Threat Intelligence
Last updated: 2026-03-01
What Is Threat Intelligence
Threat intelligence refers to insights derived from collecting and analyzing information about cyber threats and processing it into a form that supports organizational decision-making. It is not merely an accumulation of threat data, but actionable information with context that answers "what threatens our organization and how should we respond."
Threat intelligence is classified into three levels. Strategic intelligence is for executives, presenting the overall threat landscape and risk trends. Tactical intelligence is for security managers, analyzing attacker TTPs (Tactics, Techniques, and Procedures). Operational intelligence is for SOC operators, providing concrete detection indicators (IoCs, Indicators of Compromise) such as IP addresses, domains, and file hashes.
By leveraging threat intelligence as part of incident response preparation, you can strengthen your defenses before an attack occurs.
Collection Sources and Analysis Frameworks
Threat intelligence sources are broadly categorized into four types: open-source information (OSINT), commercial feeds, industry-shared information, and internal data.
OSINT (Open Source Intelligence): Publicly available sources such as CVE databases, security vendor blogs, malware analysis reports, and threat information on social media. Free to use, but reliability assessment is required.
Commercial Threat Intelligence Feeds: Paid threat information services provided by security vendors. These include automated IoC delivery, attacker profiles, and industry-specific threat reports.
Industry-Shared Information: Threat information shared with peers through ISACs (Information Sharing and Analysis Centers) and CSIRT communities. Automated sharing in STIX/TAXII format has been standardized.
MITRE ATT&CK is widely used as an analysis framework. ATT&CK is a knowledge base that systematically classifies attacker tactics and techniques, and can be used for gap analysis of your organization's defensive coverage and for designing SIEM detection rules.
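The gap analysis described above can be run mechanically once your SIEM rules carry ATT&CK technique tags. The following is an added example (not code from the original page or from MITRE): the technique IDs are real ATT&CK IDs, but the technique subset, the rule inventory, the `COLLECTED_SOURCES` set and the simplified per-technique log-source column are constructed for illustration. It goes one step beyond "is there a rule": a rule whose log source is not onboarded can never fire, so it is counted as a gap rather than as coverage.

```python
"""ATT&CK detection-coverage gap analysis over a SIEM rule inventory (added example)."""
from collections import defaultdict

# Technique ID -> (tactic, name, log source a detection needs). Technique IDs are
# real ATT&CK IDs; the log-source column is this example's simplification of
# ATT&CK's data components.
TECHNIQUES = {
    "T1566.001": ("Initial Access", "Spearphishing Attachment", "email_gateway"),
    "T1059.001": ("Execution", "PowerShell", "process_creation"),
    "T1003.001": ("Credential Access", "LSASS Memory", "process_access"),
    "T1021.001": ("Lateral Movement", "Remote Desktop Protocol", "logon_events"),
    "T1071.001": ("Command and Control", "Web Protocols", "proxy"),
    "T1486": ("Impact", "Data Encrypted for Impact", "file_activity"),
}

# Constructed SIEM rule inventory, the shape a rule repository export has
# (Sigma rules carry the same fields: tags, logsource, status).
RULES = [
    {"name": "Encoded PowerShell command line", "techniques": ["T1059.001"],
     "logsource": "process_creation", "enabled": True},
    {"name": "Inbound attachment with macro", "techniques": ["T1566.001"],
     "logsource": "email_gateway", "enabled": True},
    {"name": "LSASS handle from unsigned process", "techniques": ["T1003.001"],
     "logsource": "process_access", "enabled": True},
    {"name": "Mass file rename burst", "techniques": ["T1486"],
     "logsource": "file_activity", "enabled": False},  # disabled after false positives
]

# Log sources actually onboarded to the SIEM (constructed).
COLLECTED_SOURCES = {"process_creation", "email_gateway", "proxy", "logon_events"}


def coverage_report(techniques, rules, collected):
    """Classify each technique: covered only if an enabled rule exists AND its
    log source is collected; a rule without data never fires and is a gap."""
    rules_for = defaultdict(list)
    for rule in rules:
        if not rule["enabled"]:
            continue
        for tid in rule["techniques"]:
            rules_for[tid].append(rule)

    report = {"covered": [], "rule_without_data": [],
              "gap_data_available": [], "gap_no_data": []}
    per_tactic = defaultdict(lambda: [0, 0])  # tactic -> [covered, total]
    for tid, (tactic, _name, source) in techniques.items():
        per_tactic[tactic][1] += 1
        live_rules = [r for r in rules_for[tid] if r["logsource"] in collected]
        if live_rules:
            report["covered"].append(tid)
            per_tactic[tactic][0] += 1
        elif rules_for[tid]:
            report["rule_without_data"].append(tid)
        elif source in collected:
            report["gap_data_available"].append(tid)
        else:
            report["gap_no_data"].append(tid)
    report["by_tactic"] = {t: tuple(c) for t, c in per_tactic.items()}
    return report


def next_actions(report, techniques):
    """Cheapest fixes first: onboard data for rules that already exist, then
    write rules where data already flows, then plan new log onboarding."""
    actions = []
    for tid in report["rule_without_data"]:
        actions.append(f"onboard '{techniques[tid][2]}' so the existing rule for {tid} can fire")
    for tid in report["gap_data_available"]:
        actions.append(f"write a detection for {tid} ({techniques[tid][1]}); data is already collected")
    for tid in report["gap_no_data"]:
        actions.append(f"plan '{techniques[tid][2]}' onboarding before covering {tid}")
    return actions


if __name__ == "__main__":
    rep = coverage_report(TECHNIQUES, RULES, COLLECTED_SOURCES)
    for tactic, (cov, total) in rep["by_tactic"].items():
        print(f"{tactic:20s} {cov}/{total}")
    for line in next_actions(rep, TECHNIQUES):
        print("-", line)
```

In the constructed data, the LSASS rule looks like coverage on paper but sits in `rule_without_data` because `process_access` is not collected; the disabled ransomware rule counts as no rule at all.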
Practical Application of Threat Intelligence
Here are practical approaches to ensure threat intelligence is not just collected but actually applied to your organization's defenses.
Automated IoC Application: Automatically apply malicious IP addresses, domains, and file hashes obtained from threat intelligence feeds to firewalls, IDS/IPS, and SIEM. Using STIX-formatted indicators delivered over TAXII, you can automate the entire process from collection to application.
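This is the step between the TAXII poll and the firewall or EDR API, for both the STIX/TAXII sharing mentioned under industry-shared information and the automated application here. The code is an added example, not from the original page or from the OASIS STIX project: it uses only the standard library, the bundle is constructed (a documentation-range address, an `example.net` domain, made-up hashes and object IDs), and the `TARGET_FOR_PATH` mapping of observable types to controls is an assumption you would adapt to your own stack. It handles the cases that bite in practice: expired or not-yet-valid indicators, revoked objects, low confidence, and AND-joined patterns whose parts must not be blocked individually.

```python
"""Expand STIX 2.1 indicators from a feed into per-control blocklist entries (added example)."""
import json
import re
from datetime import datetime, timezone


def _indicator(n, pattern, **extra):
    """Build a minimal STIX 2.1 indicator object for the constructed sample bundle."""
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--00000000-0000-4000-8000-0000000000{n:02x}",
           "created": "2026-01-10T00:00:00.000Z", "modified": "2026-01-10T00:00:00.000Z",
           "pattern_type": "stix", "pattern": pattern,
           "valid_from": "2026-01-10T00:00:00Z", "labels": ["malicious-activity"]}
    obj.update(extra)
    return obj


SHA256_A = "0123456789abcdef" * 4  # made-up hash values
SHA256_B = "fedcba9876543210" * 4

# Constructed bundle, the shape a TAXII collection poll returns.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _indicator(1, "[ipv4-addr:value = '203.0.113.5']",
                   confidence=80, valid_until="2026-06-01T00:00:00Z"),
        # OR pattern: each side is independently blockable. This one expired in 2025.
        _indicator(2, f"[domain-name:value = 'bad.example.net' OR file:hashes.'SHA-256' = '{SHA256_A}']",
                   valid_from="2025-01-01T00:00:00Z", valid_until="2025-03-01T00:00:00Z"),
        _indicator(3, f"[file:hashes.'SHA-256' = '{SHA256_B}']"),
        # AND pattern: blocking on the hash alone would over-block, so it is skipped.
        _indicator(4, "[file:name = 'updater.exe' AND file:hashes.MD5 = '00112233445566778899aabbccddeeff']"),
        {"type": "malware", "spec_version": "2.1", "name": "sample-family",
         "id": "malware--00000000-0000-4000-8000-0000000000f1", "is_family": True},
    ]})

# STIX object path -> the control that consumes that indicator type (assumed mapping).
TARGET_FOR_PATH = {
    "ipv4-addr:value": "firewall",
    "domain-name:value": "dns-rpz",
    "url:value": "proxy",
    "file:hashes.'SHA-256'": "edr",
    "file:hashes.MD5": "edr",
}
COMPARISON_RE = re.compile(
    r"(?P<path>" + "|".join(re.escape(p) for p in TARGET_FOR_PATH) + r")\s*=\s*'(?P<value>[^']+)'")


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_iocs(bundle_json, now=None, min_confidence=50):
    """Return blockable IoCs from indicators that are current, not revoked, confident
    enough, and whose pattern is a single comparison or OR-joined comparisons."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    entries = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix" or " AND " in obj["pattern"]:
            continue
        # A missing confidence is "unspecified" in STIX; this lets it through.
        if obj.get("confidence", min_confidence) < min_confidence:
            continue
        if _ts(obj["valid_from"]) > now:
            continue
        until = obj.get("valid_until")
        if until and _ts(until) <= now:
            continue
        for m in COMPARISON_RE.finditer(obj["pattern"]):
            entries.append({"target": TARGET_FOR_PATH[m["path"]], "value": m["value"],
                            "source_id": obj["id"], "expires": until})
    return entries


def render_blocklists(entries):
    """Group values per control, sorted and de-duplicated so diffs between runs are stable."""
    lists = {}
    for e in entries:
        lists.setdefault(e["target"], set()).add(e["value"])
    return {target: sorted(values) for target, values in sorted(lists.items())}


if __name__ == "__main__":
    print(json.dumps(render_blocklists(extract_iocs(SAMPLE_BUNDLE)), indent=2))
```

Keep `source_id` and `expires` on each entry: the first lets you trace a block back to the indicator that caused it, the second lets a nightly job age entries out instead of letting the blocklist grow forever.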
Threat Hunting: Beyond known IoCs, proactively search for undetected threats in your organization's logs and network traffic based on ATT&CK TTPs. Leverage SIEM query capabilities and EDR hunting features.
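A TTP-driven hunt, as opposed to an IoC match, compares behaviour against a baseline. The following is an added example, not from the original page: the hypothesis is "RDP lateral movement (ATT&CK T1021.001) shows up as source-to-destination pairs that never appeared in the last thirty days", and the log records are constructed. Windows Security event 4624 with logon type 10 (RemoteInteractive) is a real RDP logon signature; the field names (`src_host`, `dst_host`, etc.) are an assumed SIEM export shape, and the off-hours window is an assumed policy value.

```python
"""Baseline-deviation hunt for RDP lateral movement, T1021.001 (added example)."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed thirty-day baseline: admins only ever jump from admin-jump.
BASELINE_LOG = """
{"ts": "2026-01-20T09:05:00", "event_id": 4624, "logon_type": 10, "user": "admin1", "src_host": "admin-jump", "dst_host": "srv-01"}
{"ts": "2026-01-21T10:12:00", "event_id": 4624, "logon_type": 10, "user": "admin2", "src_host": "admin-jump", "dst_host": "srv-02"}
{"ts": "2026-01-22T11:30:00", "event_id": 4624, "logon_type": 3, "user": "svc-backup", "src_host": "bk-01", "dst_host": "srv-01"}
"""
# Constructed hunt window: one workstation fans out to three servers at night.
HUNT_LOG = """
{"ts": "2026-02-28T09:15:00", "event_id": 4624, "logon_type": 10, "user": "admin1", "src_host": "admin-jump", "dst_host": "srv-01"}
{"ts": "2026-02-28T02:13:00", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_host": "ws-042", "dst_host": "srv-01"}
{"ts": "2026-02-28T02:20:00", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_host": "ws-042", "dst_host": "srv-02"}
{"ts": "2026-02-28T02:31:00", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_host": "ws-042", "dst_host": "srv-03"}
{"ts": "2026-02-28T14:00:00", "event_id": 4624, "logon_type": 10, "user": "mlee", "src_host": "ws-017", "dst_host": "srv-05"}
{"ts": "2026-02-28T14:05:00", "event_id": 4625, "logon_type": 10, "user": "mlee", "src_host": "ws-017", "dst_host": "srv-06"}
"""


def parse_log(text):
    """One JSON record per line; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_rdp_logon(event):
    """4624 = successful logon; type 10 = RemoteInteractive (RDP). 4625 failures are excluded."""
    return event["event_id"] == 4624 and event["logon_type"] == 10


def known_rdp_pairs(baseline):
    return {(e["src_host"], e["dst_host"]) for e in baseline if is_rdp_logon(e)}


def _is_off_hours(hour, start, end):
    """Window may wrap midnight, e.g. (22, 6); (0, 6) must not match every hour."""
    return (hour >= start or hour < end) if start > end else (start <= hour < end)


def hunt_new_rdp(baseline, window, off_hours=(22, 6)):
    """Flag RDP logons whose (source, destination) pair is absent from the baseline,
    grouped by source host and ranked by fan-out, then by off-hours count."""
    known = known_rdp_pairs(baseline)
    by_src = defaultdict(lambda: {"dsts": set(), "off_hours": 0, "users": set()})
    for e in window:
        if not is_rdp_logon(e) or (e["src_host"], e["dst_host"]) in known:
            continue
        f = by_src[e["src_host"]]
        f["dsts"].add(e["dst_host"])
        f["users"].add(e["user"])
        if _is_off_hours(datetime.fromisoformat(e["ts"]).hour, *off_hours):
            f["off_hours"] += 1
    findings = [{"src_host": s, "new_destinations": sorted(v["dsts"]),
                 "off_hours": v["off_hours"], "users": sorted(v["users"])}
                for s, v in by_src.items()]
    findings.sort(key=lambda f: (len(f["new_destinations"]), f["off_hours"]), reverse=True)
    return findings


if __name__ == "__main__":
    for finding in hunt_new_rdp(parse_log(BASELINE_LOG), parse_log(HUNT_LOG)):
        print(finding)
```

Ranking by fan-out puts the workstation that reached three new servers at 02:00 at the top, while the single new daytime pair from `ws-017` is a lower-priority lead; both are hunting leads to triage, not alerts, which is the difference between a hunt and a detection rule.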
Integration with Vulnerability Management: Use threat intelligence to identify vulnerabilities that are actively being exploited, and apply this to prioritize patching. By considering actual exploitation status (exploitation in the wild) in addition to CVSS scores, you can focus limited resources on the highest-risk vulnerabilities.
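The point that exploitation evidence should outrank a raw CVSS score is easiest to see as a ranking function. This is an added example, not from the original page: the CVE identifiers are placeholders (not real CVEs), the `exploited` flag stands in for a hit in a known-exploited-vulnerability catalog or a feed's exploitation field, and the tier thresholds and SLA days are assumed policy values.

```python
"""Patch prioritization that combines CVSS with exploitation status (added example)."""

# Constructed scanner findings joined with asset data. IDs are placeholders, not real CVEs.
FINDINGS = [
    {"id": "CVE-0000-0001", "cvss": 9.8, "exploited": False, "internet_facing": False, "assets": 12},
    {"id": "CVE-0000-0002", "cvss": 6.5, "exploited": True, "internet_facing": True, "assets": 3},
    {"id": "CVE-0000-0003", "cvss": 7.5, "exploited": True, "internet_facing": False, "assets": 40},
    {"id": "CVE-0000-0004", "cvss": 9.1, "exploited": False, "internet_facing": True, "assets": 2},
    {"id": "CVE-0000-0005", "cvss": 4.3, "exploited": False, "internet_facing": False, "assets": 200},
]

# Remediation window per tier in days (assumed policy values).
SLA_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}


def tier(finding):
    """Exploitation evidence outranks severity: an exploited medium on an exposed host
    is P1, while an unexploited critical is P2 no matter how high its CVSS."""
    if finding["exploited"] and finding["internet_facing"]:
        return "P1"
    if finding["exploited"] or finding["cvss"] >= 9.0:
        return "P2"
    if finding["cvss"] >= 7.0:
        return "P3"
    return "P4"


def prioritize(findings):
    """Order by tier, then exploited before unexploited, then CVSS, then blast radius."""
    ranked = [{**f, "tier": tier(f), "sla_days": SLA_DAYS[tier(f)]} for f in findings]
    ranked.sort(key=lambda f: (f["tier"], not f["exploited"], -f["cvss"], -f["assets"]))
    return ranked


def due_within(ranked, days):
    """IDs whose SLA falls within the given number of days, e.g. this sprint's patch list."""
    return [f["id"] for f in ranked if f["sla_days"] <= days]


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f['tier']} {f['id']} cvss={f['cvss']} exploited={f['exploited']} "
              f"internet_facing={f['internet_facing']} assets={f['assets']} sla={f['sla_days']}d")
```

With the constructed data, the CVSS 6.5 vulnerability that is exploited on an internet-facing host comes out first, and the CVSS 9.8 vulnerability with no exploitation evidence lands in P2 behind the exploited 7.5, which is exactly the reordering the paragraph argues for.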
Executive Reporting: As strategic intelligence, regularly report to executives on trends of attack groups targeting your industry, attack technique trends, and changes in risk.
Building a Threat Intelligence Program
A phased approach for introducing a threat intelligence program into your organization.
Phase 1: Requirements Definition - Define what constitutes a threat to your organization and what information is needed. Identify threats to prioritize monitoring based on your industry, assets, and past incident history.
Phase 2: Build Collection Infrastructure - Set up information collection channels including OSINT tools, commercial feeds, and industry ISAC membership. Deploy a TIP (Threat Intelligence Platform) to centrally manage information from multiple sources.
Phase 3: Analysis and Distribution - Analyze collected information and extract threats relevant to your organization. Distribute analysis results in formats appropriate for each audience, such as SOC, CSIRT, and executives.
Phase 4: Feedback and Improvement - Evaluate how intelligence has contributed to actual defense and continuously improve collection and analysis processes. Regularly review information sources and analysis methods to address emerging threats such as zero-day attacks.
To learn more about this topic, see Supply Chain Attacks: The New Threat Exploiting Trust.
Common Misconceptions
- Threat intelligence is just a list of IoCs (IP addresses and hash values)
  - IoCs are only one part of threat intelligence. True threat intelligence is contextual insight that analyzes attacker motivations, capabilities, and TTPs, and indicates specific risks and countermeasures for your organization. IoCs alone become useless the moment an attacker changes their methods.
- You need an expensive commercial service to use threat intelligence
  - Useful threat intelligence can be built from OSINT alone (CVE databases, security vendor blogs, MITRE ATT&CK, AlienVault OTX, etc.). Commercial services excel in information coverage and automation, but starting with free sources and gradually expanding is a realistic approach.