Threat Intelligence
8 Questions

Understanding cyber threats, threat actors, and intelligence-driven defense strategies.
What is threat intelligence and why is it important?
Threat intelligence is the collection, analysis, and dissemination of information about potential or current attacks that threaten an organization. It transforms raw data about threats into actionable insights that security teams can use to make informed decisions. Effective threat intelligence helps organizations move from reactive to proactive security postures, enabling them to anticipate and prevent attacks rather than simply responding to them. It encompasses understanding threat actors, their motivations, capabilities, and tactics, techniques, and procedures (TTPs).
What are the different types of threat intelligence?
Threat intelligence is typically categorized into four types: Strategic intelligence provides high-level analysis for executives and board members, focusing on trends and risks that affect business decisions. Tactical intelligence focuses on threat actor TTPs and is used by security architects and defenders. Operational intelligence provides details about specific attacks or campaigns, including timing and targets. Technical intelligence includes specific indicators of compromise (IOCs) like malware hashes, malicious IP addresses, and domain names used by attackers.
How do organizations build an effective threat intelligence program?
Building an effective threat intelligence program requires several key steps: First, define clear intelligence requirements aligned with business objectives and risk profile. Second, establish collection capabilities from diverse sources including open-source intelligence (OSINT), commercial feeds, information sharing communities (ISACs), and internal telemetry. Third, develop analysis capabilities with skilled analysts who can contextualize data. Fourth, create processes for disseminating intelligence to appropriate stakeholders in actionable formats. Finally, measure effectiveness through metrics like mean time to detect (MTTD) and mean time to respond (MTTR).
How do you assess the credibility and relevance of threat intelligence?
Assessing threat intelligence quality involves evaluating several factors: Source reliability considers the track record and access level of the information source. Information credibility examines how the data was collected and corroborated. Relevance determines if the intelligence applies to your organization's technology stack, industry, and geography. Timeliness assesses whether the intelligence is current enough to be actionable. Many organizations use frameworks like the Admiralty Code or Traffic Light Protocol (TLP) to standardize these assessments.
What are Indicators of Compromise (IOCs) and how are they used?
Indicators of Compromise (IOCs) are forensic artifacts that indicate a potential intrusion or malicious activity. Common IOCs include file hashes (MD5, SHA-256), IP addresses, domain names, URLs, email addresses, registry keys, and file paths. Security teams use IOCs to detect threats by integrating them into security tools like SIEMs, firewalls, and endpoint detection systems. However, IOCs have limitations: sophisticated attackers frequently change their infrastructure, making IOCs ephemeral. This is why behavioral detection and TTP-based hunting are increasingly important.
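The two answers above on rating intelligence (Admiralty Code, TLP, timeliness) and on loading IOCs into detection tooling can be combined into a small triage step. This is an added example, not code from the page or its author: the feed entries, the grades assigned to them, the proxy log lines and the TLP policy in `allowed_tlp` are all constructed assumptions.

```python
"""Triage a constructed IOC feed using Admiralty Code grades, TLP markings and
indicator age, then match the surviving indicators against sample proxy log
lines.  Added example; the feed, grades and log lines are all constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

@dataclass
class Ioc:
    value: str          # hash, IP address or domain
    reliability: str    # Admiralty source reliability: A (reliable) .. F (cannot be judged)
    credibility: int    # Admiralty information credibility: 1 (confirmed) .. 6 (cannot be judged)
    tlp: str            # Traffic Light Protocol marking: RED, AMBER, GREEN or CLEAR
    last_seen: datetime

def is_actionable(ioc, now, max_age_days=30, allowed_tlp=("AMBER", "GREEN", "CLEAR")):
    """Keep indicators that come from a usually-reliable source (A-C), are at
    least 'possibly true' (1-3), are fresh, and carry a TLP marking the receiving
    tool is allowed to hold (allowed_tlp is a local policy assumption)."""
    fresh = now - ioc.last_seen <= timedelta(days=max_age_days)
    return ioc.reliability in "ABC" and ioc.credibility <= 3 and fresh and ioc.tlp in allowed_tlp

def match_logs(iocs, log_lines):
    """Return (line_number, ioc_value) for each log line containing an indicator;
    the boundary guards stop 198.51.100.7 from matching inside 198.51.100.70."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for ioc in iocs:
            if re.search(r"(?<![\w.])" + re.escape(ioc.value) + r"(?![\w.])", line):
                hits.append((lineno, ioc.value))
    return hits

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FEED = [  # constructed sample feed
    Ioc("evil-cdn.example", "B", 2, "GREEN", NOW - timedelta(days=3)),
    Ioc("198.51.100.7", "A", 1, "AMBER", NOW - timedelta(days=10)),
    Ioc("203.0.113.9", "F", 6, "GREEN", NOW - timedelta(days=1)),         # unrated source
    Ioc("old-c2.example", "A", 1, "GREEN", NOW - timedelta(days=120)),   # stale
    Ioc("198.51.100.70", "A", 1, "RED", NOW - timedelta(days=2)),         # TLP:RED
]
LOGS = [  # constructed proxy log lines
    "2024-06-01T08:00:01Z src=10.0.0.5 dst=198.51.100.70 host=cdn.example GET /",
    "2024-06-01T08:00:02Z src=10.0.0.6 dst=198.51.100.7 host=evil-cdn.example GET /x",
    "2024-06-01T08:00:03Z src=10.0.0.7 dst=203.0.113.9 host=old-c2.example GET /",
]

def triage_and_match(feed=FEED, logs=LOGS, now=NOW):
    actionable = [i for i in feed if is_actionable(i, now)]
    return [i.value for i in actionable], match_logs(actionable, logs)
```

Only the two well-rated, fresh, shareable indicators survive triage, and only the second log line fires; the stale and unrated entries never reach the matcher, which is the ageing and vetting the answers above call for.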
What is the difference between threat hunting and threat intelligence?
While closely related, threat hunting and threat intelligence serve different purposes. Threat intelligence is about gathering and analyzing information about threats to inform defensive decisions. Threat hunting is the proactive process of searching through networks and systems to detect and isolate advanced threats that evade existing security solutions. Think of threat intelligence as providing the "what to look for," while threat hunting is the "actively looking for it." Effective threat hunting leverages threat intelligence to form hypotheses and guide investigations.
What is the MITRE ATT&CK framework?
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It provides a common taxonomy for describing attacker behaviors across the attack lifecycle, from initial access through exfiltration and impact. Security teams use ATT&CK to understand threat actor behaviors, assess security coverage gaps, prioritize defensive investments, and communicate about threats consistently. The framework covers Enterprise, Mobile, and ICS (Industrial Control Systems) matrices.
How do threat actors typically gain initial access to organizations?
Initial access vectors vary by threat actor sophistication and target. Common methods include phishing emails with malicious attachments or links, exploitation of public-facing applications and vulnerabilities, compromised credentials from data breaches or password spraying, supply chain compromises through trusted vendors or software, and physical access attacks. Advanced persistent threat (APT) groups often combine multiple techniques. Understanding which initial access vectors are most likely based on your organization's profile helps prioritize defenses.
Need More Detailed Guidance?
Get personalized cybersecurity advice from an expert with 25+ years of experience.
Contact Bob Carver