An intelligence requirement template provides the scaffolding you need to comprehensively define your organization’s intelligence requirements. It empowers you to focus on what matters, create good requirements, and not waste time figuring out what this important document should include or look like.
This is why we have created a FREE intelligence requirements template you can use right now!
The template includes everything you need to thoroughly document your organization’s intelligence requirements, including collection requirements, production requirements, and a process for generating new intelligence requirements.
Intelligence requirements are the foundation of every cyber threat intelligence program. Kickstart your journey to creating them with our template. It has been packaged and is now ready to use as a PDF or Word Document. Download and enjoy!
Intelligence Requirements Template
Intelligence Requirements | |
Approved By | <approver name> |
Owner | Head of Cyber Threat Intelligence |
Author | <your name> |
Audit | Cyber Security Team |
Issue Date | <issue date> |
Document Name | Intelligence Requirements |
Version | 1.0 |
Document Classification | TLP:RED |
Distribution | <Google Drive | OneDrive | Sharepoint> |
Document Revision History | |||
Version | Author | Notes | Date |
1.0 | <your name> | Document Creation | <date> |
Introduction
Cyber security threats are increasing in frequency and complexity. New and emerging technologies make it easier than ever for threat actors to conduct highly sophisticated cyber attacks against <company name>.
Cyber Threat Intelligence (CTI) plays a critical role in enabling <company name> to defend against these threats. It allows <company name> to proactively identify threats, prepare for and counter specific attack techniques, and tailor its defensive strategies to the specific threats the organization faces.
A fundamental pillar of a successful CTI program is well-formed intelligence requirements that the CTI team must fulfill. These requirements guide the CTI team in collecting, analyzing, and disseminating intelligence so that the intelligence products the team produces allow key stakeholders to make informed decisions.
To achieve this objective, this document outlines <company name>’s intelligence requirements to establish the organization’s unique needs and guide its CTI processes. It is intended to provide a comprehensive framework for collecting, analyzing, and leveraging threat intelligence to enhance the organization’s overall security posture.
Purpose
The purpose of the Intelligence Requirements outlined in this document is to define clear and actionable requirements for the CTI team to satisfy through their threat intelligence activities.
Each intelligence requirement is simple, focused, and supports a single decision that a key stakeholder will be required to make. They include technical and strategic requirements that various stakeholders within <company name> have formally recognized as a priority for the organization.
The document also defines the collection and dissemination of each intelligence requirement and how new requirements can be added. As such, it requires ongoing maintenance and periodic review to ensure it aligns with the organization’s current objectives.
This document is not intended as an exhaustive list of the threat intelligence processes at <company name> and does not offer prescriptive advice on completing each intelligence requirement. Instead, it is designed to establish the formal intelligence requirements that the CTI team at <company name> has been tasked with fulfilling.
Scope
The Intelligence Requirements outlined in this document apply to all departments that fall under <company name>’s cyber security domain and have been added at the request of each department manager (see Appendix B – Internal Contacts for details). Each requirement names a “Requester” on whose behalf the requirement exists and “Production Requirements” that the CTI team must fulfill to satisfy it.
This document covers the following key areas:
- Data Collection Sources: The internal and external data sources the CTI team can use to gather intelligence to fulfill the stated requirements. This includes tools, platforms, and infrastructure, listed as “Collection Requirements” for each requirement. See the organization’s Collection Management Framework for more details.
- Intelligence Dissemination Channels: The available communication methods for distributing the intelligence generated by the CTI team to fulfill a requirement. Each requirement has “Production Requirements” detailing the channel used.
- Intelligence Requirements: A formal list of approved requirements the organization’s CTI team must fulfill to support decision-making and achieve organizational objectives. Each contains where the intelligence to satisfy it will be collected from and where the finished intelligence product will be shared, along with the team and manager who requested the requirement.
- Intelligence Requirement Generation: The agreed-upon process for creating and adding a new intelligence requirement to this document.
- Maintenance and Review: A record of when this document was reviewed and updated.
- Training and Awareness: The training and awareness programs at <company name> to ensure employees are aware of the intelligence requirements in this document and can use them effectively.
Anyone within <company name> can make a formal request to add a new intelligence requirement to this document using the process outlined in Section 8 – Intelligence Requirement Generation Process. Once the requirement is accepted, the requester’s department falls within the scope of this document.
Definitions and Acronyms
This Intelligence Requirements document uses the following key terms to describe the organization’s stated intelligence requirements. Ensure you are familiar with their definitions.
Key Term | Definition |
Intelligence Requirement (IR) | Specific information needs to guide the collection, analysis, and dissemination of cyber threat intelligence within an organization. |
General Intelligence Requirement (GIR) | <company name>’s ongoing and standing information needs. They are broad in scope and encompass a wide range of topics. These are the main requirements in this document. |
Priority Intelligence Requirement (PIR) | Mission critical intelligence requirements. They are key to <company name>’s security success and will change based on the need to address immediate threats or situations. |
Request for Information (RFI) | A formal inquiry to gather specific information or clarification on a particular subject. This is another type of intelligence requirement. |
Collection Requirement | The data sources (systems, tools, or platforms) required to fulfill an intelligence requirement successfully. |
Production Requirement | The intelligence product (and the dissemination channel and format) that the CTI team creates to satisfy an intelligence requirement. |
Threat Actor | An individual, group, or organization that threatens the security, confidentiality, integrity, or availability of <company name>’s systems, network, or data. They could be a criminal gang, nation-state, or political activist. |
Stakeholder | An individual, group, or organization with an interest, concern, or influence in a particular issue or project. Stakeholders can be internal or external, and it is important to identify and communicate critical decisions with them. |
Threat | Any potential danger that could exploit a vulnerability to harm <company name>’s assets, including its information systems, networks, or data. |
Security Information and Event Management (SIEM) | A software system that allows you to collect, store, and analyze security-related data from various log sources within an organization’s IT environment. |
Endpoint Detection and Response (EDR) | A security tool installed on endpoint devices (e.g., laptops, desktops, mobile phones) to detect and block malicious activity and to record endpoint telemetry for investigation. |
Intrusion Detection System / Intrusion Prevention System (IDS / IPS) | An IDS is a security tool that monitors network traffic to detect potentially malicious activity and raise alerts. An IPS sits inline in the network and can block potentially malicious activity as well as detect it. |
Cyber Threat Intelligence (CTI) | The process of gathering, analyzing, and disseminating information about current or potential threats to an organization’s digital infrastructure. |
Indicator of Compromise (IOC) | A piece of data or evidence (e.g., a file hash, IP address, domain name, or registry key) that indicates malicious activity has occurred within a network or on a computer system. |
Tactic, Technique, Procedure (TTP) | A way to describe and categorize adversary behavior: the tactic is the adversary’s goal, the technique is how that goal is achieved, and the procedure is the specific way a given adversary carries the technique out. Describing threats in these terms helps organizations anticipate, detect, and respond to them. |
Data Source | Any system, tool, or platform from which you can gather information. |
Threat Intelligence Platform (TIP) | A software application used to aggregate, analyze, and manage cyber threat intelligence data from multiple sources to help organizations identify, assess, and respond to threats more effectively. |
Data Collection Sources
A data collection source is any system, tool, or platform <company name> has made available for the CTI team to gather information. This includes collection sources that contain data internal to the company (e.g., generated by a security tool) and external data from threat intelligence platforms or other data sources. A data collection source is included as part of an intelligence requirement.
This list of collection sources should be updated, along with the organization’s Collection Management Framework, whenever a new data source is added or removed.
Collection Source | Intelligence Type | Location | Owner |
EDR | Internal system data | Web application | Security Operations Team |
AlienVault | External open-source atomic indicators | Website | CTI Team |
Intelligence Dissemination Channels
A dissemination channel is any means of sharing threat intelligence with an individual, team, or third party. It includes the format the intelligence is expected to be in and where the channel is accessible. The channel is included as part of a Requester’s intelligence requirement.
This list should be updated whenever a new dissemination channel is added or removed.
Channel | Format | Location | Owner |
Security Operations SharePoint Site | Report | Online SharePoint Website | Security Operations Team |
Vulnerability Management Teams Channel | Text Message | Microsoft Teams | Vulnerability Management Team |
Intelligence Requirements
Intelligence requirements are specific information needs of teams within <company name>. Each requirement includes a type, the data collection source required to fulfill the requirement, the distribution method to share the intelligence generated, and the requester.
This list should be updated whenever a new intelligence requirement is added or removed. The addition of an intelligence requirement to this list should be performed using the Intelligence Requirement Generation Process as defined in Section 8 of this document.
Intelligence Requirements | Type | Collection Requirements | Production Requirements | Last Updated | Requester |
What malware does FIN7 currently use (within the last year)? | GIR | AlienVault, TIP, OSINT | An ongoing log in the organization’s threat database | <date> | Malware Analysis Team |
What are the indicators of malware XYZ from incident 0922? | PIR | EDR, Malware Analysis Tool, SIEM | A report shared on security operations SharePoint site | <date> | Security Operations Team |
How can an adversary exploit Active Directory certificates? | RFI | OSINT | An email to the IT team | <date> | IT Team |
Intelligence Requirement Generation Process
Effective intelligence requirements are simple and focused and support a single decision that a key stakeholder needs to make. To ensure these criteria are met, <company name> requires each intelligence requirement to be created using a well-defined requirement generation process that involves both the Requester and the CTI Team.
The requirement generation process follows three main steps. The implementation details of these steps will vary depending on the type of intelligence requirement being created. See below for more information.
General Intelligence Requirement
A General Intelligence Requirement (GIR) is a broad-scoped ongoing information need that should align with the organization’s medium to long-term business objectives.
This document records these requirements to give the CTI team and its intelligence consumers within <company name> formal visibility of the team’s ongoing expectations.
Priority Intelligence Requirement
A Priority Intelligence Requirement (PIR) is a mission-critical information need that is key to the organization’s security success. These requirements change regularly based on <company name>’s need to address immediate threats or situations.
This document records these requirements to communicate the current priorities of the CTI team as they relate to key strategic objectives they are tasked with fulfilling for <company name>.
Request for Information
A Request for Information (RFI) is a formal inquiry to gather specific information or clarification on a particular subject. This is typically an ad hoc task the CTI team is asked to perform and is a lower priority than a PIR or GIR.
This document records these requests to track informational needs the CTI team has been tasked with completing. A specialist task management solution is recommended for managing these tasks.
Generation Process
The creation of an intelligence requirement (GIR, PIR, or RFI) requires the following steps:
- Determine the consumer: The consumer receives the intelligence product generated to satisfy the intelligence requirement. GIRs are usually for both technical and non-technical teams, while a PIR is generally for a technical team working to a deadline.
- Identify the knowledge gaps to be filled: Here, the CTI team works with the requester to determine their intelligence needs, such as knowledge gaps, pain points, or use cases that can be enhanced with intelligence.
- Refine the knowledge gaps into an intelligence requirement: The CTI team refines the identified knowledge gap into an intelligence requirement that focuses on a specific fact, event, or activity, answers a single question to support a single decision, and is falsifiable. This is based on the criteria below.
An intelligence requirement should meet the following criteria after the CTI team and requester work through the above steps:
- Singular: The requirement should focus on one question and only one question.
- Atomic: The requirement should be specific to a particular fact, event, or activity.
- Decision Centric: The requirement should lead to making a single decision.
- Time-bound: The requirement should capture the timeframe for which the intelligence is usable.
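The criteria above are easy to state and easy to drift from once the requirements table grows. The following Python lint is an added example, not part of the template: it assumes the organization also keeps the document’s three registers (collection sources, dissemination channels, and the requirements themselves) as structured data, and it checks each requirement against the four criteria and against the registered sources and channels before it is added to the document. The register contents and field names are constructed for illustration.

```python
"""Consistency lint for a structured copy of the Intelligence Requirements register.

Added example (not from the template). It assumes the organisation keeps the
document's registers as structured data so that every new requirement can be
checked against the Singular / Atomic / Decision Centric / Time-bound criteria
and against the registered collection sources and dissemination channels.
"""
from dataclasses import dataclass

REQUIREMENT_TYPES = {"GIR", "PIR", "RFI"}

# Constructed registers mirroring the template's tables (hypothetical contents).
COLLECTION_SOURCES = {"EDR", "SIEM", "AlienVault", "OSINT", "Malware Analysis Tool"}
DISSEMINATION_CHANNELS = {
    "Security Operations SharePoint Site",
    "Vulnerability Management Teams Channel",
}


@dataclass
class IntelligenceRequirement:
    question: str            # the single question the requirement answers
    ir_type: str             # GIR, PIR or RFI
    collection: list[str]    # Collection Requirements: registered sources only
    channel: str             # Production Requirements: a registered channel
    requester: str
    decision: str            # the one decision the finished intelligence supports
    timeframe: str           # window for which the intelligence is usable


def lint_requirement(ir, sources=COLLECTION_SOURCES, channels=DISSEMINATION_CHANNELS):
    """Return a list of problems; an empty list means the requirement passes."""
    problems = []
    q = ir.question.strip()

    if ir.ir_type not in REQUIREMENT_TYPES:
        problems.append(f"unknown requirement type {ir.ir_type!r}")

    # Singular / Atomic: phrased as exactly one question.
    if q.count("?") != 1 or not q.endswith("?"):
        problems.append("must be phrased as exactly one question")

    # Decision Centric and Time-bound: both fields must be filled in.
    if not ir.decision.strip():
        problems.append("no decision recorded")
    if not ir.timeframe.strip():
        problems.append("no timeframe recorded")

    # Collection Requirements must name registered collection sources.
    if not ir.collection:
        problems.append("no collection requirement")
    unknown = sorted(s for s in ir.collection if s not in sources)
    if unknown:
        problems.append("unregistered collection source(s): " + ", ".join(unknown))

    # Production Requirements must name a registered dissemination channel.
    if ir.channel not in channels:
        problems.append(f"unregistered dissemination channel {ir.channel!r}")

    if not ir.requester.strip():
        problems.append("no requester recorded")

    return problems


def lint_register(requirements, **kw):
    """Map each failing requirement's question to its list of problems."""
    return {ir.question: p for ir in requirements if (p := lint_requirement(ir, **kw))}


# Constructed sample register: one well-formed PIR and one that fails several checks.
SAMPLE_REGISTER = [
    IntelligenceRequirement(
        question="What are the indicators of malware XYZ from incident 0922?",
        ir_type="PIR",
        collection=["EDR", "Malware Analysis Tool", "SIEM"],
        channel="Security Operations SharePoint Site",
        requester="Security Operations Team",
        decision="Which IOCs to block at the EDR and network perimeter",
        timeframe="Until incident 0922 is closed",
    ),
    IntelligenceRequirement(
        question="What malware does FIN7 use? Who are its affiliates?",
        ir_type="GIR",
        collection=["AlienVault", "TIP"],
        channel="Threat database",
        requester="Malware Analysis Team",
        decision="",
        timeframe="",
    ),
]

if __name__ == "__main__":
    for question, problems in lint_register(SAMPLE_REGISTER).items():
        print(question)
        for p in problems:
            print("  -", p)
```

Running the lint as part of the change process (for example, before a new row is merged into the requirements table) catches the common failure modes: a requirement that bundles two questions, a collection requirement naming a source the Collection Management Framework does not list, or a production requirement pointing at a channel nobody owns.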
Maintenance and Review
The Intelligence Requirements document will be reviewed and updated regularly.
Auditor | Cyber Security Team |
Review Period | Annually or as required |
Review Date | <review date> |
Next Review Date | <next review date> |
Training and Awareness
To raise awareness of <company name>’s intelligence requirements and ensure they are used effectively, <company name> is dedicated to providing employees with the appropriate training. This includes ensuring employees are aware of ongoing intelligence requirements, know how to raise new intelligence requirements, and have the resources required to fulfill these requirements.
To meet these objectives, <company name> has the following programs in place to ensure intelligence requirements are used effectively.
Employee Awareness Programs:
- <awareness program 1>
- <awareness program 2>
- <awareness program 3>
Employee Training Programs:
- <training program 1>
- <training program 2>
- <training program 3>
Appendices
Appendix A: Intelligence Requirement Form
Provide a form for generating new intelligence requirements based on Section 8 – Intelligence Requirement Generation Process.
Appendix B: Contact Lists
Cyber Threat Intelligence Team Contacts
Role | Name | Title | Phone | |
Head of CTI | | | | |
CTI Manager | | | | |
CTI Lead | | | | |
CTI Analyst | | | | |
CTI Analyst | | | | |
CTI Analyst | | | | |
Internal Contacts
Role | Name | Title | Phone | |
Head of Security Operations | | | | |
Incident Response Manager (DFIR) | | | | |
Lead Security Analyst | | | | |
Lead Malware Analyst | | | | |
IT Representative | | | | |
Data Protection Officer | | | | |
CISO | | | | |
Conclusion
Intelligence requirements are a fundamental pillar in all cyber threat intelligence programs. They define the threat intelligence team’s expectations and guide them in collecting, processing, and analyzing intelligence.
The intelligence requirements template detailed in this article provides the scaffolding needed to document your organization’s intelligence requirements. You can customize this template as you see fit and mold it to fit your organization’s needs. Use the form below to pick up your FREE copy as a PDF or Word document.