In any adversarial engagement, whether military, business, sport, or information security, it’s essential to identify opponents and their objectives, and to evaluate their methods, strengths, and weaknesses. The same rule applies to cybersecurity professionals, who need to spot malicious actors, understand their techniques, and predict adverse events.
With digital attack surfaces increasing in both size and complexity, it’s more important than ever for security teams to direct their efforts and resources toward the issues that have the greatest impact on their security posture. Using well-curated threat intelligence, security teams can take proactive steps to reduce the number of security incidents that occur, and gain a better understanding of emerging threats and cyber risk trends.
Because new threats and security gaps continually arise over time, the process of creating actionable threat intelligence is an ongoing lifecycle, consisting of the six stages outlined below.
1. Direction
The threat intelligence lifecycle begins with establishing and prioritizing which assets and business processes need to be protected, and understanding the consequences of their becoming compromised. During this stage, which is often guided by the Chief Information Security Officer (CISO), security teams must also determine what information they need to meet their goals and address the specific challenges they face.
To do so effectively, the right questions need to be asked:
- What types of attacks are the organization and its industry peers most vulnerable to?
- Which malicious actors are initiating these attacks and why?
- Who will ingest the threat intelligence once it is gathered—i.e. a cyber analyst or a non-technical board member?
- How will the cyber intelligence program support stakeholders’ business objectives?
2. Collection
Once critical assets requiring protection have been established, data types and sources of information on what poses a threat to those assets must be identified. In addition to commonly collected forms of threat data, ie. malicious IP’s and domains, vulnerability data such as personally identifiable information (PII) and information from news and social media sources can be considered.
The raw data needed to address the requirements outlined in stage one can be sourced from a variety of both internal and external sources:
- Network and firewall event logs
- Industry threat data feeds
- Cybersecurity vendors
- Internal and external malware analysis
- News and blogs
- Information sharing communities
- Subject matter expert reporting
- Dark web forums
3. Processing
Following collection, raw threat data needs to be organized and cleansed to eliminate false positives and redundancies, and to be translated into a usable format. Data processing can also include decryption, sorting by accuracy and relevance, and translation from foreign languages.
Even organizations with smaller digital footprints collect far too much data—hundreds of thousands of indicators on a daily basis—for humans to manually process, making automation particularly important to this time-consuming phase of the intelligence lifecycle.
4. Analysis
The main objective of this stage is to identify potential security issues and develop actionable insights based on the needs outlined in the direction phase. Data is packaged into reports and assessments to be consumed by decision makers. Often taking the form of Powerpoint presentations, memos, threat lists, or live feeds, threat intelligence is curated to inform decisions such as whether or not to examine a potential threat, bolster security controls, or adjust the deployment of resources. Analysis is where, through contextualization, information becomes intelligence.
5. Dissemination
Most organizations have numerous teams that rely on cyber threat intelligence to manage enterprise risk. The specific operational needs and level of expertise of each team need to be considered when determining the most understandable and actionable means of relaying intelligence. While security teams tend to be most concerned with technical information such as malware findings and high-risk IP addresses, executive teams want to understand how cyber threats impact business risk, liability, and profit.
Tools like security ratings platforms deliver information in a format, and on a timeline that suits multiple end users. Technical teams can access up-to-the-minute data feeds to help carry out their day-to-day tasks, while security leaders can pull high-level board summary reports in moments for periodic meetings with the board of directors.
6. Feedback
This phase is closely related to the initial direction phase, as it gives end users an opportunity to guide the following intelligence cycle. Ongoing feedback from all teams ensures that their intelligence needs are being met, and allows security leaders to make adjustments in response to shifting priorities. Periodic team surveys should be supplemented with an ongoing channel of communication via internal collaboration platforms. The goal is to constantly refine the intelligence gathering process, so that relevant and accurate information can be delivered to those who need it as quickly as possible.
How SecurityScorecard can help
SecurityScorecard gives organizations access to the world’s most comprehensive source of cybersecurity data. Our proprietary search engine non-intrusively gathers and analyzes a wide range of threat signals from a battery of honeypots and sinkholes, as well as over 1.3 million companies and millions of public-facing assets. With advanced machine learning algorithms, we reliably predict risk via optimally-tuned factor weights that let you know which vulnerabilities are most critical, precisely attribute our findings, and calculate a meaningful, universally-understood A-F Security Rating.

