Six Stages of the Threat Intelligence Lifecycle
As the cyber threat intensifies, businesses have become ever more reliant on threat intelligence, or threat information that’s been aggregated, transformed, analyzed, interpreted, or enriched. Of course, that process of turning threat information into the intelligence necessary for decision making isn’t static.
What’s the threat intelligence lifecycle all about? Read on to learn the six stages of the threat intelligence lifecycle.
What is the threat intelligence lifecycle?
For starters, the threat intelligence lifecycle is meant to be an ongoing process. Not a standalone process, either, the lifecycle should be part of an organization’s larger cybersecurity strategy, as well.
But what is the threat intelligence lifecycle, exactly?
Well, in its simplest terms, the threat intelligence lifecycle is the end-to-end cyber security and resilience process of (a) first procuring evidence-based intelligence about potential cyber threats, (b) then leveraging that information to build best-practice cyber defenses around your digital estate, (c) responding proactively to attacks before they become major cyber incidents, and finally(d) investigating how successful attacks happened to improve cyber resilience going forward.
The stages of the threat intelligence lifecycle
What does it comprise, though? The threat intelligence lifecycle itself consists of the following six stages:
In the direction phase, organizations determine which threats to focus on. This involves assessing the risk that different threats pose to an organization and prioritizing threats that are most serious.
Here, the most actionable threat intelligence is highly focused on specific events or activities. Organizations use a variety of different methodologies to determine which threats to focus on; they include:
- Threat risk assessments. Threat risk assessments involve assessing the likelihood and impact of a threat happening. This information can be used to create a risk profile for an organization and determine which threats are serious.
- Threat prioritization matrices. Threat prioritization matrices are used to compare different threats against each other to determine which ones are most important.
- Threat severity ratings. Threat severity ratings are used to measure how severe a threat is and determine how much attention it requires.
2. Information Collection
The collection phase of the threat intelligence lifecycle involves gathering information about threats. This can be done through open-source intelligence (OSINT), network scanning, consulting subject matter experts, and/or any other method. OSINT, for example, is the process of collecting information from publicly available sources, e.g., social media, news reports, blogs, and websites. Meanwhile, network scanning entails using tools to identify hosts and services on a network.
3. Organizing & Analyzing Collected Information
This phase of the threat intelligence lifecycle is all about organizing and analyzing collected information, which involves sorting through data, identifying patterns, and extracting meaning from it. Data mining, data analysis, and threat modeling are the most common methods employed during this stage. However, information yielded at this stage, whatever the methodologies used to acquire it, should be used to create mitigation plans and make decisions about security controls.
4. Transform Data into Intelligence
In this phase of the threat intelligence lifecycle, data is transformed into intelligence, at which time professionals review the collected information in security management software platforms, distilling it into actionable intelligence.
5. Intelligence Sharing
This phase is all about sharing intelligence with relevant stakeholders, be they partners, regulators, customers, etc. The best-practice for the presentation of analysis at this stage is contextually tailoring your work product (often a technical report) based on the technical experience of the audience in question.
6. Feedback & Continuous Improvement
The final feedback stage involves receiving feedback on the provided report to determine whether adjustments should be made to future threat intelligence priorities. Indeed, priorities might change, or the disseminated report might raise new questions that need to be addressed in the next report.
As layered as this threat intelligence lifecycle is, however, it should always be considered part of the company’s larger cyber security strategy.
Now, what’s the point of that strategy? A cyber security strategy should help an organization eliminate the potential risks and costs of an attack as well as build cyber resilience in the process. For more on cyber resilience and the digital strategies and tools needed to build and maintain it, download our Introductory Guide to Cyber Resilience.