managing-intelligence-lifecycle

# Managing Intelligence Lifecycle ## When to Use Use this skill when: - Establishing a formal CTI program and defining its operational model - Conducting quarterly intelligence requirements reviews with business stakeholders - Evaluating CTI program maturity against established frameworks (FIRST CTI-SIG maturity model) **Do not use** this skill for day-to-day IOC triage or incident-specific intelligence tasks — those use operational intelligence workflows, not lifecycle management. ## Prerequisites - Executive sponsorship and defined CTI team structure (1+ dedicated analysts) - Stakeholder map identifying intelligence consumers (SOC, IR, executive team, vulnerability management) - Existing feed subscriptions or ISAC memberships for collection baseline - CTI platform (MISP, ThreatConnect, OpenCTI) for lifecycle management ## Workflow ### Step 1: Planning and Direction Define Priority Intelligence Requirements (PIRs) with stakeholders: - Interview SOC leads, IR team, CISO, risk management, and product security - Document PIRs in structured format: "What is the current capability and intent of [threat actor] to attack [critical asset] using [technique]?" - Prioritize 5–10 PIRs for the quarter, reviewed monthly Example PIR: "Is ransomware group Cl0p currently targeting organizations in our sector using MoveIT or GoAnywhere vulnerabilities?" ### Step 2: Collection Planning Map PIRs to required collection sources: - Technical sources: commercial feeds, TAXII, ISAC data, ...