5 Phases of the Threat Intelligence Lifecycle


Facts in the intelligence community have a limited shelf life. Threat intelligence is nearly always contextual and temporal: Threats come at a definite time and place, attacking specific vulnerabilities in particular systems. To develop effective threat intelligence, it is essential that you identify the elements — beyond mere data — that actually comprise it, and understand how the intelligence lifecycle unfolds.

Intelligence and Threat Intelligence

Intelligence is the product of a process that includes collecting data, analyzing it, and viewing it in context, and it generally includes predictions of future behavior and recommended courses of action. Thus, even today, when automated systems can collect and parse data far faster than any team of people, the human element remains essential to make sense of that data by providing context and direction.

In its recent market guide of threat intelligence products and services, the technology research company Gartner defines threat intelligence as “evidence-based knowledge — including context, mechanisms, indicators, implications, and action-oriented advice — about an existing or emerging hazard to IT or information assets.” The purpose of threat intelligence is ultimately to inform decisions about how to respond to those hazards.

The Intelligence Lifecycle

The intelligence lifecycle is a process first developed by the CIA, following five steps: direction, collection, processing, analysis and production, and dissemination. Each completed cycle is followed by feedback and an assessment of that cycle’s success or failure, and the lessons learned shape the next iteration.

  1. Direction: First, the objectives of this intelligence cycle must be defined, generally by an authoritative figure. Objectives are identified based on certain essential elements of information (EEIs) needed to make timely and accurate decisions. Those EEIs might include things like the nature of the attack, the actors involved, the space where an attack will happen, and so on.
  2. Collection: Next, in response to the criteria laid out in the EEIs, data is gathered from multiple sources, including human intelligence, imagery, electronic sources, intercepted signals, or publicly available sources.
  3. Processing: After data is gathered, it must be processed into a comprehensible form. That can include translating it from a foreign language, decrypting it, or sorting data based on how reliable or relevant it is.
  4. Analysis and Production: The processed data must then be converted into a coherent whole. Contradictory data points must be weighed against one another, and the patterns and implications of inconclusive or insufficient data must be considered. The products of this stage are assessments and reports that summarize the data for decision makers. This takes an expert touch — good analysts will not be replaced by automated systems any time soon.
  5. Dissemination: The finished product of this process must get to the right hands to be effective, so the intelligence cycle must loop back upon itself. These reports and assessments are delivered to clients or the leadership who commissioned the cycle in the first place.
  6. Feedback: After review of this new intelligence, authority figures will take action, including issuing new directions to gather further intelligence. The process is refined with the aim of producing more accurate, relevant, and timely assessments based on the success of previous intelligence.
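To make the processing, analysis and feedback steps concrete, here is an added example (not code from the original post or from Recorded Future) that runs a handful of constructed indicator reports through a minimal cycle: processing normalizes indicators and discards unknown sources and data past its shelf life, analysis weighs contradictory verdicts by assumed source reliability and freshness, and feedback adjusts a source’s reliability once its verdict has been verified. The reliability table, the 30-day shelf life, the decision threshold and all indicators are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SHELF_LIFE = timedelta(days=30)  # assumption: an indicator older than this carries no weight

@dataclass
class Report:
    source: str        # who reported it
    indicator: str     # IP or domain exactly as the source wrote it
    malicious: bool    # the source's verdict
    observed: datetime

def process(reports, now, reliability):
    """Processing: normalize indicators; drop unknown sources and expired data."""
    return [Report(r.source, r.indicator.strip().lower(), r.malicious, r.observed)
            for r in reports
            if r.source in reliability and now - r.observed <= SHELF_LIFE]

def analyze(reports, now, reliability, threshold=0.2):
    """Analysis and production: weigh contradictory verdicts by source reliability
    and freshness, then label each indicator for the decision maker."""
    scores = {}
    for r in reports:
        freshness = 1 - (now - r.observed) / SHELF_LIFE   # 1.0 when new, 0.0 at shelf life
        weight = reliability[r.source] * freshness
        scores[r.indicator] = scores.get(r.indicator, 0.0) + (weight if r.malicious else -weight)
    return {ind: "malicious" if s > threshold else "benign" if s < -threshold else "inconclusive"
            for ind, s in scores.items()}

def feedback(reliability, source, confirmed, step=0.05):
    """Feedback: return a new reliability table after a source's verdict was verified."""
    updated = dict(reliability)
    updated[source] = max(0.0, min(1.0, reliability[source] + (step if confirmed else -step)))
    return updated

# Constructed sample (not real IoCs): three known sources and one unknown one disagree.
NOW = datetime(2024, 1, 31)
RELIABILITY = {"vendor_feed": 0.9, "osint_paste": 0.4, "partner_share": 0.7}
SAMPLE = [
    Report("vendor_feed", "198.51.100.7", True, NOW - timedelta(days=2)),
    Report("osint_paste", "198.51.100.7", False, NOW - timedelta(days=1)),
    Report("unknown_blog", "198.51.100.7", True, NOW - timedelta(days=1)),   # dropped
    Report("osint_paste", " Example-Bad.test ", True, NOW - timedelta(days=5)),
    Report("partner_share", "example-bad.test", False, NOW - timedelta(days=20)),
    Report("vendor_feed", "stale.test", True, NOW - timedelta(days=45)),      # expired
]

def run_cycle():
    """Direction (the question: which reported indicators should we block?) through production."""
    return analyze(process(SAMPLE, NOW, RELIABILITY), NOW, RELIABILITY)
```

The weak, fresh paste-site verdict does not outweigh the reliable vendor feed, while two low-weight contradictory reports leave the second indicator inconclusive rather than silently picking one side.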

To read the rest of the post, visit the Recorded Future blog.

About Recorded Future
Recorded Future arms security teams with threat intelligence powered by patented machine learning to lower risk. Our technology automatically collects and analyzes information from an unrivaled breadth of sources and provides invaluable context that’s delivered in real time and packaged for human analysis or instant integration with existing security technology.