Threat Intelligence Lifecycle

Introduction

The Threat Intelligence Lifecycle is a systematic process that ensures the effective creation and management of intelligence. This module explores each phase in detail and how they work together to create actionable intelligence. You may see the model with less or more stages in it. They are all correct, I have used the one which displays the most phases to exapnd further. To avoidd confusion you will also see the Intelligence Lifecycle model with the following. (Direction, Collection, Analysis, Dissemination, Feedback)

Planning and Direction Phase Overview

What You'll Learn

The six phases of the intelligence lifecycle
How to implement each phase effectively
Common challenges and solutions
Best practices for each phase

Planning and Direction

This is the first phase of the lifecycle which focuses on defining intelligence requirements and planning the collection strategy, also this is really where we want to be setting out the high level objectives

Some things I think are important to consider at this stage and "get out of the way" first are what constraints could there be? For example, What role will the intelligence function take? Will it be to inform decisions or make decisions. Will it be able to meet its customers proposed needs due to legal, ethical or practical constraints? Who will/has the accountability and ownership of the intelligence funciton? Of course, all these questions can be easily answered by discussing them with the right stakeholders.

Customer requirements are generally broken down. Long terms directives, Medium term directives and short term directives, which we shal disuss later in this section.

✔ Goal: Define what intelligence is required, why it's needed, and how it will be used.
✔ Outcome: A structured intelligence plan that aligns with business objectives and security priorities.

The Direction phase is where intelligence operations begin. It involves identifying and prioritizing intelligence requirements to ensure that intelligence collection and analysis efforts are aligned with the organizational needs. There should be nothing random happening, it should all be planned effectively. All intelligence picked for collection should have an end purpose.

You will want to begin making sure you are able to get all the appropriate key stakeholders together. Direction initially will come from them ( The Customer) The customer(s) will be the ones consuming the intelligence. At this stage you will also define how the intelligence will be presented and disseminated.

It is important to note that sometimes the customer does not know what they need, or might think they need A but require B, or they may have a great understanding. It is our job as intelligence producers to understand the reasons for the requirement in the first place. We need to be able to elicit requirements and understand the customers mind set to better align with their goals.

To help us navigate this with a client we can use the MoSCoW method or something similar which will allow appropriate planning to take place with something that is well understood by most organisations. If you're not familiar with MoSCoW then check out this link This method helps intelligence teams rank PIRs based on their urgency, impact, and relevance. We can then use the SMART method to ensure that PIRs are well-defined, actionable, and measurable by making them

Understanding how customers consume and apply threat intelligence is essential for delivering actionable intelligence that aligns with their security operations, risk management strategies, and compliance requirements. Before mapping intelligence consumption, CTI teams must assess customer requirements, which vary based on industry, security maturity, and threat landscape.

Customer Requirements

✔ Industry-Specific Risks, Financial institutions vs. healthcare organizations have different threat priorities.
✔ Regulatory & Compliance Needs, CBEST, TIBER-EU, GDPR, NIST, ISO 27001 compliance may drive intelligence consumption.
✔ Organizational Maturity, Is the customer mature with a SOC, TIP, and automated feeds, or do they rely on manual processes?
✔ Decision-Making Levels, Intelligence must be tailored to different stakeholders (SOC teams, CISOs, risk managers, executive boards).

Examples can be varying. But a few could be, a SOC analyst needs real-time tactical threat feeds to block active threats. a CISO needs strategic intelligence reports for board level risk assessments, or a Risk Manager required long-term trend analysis to inform security investments.

Different teams within an organization consume and apply threat intelligence differently. Intelligence must be structured to ensure it reaches the right people in the right format. We will discuss this a length in this section.

Understanding the Customer’s Security Position & Requirements

Before defining scope, CTI teams must assess the organization’s current threat landscape, security maturity, and intelligence needs. I like to do this by asking very basic questions, som examples below

✔ What are the biggest security concerns for leadership (CISO, risk teams, SOC) What is the business priorities?

✔ What controls, logging, and detection capabilities are already in place?Existing defenses are useful to understand? Are the existing defenses capable, well configured?

✔ Does the organization have a SOC, TIP, SIEM, or intelligence-sharing capability?What is the current security maturity level? Is a prgramme of work underway?

✔ Compliance with CBEST, TIBER-EU, GDPR, ISO 27001, NIST CSF. Is there any lean on Industry or Regulatroy needs? Is the business in a highly regu;ated industry.

Scoping the Intelligence Project to Achieve Key Outcomes

We will be delving into this topic in much more depth depth within this chapter. But for a quick overview we will cover some points below to get you thinking.

✔ What will be the primary cyber threat intelligence objective?
✔ Who will be the consumers of the intelligence?
✔ What intelligence sources will be used?
✔ Will there be any operational security requirements?
✔ How will you deliver the output?

Accurate Timescale Scoping & Resource Planning

Effective threat intelligence projects require careful planning of time, personnel, and technical resources.

✔ What will be the urgency of the intelligence? Long/short term?
✔ How frequently will it be delivered? Daily, Weekly etc
✔ How big will the team be? What skillsets are required?
✔ What data processing power will be needed? Will it be bulk data or specific?

Defining Rules of Engagement, Limitations & Constraints

Rules of engagement (RoE) ensure CTI activities follow legal, ethical, and operational guidelines. Here are some considerations

✔ What legal frameworks must be followed?
✔ What intelligence methods will be approved? Passive/Active etc
✔ Are there any geographical restrictions?
✔ How long can you collect and store intelligence?
✔ What are the reporting and escalations procedures?

Requirements Overview

Key Explicit Requirements

Explicit requirements are clearly defined, directly stated, and formally documented intelligence needs. They are often provided by stakeholders, regulatory bodies, or business leadership and are typically tied to specific risks, compliance mandates, or operational security goals. The characteristics are clearly defined and measurable.

✔ Stated in formal intelligence requests, compliance documents, or business policies.
✔ Have direct implications for intelligence collection and reporting.

Examples

“Monitor dark web forums for stolen corporate credentials and report findings weekly.”
“Identify ransomware groups targeting the financial sector in Q2.”

Implicit Requirements

Implicit requirements are unstated, inferred, or indirectly necessary for fulfilling intelligence objectives. They may arise during intelligence collection, analysis, or from contextual understanding of an organization’s threat landscape. Not directly stated but inferred from explicit requirements

✔ Arise based on evolving threats, trends, or intelligence gaps.
✔ Often derived from past experiences, industry best practices, or analyst intuition.

Examples

If an explicit requirement states, “Monitor for ransomware threats against our cloud infrastructure,” an implicit requirement could be:

“Assess vulnerabilities in third-party cloud service providers that attackers might exploit.”
“Track emerging ransomware TTPs that target cloud storage systems.”

Essential Elements of Information

(EEI) Essential Elements of Information help break down broad intelligence questions into specific and measurable data points.

Understanding how to define and apply EEIs effectively is a key skill for Cyber Threat Intelligence.

Essential Elements of Information (EEIs) are critical intelligence data points required to satisfy Priority Intelligence Requirements (PIRs) and guide threat intelligence collection efforts. They help intelligence teams focus on specific data sets that provide actionable insights.

In the context of Cyber Threat Intelligence (CTI), EEIs act as the building blocks that support both Explicit and Implicit Intelligence Requirements, ensuring intelligence teams collect only relevant, high-value information rather than overwhelming security teams with excessive, unstructured data.

EEI's Example Structure

🔹 Explicit Requirement: "Identify ransomware groups targeting financial institutions."
🔹 Implicit Requirement: "Analyze attack vectors used by these ransomware groups."

Corresponding EEI's

✔ Which ransomware groups are active? (Threat Actor Profiling)
✔ What TTPs (Tactics, Techniques, and Procedures) do they use? (Mitre ATT&CK Mapping)
✔ What malware variants are associated with these groups? (YARA Rules, Malware Hashes)
✔ Which industries/geographies are most affected? (Target Sector Analysis)
✔ Which IPs, domains, and C2 infrastructure are linked? (Technical Indicators of Compromise - IoCs)

Introduction to Priority Intelligence Requirements (PIRs)

Now we have broken down how requirements can be formed, we now need to create PIR's. Priority Intelligence Requirements. Fundementally we should now have a set of well thought out and understood requirements. The task now is to place these requirements in a an order of priority. Generally, as already mentioned, these can be broken down into Long-term, Medium-term and Short-terms requirements. The key here really is to understand that it's likely not all intelligence requirements can be met, nor sufficient data can be collected, so whilst choosing the priority we also have to fator in the practicality.

PIRs help intelligence teams prioritize data collection, focus analytical efforts, and align intelligence outputs with business and security objectives.

PIRs are classified based on their time horizon and strategic impact

Long-Term PIRs – Strategic intelligence (6 months to multiple years)
Medium-Term PIRs – Operational intelligence (weeks to months)
Short-Term PIRs – Tactical intelligence (real-time to a few weeks)

Requirements can come from interviews, questionairre's, Feedback, Observations, Bunsiness planning and a plethora of other means. The key really is to draft good intelligence requirements.

The Direction and Planning phase is essential for ensuring cyber threat intelligence (CTI) is effective, targeted, and valuable.

Key Takeaways

✔ PIRs drive intelligence collection and must be prioritized using MoSCoW and SMART.
✔ EEIs refine PIRs into specific intelligence data points for collection.
✔ An Intelligence Collection Plan (ICP) ensures intelligence gathering is structured, validated, and actionable.
✔ Intelligence must continuously evolve to address new threats and security challenges.

Without a clear direction, structured intelligence requirements, and effective planning, intelligence teams risk collecting irrelevant data, missing critical threats, and failing to support business security objectives. By implementing best practices in PIRs, EEIs, MoSCoW prioritization, and SMART refinement, organizations can ensure intelligence-driven security decision-making that proactively mitigates cyber risks.

Data collection in Cyber Threat Intelligence (CTI) is a critical process that must be efficient, agile, robust, and legally compliant. The ability to gather, validate, and analyze intelligence from both technical and human sources is fundamental to detecting, preventing, and mitigating cyber threats.

Some important things to consider: You cannot collect & monitor for everything! Therefore you need to find a balance and you will find yourself balancing the breadth against depth. Borad collection but shallow and detailed and narrow.

Topics we will cover

✔ Collection planning

✔ Legal frameworks

✔ Data storage implications

✔ Assessing data reliability

✔ Counterintelligence concerns

✔ Data varacity and availability

✔ Secure intelligence collection

✔ Bulk data collection

✔ Intelligence sources

Collection Sources

Intelligence can come from many sources. Below we list the most common. It is important to note that depending on the souce you choose (of which could be multiple) then it is likely that one or more could change the dynaics of your intelligence collection. We will discuss legal frameworks later in this section, but for now it must be something you must factor in to your plan.

HUMINT

(Human Intelligence) – Intelligence collected from human sources through interviews, informants, or social engineering.

CHIS

(Covert Human Intelligence Sources) – Undercover agents or confidential informants who provide sensitive intelligence on criminal or cyber activities.

OSINT

(Open-Source Intelligence) – Intelligence gathered from publicly available sources such as news, social media, forums, and leaked databases.

SIGINT

(Signals Intelligence) – Intelligence derived from intercepted communications, network traffic, or electronic signals.

COMINT

(Communications Intelligence) – A subset of SIGINT focusing specifically on intercepted voice, radio, and digital communications.

ELINT

(Electronic Intelligence) – Intelligence gathered from non-communication electronic signals, such as radar systems, satellites, and military sensors.

TECHINT

(Technical Intelligence) – Intelligence related to foreign weapons, malware, encryption methods, and cyber attack capabilities.

FININT

(Financial Intelligence) – Intelligence tracking financial transactions, fraud, money laundering, and cryptocurrency flows to uncover cybercriminal or terrorist financing.

Legal Considerations

When collecting intelligence you must comply with legal and regulatory, particularly for HUMINT, SIGINT. Even with OSINT you should understand that there is still legal implications of collection. I suspect the majority of you reading this will be performing some sort of OSINT. Below I will detail some general legal considerations, pertaining to the UK. This should however prompt you to think about any laws or regulations relevant to your conuntry.

Legal OSINT collection means only gathering information that is publicly available, legally accessible, and compliant with UK data protection laws.

Illegal OSINT collection includes hacking, unauthorized access to systems, deceptive data gathering, and privacy law violations.

General Considerations

✔ The legality of accessing the data – Is the information genuinely public?
✔ The purpose of data collection – Is it for cybersecurity, corporate research, or investigative journalism?
✔ Data protection laws – Are personal details being processed, stored, or shared?
✔ Whether consent is required – Is data being collected from platforms that require explicit consent?

General Data Protection Regulation (UK GDPR) & Data Protection Act 2018

Specific to the above and to OSINT they cover the collection, processing, and storage of personal data.

Unlawful processing of personal data could result in fines. Scraping social media etc for personal information could also land you in trouble. Best practice is would be to anonymize or aggregate OSINT data to avoid processing personal inforamtion. You can read more on the Data Protection Action 2018 HERE & the UK GDPR HERE

Legal Considerations

✔ Organizations must ensure OSINT collection complies with GDPR’s data processing principles.
✔ Collecting personal data (e.g., names, email addresses, social media profiles) requires a lawful basis.
✔ Any data that identifies individuals (IP addresses, photos, phone numbers) is regulated.
✔ Using OSINT for profiling, automated decision-making, or tracking individuals may violate GDPR.

Computer Misuse Act 1990

✔ OSINT must not involve hacking, bypassing login credentials, or scraping data behind paywalls or authentication.
✔ Even if data is not protected by a password, using automated tools to bypass rate limits or terms of service may still be illegal
✔ Accessing leaked data from breaches may be unlawful, even if publicly available.

It goes without saying that any unauthorised access or using tools to extract data from computer systems without explcit permission is a big NO. Modifying (Addition, Deletions) to any data or meta data is not permitted. You can read more on the Computer Misuse Act 1990 HERE

Human Rights Act 1998 (Right to Privacy - Article 8)

✔ OSINT collection must not violate privacy expectations (e.g., scraping private social media groups).
✔ Even publicly available information may be subject to privacy rights if it is used to profile individuals.

The Human righs act protects individuls rights to privacy and personal data. Publishing OSINT data that invades that privacy could lead to legal claims. Using that data for doxxing, exposure or harrassment may also violate provacy rights. Always Avoid collecting and publishing OSINT data in ways that compromise individual privacy. You can read more on the Human Rights Act 1998 act HERE

Regulation of Investigatory Powers Act 2000 (RIPA)

✔ Government agencies (police, intelligence services) must obtain legal authorization to use OSINT for surveillance
✔ Private investigators and companies cannot engage in covert surveillance without legal justification.
✔ Tracking individuals’ online activities (e.g., social media monitoring) must comply with proportionality and necessity tests.

Monitoring individuals’ online behavior without lawful authority is illegal, intercepting privte communications is also illegal, any unapproved network monitoring is illegal and yes so is Phishing someone :) For more information on RIPA 2000 visit HERE

There are other legislations to consider also but I have focused on the main ones and while OSINT is a powerful tool, its use in the UK is regulated by strict legal frameworks to prevent privacy violations, unauthorized access, and misuse. By staying within legal and ethical boundaries, OSINT can be a valuable and lawful intelligence asset without exposing individuals or organizations to legal liability.

Data Varacity

In the conteext of cyber threat intelligence data veracity refers to the accuracy, reliability, and credibility of collected intelligence. In Cyber Threat Intelligence, ensuring data veracity is critical for making informed security decisions, preventing misinformation, and avoiding response efforts based on false or misleading intelligence.

Poor intelligence can lead to misattribution, wasted resources, and ineffective threat mitigation amongst many other issues. Threat actors can intentionnalu spread disinformation and deceptive content, plant flase flags to try and mislead analysis. It is crucial that you have a method to validate data before acting upon the intelligence.

I am firm believer that veracity is an ongoing continous process that applies to before, during and after intelligigence collection and analysis.

What impacts data veracity

✔ False or misleading intelligence – Can be intentional (disinformation) or accidental (misreported intelligence)
✔ Unverified sources – Unchecked OSINT, social media rumors, and manipulated threat reports.
✔ Outdated or stale data – Indicators of Compromise (IoCs) that are no longer valid.
✔ Deliberate deception – Cybercriminals using anti-forensics and false flag techniques.

As already mentioned, you need to make sure collected incoming data is credible and worth analyzing. So how could we do this?

Things to consider

✔ Evaluating source reliability – Ensuring that the intelligence comes from a trusted or verifiable source
Cross-checking multiple sources – Avoiding reliance on a single data stream to prevent bias or misinformation.
✔Filtering out fake or misleading data – Using automated tools (e.g., anomaly detection, signature matching, and heuristic analysis) to remove junk intelligence.
Tracking data freshness – Ensuring IoCs, attack indicators, and adversary behavior patterns are still active and relevant.

There are a couple of frameworks and resources we can use to our advantage. Two of which are failry well known and understood. Firstly there is the Admirality Code and the 5x5x5 National Intelligence Model

Admiralty Code - Source Reliability & Intelligence Credibility

Code	Source Reliability
A	Completely reliable
B	Usually reliable
C	Fairly reliable
D	Not usually reliable
E	Unreliable
F	Reliability cannot be judged

Code	Intelligence Credibility
1	Confirmed by multiple independent sources
2	Probably true, confirmed by one source
3	Possibly true
4	Doubtful
5	Improbable, suspected deception
6	Credibility cannot be judged

5x5x5 National Intelligence Model

Source Reliability	Information Credibility	Handling Code
A - Always Reliable B - Usually Reliable C - Fairly Reliable D - Not Usually Reliable E - Unreliable F - Cannot be judged	1 - Confirmed by multiple independent sources 2 - Probably true, confirmed by one source 3 - Possibly true 4 - Doubtful 5 - Improbable, suspected deception	1 - No restrictions on dissemination 2 - Only disseminate to specific groups 3 - Only disseminate to law enforcement or military 4 - Confidential, requires approval 5 - Secret, highly restricted access

Variety, and Velocity of Data in Cyber Threat Intelligence

The 3 V's - (Volume, Variety & Velocity) must be considered when collecting data. The sheer amount of data that can be collected can get overwhelming very quickly. Volume refers to the amount of data collected. Variety refers to the different types and formats of data and the Velocity refers to the speed ata which data is generated, processed and dissemintated. We have a more in-depth look at processing in a later moodule.

Managing Large-Scale Intelligence Data

There are definitely challenges to consider when dealing with volume. Storage and Scalability, do you have the capacity to store and scale data collection? Do you understand or even prepareed for the costs? How will you collect data without overwhelming infrastructure?

Data Filtering Understanding that you will need to account for duplicate data, false positives and irelevant data.

Processing Power High-volume data requires advanced computing for analysis (e.g., Big Data, AI, ML). You can think about using automated filtering, AI-driven analytics, and scalable cloud storage to handle high-volume cyber threat intelligence.

Handling Different Intelligence Data Types

Variety refers to the diverse types of data collected in CTI, including structured, semi-structured, and unstructured data.

Types of Data in Cyber Threat Intelligence (CTI)

Data Type	Example	Source
Structured Data	IoCs (IPs, hashes, domains), SIEM logs	Threat Intelligence Platforms, Firewalls
Semi-Structured Data	XML, JSON threat feeds	OSINT APIs, TAXII/STIX feeds
Unstructured Data	Dark web discussions, PDFs, Emails, Reports	HUMINT, Dark Web Forums, Incident Reports

Challenges of variety can include Data Standardisation in that different formats require conversion and normalization, for example STIX and TAXII. (We will talk about these in detail later). Bein able to correlate across different data sources is also something to consider. Linking for example structured data with unstructed data to form a detection or pattern. There is also challenges around using different languages, understanding native context and slang especially when analysing text-based intelligence.

Some solutions could be use Threat Intelligence Platforms that are able to link events together. AI-Driven correlation and data enrichment toolsets.

Keeping Intelligence Fresh and Actionable

Velocity is an important factor. Timliness is key when it comes to cyber threat intelligence. The landscape shifts so quickly. Velocity refers to the speed at which cyber threat intelligence data is generated, collected, processed and acted upon. Challenges do rpesent themselves as with anything else. Real-time threat detection for exampple. Cyber threats evolve rapidly requiring instant near real-time data processing, Threat actors adapt quickly frequently changing IOC's, TTPs and C2 infrastructure. Being able to automate threat intelligence sharing is key to helpl prevent attacks and inform others.

Using real-time data pipelines, SIEM integration, SOAR automation, and threat-sharing communities (FS-ISAC, CERTs, MISP).

Collecting Data Securely

Secure data collection in Cyber Threat Intelligence is essential for protecting the confidentiality, integrity, and availability of intelligence sources and its operations. Whether collecting from open-source intelligence, human intelligence or any other, CTI teams must implement security measures to protect against exposure, legal violations, and adversary counterintelligence efforts.

You have to make some considerations, you should have at least thought about these in the planning & direction stage to some extent. Operation security and staying anonymous, especially making sure your analysts are protected from tracking, retaliation or accidental exposure. We've touched on the legal and ethical side of things. Preventing data breached and unauthorised access with appropriate storage, and awareness of anti forensic techniques and being able to scale efficiently.

Raw data is transformed into a format suitable for analysis through various technical and manual processes.

1. Data Normalization

Standardizing data formats and structures

2. Data Validation

Verifying accuracy and relevance

3. Data Enrichment

Adding context and additional information

The critical phase where processed data is converted into actionable intelligence through various analytical techniques.

Analysis Methods

Pattern Analysis
Trend Analysis
Impact Assessment
Risk Analysis

The process of delivering intelligence products to stakeholders in an appropriate and timely manner.

Strategic Reports

Long-form analysis for executive stakeholders

Tactical Advisories

Specific guidance for security teams

Alerts

Immediate notifications for active threats

The continuous improvement phase where stakeholder feedback is collected and incorporated into the process.

Collecting Feedback

Methods for gathering stakeholder input

Measuring Effectiveness

Metrics and KPIs for intelligence products

Process Improvement

Implementing changes based on feedback