Collection management is the disciplined process of planning, organizing, and optimizing the gathering of information needed to produce intelligence. In cyber threat intelligence, collection management determines what data you gather, from which sources, how often, and how you evaluate its quality. Without structured collection management, CTI teams either drown in low-value data or miss critical intelligence because they never looked in the right place.
Learning Objectives
- Understand the collection management framework and how it connects to intelligence requirements
- Identify and categorize source types relevant to cyber threat intelligence
- Apply the Admiralty Code (NATO System) to evaluate source reliability and information credibility
- Conduct collection gap analysis to identify and address blind spots
- Manage feed volume and avoid collection overload
The Collection Management Framework
Collection management sits between intelligence requirements (PIRs/EEIs) and analysis in the intelligence cycle. Its purpose is to ensure that collection activities are focused, efficient, and aligned with what the organization needs to know.
The collection management framework consists of several interconnected components:
- Requirements mapping: Linking each EEI to one or more collection sources
- Source management: Maintaining an inventory of all collection sources with their capabilities and limitations
- Collection planning: Scheduling and prioritizing collection activities
- Tasking: Directing specific collection activities against specific requirements
- Monitoring: Tracking whether collection activities are producing the needed information
- Gap analysis: Identifying requirements that cannot be met by current sources
Key Definition: A Collection Management Framework (CMF) is the organizational structure, processes, and tools used to manage the end-to-end collection effort. In mature CTI programs, the CMF is maintained by a dedicated collection manager or is a shared responsibility of the CTI team lead.
Collection Plan Development
A collection plan is a structured document or system that maps intelligence requirements to sources and schedules. It answers four questions for every EEI:
- What information is needed? (The EEI)
- Where will it come from? (The source)
- When will it be collected? (The schedule)
- Who is responsible? (The assigned analyst or automated process)
A practical collection plan might look like this:
| EEI | Source | Collection Method | Frequency | Owner | Status |
|---|---|---|---|---|---|
| Active threat groups targeting healthcare | Recorded Future, Mandiant Advantage | Automated feed + monthly review | Daily (auto) / Monthly (manual) | Analyst A | Active |
| New CVEs in our tech stack | NVD, vendor advisories | Automated alerts | Daily | Automation | Active |
| Dark web mentions of our organization | Dark web monitoring service | Automated alerts + weekly review | Continuous | Analyst B | Active |
| TTPs of identified threat groups | MITRE ATT&CK, vendor reports | Manual research | Quarterly | Analyst A | Active |
| Indicators from sector ISACs | H-ISAC (Health ISAC) | Email + portal monitoring | Daily | Analyst C | Active |
The collection plan should be a living document, reviewed alongside PIRs during regular review cycles.
Source Types in Cyber Threat Intelligence
Traditional intelligence disciplines translate into cyber-relevant source categories. Understanding source types helps analysts diversify their collection and avoid over-reliance on any single category.
Internal Sources (Analogous to TECHINT/SIGINT)
Internal sources are data generated within your own organization. They are often the most valuable because they reflect your actual threat exposure.
- SIEM logs: Endpoint, network, authentication, DNS, proxy, and email logs
- EDR telemetry: Process execution, file creation, network connections, registry modifications
- Firewall and IDS/IPS logs: Blocked connections, triggered signatures, traffic flows
- Vulnerability scan results: Known vulnerabilities in your environment
- Incident data: Previous incidents, forensic findings, and post-incident reports
- Help desk tickets: Reports of suspicious emails, unusual behavior, or system issues
Open Source Intelligence (OSINT)
Publicly available information that can be collected without special access or authorization.
- Government advisories: CISA alerts, FBI Private Industry Notifications (PINs), NSA cybersecurity advisories
- Vendor threat reports: Mandiant M-Trends, CrowdStrike Global Threat Report, Microsoft Digital Defense Report
- Security research: Blog posts, conference presentations, academic papers
- Social media: Twitter/X security community, researcher disclosures
- Code repositories: GitHub (for malware analysis, proof-of-concept exploits, tool releases)
- Passive DNS and certificate transparency: Historical DNS records, SSL certificate registrations
- Shodan, Censys: Internet-wide scanning data
Commercial Threat Intelligence (Analogous to Contracted HUMINT/SIGINT)
Paid services that provide curated, enriched, or exclusive intelligence.
- Threat intelligence platforms: Recorded Future, Mandiant Advantage, Intel 471, Flashpoint
- Indicator feeds: Commercial IOC feeds (IP addresses, domains, hashes)
- Dark web monitoring: Paid services that monitor underground forums, marketplaces, and paste sites
- Managed intelligence services: Analyst-produced reports on specific threats or actors
Community and Information Sharing
Collaborative intelligence sharing through trusted communities.
- ISACs and ISAOs: Sector-specific sharing organizations (FS-ISAC, H-ISAC, IT-ISAC, etc.)
- MITRE ATT&CK: Community-maintained knowledge base of adversary techniques
- Malware Information Sharing Platform (MISP): Open-source threat intelligence sharing platform
- Trusted circles: Private sharing groups among peer organizations
- Government sharing programs: CISA's Automated Indicator Sharing (AIS), FBI InfraGard
Human Intelligence (HUMINT) in Cyber Context
Human sources of intelligence specific to cyber operations.
- Industry contacts: Relationships with analysts at peer organizations, vendors, and government agencies
- Conference networking: Information gathered through professional relationships at events
- Undercover operations: Law enforcement infiltration of criminal forums (not typically available to private sector CTI teams)
- Insider knowledge: Former employees of adversary organizations (handled carefully for legal and ethical reasons)
Source Evaluation: The Admiralty Code
Not all intelligence is created equal. The Admiralty Code, also known as the NATO System for evaluating intelligence, provides a standardized method for assessing both the reliability of the source and the credibility of the information.
Source Reliability (A through F)
| Rating | Description | Meaning |
|---|---|---|
| A | Completely reliable | Source has a proven track record; no doubt about reliability |
| B | Usually reliable | Source has been reliable in the past with minor exceptions |
| C | Fairly reliable | Source has provided reliable information in the past but not consistently |
| D | Not usually reliable | Source has provided unreliable information in the past |
| E | Unreliable | Source has a history of providing inaccurate information |
| F | Reliability cannot be judged | New source or insufficient history to assess |
Information Credibility (1 through 6)
| Rating | Description | Meaning |
|---|---|---|
| 1 | Confirmed by other sources | Information verified independently by multiple sources |
| 2 | Probably true | Information is consistent with known facts and logical |
| 3 | Possibly true | Information is plausible but not confirmed |
| 4 | Doubtful | Information is inconsistent with known facts or illogical |
| 5 | Improbable | Information contradicts known facts |
| 6 | Truth cannot be judged | Insufficient basis to evaluate |
Applying the Admiralty Code
An intelligence item rated B2 comes from a usually reliable source and the information is probably true — this is high-confidence intelligence suitable for action. An item rated D4 comes from a not usually reliable source and the content is doubtful — this should not drive decisions without significant additional corroboration.
In practice, CTI teams apply this system when:
- Evaluating new threat intelligence feeds before integrating them
- Assessing individual reports or indicators
- Deciding whether to act on a warning or tip
- Communicating confidence levels to stakeholders
Important: Source reliability and information credibility are independent assessments. A completely reliable source (A) can occasionally provide information that is only possibly true (3) — for example, an established vendor reporting on a new, unconfirmed threat. Similarly, an unproven source (F) might provide information that is confirmed by others (1).
Collection Gap Analysis
Collection gap analysis identifies where your current sources cannot answer your intelligence requirements. It is one of the most valuable outputs of the collection management process.
Conducting Gap Analysis
- List all active EEIs from your PIR framework
- Map each EEI to current sources using your collection plan
- Identify EEIs with no sources — these are absolute gaps
- Identify EEIs with only one source — these are single-point-of-failure risks
- Assess source quality — an EEI covered only by an unreliable source (D/E) is effectively a gap
- Prioritize gaps based on the priority of the parent PIR
Addressing Gaps
Options for closing collection gaps include:
- Acquire new sources: Subscribe to additional feeds, join ISACs, procure new tools
- Task existing sources differently: Refine search queries, adjust monitoring parameters
- Develop internal capabilities: Build custom collection tools, deploy additional sensors
- Establish new relationships: Join sharing communities, develop analyst-to-analyst contacts
- Reformulate the requirement: If an EEI is truly unanswerable, adjust the PIR to something achievable
Managing Collection Resources
Feed Management
Most CTI teams consume multiple intelligence feeds. Managing these feeds requires discipline:
Commercial feeds provide curated, enriched data but come with licensing costs. Evaluate them based on:
- Relevance to your specific industry and threat landscape
- Timeliness of indicator delivery
- False positive rate
- Enrichment quality (context provided with indicators)
- Integration capability with your tools (SIEM, TIP, SOAR)
Open-source feeds are free but typically require more processing. Evaluate based on:
- Community reputation and maintenance status
- Data quality and freshness
- Format compatibility (STIX/TAXII, CSV, JSON)
- Volume and noise level
Community sharing provides context-rich intelligence from peers facing similar threats. The value is proportional to your active participation — sharing communities expect members to contribute, not just consume.
Avoiding Collection Overload
One of the most common failures in CTI collection is gathering more data than the team can process. Signs of collection overload include:
- Analysts cannot keep up with incoming reports and alerts
- Indicators are ingested into the SIEM but never reviewed or validated
- Intelligence reports pile up unread
- Most collected data is never used in analysis or products
Countermeasures:
- Ruthlessly prioritize: Only collect what directly supports active PIRs
- Automate processing: Use automation for indicator ingestion, deduplication, and enrichment
- Set retention policies: Old indicators lose value — define aging and expiration rules
- Measure utilization: Track what percentage of collected intelligence actually appears in finished products or drives actions
- Review and cull feeds: Regularly assess each feed's contribution and eliminate those that produce more noise than signal
Key Takeaways
- Collection management bridges the gap between intelligence requirements and finished intelligence products
- A collection plan maps every EEI to specific sources, schedules, and owners
- Source types in CTI include internal telemetry, OSINT, commercial feeds, community sharing, and human contacts
- The Admiralty Code provides a standardized system for evaluating source reliability (A-F) and information credibility (1-6) independently
- Collection gap analysis identifies where current sources cannot answer intelligence requirements and drives resource acquisition decisions
- Collection overload is a real risk — collect only what supports active requirements, automate processing, and regularly cull low-value feeds
Practical Exercise
Build a collection management inventory for your current (or fictional) CTI program:
- Inventory your sources: List every intelligence source you currently use (feeds, tools, communities, manual research, internal logs)
- Categorize each source: Internal, OSINT, Commercial, Community, or HUMINT
- Rate each source using the Admiralty Code reliability scale (A-F) based on your experience
- Map sources to PIRs: For each PIR or EEI in your framework, identify which sources contribute to answering it
- Identify gaps: Which PIRs/EEIs have no source coverage? Which have only one source?
- Propose solutions: For the top 3 gaps, recommend a specific source or capability that could close the gap, including estimated cost (free, low, medium, high)
Further Reading
- Clark, R. M. (2019). Intelligence Analysis: A Target-Centric Approach (6th ed.). CQ Press. (Chapter on collection management and the collection process)
- NATO. STANAG 2022: Intelligence Reports. (Defines the Admiralty Code / NATO Evaluation System)
- Phythian, M. (2013). Understanding the Intelligence Cycle. Routledge. (Academic treatment of collection within the intelligence cycle)
- CISA Automated Indicator Sharing (AIS): https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/automated-indicator-sharing-ais