# Threat Intelligence

Threat intelligence transforms raw threat data into actionable knowledge across strategic, tactical, operational, and technical levels to inform security decisions.
Threat intelligence is the discipline of converting raw data about adversaries, their methods, and their infrastructure into knowledge that security teams can act on. It exists because defenders operate with incomplete information while attackers choose when, where, and how to strike. Without structured intelligence, security decisions default to reaction: patching after exploitation, detecting after breach, responding after damage. Threat intelligence reverses that posture by giving organizations a fact-based picture of who is likely to attack them, what methods those actors prefer, which assets are most exposed, and what early warning signals precede an attack. The goal is not to collect more data but to produce fewer, better-informed decisions faster than the adversary can adapt.
---
Threat intelligence is the output of a repeatable process that collects, normalizes, analyzes, and disseminates information about cyber threats in a form that is timely, accurate, relevant, and actionable for a specific organization. The formal definition in NIST SP 800-150 describes it as "threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes."
Threat intelligence is not the same as threat data. A list of malicious IP addresses is data. That same list annotated with the threat actor group responsible, their targeting history, the campaign timeline, and the detection rules that catch their tooling is intelligence. The distinction matters operationally: raw data without context creates alert fatigue; intelligence with context enables prioritization.
Threat intelligence is also distinct from vulnerability intelligence (which focuses on software weaknesses rather than adversary behavior), security monitoring (which generates internal telemetry rather than external threat context), and threat hunting (which is an analytical activity that consumes intelligence rather than producing it).
The discipline spans four recognized subtypes: strategic intelligence for executive risk decisions; tactical intelligence covering adversary TTPs mapped to frameworks such as MITRE ATT&CK; operational intelligence covering specific campaigns and actor infrastructure; and technical intelligence consisting of machine-readable indicators of compromise (IOCs) including IP addresses, domains, file hashes, YARA rules, and Sigma rules. Each subtype serves a different consumer and operates on a different time horizon, from strategic assessments updated quarterly to technical IOC feeds refreshed in minutes.
---
Threat intelligence production follows a structured lifecycle. Each phase has defined inputs, outputs, and failure modes. Skipping or shortcutting any phase degrades the quality of the final product.
The lifecycle begins with requirements. The intelligence team, in coordination with stakeholders across security operations, risk management, and the business, defines what questions the program must answer. Example requirements: Which ransomware groups are currently targeting healthcare organizations of our size? Are any threat actors scanning our external attack surface? Has our brand appeared in dark web marketplaces? Requirements must be specific enough to guide collection and concrete enough to judge whether the resulting intelligence actually answers the question. Vague requirements produce vague intelligence.
In the collection phase, analysts gather raw data from sources matched to the requirements. Sources fall into several categories. Open-source intelligence (OSINT) includes publicly available information from security blogs, researcher disclosures, government advisories, and social media. Commercial threat feeds provide curated, high-confidence IOCs and actor profiles from vendors who invest in dedicated collection infrastructure. Information Sharing and Analysis Centers (ISACs) provide sector-specific intelligence shared among peer organizations under trust agreements. Dark web monitoring covers closed forums, ransomware leak sites, and initial access broker marketplaces where adversary activity surfaces before it becomes public. Internal telemetry, including SIEM logs, endpoint detection data, and firewall logs, provides organization-specific signals that external sources cannot see.
Collection quality depends heavily on source diversity and source trust ratings. A program that relies on a single commercial feed has a blind spot everywhere that feed lacks coverage. A program that accepts all external data uncritically will ingest deliberately seeded false indicators, a documented adversary counter-intelligence technique.
Raw collected data arrives in inconsistent formats: CSV files, PDF reports, JSON feeds, email alerts, forum posts. Processing normalizes this data into a structured, queryable format. Platforms such as MISP (Malware Information Sharing Platform) or commercial threat intelligence platforms (TIPs) automate much of this normalization. Processing also applies deduplication, removes expired or revoked indicators, and tags data with source, confidence level, and traffic light protocol (TLP) classification governing how it can be shared.
Analysis is the highest-skill phase and the one most often underfunded. Analysts apply structured analytic techniques to answer the intelligence requirements. They correlate IOCs across campaigns to identify actor infrastructure patterns. They map observed TTPs to MITRE ATT&CK techniques to identify detection gaps. They assess actor intent and capability to estimate likelihood and impact of future attacks. They produce finished intelligence products tailored to their audience: a two-page executive brief for the CISO, a technical bulletin with Sigma rules for the SOC, a campaign report with STIX/TAXII-formatted data for automated ingestion into the SIEM.
Intelligence has no value sitting in an analyst's queue. Dissemination delivers the right product to the right consumer at the right time. Automated dissemination pushes technical IOCs directly into security tools within minutes of validation. Human-delivered briefings cover strategic and operational products on a scheduled cadence or in response to emerging threats.
In the feedback phase, consumers report back on whether the intelligence was accurate, timely, and actionable. This feedback refines the requirements for the next cycle and helps the intelligence team measure program effectiveness.
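As an added illustration of the processing and dissemination phases (example code written for this article, not CDA's or any vendor's tooling), the following Python normalizes two constructed feed excerpts, drops an expired indicator, merges the indicator that two sources both report under the strictest TLP marking they applied, and filters what each consumer may receive by TLP ceiling and confidence. The feed field names, source labels and the numeric confidence scale are assumptions.

```python
import csv
import json
from datetime import datetime, timezone
TLP_RANK = {"clear": 0, "green": 1, "amber": 2, "red": 3}  # merged indicators keep the strictest marking
CONFIDENCE = {"low": 30, "medium": 60, "high": 90}           # vendor wording mapped to one numeric scale
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)              # fixed clock so the run is repeatable
# Constructed excerpts in two of the formats the text names. 198.51.100.23 appears
# in both feeds; the CSV copy of the domain has already expired.
CSV_FEED = """indicator,type,confidence,tlp,expires
198.51.100.23,ipv4,high,amber,2031-01-01
evil-update[.]example,domain,medium,green,2020-01-01
"""
JSON_FEED = json.dumps([
    {"value": "Evil-Update.example", "kind": "domain", "score": 70, "tlp": "TLP:GREEN", "valid_until": "2031-03-01"},
    {"value": "198.51.100.23", "kind": "ipv4", "score": 95, "tlp": "TLP:RED", "valid_until": "2031-01-01"},
])
def normalize_value(kind, value):  # refang and canonicalize so one indicator dedups across feeds
    value = value.strip().replace("[.]", ".")
    return value.lower() if kind in ("domain", "url") else value

def parse_csv_feed(text, source):
    for row in csv.DictReader(text.splitlines()):
        yield {"type": row["type"], "value": normalize_value(row["type"], row["indicator"]),
               "confidence": CONFIDENCE[row["confidence"].lower()], "tlp": row["tlp"].lower(),
               "expires": row["expires"], "source": source}

def parse_json_feed(text, source):
    for item in json.loads(text):
        yield {"type": item["kind"], "value": normalize_value(item["kind"], item["value"]),
               "confidence": int(item["score"]), "tlp": item["tlp"].lower().removeprefix("tlp:"),
               "expires": item["valid_until"], "source": source}

def process(records, now=NOW):  # drop expired indicators, then merge duplicates on (type, value)
    merged = {}
    for r in records:
        if datetime.fromisoformat(r["expires"]).replace(tzinfo=timezone.utc) <= now:
            continue  # expired or revoked: never push stale blocks into tools
        cur = merged.setdefault((r["type"], r["value"]), {"type": r["type"], "value": r["value"],
                                                          "confidence": 0, "tlp": "clear", "sources": []})
        cur["confidence"] = max(cur["confidence"], r["confidence"])
        if TLP_RANK[r["tlp"]] > TLP_RANK[cur["tlp"]]:
            cur["tlp"] = r["tlp"]  # strictest source marking governs onward sharing
        cur["sources"].append(r["source"])
    return merged

def disseminate(merged, audience_tlp, min_confidence):  # what one consumer may receive
    return sorted(v["value"] for v in merged.values()
                  if TLP_RANK[v["tlp"]] <= TLP_RANK[audience_tlp] and v["confidence"] >= min_confidence)
MERGED = process(list(parse_csv_feed(CSV_FEED, "vendor-a")) + list(parse_json_feed(JSON_FEED, "isac-b")))
```

A firewall block list would be fed with `disseminate(MERGED, "red", 80)` (internal use, high confidence only), while a partner share at TLP:GREEN gets `disseminate(MERGED, "green", 0)` and never sees the TLP:RED address.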
Strategic intelligence provides high-level assessments of threat actor capabilities, intentions, and priorities to inform business risk decisions. These products typically span 3-12 month time horizons and answer questions about which threat actors pose the greatest risk to the organization's mission. They inform budget allocation, security strategy, and board-level risk discussions.
Tactical intelligence describes adversary tools, techniques, and procedures mapped to frameworks like MITRE ATT&CK. This intelligence helps security teams understand how an adversary operates and what defensive measures are most likely to detect or prevent their attacks. Tactical products have a 1-6 month shelf life and directly inform detection engineering and threat hunting activities.
Operational intelligence covers active campaigns, infrastructure, and attack timelines. This intelligence helps organizations understand whether they are currently being targeted and what specific indicators to watch for. Operational products are time-sensitive, often with a shelf life measured in days or weeks.
Technical intelligence consists of machine-readable indicators: IP addresses, domain names, file hashes, YARA rules, Sigma detection rules, and Snort signatures. These indicators are consumed directly by security tools to block known-bad activity automatically.
In 2023, multiple organizations in the maritime and engineering sectors received intelligence indicating that APT40, a Chinese state-sponsored group, was actively targeting intellectual property related to underwater technology. Organizations with mature threat intelligence programs responded as follows:
They pulled APT40's known TTPs from MITRE ATT&CK: initial access via spear-phishing (T1566.001), credential access through Mimikatz (T1003.001), and exfiltration through cloud storage (T1567.002). They cross-referenced these TTPs against their detection coverage, identifying gaps in their email security and cloud access monitoring. They deployed updated detection rules covering APT40's preferred web shells and command-and-control traffic patterns. They briefed executives on the specific intellectual property most likely to be targeted and implemented additional access controls on those systems.
The resulting defensive posture was informed by current, specific intelligence about an active threat rather than generic best practices. When APT40 did attempt access through phishing emails containing malicious attachments, the enhanced detection rules triggered alerts that led to rapid containment.
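The cross-referencing step described above, as an added example rather than any of those organizations' actual tooling: the script classifies each listed technique by whether an enabled rule with onboarded telemetry exists, so the gaps in email security and cloud access monitoring fall out as distinct, fixable states. The rule inventory and log-source names are constructed, and T1505.003 (ATT&CK's ID for the web shell technique the text mentions without a number) is an addition here.

```python
# Techniques the case study lists for the actor; T1505.003 is added for the
# web shell tooling the text mentions without an ID.
ACTOR_TTPS = {
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
    "T1567.002": "Exfiltration Over Web Service: Exfiltration to Cloud Storage",
    "T1505.003": "Server Software Component: Web Shell",
}
# Hypothetical rule inventory; data_source names the telemetry each rule depends on.
DETECTIONS = [
    {"id": "sigma-lsass-handle-access", "technique": "T1003.001", "data_source": "edr", "enabled": True},
    {"id": "inbound-macro-attachment", "technique": "T1566.001", "data_source": "email-gateway", "enabled": False},
    {"id": "bulk-upload-cloud-storage", "technique": "T1567.002", "data_source": "proxy", "enabled": True},
]
ONBOARDED_SOURCES = {"edr", "email-gateway"}  # constructed: proxy logs not yet reaching the SIEM

def coverage_report(ttps, detections, onboarded):
    """Classify each actor technique by why it would, or would not, produce an alert."""
    report = {}
    for tid in ttps:
        rules = [d for d in detections if d["technique"] == tid]
        live = [d for d in rules if d["enabled"] and d["data_source"] in onboarded]
        if live:
            report[tid] = "covered"
        elif not rules:
            report[tid] = "no-rule"            # detection engineering work needed
        elif not any(d["enabled"] for d in rules):
            report[tid] = "rule-disabled"      # cheapest fix: turn the existing rule on
        else:
            report[tid] = "missing-telemetry"  # rule exists but its log source is not onboarded
    return report

def gaps(report):
    """Techniques needing work, cheapest remediation first."""
    order = {"rule-disabled": 0, "missing-telemetry": 1, "no-rule": 2}
    return sorted((t for t, s in report.items() if s != "covered"), key=lambda t: order[report[t]])

if __name__ == "__main__":
    rep = coverage_report(ACTOR_TTPS, DETECTIONS, ONBOARDED_SOURCES)
    for tid in gaps(rep):
        print(f"{tid} {ACTOR_TTPS[tid]}: {rep[tid]}")
```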
---
Security teams that operate without threat intelligence make decisions based on generic best practices and historical breach data rather than current, specific knowledge about who is actually targeting them and how. This produces two predictable failures: over-investment in defenses against low-probability threats and under-investment against high-probability ones.
The business impact of poor threat intelligence is measurable. The 2023 Verizon Data Breach Investigations Report found that 83% of data breaches involved external actors, yet many organizations still focus the majority of their security investment on insider threat prevention. The report also found that 61% of breaches involved stolen credentials, but organizations without threat intelligence programs often learn about credential theft only after attackers have moved laterally through their environment.
The 2020 SolarWinds supply chain compromise demonstrates this failure mode at scale. The adversary, later attributed to Russia's SVR, operated inside hundreds of networks for months. Their tooling, infrastructure, and some behavioral patterns were knowable through careful analysis of available indicators, but almost no organization had the intelligence collection or analysis capacity to surface them proactively. Most victims discovered the breach only after FireEye's public disclosure, not through their own detection capabilities informed by threat intelligence.
Organizations with mature threat intelligence programs demonstrate measurably better security outcomes. IBM's 2023 Cost of a Data Breach Report found that organizations with threat intelligence capabilities had an average breach cost of $3.15 million compared to $4.87 million for organizations without such capabilities. The difference stems from faster detection times, better-informed response decisions, and more effective prevention of repeat incidents.
The return on investment for threat intelligence programs is most visible in prevented business disruption. A manufacturing company that receives advance warning about a ransomware group targeting their sector can implement additional backup verification and network segmentation before an attack occurs. The cost of those preventive measures is typically 1-5% of the business disruption cost of a successful ransomware deployment.
The most damaging misconception is that threat intelligence is a feed. Purchasing an IOC feed and ingesting it into a firewall is data acquisition, not intelligence production. Many organizations do exactly this and believe they have a threat intelligence program. They do not. They have automated data ingestion with no analytical layer to contextualize, prioritize, or quality-control what they are blocking.
A second misconception is that threat intelligence is only relevant for large enterprises with dedicated teams. Small and mid-size organizations are disproportionately targeted precisely because adversaries expect weaker defenses. Free resources, including CISA advisories, FBI flash reports, and open-source ISAC memberships, make basic threat intelligence accessible to organizations without dedicated analysts.
A third misconception is that threat intelligence produces certainty. It produces probability and context, not guarantees. An actor's historical TTPs predict their likely future behavior; they do not determine it. Intelligence consumers who expect certainty will dismiss valid assessments as "not actionable" because they do not rule out every alternative scenario.
A fourth misconception is that more threat intelligence feeds automatically improve security posture. Organizations often subscribe to multiple commercial feeds expecting additive value but find instead that contradictory or overlapping data creates operational burden without corresponding security improvement. Quality and relevance matter more than quantity.
---
CDA's Planetary Defense Model addresses threat intelligence under the TID (Threat Intelligence and Detection) domain. The governing methodology is Predictive Defense Intelligence (PDI), summarized operationally as: "See the threat before it sees you."
Where most threat intelligence programs are reactive or at best concurrent with active threats, PDI is structured to identify attack precursors: the reconnaissance activity, infrastructure registration patterns, dark web discussions, and access broker listings that precede an attack by days or weeks. CDA analysts are trained to treat these signals as the primary intelligence requirement, not an afterthought to IOC collection.
CDA's implementation of the intelligence lifecycle differs from standard practice in three specific ways. First, CDA integrates threat intelligence requirements directly with the organization's crown jewel asset register. Intelligence requirements are derived from what an adversary would need to accomplish to cause catastrophic harm to the organization, not from generic threat categories. This means every intelligence product answers a question tied to a specific high-value target or critical business function.
Second, CDA applies a confidence scoring methodology to every intelligence product that forces analysts to document their sources, the quality of each source, and the assumptions embedded in their analysis. This makes the reasoning transparent and allows consumers to calibrate how much weight to place on an assessment. Many commercial products present conclusions without auditable reasoning chains; CDA's standard requires both.
Third, CDA uses adversary emulation exercises directly informed by current threat intelligence to validate detection coverage. When PDI analysis identifies a threat actor targeting a client's sector, CDA red team operators run that actor's known TTPs against the client's environment within a defined window. The exercise either confirms that detections fire as expected or reveals gaps that get remediated before a real attack tests them. This closes the loop between intelligence production and defense validation in a way that a purely analytical program cannot.
---
Written by CDA Editorial