What is the Threat Intelligence Lifecycle?
The threat intelligence lifecycle serves as a framework for outlining and implementing security measures more effectively and efficiently. It is a continuous, iterative process that turns raw data into intelligence, allowing organizations to develop defensive processes for averting emerging threats and risks. The lifecycle informs the development of a threat intelligence platform (TIP), a software solution that enables security teams to collect, organize, and manage threat data and threat intelligence. An automated TIP scans for threats and alerts security teams to weaknesses. Automated TIPs are beneficial because they reduce instances of human error, improve efficiency, and facilitate informed decision-making. The threat intelligence lifecycle process that informs the development of the TIP includes the following six phases [1]:
Direction. The direction phase sets the goals for the TIP: understanding which business assets and processes require protection, assessing the impact of asset loss or process interruption, and determining the kind of threat intelligence that is needed.
Collection. The collection phase is the process of accumulating information to address intelligence requirements. The information may be obtained through the extraction of logs and metadata from security devices and internal networks, through various threat data feeds, or via communication with knowledgeable sources.
Processing. The processing phase refers to the transformation of gathered information into a comprehensible format. The raw data may be processed by humans or machines, and processing methods may vary for different data collection methods.
Analysis. The analysis phase is where processed information is converted into intelligence for decision-making. The decision-making process may involve investigating potential threats, identifying actions needed to avert an attack, reinforcing security controls, and more. The information must be transformed into threat intelligence reports that the intended audiences will find comprehensible.
Dissemination. Dissemination refers to the process of sharing threat intelligence outputs with different teams that can benefit from the threat intelligence.
Feedback. The feedback phase refers to soliciting and receiving feedback to understand the requirements of security teams. This phase is important because it informs the intelligence priorities and requirements of the teams that will consume the threat intelligence.
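The six phases above, run end to end over constructed data as an added illustration (this code is not from the cited article). It assumes a simple comma-separated indicator feed, internal log lines ending in the contacted address, and two consumer teams named "soc" and "leadership"; all values are made up for the example.

```python
# Added example (not from the cited article); feed/log formats and team names are assumed.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
# Direction (constructed): the indicator types the consuming teams asked for this cycle.
REQUIREMENT = {"indicator_types": {"ip", "domain"}}

# Collection (constructed): a raw indicator feed and proxy/DNS log lines from the internal network.
RAW_FEED = [
    "ip,203.0.113.7,malware-c2,high",
    "domain,Bad.Example.net,phishing,medium",
    "ip, 198.51.100.22 ,scanner,low",
    "hash,0123abcd,malware,high",   # outside the current direction; dropped in processing
]
INTERNAL_LOGS = [
    "2024-05-01T10:00:00Z host1 connect 203.0.113.7:443",
    "2024-05-01T10:05:00Z host2 dns bad.example.net",
    "2024-05-01T10:07:00Z host1 connect 203.0.113.7:443",
    "2024-05-01T10:09:00Z host3 connect 192.0.2.9:80",
]

def process(raw_feed, requirement):
    """Processing: normalize free-form feed lines into records of the requested indicator types."""
    records = []
    for line in raw_feed:
        kind, value, category, severity = (f.strip() for f in line.split(","))
        if kind in requirement["indicator_types"]:
            records.append({"type": kind, "value": value.lower(), "category": category, "severity": severity})
    return records

def analyze(records, logs):
    """Analysis: an indicator becomes intelligence once matched against what the network actually did."""
    findings = []
    for rec in records:
        hosts = [ln.split()[1] for ln in logs if ln.split()[-1].split(":")[0].lower() == rec["value"]]
        if hosts:
            findings.append(dict(rec, hits=len(hosts), hosts=sorted(set(hosts))))
    return findings

def disseminate(findings, audience):
    """Dissemination: the same findings phrased for the team that consumes them."""
    if not findings:
        return [f"no confirmed matches this cycle ({audience})"]
    if audience == "soc":
        return [f"{f['value']} ({f['category']}, {f['severity']}) seen {f['hits']}x on {', '.join(f['hosts'])}"
                for f in findings]
    worst = max(findings, key=lambda f: SEVERITY_RANK[f["severity"]])
    return [f"{len(findings)} feed indicators confirmed in our logs; worst case: {worst['category']} ({worst['severity']})"]

def feedback(requirement, requested_types):
    """Feedback: consumer requests widen the direction for the next cycle."""
    return {**requirement, "indicator_types": requirement["indicator_types"] | set(requested_types)}
```

Calling `disseminate(analyze(process(RAW_FEED, REQUIREMENT), INTERNAL_LOGS), "soc")` yields the SOC view, and passing `"leadership"` yields the summary view of the same findings.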
Arriving at decisions about emerging threats to an organization requires the coordination of many processes so that many different teams can benefit from the intelligence collected. Identifying business needs and expectations for finished intelligence early helps ensure that the threat intelligence lifecycle progresses as effectively and efficiently as possible.
[1] Cyware, 2021, “What is the Threat Intelligence Lifecycle?”