Opening Framing
Every day, security teams drown in data. Alerts flood dashboards, threat feeds deliver millions of indicators, and news reports breathlessly announce the latest breach. Yet despite this avalanche of information, organizations are still surprised by attacks. The problem isn't lack of data—it's lack of intelligence.
Threat intelligence transforms raw data into actionable knowledge. It answers the questions defenders need: Who is targeting us? What techniques do they use? Where should we focus our limited resources? Intelligence isn't just knowing that an IP address is malicious—it's understanding which adversary uses it, what campaign it's part of, what they're after, and how to detect and stop them.
This week introduces the fundamentals of threat intelligence: what it is, why it matters, and how it differs from raw security data. You'll learn the intelligence hierarchy, understand different intelligence types, and see how intelligence drives better security decisions across an organization.
Key insight: Data tells you what happened. Intelligence tells you what it means and what to do about it.
1) What is Threat Intelligence?
Threat intelligence is evidence-based knowledge about threats that enables informed decisions. Understanding this definition requires examining each component:
Threat Intelligence Definition:
"Evidence-based knowledge, including context, mechanisms,
indicators, implications, and actionable advice, about an
existing or emerging menace or hazard to assets that can
be used to inform decisions regarding the subject's
response to that menace or hazard."
— Gartner
Breaking Down the Definition:
┌─────────────────────────────────────────────────────────────┐
│ EVIDENCE-BASED │
│ - Grounded in observable facts │
│ - Not speculation or hype │
│ - Verifiable and attributable │
├─────────────────────────────────────────────────────────────┤
│ KNOWLEDGE (not just data) │
│ - Analyzed and contextualized │
│ - Connected to broader understanding │
│ - Interpreted for meaning │
├─────────────────────────────────────────────────────────────┤
│ CONTEXT │
│ - Who is the adversary? │
│ - Why are they doing this? │
│ - What is their capability? │
├─────────────────────────────────────────────────────────────┤
│ ACTIONABLE │
│ - Enables specific decisions │
│ - Drives defensive actions │
│ - Prioritizes resource allocation │
└─────────────────────────────────────────────────────────────┘
Data vs. Information vs. Intelligence:
The Intelligence Hierarchy:
DATA (Raw facts):
"IP 10.0.0.50 connected to port 443"
- No context
- No meaning
- Just an observation
INFORMATION (Organized data):
"IP 10.0.0.50 is on a blocklist and connected to
our web server 47 times yesterday"
- Some context added
- Pattern recognized
- Still limited meaning
INTELLIGENCE (Analyzed information):
"IP 10.0.0.50 is a known Cobalt Strike C2 server
operated by APT29. The connection pattern matches
their standard beacon configuration. They typically
target organizations in our sector for intellectual
property theft. Our current detections would not
identify their lateral movement techniques."
- Full context
- Adversary attribution
- Capability assessment
- Defensive gap identified
- Actionable insight
The Transformation:
Data → (Collection) → Information → (Analysis) → Intelligence → Decision/Action
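The hierarchy above, as an added example that is not part of the course text: the same observation is lifted from data to information to intelligence depending on what context the analysis step can join to it. All inputs (flow records, blocklist, actor context, detection coverage) are constructed sample values.

```python
"""Added example (not from the course text): walking one observation up the
Data -> Information -> Intelligence hierarchy described above.

Everything below is constructed sample data: the flow records, the blocklist
and the actor context are illustrative, not real indicators."""
from collections import Counter
from dataclasses import dataclass, field

# DATA: raw flow records as a sensor would emit them (constructed).
FLOWS = [
    {"src": "10.0.0.50", "dst": "192.0.2.10", "dport": 443},
    {"src": "10.0.0.50", "dst": "192.0.2.10", "dport": 443},
    {"src": "10.0.0.50", "dst": "192.0.2.10", "dport": 443},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 443},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "dport": 443},
]

# Context that lifts an observation to INFORMATION (a blocklist hit) ...
BLOCKLIST = {"10.0.0.50", "203.0.113.9"}

# ... and to INTELLIGENCE (who operates it, what for, which TTPs follow).
ACTOR_CONTEXT = {
    "10.0.0.50": {
        "actor": "APT29",
        "role": "Cobalt Strike C2 server",
        "targets": "organizations in our sector for IP theft",
        "ttps": {"T1071.001", "T1021"},  # beaconing, lateral movement (constructed)
    },
}

# Techniques our current detection rules cover (constructed).
DETECTION_COVERAGE = {"T1071.001"}


@dataclass
class Assessment:
    level: str                 # "data", "information" or "intelligence"
    summary: str
    gaps: list = field(default_factory=list)  # TTPs we would not detect


def count_connections(flows):
    """Collection: aggregate raw records into a per-source count."""
    return Counter(f["src"] for f in flows)


def assess(ip, flows, blocklist=BLOCKLIST, context=ACTOR_CONTEXT,
           coverage=DETECTION_COVERAGE):
    """Analysis: return the richest assessment the available context supports.
    No blocklist hit -> data only; a hit -> information; actor context ->
    intelligence, including the defensive gap the text's example calls out."""
    hits = count_connections(flows)[ip]
    if ip not in blocklist:
        return Assessment("data", f"{ip} connected to port 443 {hits} time(s)")
    ctx = context.get(ip)
    if ctx is None:
        return Assessment(
            "information",
            f"{ip} is on a blocklist and connected to our web server {hits} time(s)")
    gaps = sorted(ctx["ttps"] - coverage)
    summary = (f"{ip} is a {ctx['role']} operated by {ctx['actor']}; "
               f"{hits} connections match their beacon pattern; they target "
               f"{ctx['targets']}; undetected follow-on TTPs: "
               f"{', '.join(gaps) or 'none'}")
    return Assessment("intelligence", summary, gaps)
```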
Why Threat Intelligence Matters:
Without Intelligence:
- React to every alert equally
- No prioritization of threats
- Defenders always behind attackers
- Security spending unfocused
- Same attacks succeed repeatedly
With Intelligence:
- Focus on relevant threats
- Prioritize by actual risk
- Proactive defensive posture
- Targeted security investments
- Learn from industry incidents
Business Value:
┌─────────────────────────────────────────────────────────────┐
│ Benefit │ Example │
├────────────────────────┼────────────────────────────────────┤
│ Faster detection │ Know what to look for │
│ Reduced false positives│ Context eliminates noise │
│ Better prioritization │ Focus on real threats │
│ Proactive defense │ Patch before exploitation │
│ Informed decisions │ Board-level risk communication │
│ Efficient spending │ Invest where threats exist │
└────────────────────────┴────────────────────────────────────┘
Key insight: Intelligence is not a product you buy—it's a capability you build. Threat feeds provide data; your analysis creates intelligence.
2) Types of Threat Intelligence
Threat intelligence serves different purposes depending on its scope, audience, and timeframe:
Intelligence Types by Level:
┌─────────────────────────────────────────────────────────────┐
│ STRATEGIC INTELLIGENCE │
│ │
│ Audience: Executives, board, senior leadership │
│ Timeframe: Months to years │
│ Format: Reports, briefings, assessments │
│ │
│ Questions Answered: │
│ - What threat actors target our industry? │
│ - How is the threat landscape evolving? │
│ - What risks require board-level attention? │
│ - Where should we invest in security? │
│ │
│ Example: "State-sponsored actors are increasingly │
│ targeting the financial sector for economic espionage. │
│ Our current security posture has gaps in detecting │
│ supply chain compromises." │
├─────────────────────────────────────────────────────────────┤
│ OPERATIONAL INTELLIGENCE │
│ │
│ Audience: Security managers, IR teams, threat hunters │
│ Timeframe: Days to months │
│ Format: Campaign reports, adversary profiles │
│ │
│ Questions Answered: │
│ - Who is behind this campaign? │
│ - What are their TTPs? │
│ - What is their operational infrastructure? │
│ - How do similar attacks progress? │
│ │
│ Example: "APT29 is conducting a phishing campaign │
│ targeting COVID-19 vaccine research. They use │
│ WellMess malware delivered via spearphishing." │
├─────────────────────────────────────────────────────────────┤
│ TACTICAL INTELLIGENCE │
│ │
│ Audience: SOC analysts, detection engineers │
│ Timeframe: Hours to days │
│ Format: IOCs, detection rules, technical indicators │
│ │
│ Questions Answered: │
│ - What IPs/domains should we block? │
│ - What signatures should we deploy? │
│ - What artifacts indicate compromise? │
│ - How do we detect this specific technique? │
│ │
│ Example: "Block IP 10.0.0.50 (C2), hash SHA256:abc123 │
│ (WellMess dropper), domain update.healthcare-ede.com" │
└─────────────────────────────────────────────────────────────┘
Intelligence Consumers:
Matching Intelligence to Consumer:
┌────────────────────┬────────────────────┬───────────────────┐
│ Consumer │ Needs │ Intelligence Type │
├────────────────────┼────────────────────┼───────────────────┤
│ CEO/Board │ Risk context │ Strategic │
│ CISO │ Program direction │ Strategic/Oper. │
│ Security Manager │ Team priorities │ Operational │
│ Threat Hunter │ Hunt hypotheses │ Operational/Tact. │
│ IR Team │ Investigation leads│ Operational/Tact. │
│ SOC Analyst │ Detection/triage │ Tactical │
│ Detection Engineer │ Rule development │ Tactical │
│ Vuln Management │ Patch priority │ Tactical/Oper. │
└────────────────────┴────────────────────┴───────────────────┘
Common Mistake:
Giving tactical IOCs to executives ("Here are 500 malicious IPs")
Giving strategic assessments to SOC analysts ("APT groups are evolving")
Both are useless without matching the format to the consumer.
Technical vs. Non-Technical Intelligence:
Technical Intelligence:
- IP addresses, domains, URLs
- File hashes (MD5, SHA256)
- YARA rules
- Sigma detection rules
- Malware configurations
- Network signatures
- Exploit details
Non-Technical Intelligence:
- Adversary motivations
- Geopolitical context
- Industry targeting trends
- Attack likelihood assessments
- Risk prioritization
- Capability assessments
- Intent analysis
Complete Intelligence Requires Both:
"This IP (technical) is used by a financially-motivated
cybercrime group (non-technical) that targets retail
organizations (non-technical) using point-of-sale malware
with these characteristics (technical) typically during
holiday shopping seasons (non-technical)."
Key insight: The most valuable intelligence combines technical precision with contextual understanding. Neither alone is sufficient.
3) The Intelligence-Driven Security Model
Intelligence-driven security integrates threat intelligence into all security functions, moving from reactive to proactive defense:
Traditional vs. Intelligence-Driven Security:
TRADITIONAL (Reactive):
┌─────────────────────────────────────────────────────────────┐
│ Attack → Detection → Response → Recovery → Lessons Learned │
│ │
│ - Wait for attacks to happen │
│ - Respond to what we find │
│ - Hope our defenses work │
│ - Learn after damage is done │
└─────────────────────────────────────────────────────────────┘
INTELLIGENCE-DRIVEN (Proactive):
┌─────────────────────────────────────────────────────────────┐
│ Intelligence → Preparation → Detection → Response → Intel │
│ └──── findings from each incident feed back into Intelligence ────┘ │
│ │
│ - Understand threats before attacks │
│ - Prepare defenses for likely adversaries │
│ - Detect based on known TTPs │
│ - Respond with adversary context │
│ - Feed findings back to intelligence │
└─────────────────────────────────────────────────────────────┘
Intelligence Integration Points:
Where Intelligence Enhances Security:
SECURITY OPERATIONS:
┌─────────────────────────────────────────────────────────────┐
│ Function │ Intelligence Application │
├───────────────────────┼─────────────────────────────────────┤
│ Alert Triage │ Prioritize by threat actor relevance│
│ Detection Engineering │ Build rules for known TTPs │
│ Threat Hunting │ Hypothesis-driven searches │
│ Incident Response │ Adversary playbooks │
└───────────────────────┴─────────────────────────────────────┘
VULNERABILITY MANAGEMENT:
┌─────────────────────────────────────────────────────────────┐
│ Function │ Intelligence Application │
├───────────────────────┼─────────────────────────────────────┤
│ Patch Prioritization │ Focus on exploited vulnerabilities │
│ Risk Assessment │ Consider adversary capability │
│ Remediation Planning │ Timeline based on threat urgency │
└───────────────────────┴─────────────────────────────────────┘
SECURITY ARCHITECTURE:
┌─────────────────────────────────────────────────────────────┐
│ Function │ Intelligence Application │
├───────────────────────┼─────────────────────────────────────┤
│ Control Selection │ Counter relevant techniques │
│ Gap Analysis │ Map defenses to adversary TTPs │
│ Investment Priority │ Address highest-risk gaps │
└───────────────────────┴─────────────────────────────────────┘
RISK MANAGEMENT:
┌─────────────────────────────────────────────────────────────┐
│ Function │ Intelligence Application │
├───────────────────────┼─────────────────────────────────────┤
│ Threat Assessment │ Realistic adversary profiles │
│ Likelihood Estimation │ Evidence-based probability │
│ Board Reporting │ Contextualized risk communication │
└───────────────────────┴─────────────────────────────────────┘
Threat-Informed Defense:
MITRE Threat-Informed Defense:
Concept:
Use knowledge of adversary behavior to drive:
- Defensive priorities
- Detection development
- Security testing
- Tool selection
Components:
1. Cyber Threat Intelligence (know your adversary)
2. Defensive Engagement (test your defenses)
3. Focused Sharing (collaborate with community)
Practical Application:
Step 1: Identify Relevant Threats
"Based on our industry and assets, APT groups X, Y, Z
are likely adversaries"
Step 2: Understand Their TTPs
"These groups commonly use techniques T1566, T1059,
T1055, T1021 from ATT&CK"
Step 3: Assess Current Detection
"We detect T1566 and T1059, but lack visibility
into T1055 and T1021"
Step 4: Prioritize Improvements
"Develop detections for T1055 (process injection)
first due to common use across all three groups"
Step 5: Validate Defenses
"Test detections using adversary emulation that
mimics these specific techniques"
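Steps 1 to 5 above carried out as a small coverage analysis, as an added example that is not part of the course text. The three group names and which techniques each uses are constructed placeholders (the text's "groups X, Y, Z"); the technique IDs and names are the ATT&CK techniques the text cites.

```python
"""Added example (not from the course text): the threat-informed defense
walk-through above, Steps 1-5, as a coverage gap analysis.

Group names and their technique sets are constructed for illustration."""
from collections import Counter

# Steps 1-2: likely adversaries for our sector and the ATT&CK techniques
# each is known to use (constructed mapping).
ADVERSARY_TTPS = {
    "Group X": {"T1566", "T1059", "T1055", "T1021"},
    "Group Y": {"T1566", "T1055", "T1021"},
    "Group Z": {"T1059", "T1055"},
}

TECHNIQUE_NAMES = {
    "T1566": "Phishing",
    "T1059": "Command and Scripting Interpreter",
    "T1055": "Process Injection",
    "T1021": "Remote Services",
}

# Step 3: techniques our current detections cover (constructed).
DETECTED = {"T1566", "T1059"}


def technique_prevalence(adversaries):
    """How many relevant groups use each technique."""
    return Counter(t for ttps in adversaries.values() for t in ttps)


def detection_gaps(adversaries, detected):
    """Step 3: techniques used by relevant groups that nothing detects."""
    used = set().union(*adversaries.values())
    return used - detected


def prioritize_gaps(adversaries, detected):
    """Step 4: undetected techniques ordered by how many groups use them
    (most shared first), then by ID for a stable order."""
    prev = technique_prevalence(adversaries)
    return sorted(((t, prev[t]) for t in detection_gaps(adversaries, detected)),
                  key=lambda item: (-item[1], item[0]))


def coverage_by_group(adversaries, detected):
    """Fraction of each group's known techniques we can currently detect."""
    return {g: len(ttps & detected) / len(ttps) for g, ttps in adversaries.items()}


def emulation_plan(adversaries, detected, names=TECHNIQUE_NAMES):
    """Step 5: one validation test per gap, in priority order, naming the
    groups whose tradecraft the emulated technique represents."""
    return [
        (t, names.get(t, t), sorted(g for g, ttps in adversaries.items() if t in ttps))
        for t, _ in prioritize_gaps(adversaries, detected)
    ]
```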
Key insight: Intelligence should drive action at every level of security operations. If intelligence doesn't change what you do, it's not being used effectively.
4) Intelligence Sources
Threat intelligence comes from various sources, each with different strengths, limitations, and reliability:
Intelligence Source Categories:
INTERNAL SOURCES (Highest Relevance):
┌─────────────────────────────────────────────────────────────┐
│ Source │ Value │
├───────────────────────┼─────────────────────────────────────┤
│ Security logs/SIEM │ What's targeting YOUR environment │
│ Incident data │ What has actually happened │
│ Threat hunting │ Discovered adversary activity │
│ Forensic analysis │ Detailed adversary TTPs │
│ User reports │ Phishing attempts, suspicious events│
└───────────────────────┴─────────────────────────────────────┘
COMMUNITY SOURCES (High Relevance):
┌─────────────────────────────────────────────────────────────┐
│ Source │ Value │
├───────────────────────┼─────────────────────────────────────┤
│ ISACs/ISAOs │ Industry-specific threats │
│ Trusted sharing groups│ Peer organization insights │
│ Government alerts │ National-level threat warnings │
│ Vendor notifications │ Technology-specific threats │
└───────────────────────┴─────────────────────────────────────┘
COMMERCIAL SOURCES (Variable Relevance):
┌─────────────────────────────────────────────────────────────┐
│ Source │ Value │
├───────────────────────┼─────────────────────────────────────┤
│ TI platforms │ Aggregated indicators and context │
│ Vendor research │ Deep adversary analysis │
│ Threat feeds │ Bulk indicators for blocking │
│ Dark web monitoring │ Credential leaks, targeting │
└───────────────────────┴─────────────────────────────────────┘
OPEN SOURCES (Broad Coverage):
┌─────────────────────────────────────────────────────────────┐
│ Source │ Value │
├───────────────────────┼─────────────────────────────────────┤
│ Security blogs │ Technique analysis, research │
│ Malware repositories │ Sample analysis, IOCs │
│ Social media │ Early warnings, researcher findings │
│ Government reports │ Attribution, strategic context │
│ Academic research │ Novel techniques, trends │
└───────────────────────┴─────────────────────────────────────┘
Source Evaluation:
Evaluating Intelligence Sources:
ADMIRALTY SYSTEM (Reliability + Credibility):
Source Reliability:
A - Completely reliable (verified history)
B - Usually reliable (trusted, minor errors)
C - Fairly reliable (some verified reporting)
D - Not usually reliable (history of errors)
E - Unreliable (known problems)
F - Cannot be judged (new source)
Information Credibility:
1 - Confirmed by other sources
2 - Probably true (logical, consistent)
3 - Possibly true (not confirmed)
4 - Doubtful (inconsistent)
5 - Improbable (contradicted)
6 - Cannot be judged (insufficient info)
Example Rating: "B2"
= Usually reliable source, probably true information
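Parsing and acting on Admiralty ratings such as the "B2" above, as an added example that is not part of the course text (it also fits the Intel Source Scoring lab later on this page). The letter and number scales are the ones listed above; the numeric weights and the block/alert/context thresholds are a constructed policy of my own, not part of the Admiralty System.

```python
"""Added example (not from the course text): parsing Admiralty ratings such
as "B2" and turning them into a handling decision for the indicators a
source reports. Weights and thresholds below are a constructed policy."""
import re

RELIABILITY = {
    "A": "Completely reliable", "B": "Usually reliable", "C": "Fairly reliable",
    "D": "Not usually reliable", "E": "Unreliable", "F": "Cannot be judged",
}
CREDIBILITY = {
    1: "Confirmed by other sources", 2: "Probably true", 3: "Possibly true",
    4: "Doubtful", 5: "Improbable", 6: "Cannot be judged",
}

# Constructed weights. F and 6 mean "unknown", so they score low but stay
# distinct from E and 5, which mean "known bad" and score lowest.
REL_WEIGHT = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.3, "E": 0.0, "F": 0.2}
CRED_WEIGHT = {1: 1.0, 2: 0.8, 3: 0.6, 4: 0.3, 5: 0.0, 6: 0.2}

RATING_RE = re.compile(r"^([A-F])([1-6])$")


def parse_rating(text):
    """Split "b2" / " B2 " into ("B", 2); reject anything off the scales."""
    m = RATING_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"not an Admiralty rating: {text!r}")
    return m.group(1), int(m.group(2))


def is_valid_rating(text):
    try:
        parse_rating(text)
        return True
    except ValueError:
        return False


def describe(rating):
    """Expand a rating the way the text does for "B2"."""
    rel, cred = parse_rating(rating)
    return f"{RELIABILITY[rel]} source, {CREDIBILITY[cred].lower()} information"


def confidence(rating):
    """Combined 0..1 score; both halves must be good for a high value."""
    rel, cred = parse_rating(rating)
    return REL_WEIGHT[rel] * CRED_WEIGHT[cred]


def handling(rating):
    """Constructed policy: corroborated indicators from reliable sources may
    be blocked automatically; middling ones raise alerts for analyst review;
    the rest are kept as context and never acted on directly."""
    score = confidence(rating)
    if score >= 0.64:       # A1, A2, B1, B2
        return "block"
    if score >= 0.3:        # e.g. B3, C1, C3, A4
        return "alert"
    return "context-only"   # e.g. D2, F6, anything rated E or 5


def rank_sources(ratings):
    """Order {source_name: rating} best first, ties broken by name."""
    return sorted(ratings, key=lambda s: (-confidence(ratings[s]), s))
```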
Questions to Ask:
- Who produced this intelligence?
- What is their track record?
- What is their access to information?
- Is this confirmed by other sources?
- How timely is this information?
- Does this apply to my environment?
Common Intelligence Sources:
Free/Open Sources:
Government:
- CISA Alerts and Advisories (cisa.gov)
- FBI Flash Reports
- NSA Cybersecurity Advisories
- UK NCSC Reports
- ASD ACSC Alerts (Australia)
Vendor Research:
- Mandiant (Google) Blog
- Microsoft Security Blog
- CrowdStrike Blog
- Recorded Future Blog
- Cisco Talos
Community:
- AlienVault OTX
- Abuse.ch (URLhaus, MalwareBazaar)
- VirusTotal
- MISP communities
- Twitter/X security research
Aggregators:
- The DFIR Report
- This Week in 4n6
- SANS ISC Diary
- BleepingComputer
Commercial Platforms:
- Recorded Future
- Mandiant Advantage
- CrowdStrike Falcon X
- Anomali ThreatStream
- ThreatConnect
- Intel 471
Key insight: No single source provides complete intelligence. Effective programs combine internal observations with external context from multiple sources.
5) Intelligence Program Foundations
Building an effective threat intelligence capability requires clear objectives, defined processes, and organizational support:
Intelligence Program Maturity Levels:
LEVEL 0 - None:
- No dedicated intelligence function
- Reactive security only
- Ad-hoc threat feed consumption
LEVEL 1 - Basic:
- Consume external threat feeds
- Basic IOC blocking
- Limited analysis capability
- Intelligence treated as an IT function
LEVEL 2 - Developing:
- Dedicated analyst(s)
- Multiple source aggregation
- Basic reporting to stakeholders
- Some integration with operations
LEVEL 3 - Defined:
- Formal intelligence team
- Defined requirements process
- Regular intelligence products
- Integration across security functions
- Threat hunting program
LEVEL 4 - Managed:
- Intelligence-driven operations
- Adversary tracking programs
- Proactive threat research
- Community contribution
- Measurable business value
LEVEL 5 - Optimizing:
- Industry-leading capability
- Original research publication
- Government/peer collaboration
- Continuous improvement culture
Starting a Program:
Minimum Viable Intelligence Program:
Essential Elements:
1. Clear Requirements
- What decisions need intelligence support?
- Who are the consumers?
- What threats are relevant?
2. Source Access
- SIEM/internal logs (primary)
- Free external sources (CISA, OTX, etc.)
- Industry sharing group (ISAC)
3. Analysis Capability
- At least one trained analyst
- Basic analysis tools
- Documentation system
4. Distribution Mechanism
- Regular reporting cadence
- Appropriate formats for consumers
- Feedback collection
5. Operational Integration
- IOC operationalization
- Detection rule deployment
- Hunt hypothesis development
Starting Resources:
- 1-2 analysts (may be a part-time role)
- TIP platform (open source: OpenCTI, MISP)
- Subscription to key sources
- Access to internal data
- Executive sponsorship
Measuring Intelligence Value:
Intelligence Program Metrics:
Activity Metrics (Output):
- Reports produced
- Indicators shared
- Requests fulfilled
- Hunts conducted
Quality Metrics (Effectiveness):
- Accuracy of assessments
- Timeliness of warnings
- Consumer satisfaction
- Detection rate improvement
Business Metrics (Value):
- Incidents prevented/detected earlier
- Response time reduction
- False positive reduction
- Cost avoidance
Example Measurement:
"Intelligence-driven detections identified 3 attacks
that would have been missed by signature-based tools,
preventing an estimated $2M in potential damage and
reducing mean time to detect by 72%."
Challenges:
- Proving negatives (attacks prevented)
- Attribution of detection to intelligence
- Quantifying context value
- Long-term vs. short-term metrics
Key insight: Start small and demonstrate value before expanding. One analyst delivering actionable intelligence is worth more than a large team drowning in data.
Real-World Context
Case Study: SolarWinds Supply Chain Attack
The SolarWinds attack (2020) demonstrated intelligence value at multiple levels: Tactical intelligence identified specific IOCs (SUNBURST malware hashes, C2 domains using the .avsvmcloud.com pattern), enabling immediate blocking. Operational intelligence revealed the attack chain—compromised build system, trojanized update, delayed execution, sophisticated C2—enabling hunt teams to find affected systems. Strategic intelligence connected the campaign to Russian intelligence services (APT29/Cozy Bear), supplied geopolitical context, and shaped long-term supply chain security investments. Organizations with mature intelligence programs detected and responded faster than those relying solely on vendor notifications.
Case Study: Ransomware Intelligence
A healthcare organization subscribed to an industry ISAC and monitored ransomware trends. Intelligence indicated that the Ryuk ransomware group was actively targeting hospitals during COVID-19. The intelligence included: TTPs (Emotet → TrickBot → Ryuk chain), timing patterns (attacks on weekends), and initial access methods (phishing with document macros). Armed with this intelligence, the organization enhanced email filtering, deployed specific detections for the attack chain, and increased monitoring during weekends. When a phishing email matching the pattern arrived, it was detected and blocked before execution—an attack prevented by intelligence.
Intelligence Impact Framework:
Levels of Intelligence Impact:
BLOCKING (Immediate):
- Deploy IOCs to firewalls/EDR
- Block known malicious indicators
- Immediate, measurable impact
DETECTING (Short-term):
- Develop detection rules from TTPs
- Hunt for adversary techniques
- Improve detection coverage
UNDERSTANDING (Medium-term):
- Profile adversary behavior
- Anticipate likely attacks
- Prepare response playbooks
STRATEGIZING (Long-term):
- Shape security investments
- Inform risk assessments
- Guide architecture decisions
Most Valuable Intelligence:
- Changes behavior or decisions
- Prevents or detects attacks
- Saves resources or reduces risk
- Enables proactive action
Intelligence value is measured in decisions enabled and outcomes improved—not in reports produced or indicators collected.
Guided Lab: Intelligence Source Evaluation
In this lab, you'll explore threat intelligence sources, evaluate their utility, and practice distinguishing data from actionable intelligence.
Lab Environment:
- Web browser with access to public intelligence sources
- Sample threat report (provided or from CISA)
- Spreadsheet for source evaluation
Exercise Steps:
- Access three different threat intelligence sources (e.g., CISA, OTX, vendor blog)
- Find a recent threat report or advisory from each
- Identify what intelligence type each provides (tactical/operational/strategic)
- Extract specific IOCs and contextual information
- Evaluate each source using the Admiralty System
- Determine how the intelligence could be used operationally
- Document gaps in the intelligence provided
Reflection Questions:
- Which source provided the most actionable intelligence?
- What additional context would improve the intelligence?
- How would you validate the accuracy of this intelligence?
Week Outcome Check
By the end of this week, you should be able to:
- Define threat intelligence and distinguish it from raw data
- Explain the intelligence hierarchy (data → information → intelligence)
- Identify strategic, operational, and tactical intelligence types
- Describe how intelligence integrates with security operations
- Evaluate intelligence sources using structured criteria
- Explain the components of a threat intelligence program
- Articulate the business value of threat intelligence
- Match intelligence products to appropriate consumers
📚 Building on Prior Knowledge
Connect this week to foundational concepts you've already learned:
- CSY101 Week 13 (Threat Modeling): Use STRIDE to frame actor goals and likely TTPs.
- CSY101 Week 01 (Risk Communication): Translate intelligence into business impact for stakeholders.
- CSY104 Week 11 (CVSS/EPSS): Prioritize indicators by likely impact and exploitability.
- CSY204 (SOC Operations): Feed intel into detection, triage, and response workflows.
🎯 Hands-On Labs (Free & Essential)
Practice turning data into actionable intelligence before moving to reading resources.
🎮 TryHackMe: Threat Intel
What you'll do: Work through threat intelligence fundamentals and IOC handling.
Why it matters: Establishes baseline terminology and workflow.
Time estimate: 1.5-2 hours
🛰️ AlienVault OTX: Threat Pulse Review
What you'll do: Review a pulse, extract IOCs, and summarize impact.
Why it matters: OTX is a common open intel source in real SOCs.
Time estimate: 60-90 minutes
📝 Lab Exercise: Intel Source Scoring
Task: Score three intel sources using the Admiralty System (A-F, 1-6).
Deliverable: Source table with confidence ratings and use cases.
Why it matters: Credibility assessment prevents bad decisions.
Time estimate: 60-90 minutes
🧩 Lab: Supply Chain Incident Snapshot
What you'll do: Summarize a supply chain breach (SolarWinds, 3CX, or MOVEit).
Deliverable: One-page brief with timeline, impacted parties, and intel gaps.
Why it matters: Supply chain incidents reshape risk priorities fast.
Time estimate: 60-90 minutes
💡 Lab Tip: Always separate indicator validity from source credibility in your notes.
🧩 Supply Chain Threat Intelligence
Modern attackers target vendors, build systems, and dependencies. Threat intel must track third-party risk as a first-class concern.
Supply chain intel focus:
- Vendor exposure and dependency mapping
- Compromise of build systems and CI/CD
- Malicious updates and signed packages
- Third-party access abuse
📚 Building on CSY101 Week 14: Link supplier risk to CIS Controls and ISO 27001 requirements.
Resources
Lab
Complete the following lab exercises to practice fundamental threat intelligence concepts.