses (ACH), Key Assumptions Check, Devil's Advocacy.
Step 5: Dissemination
Match product format to audience:
- Executives: 1-page PDF with risk ratings, business impact, recommended decisions
- SOC analysts: SIEM-ready IOC list, Sigma rules, MISP events
- Vulnerability management: CVE lists with EPSS scores and exploitation likelihood
- IT/Security leadership: Full intelligence report with technical appendix
Apply TLP classifications and distribution lists per product type.
Step 6: Feedback and Evaluation
Collect feedback within 5 business days of dissemination:
- Did the product address the PIR?
- Was actionability sufficient?
- What data was missing?
Track metrics quarterly: PIR coverage rate, IOC true positive rate, time-to-disseminate, stakeholder satisfaction score (NPS or structured survey).
Key Concepts
| Term |
Definition |
| PIR |
Priority Intelligence Requirement — specific, actionable question driving intelligence collection and analysis |
| Intelligence Lifecycle |
Six-phase iterative process: Planning → Collection → Processing → Analysis → Dissemination → Feedback |
| Strategic Intelligence |
Long-term threat trend analysis for executive decision-making; time horizon 6–24 months |
| Operational Intelligence |
Campaign-level analysis for security program decisions; time horizon 1–6 months |
| Tactical Intelligence |
Specific IOCs and TTPs for immediate detection and blocking; time horizon hours to days |
| FIRST CTI-SIG |
Forum of Incident Response and Security Teams — CTI Special Interest Group maturity model |
Tools & Systems
-
ThreatConnect: TIP with built-in intelligence lifecycle workflows, PIR tracking, and stakeholder reporting dashboards
-
MISP: Open-source TIP supporting intelligence lifecycle from collection through sharing
-
OpenCTI: Graph-based CTI platform with workflow management for intelligence products
-
Recorded Future: Commercial platform with structured intelligence reports aligned to the intelligence lifecycle
Common Pitfalls
-
Collection without direction: Ingesting every available feed without PIRs produces data overload and no actionable intelligence.
-
Missing feedback loops: Without structured feedback, CTI teams produce reports that don't meet stakeholder needs and lose organizational relevance.
-
Tactical-only focus: Overemphasis on IOC sharing neglects strategic intelligence that informs security investment and risk decisions.
-
No metrics program: Cannot demonstrate CTI program value without tracking detection contributions, true positive rates, and stakeholder satisfaction.
-
Underfunded collection: PIRs cannot be answered without appropriate collection sources; document and escalate gaps rather than producing low-confidence estimates.
