threat intelligence

Managing Intelligence Lifecycle

Manages the end-to-end cyber threat intelligence lifecycle from planning and direction through collection, processing, analysis, dissemination, and feedback to ensure intelligence products meet stakeholder requirements and continuously improve. Use when establishing or maturing a CTI program, defining intelligence requirements with business stakeholders, or building feedback loops between intelligence consumers and producers. Activates for requests involving CTI program maturity, intelligence requirements, PIRs, or intelligence lifecycle management.

ctiintelligence-lifecyclenist-csfnist-sp-800-150pirthreat-intelligence-program
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

Use this skill when:

  • Establishing a formal CTI program and defining its operational model
  • Conducting quarterly intelligence requirements reviews with business stakeholders
  • Evaluating CTI program maturity against established frameworks (FIRST CTI-SIG maturity model)

Do not use this skill for day-to-day IOC triage or incident-specific intelligence tasks — those use operational intelligence workflows, not lifecycle management.

Prerequisites

  • Executive sponsorship and defined CTI team structure (1+ dedicated analysts)
  • Stakeholder map identifying intelligence consumers (SOC, IR, executive team, vulnerability management)
  • Existing feed subscriptions or ISAC memberships for collection baseline
  • CTI platform (MISP, ThreatConnect, OpenCTI) for lifecycle management

Workflow

Step 1: Planning and Direction

Define Priority Intelligence Requirements (PIRs) with stakeholders:

  • Interview SOC leads, IR team, CISO, risk management, and product security
  • Document PIRs in structured format: "What is the current capability and intent of [threat actor] to attack [critical asset] using [technique]?"
  • Prioritize 5–10 PIRs for the quarter, reviewed monthly

Example PIR: "Is ransomware group Cl0p currently targeting organizations in our sector using MoveIT or GoAnywhere vulnerabilities?"

Step 2: Collection Planning

Map PIRs to required collection sources:

  • Technical sources: commercial feeds, TAXII, ISAC data, honeypot telemetry, darkweb monitoring
  • Human sources: vendor threat briefings, industry working groups, law enforcement partnerships
  • Internal sources: SIEM logs, EDR telemetry, phishing submission mailbox

Document collection gaps and associated costs to fill them.

Step 3: Processing and Normalization

Implement automated processing pipeline:

  • Ingest → normalize to STIX 2.1 → deduplicate → enrich → score confidence
  • Reject unverifiable or duplicate indicators before analysis
  • Tag all processed data with source, collection date, and expiration

Step 4: Analysis and Production

Produce intelligence at three levels:

  • Strategic: Quarterly threat landscape report for executives; sector trends, geopolitical context
  • Operational: Weekly campaign reports for security leadership; active campaigns, adversary activity
  • Tactical: Daily IOC bulletins for SOC; actionable indicators with block/monitor recommendations

Apply structured analytic techniques: Analysis of Competing Hypotheses (ACH), Key Assumptions Check, Devil's Advocacy.

Step 5: Dissemination

Match product format to audience:

  • Executives: 1-page PDF with risk ratings, business impact, recommended decisions
  • SOC analysts: SIEM-ready IOC list, Sigma rules, MISP events
  • Vulnerability management: CVE lists with EPSS scores and exploitation likelihood
  • IT/Security leadership: Full intelligence report with technical appendix

Apply TLP classifications and distribution lists per product type.

Step 6: Feedback and Evaluation

Collect feedback within 5 business days of dissemination:

  • Did the product address the PIR?
  • Was actionability sufficient?
  • What data was missing?

Track metrics quarterly: PIR coverage rate, IOC true positive rate, time-to-disseminate, stakeholder satisfaction score (NPS or structured survey).

Key Concepts

Term Definition
PIR Priority Intelligence Requirement — specific, actionable question driving intelligence collection and analysis
Intelligence Lifecycle Six-phase iterative process: Planning → Collection → Processing → Analysis → Dissemination → Feedback
Strategic Intelligence Long-term threat trend analysis for executive decision-making; time horizon 6–24 months
Operational Intelligence Campaign-level analysis for security program decisions; time horizon 1–6 months
Tactical Intelligence Specific IOCs and TTPs for immediate detection and blocking; time horizon hours to days
FIRST CTI-SIG Forum of Incident Response and Security Teams — CTI Special Interest Group maturity model

Tools & Systems

  • ThreatConnect: TIP with built-in intelligence lifecycle workflows, PIR tracking, and stakeholder reporting dashboards
  • MISP: Open-source TIP supporting intelligence lifecycle from collection through sharing
  • OpenCTI: Graph-based CTI platform with workflow management for intelligence products
  • Recorded Future: Commercial platform with structured intelligence reports aligned to the intelligence lifecycle

Common Pitfalls

  • Collection without direction: Ingesting every available feed without PIRs produces data overload and no actionable intelligence.
  • Missing feedback loops: Without structured feedback, CTI teams produce reports that don't meet stakeholder needs and lose organizational relevance.
  • Tactical-only focus: Overemphasis on IOC sharing neglects strategic intelligence that informs security investment and risk decisions.
  • No metrics program: Cannot demonstrate CTI program value without tracking detection contributions, true positive rates, and stakeholder satisfaction.
  • Underfunded collection: PIRs cannot be answered without appropriate collection sources; document and escalate gaps rather than producing low-confidence estimates.
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.0 KB

API Reference: Managing Intelligence Lifecycle

MITRE ATT&CK STIX/TAXII

Endpoint Description
cti-taxii.mitre.org/stix/collections/ TAXII server for ATT&CK STIX bundles
attack.mitre.org/versions/ ATT&CK version history and changelogs

Recorded Future API

Endpoint Method Description
/v2/alert/search GET Search intelligence alerts by rule and priority
/v2/entity/search GET Search threat actors, malware, and vulnerabilities
/v2/indicator/search GET Search IOCs with risk scores

MISP REST API

Endpoint Method Description
/events GET/POST List or create threat intelligence events
/attributes/restSearch POST Search for IOCs across all events
/feeds GET List configured intelligence feeds

OpenCTI GraphQL API

Query Description
stixCoreObjects Query threat actors, malware, and campaigns
reports List intelligence reports with confidence scores
indicators Query IOCs with STIX pattern matching

Key Libraries

  • stix2: Create and parse STIX 2.1 threat intelligence objects
  • taxii2-client: Connect to TAXII 2.1 servers for ATT&CK data
  • pymisp: Python client for MISP threat intelligence platform
  • requests: HTTP client for Recorded Future and custom feed APIs

Configuration

Variable Description
MISP_URL MISP instance URL
MISP_API_KEY MISP API authentication key
RF_API_TOKEN Recorded Future API token
OPENCTI_URL OpenCTI platform URL
OPENCTI_TOKEN OpenCTI API bearer token

References

Scripts 1

agent.py7.7 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
Cyber Threat Intelligence Lifecycle Management Agent
Manages the CTI lifecycle from requirements gathering through dissemination,
tracking PIRs, collection sources, and intelligence product metrics.
"""

import json
import os
import sys
from datetime import datetime, timezone


def load_intelligence_requirements(filepath: str) -> list[dict]:
    """Load Priority Intelligence Requirements (PIRs) from config."""
    if os.path.exists(filepath):
        with open(filepath, "r") as f:
            return json.load(f)

    return [
        {"id": "PIR-001", "requirement": "Which threat actors are actively targeting our industry sector?",
         "stakeholder": "CISO", "priority": "HIGH", "status": "active", "review_date": "2024-06-01"},
        {"id": "PIR-002", "requirement": "What new vulnerabilities affect our technology stack?",
         "stakeholder": "VP Engineering", "priority": "HIGH", "status": "active", "review_date": "2024-06-01"},
        {"id": "PIR-003", "requirement": "Are any of our credentials or data exposed on dark web?",
         "stakeholder": "CISO", "priority": "MEDIUM", "status": "active", "review_date": "2024-06-01"},
    ]


def evaluate_collection_sources(sources_file: str) -> list[dict]:
    """Evaluate intelligence collection source coverage and quality."""
    if os.path.exists(sources_file):
        with open(sources_file, "r") as f:
            return json.load(f)

    return [
        {"name": "MITRE ATT&CK", "type": "open-source", "category": "TTPs",
         "reliability": "A", "update_freq": "quarterly", "pirs_covered": ["PIR-001"]},
        {"name": "NVD/CVE", "type": "open-source", "category": "vulnerabilities",
         "reliability": "A", "update_freq": "daily", "pirs_covered": ["PIR-002"]},
        {"name": "Recorded Future", "type": "commercial", "category": "multi-source",
         "reliability": "B", "update_freq": "real-time", "pirs_covered": ["PIR-001", "PIR-002", "PIR-003"]},
        {"name": "VirusTotal", "type": "commercial", "category": "IOCs",
         "reliability": "B", "update_freq": "real-time", "pirs_covered": ["PIR-001"]},
        {"name": "ISAC Feeds", "type": "sharing-community", "category": "sector-specific",
         "reliability": "B", "update_freq": "weekly", "pirs_covered": ["PIR-001", "PIR-002"]},
    ]


def assess_pir_coverage(pirs: list[dict], sources: list[dict]) -> dict:
    """Assess how well collection sources cover PIRs."""
    coverage = {}
    for pir in pirs:
        pir_id = pir["id"]
        covering_sources = [s["name"] for s in sources if pir_id in s.get("pirs_covered", [])]
        coverage[pir_id] = {
            "requirement": pir["requirement"],
            "priority": pir["priority"],
            "sources_count": len(covering_sources),
            "sources": covering_sources,
            "gap": len(covering_sources) == 0,
        }

    total_pirs = len(pirs)
    covered_pirs = sum(1 for c in coverage.values() if not c["gap"])
    gap_pirs = [pid for pid, c in coverage.items() if c["gap"]]

    return {
        "total_pirs": total_pirs,
        "covered_pirs": covered_pirs,
        "coverage_pct": round(covered_pirs / max(total_pirs, 1) * 100, 1),
        "gaps": gap_pirs,
        "details": coverage,
    }


def track_intelligence_products(products_file: str) -> dict:
    """Track intelligence products and dissemination metrics."""
    if os.path.exists(products_file):
        with open(products_file, "r") as f:
            products = json.load(f)
    else:
        products = [
            {"id": "PROD-001", "type": "Weekly Threat Briefing", "audience": "SOC Team",
             "frequency": "weekly", "last_published": "2024-03-08", "feedback_score": 4.2},
            {"id": "PROD-002", "type": "Threat Actor Profile", "audience": "Executive Leadership",
             "frequency": "monthly", "last_published": "2024-03-01", "feedback_score": 3.8},
            {"id": "PROD-003", "type": "IOC Feed", "audience": "SIEM/EDR",
             "frequency": "daily", "last_published": "2024-03-15", "feedback_score": 4.5},
            {"id": "PROD-004", "type": "Vulnerability Intelligence", "audience": "Engineering",
             "frequency": "weekly", "last_published": "2024-03-10", "feedback_score": 4.0},
        ]

    overdue = []
    for prod in products:
        last = datetime.strptime(prod["last_published"], "%Y-%m-%d")
        freq_days = {"daily": 1, "weekly": 7, "monthly": 30, "quarterly": 90}
        expected_interval = freq_days.get(prod["frequency"], 30)
        days_since = (datetime.now() - last).days
        if days_since > expected_interval * 1.5:
            overdue.append({"product": prod["type"], "days_overdue": days_since - expected_interval})

    avg_feedback = sum(p["feedback_score"] for p in products) / max(len(products), 1)

    return {
        "total_products": len(products),
        "overdue_products": overdue,
        "avg_feedback_score": round(avg_feedback, 2),
        "products": products,
    }


def assess_maturity(pir_coverage: dict, products: dict, sources: list) -> dict:
    """Assess CTI program maturity using simplified FIRST CTI-SIG model."""
    scores = {}

    scores["planning_direction"] = min(5, 1 + (pir_coverage["total_pirs"] // 2))
    scores["collection"] = min(5, 1 + len(sources) // 2)
    scores["processing"] = 3 if products["total_products"] > 2 else 2
    scores["analysis"] = 3 if pir_coverage["coverage_pct"] > 80 else 2
    scores["dissemination"] = min(5, 1 + products["total_products"])
    scores["feedback"] = 4 if products["avg_feedback_score"] > 4.0 else 3

    overall = round(sum(scores.values()) / len(scores), 1)

    return {"dimension_scores": scores, "overall_maturity": overall, "maturity_level": (
        "Initial" if overall < 2 else "Developing" if overall < 3 else
        "Defined" if overall < 4 else "Managed" if overall < 4.5 else "Optimizing"
    )}


def generate_report(pirs: list, coverage: dict, products: dict, maturity: dict) -> str:
    """Generate CTI lifecycle management report."""
    lines = [
        "CYBER THREAT INTELLIGENCE LIFECYCLE REPORT",
        "=" * 50,
        f"Report Date: {datetime.now(timezone.utc).strftime('%Y-%m-%d %H:%M UTC')}",
        "",
        f"PIR COVERAGE: {coverage['coverage_pct']}%",
        f"  Total PIRs: {coverage['total_pirs']}",
        f"  Covered: {coverage['covered_pirs']}",
        f"  Gaps: {len(coverage['gaps'])}",
        "",
        f"INTELLIGENCE PRODUCTS:",
        f"  Active Products: {products['total_products']}",
        f"  Overdue: {len(products['overdue_products'])}",
        f"  Avg Feedback Score: {products['avg_feedback_score']}/5.0",
        "",
        f"PROGRAM MATURITY: {maturity['maturity_level']} ({maturity['overall_maturity']}/5.0)",
    ]
    for dim, score in maturity["dimension_scores"].items():
        lines.append(f"  {dim}: {score}/5")

    return "\n".join(lines)


if __name__ == "__main__":
    pir_file = sys.argv[1] if len(sys.argv) > 1 else "pirs.json"
    sources_file = sys.argv[2] if len(sys.argv) > 2 else "sources.json"
    products_file = sys.argv[3] if len(sys.argv) > 3 else "products.json"

    print("[*] CTI Lifecycle Management Assessment")
    pirs = load_intelligence_requirements(pir_file)
    sources = evaluate_collection_sources(sources_file)
    coverage = assess_pir_coverage(pirs, sources)
    products = track_intelligence_products(products_file)
    maturity = assess_maturity(coverage, products, sources)

    report = generate_report(pirs, coverage, products, maturity)
    print(report)

    output = f"cti_lifecycle_{datetime.now(timezone.utc).strftime('%Y%m%d')}.json"
    with open(output, "w") as f:
        json.dump({"pirs": pirs, "coverage": coverage, "products": products, "maturity": maturity}, f, indent=2)
    print(f"\n[*] Results saved to {output}")
Keep exploring