The threat intelligence lifecycle is a framework that outlines and implements security measures more efficiently and effectively. It continuously produces intelligence from raw data, allowing organizations to build defensive mechanisms against emerging risks and threats.

In sum, the threat intelligence lifecycle helps and guides intelligence teams in building an efficient threat intelligence platform. It comprises six phases—direction, collection, processing, analysis, dissemination, and feedback.

Other interesting terms…

Read More about “Threat Intelligence Lifecycle

As mentioned earlier, the threat intelligence lifecycle has six stages, which we’ll describe in greater detail in the next section.

What Are the Six Phases of the Threat Intelligence Lifecycle?

The following diagram shows the threat intelligence lifecycle stages:


Phase 1: Direction

In this stage, the developer sets the goals for the threat intelligence application. As such, he needs to understand and identify the business assets and processes that require protection. He must also study the potential effect of asset loss or process interruption to determine the threat intelligence an organization needs. Once all that is done, an organization can form questions that the program will answer.

Direction answers questions like:

  • Which assets, processes, and personnel are at risk?
  • How will threat intelligence improve operational efficiency?
  • What other systems and applications could benefit?

Phase 2: Collection

Here, the developer accumulates information to address the significant intelligence requirements. Data gathering can be done via extracting logs and metadata from security devices and internal networks, subscribing to multiple threat data feeds, or communicating with knowledgeable sources. The information comprises both processed and raw data.

Collection addresses questions including:

  • What are the internal and external blindspots?
  • What technical and automated collection techniques can be used?
  • How well can cybercriminal forums and closed sources on the Dark Web be infiltrated?

Phase 3: Processing

This stage allows the developer to transform the information collected into a format that any user in the organization can consume. The raw data is processed either by humans or computers.

Phase 4: Analysis

In this stage, the processed information is transformed into intelligence for decision-making in processes like investigating potential threats, taking action to thwart ongoing attacks, enriching threat intelligence to find more meaningful and relevant data, and reinforcing security controls. The data must, however, be presented and delivered in a format that decision-makers can understand.

Analysis answers questions like:

  • What are the most important findings of the analysis?
  • What’s the best way to illustrate them?
  • How reliable, relevant, and accurate is the analysis?
  • Are there clear and concrete recommendations or next steps?

Phase 5: Dissemination

Here, the data that has been collected, processed, and analyzed is distributed to the different teams.

Dissemination addresses questions including:

  • Which stakeholders will benefit from the threat intelligence reports?
  • What is the best way to present the intelligence, and at what delivery frequency?

Phase 6: Feedback

Every team in an organization has different functions and uses varied data points. To ensure the efficiency and effectiveness of threat intelligence platforms, the developer needs feedback from the data consumers. Obtaining constant feedback helps make threat intelligence as accurate as possible.

Feedback answers questions like:

  • How valuable is the threat data?
  • How actionable is the threat intelligence?
  • Does it enable making informed security decisions? 
  • How can the data be improved?

What Are the Usual Sources of Threat Intelligence?

There are three major sources of threat intelligence used for phase 1 of the lifecycle, namely:

  • Internal sources: Network traffic, logs, and scans.
  • Technical sources: Vulnerability databases and threat feeds.
  • Human sources: Dark Web, social media, and forums.

What Are the Typical Uses of Threat Intelligence?

Security analysts and researchers benefit most from threat intelligence. They are the ones who use threat intelligence platforms to collect, process, analyze, and disseminate data to those who need to make decisions regarding:

  • Incident response
  • Security operations
  • Vulnerability management
  • Risk analysis
  • Fraud management
  • Security leadership

The threat intelligence lifecycle should be an ongoing process. It is, after all, the foundation that security teams rely on to strategize and implement security programs more efficiently and effectively. At the end of the day, threat intelligence will allow your security team to refine processes to respond to threats quickly and proactively.