Monitoring deep, dark and surface web to detect exposure of your sensitive data, secret projects and initiatives, privileged users, critical systems, IT infrastructure, and more.
Monitoring and alerting of third party data breaches impacting your employees’ emails, usernames, and personally identifiable information.
Assess the risk footprint and security posture of key business relationships to get a handle on external risk introduced through your extended attack surface.

Sign Up for Updates

Digital risk monitoring of key personnel with telemetry and risk metrics. VIPRecon provides broad coverage of social media, deep and dark web, as well as physical threat assessments.
Our Ransomware Response Readiness Assessment, Playbook and Table Top Exercise gives your organization the best chance to survive and recover.
Gain visibility of your digital footprint by reaching into the most active areas of the cyber underground.
Fully managed and tailored Threat Intelligence services that becomes an extension of your current security processes and provides real-time visibility on new threats.
Providing research and investigations into known threats, to save security teams time and stress during a cyber emergency.

Sign Up for Updates

GroupSense offers a comprehensive package of services for assessing and responding to ransomware attacks, including negotiations with threat actors.
Actively researching and monitoring threats from vendors or third-party companies that can affect organizational security.
Monitoring for threats to elections, VIPs, and more on social media to proactively prevent or mitigate digital risk.
Focusing on the threats and risks that matter to your security processes and providing intelligence and insights to prevent or mitigate digital risk.
Taking the next step in security services, by proactively taking down phishing sites or anonymously interacting with threat actors to provide better intelligence.
Active monitoring of your brand's digital assets to protect its reputation and stop further brand abuse from targeting unsuspecting victims.

Sign Up for Updates

Combining your cyber and fraud programs to effectively fight threat actors continually scamming or threatening assets within an organization.
Executives are prime targets for fraudulent activities, but with a proactive approach, any attacks or threats can be neutralized before causing any damage.
Governments, political parties and candidates must all act now to activate cyber threat intelligence services to harden their information security and get ahead of inevitable cyber threats to the election process.
5 min read

How To Use The Threat Intelligence Cycle To Secure Your Brand

Oct 9, 2017 9:30:00 AM

One of the most fundamental aspects in the world of intelligence is the application of a process known as The Intelligence Cycle. It enables intelligence professionals regardless of the area of focus – from Counterterrorism to Cybersecurity – to establish a plan of action and execute on that plan to deliver a high-quality intelligence product to the client.

​GroupSense applies the Intelligence Cycle by gathering client requirements, collecting and filtering out the “noise” or irrelevant data, analyzing the risk, and producing a compelling product. We believe that delivering tailored intelligence to our clients facilitates well-informed decisions on the most relevant business and security risks threatening their brand, reputation, employees, infrastructure, and third parties.

What is The Intelligence Cycle?

The Intelligence Cycle is an interactive and iterative process that controls the scope and pace of the overall production of finished intelligence. It consists of five primary steps: planning and direction, collection, processing, analysis and production, and dissemination and feedback.


The below represents an abbreviated description of the Intelligence Life Cycle

Planning & Direction: This initial stage is critical to the success of any intelligence program and its application by the decision-making authority that drives the intelligence cycle.  It is important to note that proper direction of the intelligence effort is the responsibility of senior management who informs the intelligence team what is needed to satisfy the client’s requirement(s).

Once a clearly defined requirement is obtained the intelligence team can effectively execute by leveraging what they already know about the issue and what they need to find out from available collection resources such as internal telemetry data, honeynet, Surface, Deep, and Dark Web, or community relationships.

Collection: Using the original requirement and devised plan as a guiding force, the collection phase helps you determine where and how you conduct data acquisition and information gathering.  If you’re fortunate enough to have a tool such as GroupSense’s proprietary engine – TracelightTM - to aid in the “hunting and gathering” phase, then you would craft a keyword search in the platform and click the “easy” button to retrieve the necessary data and information to answer the client’s requirement(s).

However, as any good intelligence analyst can tell you, there is a wide array of open and closed tools and sources for retrieving the data and information such as Internet research, underground forums, social media, news media, blogs, radio stations, honeynets, telemetry data, internal logs, VirusTotal, Shodan and external relationships.

Processing: The processing step involves the collation, validation, and evaluation of the collected data and information to confirm its usefulness and relevance, a precursor to analysis. The timeliness and accuracy of the processing depend on the type of collected data or information and the type of processing and exploitation system available.

For instance, the processing requirements for data conversion and correlation are different for scraped websites than they would be for system or network logs before they can be intelligible to the human analyst.

By filtering out the “noise” and converting raw data, intelligence professionals can focus on evaluating, analyzing, and interpreting the data and information to produce a finished intelligence product.

Analysis & Production: This is the phase where the intelligence analysts shine by transforming the processed data and information into a fused, complete intelligence product.  Through evaluation, analysis, and interpretation, the analysts should produce the finished intelligence in a timely manner and contextualized, easily digestible format that answers the client’s requirement and facilitates their decision-making process.

The key components of this phase are relevance, accuracy, and completeness in satisfying the original requirement, or else you fall into the threat intelligence trap where the deliverable is interesting but not compelling enough to act, wasting both parties' time and resources.  This cannot be stressed enough since repeating this mistake too often, you’ll eventually learn through churn.

Dissemination & Feedback: In this final step, the intelligence team employs what I call the four “rights” rule: delivered in the “right” format, placed in the “right” hands, given at the “right” time, and provided through the “right” medium.  These elements are important because the product is only valuable if it is delivered in a timely fashion in an appropriate medium and meets - preferably exceeds - the client’s requirement.

As a closed loop system, the intelligence cycle ends when the originator of the request provides feedback as to the value of the product. Feedback can be provided via dialogue in a ticketing system, email correspondence, phone call, video conferencing, or an in-person meeting.

The Intelligence Cycle in Action: A Case Study

A popular e-Commerce company is facing a continual threat of phishing emails and credential harvesting websites originating from threat actors mimicking their brand’s domain name and official customer login page.  Recognizing the need for enhanced detection, alerting, and remediation of the issue, they seek external vendor support.

As a reputable managed threat intelligence provider, GroupSense is hired to serve as an extension of the client’s security team and help them protect their brand from typosquatting and phishing threats.  During the initial engagement, GroupSense collaborates with the client to better understand their business need, develop intelligence requirements, and formulate an intelligence collection plan (Planning & Direction).

Using the collection plan, GroupSense analysts establish alerting criteria in Tracelight™ to detect newly registered domains (NRDs) (Collection).  Additionally, they perform keyword searches in Tracelight™ to retrieve all actively registered domain name variants and phishing campaigns targeting the client, their partners, and their customers (Collection).

On Day 1, GroupSense receives an automated alerted of NRDs and previously created domains (newly observed domains) mimicking the client’s brand (Processing).  The intelligence team uses these domains as "seed" data to further enrich it using Tracelight™ by gathering Whois information, retrieving the hosted website’s HTML code and taking a screenshot, obtaining the SSL certificate, the IP address resolution, and performing reverse lookup data i.e. reverse Whois, Passive DNS, etc. (Analysis).

After filtering out false positives and non-credible threats, the lead analyst writes their findings into an intelligence report to include recommended actions on minimizing the client’s risk exposure via our internal dissemination system (Dissemination).

Once the customer reviews the report, they confirm the threat and request GroupSense initiates a domain take-down (Feedback). The team acknowledges the request and initiates the domain take-down process (Feedback).  

Upon deletion of the offender domain by the Registrar, GroupSense re-engages the client to inform them about the neutralization of the threat.

Subscribe to our blog to stay updated


In this blog, we briefly introduced The Intelligence Cycle and the vital role that it plays in delivering insightful, actionable intelligence that satisfies the client’s intelligence need. Implementing this process ensures intelligence professionals remain within the scope of the client’s requirements, allowing them to proactively deliver finished intelligence to clients to help them strengthen their risk posture.

Topics: Blog

Written by Editorial Team