The Intelligence Cycle
The Intelligence Cycle is the process that intelligence agencies and, increasingly, cyber threat intelligence (CTI) teams use to turn raw data into finished, actionable intelligence. Following it keeps a CTI team anchored to stakeholder requirements rather than collecting data for its own sake.
The cycle consists of six iterative phases:
1. Planning and Direction
This is the most critical phase: every later phase is wasted effort if the question is wrong. Before any data is collected, the team works with stakeholders to define Priority Intelligence Requirements (PIRs), specific and answerable questions such as: "Is the ransomware group LockBit currently targeting the healthcare sector?" A good PIR names the threat, the asset or sector of concern, and a timeframe, so analysts can tell when it has been answered.
2. Collection
Once the requirements are set, the team gathers raw data to answer them. Sources typically include:
- OSINT (Open Source Intelligence): News, social media, code repositories.
- TechINT: Malware analysis and telemetry from honeypots.
- Internal Telemetry: SIEM logs, EDR data, and firewall logs.
3. Processing
Raw data is unstructured and noisy. Processing turns it into a form analysts can actually query: decrypting or decoding, translating, parsing, de-duplicating, and normalizing it into a common schema. In modern CTI much of this is automated: feeds expressed in STIX (the data format) are pulled over TAXII (the transport protocol) into a Threat Intelligence Platform (TIP), which normalizes the objects and records each item's source and sharing markings alongside it.
4. Analysis and Production
This is the human element. Analysts connect the processed data points into a narrative that answers the PIR. They rate each source's reliability and each report's credibility separately (a reliable source can still relay a wrong report) and state their confidence in the resulting assessment. The output is a finished product at the level the requirement calls for: strategic (trends and risk, for leadership), operational (campaigns and adversary tradecraft, for defenders), or tactical (indicators, for detection tooling).
5. Dissemination
The finished intelligence product is delivered to the stakeholder who asked the question, in a format that fits them: a short PDF report or briefing for executives, a STIX/JSON indicator feed for a SIEM or a firewall blocklist. Products carry a Traffic Light Protocol (TLP) marking (TLP:RED, TLP:AMBER, TLP:AMBER+STRICT, TLP:GREEN, TLP:CLEAR) that tells recipients how far they may redistribute the information. TLP governs sharing, not technical protection, so sensitive products still need access controls and an encrypted delivery channel.
6. Feedback
The final phase reviews whether the product worked: did it answer the stakeholder's question, was it timely, and was it acted on? That feedback refines the PIRs in the next Planning and Direction phase, which is what makes the cycle iterative rather than a one-off pipeline.
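The Processing and Dissemination phases above are the two that a TIP automates, and the following added example (written for this page; it is not code from any TIP or from the STIX project) shows both on a constructed STIX 2.1 bundle of the kind a TAXII collection returns. It parses indicator objects into flat IoC records, resolves each one's TLP marking from the bundle's marking-definition objects, and then releases only the records an audience is cleared to receive. Everything in the sample bundle is made up except the four TLP marking-definition IDs, which are the fixed ones from the STIX 2.1 specification; treating unmarked indicators as TLP:AMBER is an assumption chosen here so that unmarked intelligence is handled conservatively.

```python
"""Processing and dissemination of a STIX 2.1 bundle, standard library only.

Constructed example: SAMPLE_BUNDLE is hand-written sample data, not a real
feed. Only the TLP marking-definition IDs are real (fixed by the STIX 2.1 spec).
"""
import json
import re
from dataclasses import dataclass, asdict

TLP_GREEN = "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
TLP_AMBER = "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
TS = "2024-03-01T10:00:00.000Z"  # constructed timestamp

SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0b2c6a1e-4a6c-4d7b-9f3a-2d1e8c9b7a65", "objects": [
    {"type": "marking-definition", "spec_version": "2.1", "id": TLP_GREEN, "created": "2017-01-20T00:00:00.000Z",
     "definition_type": "tlp", "name": "TLP:GREEN", "definition": {"tlp": "green"}},
    {"type": "marking-definition", "spec_version": "2.1", "id": TLP_AMBER, "created": "2017-01-20T00:00:00.000Z",
     "definition_type": "tlp", "name": "TLP:AMBER", "definition": {"tlp": "amber"}},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--1c6d0e2a-7f5b-4e8a-a1c4-3b2d9e8f7a60",
     "created": TS, "modified": TS, "valid_from": TS, "name": "C2 beacon address", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "object_marking_refs": [TLP_GREEN]},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--2d7e1f3b-8a6c-4f9b-b2d5-4c3e0f9a8b71",
     "created": TS, "modified": TS, "valid_from": TS, "name": "Loader sample", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']", "object_marking_refs": [TLP_AMBER]},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--3e8f2a4c-9b7d-4a0c-c3e6-5d4f1a0b9c82",
     "created": TS, "modified": TS, "valid_from": TS, "name": "Staging host (unmarked)", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'update.example.net' OR url:value = 'http://update.example.net/a.php']"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--4f9a3b5d-0c8e-4b1d-d4f7-6e5a2b1c0d93",
     "created": TS, "modified": TS, "valid_from": TS, "name": "Withdrawn false positive", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.9']", "revoked": True, "object_marking_refs": [TLP_GREEN]},
    {"type": "malware", "spec_version": "2.1", "id": "malware--5a0b4c6e-1d9f-4c2e-e5a8-7f6b3c2d1e04",
     "created": TS, "modified": TS, "name": "Loader", "is_family": False},
]})

# Rank used to compare markings; TLP:WHITE is the pre-2.0 name for TLP:CLEAR.
TLP_RANK = {"clear": 0, "white": 0, "green": 1, "amber": 2, "amber+strict": 2, "red": 3}

# One equality comparison inside a STIX pattern: <object-type>:<property> = '<value>'.
# The property group also accepts quoted keys such as hashes.'SHA-256'.
# MATCHES/LIKE comparisons and observation operators are deliberately not extracted.
COMPARISON_RE = re.compile(r"([\w-]+):([^\s=]+)\s*=\s*'([^']*)'")


@dataclass
class Ioc:
    ioc_type: str      # normalized label: ipv4, domain, url, sha256, ...
    value: str
    tlp: str           # lower-case TLP colour
    indicator_id: str  # provenance back to the STIX object
    name: str


def _ioc_type(obj_type: str, prop: str) -> str:
    """Map a STIX object type and property to a flat IoC type label."""
    prop = prop.replace("'", "").lower()
    if obj_type == "file" and prop.startswith("hashes."):
        return prop.split(".", 1)[1].replace("-", "")      # sha-256 -> sha256
    return {"ipv4-addr": "ipv4", "ipv6-addr": "ipv6", "domain-name": "domain",
            "url": "url", "email-addr": "email"}.get(obj_type, f"{obj_type}:{prop}")


def process_bundle(bundle_json: str, default_tlp: str = "amber") -> list[Ioc]:
    """Processing phase: parse a STIX 2.1 bundle into normalized IoC records.

    Revoked indicators and non-STIX pattern types (snort, yara) are skipped.
    Unmarked indicators get default_tlp (assumption: handle them conservatively).
    """
    objects = json.loads(bundle_json).get("objects", [])
    # Resolve TLP colours from the marking-definition objects shipped in the bundle.
    tlp_by_ref = {o["id"]: o["definition"]["tlp"].lower() for o in objects
                  if o.get("type") == "marking-definition" and o.get("definition_type") == "tlp"}
    iocs: list[Ioc] = []
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("revoked") or obj.get("pattern_type", "stix") != "stix":
            continue
        marks = [tlp_by_ref[r] for r in obj.get("object_marking_refs", []) if r in tlp_by_ref]
        tlp = max(marks, key=lambda m: TLP_RANK.get(m, 3)) if marks else default_tlp  # most restrictive wins
        for obj_type, prop, value in COMPARISON_RE.findall(obj["pattern"]):
            iocs.append(Ioc(_ioc_type(obj_type, prop), value, tlp, obj["id"], obj.get("name", "")))
    return iocs


def disseminate(iocs: list[Ioc], audience_tlp: str) -> list[dict]:
    """Dissemination phase: release only records the audience may receive.

    audience_tlp is the most restrictive marking the audience is cleared for,
    e.g. "green" for a sharing community, "clear" for a public blocklist.
    Unknown markings rank as red, so they are never released by accident.
    """
    limit = TLP_RANK[audience_tlp.lower()]
    return [asdict(i) for i in iocs if TLP_RANK.get(i.tlp, 3) <= limit]


if __name__ == "__main__":
    records = process_bundle(SAMPLE_BUNDLE)
    for rec in records:
        print(rec)
    print("released to a TLP:GREEN community:", disseminate(records, "green"))
```

On the sample bundle this yields four records (the revoked indicator and the malware object are dropped), and a TLP:GREEN audience receives only the green-marked C2 address; the unmarked domain and URL are held back as amber. In a real pipeline the same two functions would sit between a TAXII client and the TIP's storage, and the `indicator_id` field is what lets an analyst trace a blocked address back to the report it came from during the Feedback phase.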