
Managing Intelligence Lifecycle

When to Use

Use this skill when:
  • Establishing a formal CTI program and defining its operational model
  • Conducting quarterly intelligence requirements reviews with business stakeholders
  • Evaluating CTI program maturity against established frameworks (FIRST CTI-SIG maturity model)
Do not use this skill for day-to-day IOC triage or incident-specific intelligence tasks — those use operational intelligence workflows, not lifecycle management.

Prerequisites

  • Executive sponsorship and defined CTI team structure (1+ dedicated analysts)
  • Stakeholder map identifying intelligence consumers (SOC, IR, executive team, vulnerability management)
  • Existing feed subscriptions or ISAC memberships for collection baseline
  • CTI platform (MISP, ThreatConnect, OpenCTI) for lifecycle management

Workflow

Step 1: Planning and Direction

Define Priority Intelligence Requirements (PIRs) with stakeholders:
  • Interview SOC leads, IR team, CISO, risk management, and product security
  • Document PIRs in structured format: "What is the current capability and intent of [threat actor] to attack [critical asset] using [technique]?"
  • Prioritize 5–10 PIRs for the quarter, reviewed monthly
Example PIR: "Is ransomware group Cl0p currently targeting organizations in our sector using MOVEit Transfer or GoAnywhere MFT vulnerabilities?"

Step 2: Collection Planning

Map PIRs to required collection sources:
  • Technical sources: commercial feeds, TAXII, ISAC data, honeypot telemetry, darkweb monitoring
  • Human sources: vendor threat briefings, industry working groups, law enforcement partnerships
  • Internal sources: SIEM logs, EDR telemetry, phishing submission mailbox
Document collection gaps and associated costs to fill them.

Step 3: Processing and Normalization

Implement automated processing pipeline:
  • Ingest → normalize to STIX 2.1 → deduplicate → enrich → score confidence
  • Reject unverifiable or duplicate indicators before analysis
  • Tag all processed data with source, collection date, and expiration
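
The Step 3 pipeline as runnable code, an added example for this page rather than code from any of the platforms named under Tools & Systems. It takes constructed records from two overlapping feeds, rejects a non-routable address and a malformed hash as unverifiable, canonicalises each observable into a STIX 2.1 indicator pattern so duplicates from any feed collapse onto one object, records per-source sightings as enrichment, scores confidence, and stamps valid_from (collection date) and valid_until (expiration). The feed names, reliability table, TTLs, scoring rule and UUID namespace are assumptions.

```python
"""Step 3 processing pipeline: ingest -> normalize to STIX 2.1 -> deduplicate
-> enrich (sighting history) -> score confidence -> tag with source, collection
date and expiration. Added example for this page, not code from MISP,
ThreatConnect or OpenCTI. Standard library only; the feed records, reliability
table, TTLs and scoring rule are constructed/assumed for illustration."""
import ipaddress
import re
import uuid
from datetime import datetime, timedelta, timezone

SOURCE_RELIABILITY = {"feed-a": 80, "feed-b": 60}    # assumed, Admiralty-style, on STIX's 0-100 scale
TTL_DAYS = {"ipv4": 30, "domain": 90, "sha256": 365}  # assumed; valid_until = last sighting + TTL
# Fixed namespace so the same observable always yields the same indicator id (idempotent
# re-ingestion). STIX 2.1 recommends random UUIDv4 for SDOs, so this is a local convention.
INDICATOR_NS = uuid.UUID("7f1c2b6e-0000-4000-8000-000000000001")

# Constructed raw records: two feeds, overlapping, with junk mixed in.
RAW_FEED = [
    {"source": "feed-a", "type": "ipv4", "value": "203.0.113.45", "seen": "2024-05-01T10:00:00Z"},
    {"source": "feed-b", "type": "ipv4", "value": "203.0.113.45", "seen": "2024-05-01T12:30:00Z"},
    {"source": "feed-a", "type": "ipv4", "value": "203.0.113.45", "seen": "2024-05-02T09:00:00Z"},
    {"source": "feed-a", "type": "domain", "value": "Update-Portal.Example.NET.", "seen": "2024-05-01T11:00:00Z"},
    {"source": "feed-b", "type": "sha256", "value": "ab" * 32, "seen": "2024-05-01T08:00:00Z"},
    {"source": "feed-a", "type": "ipv4", "value": "10.0.0.7", "seen": "2024-05-01T10:05:00Z"},    # RFC 1918
    {"source": "feed-b", "type": "sha256", "value": "deadbeef", "seen": "2024-05-01T08:10:00Z"},  # malformed
]

# Address space that can never be verified as attacker infrastructure. Documentation ranges
# (203.0.113.0/24 etc.) are left out so the constructed sample passes; a production bogon list has them.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize(rec):
    """Canonicalize one raw record into (STIX pattern, display name); raise ValueError if unverifiable.
    Validation guarantees the value holds no quote characters, so interpolating it into the pattern is safe."""
    v = rec["value"].strip()
    if rec["type"] == "ipv4":
        ip = ipaddress.IPv4Address(v)                    # AddressValueError (a ValueError) if malformed
        if any(ip in net for net in NON_ROUTABLE):
            raise ValueError(f"non-routable address {ip}")
        return f"[ipv4-addr:value = '{ip}']", str(ip)
    if rec["type"] == "domain":
        host = v.lower().rstrip(".")
        if not DOMAIN_RE.match(host):
            raise ValueError(f"malformed domain {v!r}")
        return f"[domain-name:value = '{host}']", host
    if rec["type"] == "sha256":
        h = v.lower()
        if not SHA256_RE.match(h):
            raise ValueError(f"malformed sha256 {v!r}")
        return f"[file:hashes.'SHA-256' = '{h}']", h
    raise ValueError(f"unsupported type {rec['type']!r}")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _stix_ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def score_confidence(sources):
    """Assumed rule: best source's reliability, +10 per additional independent source, capped at 100."""
    best = max(SOURCE_RELIABILITY.get(s, 0) for s in sources)
    return min(100, best + 10 * (len(sources) - 1))


def process(records, now=None):
    """Run the pipeline. Returns (indicators, rejected): STIX 2.1 Indicator dicts, one per distinct
    observable, and the (record, reason) pairs that were dropped before analysis."""
    now = now or datetime.now(timezone.utc)
    merged, rejected = {}, []                            # pattern -> sighting summary (dedup key)
    for rec in records:
        try:
            pattern, name = normalize(rec)
        except ValueError as e:
            rejected.append((rec, str(e)))
            continue
        seen = _ts(rec["seen"])
        m = merged.setdefault(pattern, {"name": name, "type": rec["type"], "sources": {},
                                        "first": seen, "last": seen})
        m["first"], m["last"] = min(m["first"], seen), max(m["last"], seen)
        src = m["sources"].setdefault(rec["source"], {"count": 0, "first": seen, "last": seen})  # enrichment
        src["count"] += 1
        src["first"], src["last"] = min(src["first"], seen), max(src["last"], seen)
    indicators = []
    for pattern, m in sorted(merged.items()):
        sources = sorted(m["sources"])
        indicators.append({
            "type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid5(INDICATOR_NS, pattern)}",
            "created": _stix_ts(now), "modified": _stix_ts(now),
            "name": m["name"], "indicator_types": ["malicious-activity"],
            "pattern": pattern, "pattern_type": "stix",
            "valid_from": _stix_ts(m["first"]),                                        # collection date
            "valid_until": _stix_ts(m["last"] + timedelta(days=TTL_DAYS[m["type"]])),  # expiration
            "confidence": score_confidence(sources),
            "labels": [f"source:{s}" for s in sources],                                # provenance
            "external_references": [{"source_name": s, "description": f"{d['count']} sighting(s), first "
                                     f"{_stix_ts(d['first'])}, last {_stix_ts(d['last'])}"}
                                    for s, d in sorted(m["sources"].items())],
        })
    return indicators, rejected
```

Two design points carry over to a real pipeline. Validation happens before the value is interpolated into a STIX pattern, which is what keeps a feed from injecting pattern syntax into the TIP. And the dedup key is the canonical pattern, not the raw string, so "Update-Portal.Example.NET." and "update-portal.example.net" become one indicator whose confidence reflects every feed that reported it; in production the bogon list and reliability table come from configuration and confidence should also decay as the last sighting ages.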

Step 4: Analysis and Production

Produce intelligence at three levels:
  • Strategic: Quarterly threat landscape report for executives; sector trends, geopolitical context
  • Operational: Weekly campaign reports for security leadership; active campaigns, adversary activity
  • Tactical: Daily IOC bulletins for SOC; actionable indicators with block/monitor recommendations
Apply structured analytic techniques: Analysis of Competing Hypotheses (ACH), Key Assumptions Check, Devil's Advocacy.

Step 5: Dissemination

Match product format to audience:
  • Executives: 1-page PDF with risk ratings, business impact, recommended decisions
  • SOC analysts: SIEM-ready IOC list, Sigma rules, MISP events
  • Vulnerability management: CVE lists with EPSS scores (predicted probability of exploitation in the next 30 days) and any observed in-the-wild exploitation
  • IT/Security leadership: Full intelligence report with technical appendix
Apply TLP classifications and distribution lists per product type.
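
One way to implement the per-audience products and the TLP gating from Step 5, as an added example (not code from the original page or from any TIP). It takes constructed indicators in the shape Step 3 produces, with TLP carried as a plain field for brevity (in STIX 2.1 it is an object_marking_refs reference to the TLP marking-definition), applies an assumed ceiling per distribution list, fails closed on unmarked items, keeps TLP:RED off every list, and renders a SIEM-ready CSV plus a Sigma rule tagged with the most restrictive marking it contains. The distribution-list names, ceilings, author string and the tlp.* tag mapping are assumptions.

```python
"""Step 5 dissemination: build audience-specific tactical products from the processed
indicator set and enforce TLP before anything leaves the CTI team. Added example for
this page, not code from MISP, ThreatConnect or OpenCTI. Standard library only; the
indicators, distribution-list ceilings and Sigma tag mapping are constructed/assumed."""
import csv
import io
import re
import uuid

TLP_ORDER = ["CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED"]   # TLP 2.0, least to most restrictive
# Assumed lists and the most restrictive TLP each may receive. TLP:RED is deliberately
# absent: it goes to named individuals, never to a list.
DISTRIBUTION_LISTS = {"soc-internal": "AMBER+STRICT", "isac-partners": "GREEN", "public-blog": "CLEAR"}

# Constructed indicators in the shape Step 3 emits; "tlp" is a plain field here for brevity.
INDICATORS = [
    {"pattern": "[ipv4-addr:value = '203.0.113.45']", "confidence": 90, "valid_until": "2024-06-01T09:00:00.000Z", "tlp": "AMBER"},
    {"pattern": "[ipv4-addr:value = '198.51.100.9']", "confidence": 70, "valid_until": "2024-05-31T00:00:00.000Z", "tlp": "GREEN"},
    {"pattern": "[domain-name:value = 'update-portal.example.net']", "confidence": 80, "valid_until": "2024-07-30T11:00:00.000Z", "tlp": "CLEAR"},
    {"pattern": "[ipv4-addr:value = '192.0.2.77']", "confidence": 95, "valid_until": "2024-06-10T00:00:00.000Z", "tlp": "AMBER+STRICT"},
    {"pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']", "confidence": 60, "valid_until": "2025-05-01T08:00:00.000Z", "tlp": "RED"},
    {"pattern": "[ipv4-addr:value = '198.51.100.200']", "confidence": 50, "valid_until": "2024-05-20T00:00:00.000Z"},  # unmarked
]

PATTERN_RE = re.compile(r"^\[(?P<obj>[\w-]+:[\w.'-]+) = '(?P<val>[^']*)'\]$")


def split_pattern(ind):
    """Return (object path, value) from a single-comparison STIX pattern."""
    m = PATTERN_RE.match(ind["pattern"])
    if not m:
        raise ValueError(f"unsupported pattern {ind['pattern']!r}")
    return m.group("obj"), m.group("val")


def select_for_list(indicators, list_name):
    """Apply the list's TLP ceiling. Unmarked and TLP:RED items are withheld (fail closed)."""
    ceiling = TLP_ORDER.index(DISTRIBUTION_LISTS[list_name])
    included, withheld = [], []
    for ind in indicators:
        tlp = ind.get("tlp")
        if tlp not in TLP_ORDER:
            withheld.append((ind, "unmarked indicator; mark it before release"))
        elif tlp == "RED":
            withheld.append((ind, "TLP:RED goes to named recipients only, never to a distribution list"))
        elif TLP_ORDER.index(tlp) > ceiling:
            withheld.append((ind, f"TLP:{tlp} exceeds the list ceiling TLP:{DISTRIBUTION_LISTS[list_name]}"))
        else:
            included.append(ind)
    return included, withheld


def render_ioc_csv(indicators):
    """SIEM-ready lookup table: one row per indicator, with the fields the SOC needs to age it out."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["type", "value", "confidence", "valid_until", "tlp"])
    for ind in indicators:
        obj, val = split_pattern(ind)
        w.writerow([obj, val, ind["confidence"], ind["valid_until"], ind["tlp"]])
    return buf.getvalue()


def sigma_tlp_tag(level):
    """Assumed mapping onto Sigma's tlp.* tag namespace (lowercase, '+' becomes '-')."""
    return "tlp." + level.lower().replace("+", "-")


def render_sigma(indicators, title, date):
    """Emit one Sigma rule (YAML text) matching outbound connections to the network indicators.
    The rule carries the most restrictive TLP it contains, because a product is marked at the
    level of its most sensitive item. File hashes stay in the CSV for the EDR blocklist."""
    pairs = [split_pattern(i) for i in indicators]
    ips = [v for o, v in pairs if o == "ipv4-addr:value"]
    hosts = [v for o, v in pairs if o == "domain-name:value"]
    if not ips and not hosts:
        return None
    worst = max((i["tlp"] for i in indicators), key=TLP_ORDER.index)
    rule_id = uuid.uuid5(uuid.NAMESPACE_URL, f"cti-bulletin/{date}/{worst}/{','.join(ips + hosts)}")
    lines = [f"title: {title}", f"id: {rule_id}", "status: experimental",
             f"description: Tactical IOC bulletin {date}; {len(ips) + len(hosts)} network indicators",
             "author: CTI team", f"date: {date}", "logsource:", "  category: network_connection",
             "  product: windows", "detection:"]
    selections = []
    for name, field, values in (("selection_ip", "DestinationIp", ips), ("selection_host", "DestinationHostname", hosts)):
        if values:
            lines += [f"  {name}:", f"    {field}:"] + [f"      - {v}" for v in values]
            selections.append(name)
    lines += [f"  condition: {' or '.join(selections)}", "falsepositives:",
              "  - Internal scanners or sinkholed traffic", "level: high", "tags:", f"  - {sigma_tlp_tag(worst)}"]
    return "\n".join(lines) + "\n"


def build_products(indicators, date):
    """One product bundle per distribution list: what was sent, what was withheld and why."""
    products = {}
    for list_name in DISTRIBUTION_LISTS:
        included, withheld = select_for_list(indicators, list_name)
        products[list_name] = {"included": included, "withheld": withheld,
                               "csv": render_ioc_csv(included),
                               "sigma": render_sigma(included, f"CTI tactical bulletin {date} ({list_name})", date)}
    return products
```

The withheld list is as much a product as the CSV: it is what the analyst reviews before release, and it is the audit trail if a partner later asks why an indicator they expected was missing. Keeping the ceiling per list, rather than per indicator, means adding a new ISAC or vendor channel is a one-line policy change and cannot widen what TLP:AMBER+STRICT material reaches.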

Step 6: Feedback and Evaluation

Collect feedback within 5 business days of dissemination:
  • Did the product address the PIR?
  • Was actionability sufficient?
  • What data was missing?
Track metrics quarterly: PIR coverage rate, IOC true positive rate, time-to-disseminate, stakeholder satisfaction score (NPS or structured survey).

Key Concepts

  • PIR: Priority Intelligence Requirement — specific, actionable question driving intelligence collection and analysis
  • Intelligence Lifecycle: Six-phase iterative process: Planning → Collection → Processing → Analysis → Dissemination → Feedback
  • Strategic Intelligence: Long-term threat trend analysis for executive decision-making; time horizon 6–24 months
  • Operational Intelligence: Campaign-level analysis for security program decisions; time horizon 1–6 months
  • Tactical Intelligence: Specific IOCs and TTPs for immediate detection and blocking; time horizon hours to days
  • FIRST CTI-SIG: CTI Special Interest Group of the Forum of Incident Response and Security Teams; source of the maturity model referenced under When to Use

Tools & Systems

  • ThreatConnect: TIP with built-in intelligence lifecycle workflows, PIR tracking, and stakeholder reporting dashboards
  • MISP: Open-source TIP supporting intelligence lifecycle from collection through sharing
  • OpenCTI: Graph-based CTI platform with workflow management for intelligence products
  • Recorded Future: Commercial platform with structured intelligence reports aligned to the intelligence lifecycle

Common Pitfalls

  • Collection without direction: Ingesting every available feed without PIRs produces data overload and no actionable intelligence.
  • Missing feedback loops: Without structured feedback, CTI teams produce reports that don't meet stakeholder needs and lose organizational relevance.
  • Tactical-only focus: Overemphasis on IOC sharing neglects strategic intelligence that informs security investment and risk decisions.
  • No metrics program: Cannot demonstrate CTI program value without tracking detection contributions, true positive rates, and stakeholder satisfaction.
  • Underfunded collection: PIRs cannot be answered without appropriate collection sources; document and escalate gaps rather than producing low-confidence estimates.