# Threat Intelligence

Threat intelligence transforms raw security data into actionable knowledge about adversaries, their tactics, and indicators, enabling proactive defense and informed security decisions.
Threat intelligence is the disciplined practice of transforming raw data about adversaries, campaigns, and vulnerabilities into finished, actionable knowledge that security teams can apply to defend specific assets. It exists because reactive security, waiting for an attack to announce itself before responding, consistently fails against capable adversaries who conduct reconnaissance, establish persistence, and move laterally long before detection. Threat intelligence inverts that dynamic. By understanding who is attacking, what techniques they favor, which infrastructure they operate, and what outcomes they seek, defenders can anticipate intrusion attempts, prioritize controls, and make resource allocation decisions grounded in evidence rather than assumption. The core problem it solves is decision-making under uncertainty: every security team operates with incomplete information, and structured intelligence reduces that gap systematically.
---
Threat intelligence is evidence-based knowledge about existing or emerging threats to an organization's assets, derived from systematic data collection, processing, correlation, and analysis. The output is finished intelligence: contextualized, attributed (where possible), and formatted for a specific consumer, whether that consumer is a CISO making a budget decision, an incident responder triaging an alert, or a SIEM rule ingesting an indicator feed.
Threat intelligence is not the same as threat data. Raw logs, unprocessed IP reputation lists, and unverified open-source reports are data. Intelligence requires human or automated analysis to assess reliability, assign confidence levels, and produce a judgment that a decision-maker can act on. Threat intelligence is also not vulnerability management, though the two are closely related. Vulnerability intelligence is a subtype that focuses on the exploitability, weaponization status, and active exploitation of specific CVEs, feeding directly into patch prioritization. General threat intelligence encompasses a broader view: actor motivations, campaign patterns, geopolitical context, and tradecraft.
Threat intelligence divides across three tiers. Strategic intelligence addresses high-level trends, nation-state actor motivations, industry-sector targeting patterns, and geopolitical risk drivers; it informs executive decisions about security investment and business risk tolerance. Operational intelligence focuses on active campaigns, adversary infrastructure, and attack timelines; it supports hunt team planning, incident response preparation, and red team scenario development. Tactical intelligence is machine-readable: indicators of compromise (IOCs) such as IP addresses, domain names, file hashes, and URL patterns that feed directly into detection tools, firewalls, and endpoint protection platforms.
Threat intelligence is not a product you purchase and deploy passively. Commercial feeds provide raw material, but without internal context, organizational asset mapping, and analyst judgment, they produce noise rather than insight.
---
The threat intelligence lifecycle is a closed-loop process consisting of six phases: direction, collection, processing, analysis, dissemination, and feedback. Each phase depends on the previous one, and the feedback loop ensures the process continuously refines itself against real operational needs.
Direction defines the intelligence requirements: what decisions need to be made, what assets are in scope, what threat actors are relevant to this organization's sector and geography, and what questions the intelligence program must answer. Without clearly defined requirements, collection becomes indiscriminate and analysis becomes unfocused. A financial services firm might define a priority intelligence requirement (PIR) as: "Which threat groups are currently targeting SWIFT messaging infrastructure, and what TTPs do they use?"
Collection gathers raw data from multiple source categories. Open-source intelligence (OSINT) draws from security researcher blogs, threat actor forums, paste sites, code repositories, and public vulnerability databases. Commercial feeds provide curated, processed indicator data from vendors with visibility into malware infrastructure. Information Sharing and Analysis Centers (ISACs) distribute sector-specific intelligence among trusted member organizations. Dark web collection monitors criminal marketplaces and forums for credential dumps, exploit sales, and targeted attack discussions. Internal telemetry, often the most valuable and underused source, pulls from SIEM logs, endpoint detection data, DNS queries, and firewall denies to surface indicators specific to the organization's environment.
Processing normalizes and structures collected data into a consistent format. This includes deduplication, tagging by source and confidence level, conversion to standard representations such as STIX 2.1 (Structured Threat Information Expression) for the objects themselves and TAXII (Trusted Automated Exchange of Intelligence Information) for transporting them between systems, and triage to remove clearly erroneous or expired indicators.
Analysis is where raw data becomes finished intelligence. Analysts correlate indicators across sources, map observed behaviors to MITRE ATT&CK techniques and sub-techniques, assess actor attribution with appropriate confidence caveats, and produce analytic products ranging from brief indicator reports to comprehensive threat actor profiles. Confidence levels are typically expressed on a structured scale (high, medium, low) based on source reliability and information corroboration.
Dissemination delivers finished intelligence to the right consumer in the right format. A threat brief for a CISO is a narrative document with business risk framing. A tactical IOC report for a SOC analyst is a structured list with integration instructions. An automated STIX bundle sent to a SIEM or SOAR platform requires no human intermediary.
Feedback closes the loop. Consumers report on whether the intelligence was actionable, whether indicators produced valid detections, and whether analytic assessments proved accurate. This input adjusts future collection priorities and analytic focus.
Concrete scenario: A healthcare organization's threat intelligence team learns, through dark web monitoring, that a ransomware group known to target hospitals is selling VPN credentials attributed to an organization matching the team's sector and geographic profile. The team obtains the sample and cross-references it against their own Active Directory, identifying two valid domain accounts. The operational response: force password resets and revoke active sessions for those accounts, review VPN access logs for anomalous authentication patterns over the previous thirty days, and push indicators associated with the group's known command-and-control infrastructure to firewall block lists and EDR custom indicator (blocklist) watchlists. The strategic response: brief the CISO on the group's tactics, quantify the potential operational impact of a ransomware event, and accelerate a planned MFA rollout. Intelligence drove action at the tactical (indicator blocking), operational (credential reset and log review), and strategic (CISO briefing, MFA acceleration) levels simultaneously, before the buyer of those credentials had used them.
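The VPN log review in that scenario, written out as an added example that is not part of the original article or any vendor's tooling: it parses a constructed key=value authentication log (the format, host names, account names and addresses are all assumed), flags successful logins by the leaked accounts that come from a source address never seen for that account or that follow a burst of failures, and then pivots on the attacker's source address to find accounts the credential dump did not list.

```python
"""VPN authentication log triage for accounts found in a credential leak.
Added example with constructed log lines; the key=value log format is assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log, deliberately out of order to show the parser sorts it.
VPN_LOG = """\
2024-03-01T08:02:11Z vpn01 auth user=jdoe src=203.0.113.10 result=success
2024-03-03T09:00:00Z vpn01 auth user=asmith src=203.0.113.44 result=success
2024-03-02T08:05:40Z vpn01 auth user=jdoe src=203.0.113.10 result=success
2024-03-05T02:14:03Z vpn01 auth user=jdoe src=198.51.100.77 result=failure
2024-03-05T02:14:20Z vpn01 auth user=jdoe src=198.51.100.77 result=failure
2024-03-05T02:14:41Z vpn01 auth user=jdoe src=198.51.100.77 result=success
2024-03-06T09:01:12Z vpn01 auth user=asmith src=203.0.113.44 result=success
2024-03-06T11:30:00Z vpn01 auth user=bwong src=198.51.100.77 result=success
"""

# Accounts that matched the (constructed) credential dump against the directory.
LEAKED_ACCOUNTS = {"jdoe", "asmith"}

LINE_RE = re.compile(r"^(\S+) \S+ auth user=(\S+) src=(\S+) result=(success|failure)$")


def parse_log(text):
    """Parse auth lines into events sorted by timestamp; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        events.append({"ts": ts, "user": m.group(2), "src": m.group(3), "result": m.group(4)})
    events.sort(key=lambda e: e["ts"])
    return events


def triage(events, leaked, fail_window=timedelta(minutes=5), fail_threshold=2):
    """Flag successful logins by leaked accounts from a source not seen earlier for that
    account, or following at least fail_threshold failures from that source within fail_window.

    Caveat: the first login observed for an account seeds its baseline, so the review window
    must start well before the suspected exposure date (the thirty days in the text); otherwise
    an attacker's first session is mistaken for normal behaviour.
    """
    seen_sources = defaultdict(set)   # user -> source IPs seen on successful logins
    failures = defaultdict(list)      # (user, src) -> timestamps of failed attempts
    findings = defaultdict(list)
    for ev in events:
        user, src = ev["user"], ev["src"]
        if user not in leaked:
            continue
        if ev["result"] == "failure":
            failures[(user, src)].append(ev["ts"])
            continue
        reasons = set()
        if seen_sources[user] and src not in seen_sources[user]:
            reasons.add("new-source")
        recent = [t for t in failures[(user, src)] if ev["ts"] - t <= fail_window]
        if len(recent) >= fail_threshold:
            reasons.add("failures-then-success")
        failures[(user, src)].clear()
        seen_sources[user].add(src)
        if reasons:
            findings[user].append({"ts": ev["ts"].isoformat(), "src": src, "reasons": sorted(reasons)})
    return dict(findings)


def pivot_on_sources(events, findings):
    """Second pass: every account, leaked or not, that logged in from a flagged source address."""
    flagged = {h["src"] for hits in findings.values() for h in hits}
    return sorted({ev["user"] for ev in events if ev["result"] == "success" and ev["src"] in flagged})


if __name__ == "__main__":
    evs = parse_log(VPN_LOG)
    hits = triage(evs, LEAKED_ACCOUNTS)
    for user, entries in hits.items():
        for h in entries:
            print(f"{user}: {h['ts']} from {h['src']} ({', '.join(h['reasons'])})")
    print("accounts seen from flagged sources:", pivot_on_sources(evs, hits))
```

The pivot is the step that turns a credential-leak notification into incident scope: the dump listed two accounts, but the source address that abused one of them also authenticated as a third account the dump never mentioned, which is exactly the kind of lead a responder wants before the thirty-day log review is declared complete.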
Implementation considerations: Threat Intelligence Platforms (TIPs) such as MISP (Malware Information Sharing Platform), ThreatConnect, and Anomali aggregate feeds, score indicators by confidence and age, and provide API integrations to push enriched data into SIEMs, SOAR playbooks, and firewall management consoles. Indicator aging is a critical configuration parameter: an IP address associated with a command-and-control server may be reassigned within days, and stale indicators generate false positives that erode analyst trust in the feed. Effective TIP configurations enforce automated expiration windows (typically 30 to 90 days for network indicators) and require human review before re-activation.
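A worked version of the processing and aging steps described above (normalization, deduplication, confidence tagging, STIX 2.1 conversion, and per-type expiration windows), added here as an example; it is not MISP, ThreatConnect, Anomali or any other vendor's code. The feed contents, the per-source reliability values, the corroboration bonus and the expiry windows are constructed assumptions; the STIX 2.1 object fields and pattern syntax follow the standard.

```python
"""Threat-intel processing and aging pipeline: added example, stdlib only, not MISP or vendor code.
Feed contents, source reliability values and expiry windows are constructed assumptions."""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timedelta, timezone

# Constructed raw feed: (source, observed value, first-seen date). Not real threat data.
RAW_FEED = [
    ("vendor_feed_a", "198.51.100.23", "2024-03-01"),
    ("isac_share", "198.51.100.23", "2024-03-02"),                     # second source corroborates the IP
    ("osint_blog", "bad-update.example", "2024-01-05"),
    ("vendor_feed_a", "BAD-UPDATE.example", "2024-01-06"),             # case variant of the same domain
    ("osint_blog", "d41d8cd98f00b204e9800998ecf8427e", "2023-11-10"),  # MD5 of an empty file: noise
    ("internal_siem", "10.0.0.5", "2024-03-03"),                       # RFC 1918, never a shareable IOC
    ("vendor_feed_a", "not an indicator", "2024-03-03"),               # unparseable
]

# Assumed per-source reliability (Admiralty-style A..F collapsed to a 0-100 base confidence).
SOURCE_RELIABILITY = {"internal_siem": 90, "isac_share": 80, "vendor_feed_a": 70, "osint_blog": 50}
CORROBORATION_BONUS = 10  # per additional independent source reporting the same indicator

# Expiry windows per STIX object type: 30-90 days for network indicators as the text suggests,
# none for file hashes, since an address can be reassigned but a hash cannot.
EXPIRY_DAYS = {"ipv4-addr": 30, "ipv6-addr": 30, "domain-name": 90, "file": None}

# MD5, SHA-1 and SHA-256 of zero bytes: well-known feed noise, triaged out.
KNOWN_BENIGN_HASHES = {"d41d8cd98f00b204e9800998ecf8427e", "da39a3ee5e6b4b0d3255bfef95601890afd80709",
                       "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
# Never valid as shared network indicators. The TEST-NET documentation ranges (198.51.100.0/24 etc.)
# are left out only so the constructed sample survives; a production filter should drop them too.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
HASH_ALGOS = {32: "MD5", 40: "'SHA-1'", 64: "'SHA-256'"}  # STIX patterns quote hash keys containing '-'


def classify(value):
    """Return (stix_type, pattern_path, normalized_value), or None if the value is triaged out."""
    v = value.strip().lower()
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_multicast or any(ip in n for n in NON_ROUTABLE):
            return None
        stype = "ipv4-addr" if ip.version == 4 else "ipv6-addr"
        return stype, f"{stype}:value", str(ip)
    if re.fullmatch(r"[0-9a-f]+", v) and len(v) in HASH_ALGOS:
        return None if v in KNOWN_BENIGN_HASHES else ("file", f"file:hashes.{HASH_ALGOS[len(v)]}", v)
    if DOMAIN_RE.match(v):
        return "domain-name", "domain-name:value", v
    return None


def confidence(sources):
    """Best single-source reliability plus a bonus per corroborating source, capped at 100."""
    base = max(SOURCE_RELIABILITY.get(s, 30) for s in sources)  # unknown source: low trust
    return min(100, base + CORROBORATION_BONUS * (len(sources) - 1))


def confidence_label(score):
    """Local high/medium/low convention over the STIX 0-100 confidence scale."""
    return "high" if score >= 80 else "medium" if score >= 50 else "low"


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def to_stix_indicator(stype, path, value, rec, now):
    """Emit a STIX 2.1 Indicator object; source names ride along as labels for provenance."""
    obj = {
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
        "created": _ts(now), "modified": _ts(now), "name": f"{stype} {value}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[{path} = '{value}']", "pattern_type": "stix",
        "valid_from": _ts(rec["first_seen"]),
        "confidence": confidence(rec["sources"]), "labels": sorted(rec["sources"]),
    }
    days = EXPIRY_DAYS[stype]
    if days is not None:
        obj["valid_until"] = _ts(rec["first_seen"] + timedelta(days=days))
    return obj


def process(raw_feed, now):
    """Classify, deduplicate on (type, value), merge sources, keep the earliest first-seen date."""
    merged = {}
    for source, value, first_seen in raw_feed:
        key = classify(value)
        if key is None:
            continue
        seen = datetime.fromisoformat(first_seen).replace(tzinfo=timezone.utc)
        rec = merged.setdefault(key, {"sources": set(), "first_seen": seen})
        rec["sources"].add(source)
        rec["first_seen"] = min(rec["first_seen"], seen)
    return [to_stix_indicator(t, p, v, rec, now) for (t, p, v), rec in merged.items()]


def is_active(indicator, now):
    """Expired indicators must be retired from blocklists; re-activation stays a human decision."""
    until = indicator.get("valid_until")
    return until is None or now < datetime.strptime(until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(raw_feed, now_date):
    """pattern -> (confidence, valid_until, active?) as of now_date, for quick inspection."""
    now = datetime.fromisoformat(now_date).replace(tzinfo=timezone.utc)
    return {i["pattern"]: (i["confidence"], i.get("valid_until"), is_active(i, now)) for i in process(raw_feed, now)}


if __name__ == "__main__":
    now = datetime(2024, 3, 15, tzinfo=timezone.utc)
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": process(RAW_FEED, now)}
    print(json.dumps(bundle, indent=2))
    for pattern, (conf, until, active) in summarize(RAW_FEED, "2024-03-15").items():
        print(pattern, confidence_label(conf), until, "active" if active else "expired")
```

Seven raw rows collapse to two indicators: the IP reported by two sources scores higher than either source alone, the case variant of the domain is merged, and the empty-file hash, the private address and the junk string never reach the output. The scoring arithmetic is a placeholder for whatever scheme a program adopts; the point is that confidence and provenance are stored on the object so a consumer can filter on them, and that `valid_until` hands downstream tools an automatic retirement date, which is what keeps a stale command-and-control address from generating false positives three months later.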
---
Security teams that operate without structured threat intelligence make resource allocation decisions based on generic best practices and vendor marketing rather than evidence about the specific threats targeting their organization. The result is a mismatch: hardening attack surfaces that adversaries are not using while leaving gaps in the paths they are actively exploiting.
The 2020 SolarWinds supply chain compromise illustrates the consequence of an intelligence gap at scale. The SUNBURST backdoor was operational in production environments for months before detection. Organizations with mature threat intelligence programs that monitored for anomalous DNS beaconing patterns and maintained robust network baseline data had a structural advantage in detecting the anomaly, though few caught it in real time. The broader lesson is not that threat intelligence would have prevented the attack, but that it provides the contextual baseline and detection hypotheses that make attacker activity detectable against normal operational noise. Post-incident, the STIX-formatted IOCs and MITRE ATT&CK mappings published by CISA and FireEye allowed organizations to rapidly query their environments for evidence of compromise, a capability that requires an existing threat intelligence infrastructure to operationalize quickly.
A persistent misconception is that threat intelligence is primarily a large-enterprise capability, too resource-intensive for mid-market or small organizations. This is incorrect. Community-sourced platforms like MISP, the free or low-cost ISAC membership tiers that some sectors offer, and CISA's Automated Indicator Sharing (AIS) program make baseline tactical intelligence accessible at low cost. The discipline required is not headcount; it is defined requirements, consistent processes, and integration with existing detection tooling.
A second misconception is that purchasing a commercial threat feed constitutes having a threat intelligence capability. Feed data without analysis, without organizational context, and without integration into detection workflows is expensive noise. Intelligence is a process, not a subscription.
Without threat intelligence, patch prioritization relies on CVSS scores alone, ignoring whether a vulnerability is actively being exploited by adversaries targeting the organization's sector. Incident response proceeds without actor attribution or TTP context, meaning responders cannot anticipate lateral movement paths or data staging behaviors. Security investments are made against hypothetical threats rather than documented adversary behavior.
---
The Cyber Defense Alliance approaches threat intelligence through the Planetary Defense Model (PDM) framework, specifically within the Threat Intelligence Domain (TID), with supporting integration across the Vulnerability and System Defense (VSD) and Risk Governance and Architecture (RGA) domains.
CDA's methodology is Predictive Defense Intelligence (PDI), framed operationally as: "See the threat before it sees you." PDI is not a posture of passive monitoring and reporting. It is a forward-leaning analytical discipline that requires organizations to model adversary decision cycles, not just their technical artifacts. Where conventional threat intelligence programs focus heavily on IOC ingestion and SIEM integration, PDI places equal emphasis on adversary intent modeling, campaign trajectory analysis, and pre-attack indicator identification.
In practice, CDA's TID domain work includes building sector-specific threat actor libraries that document not only TTPs in ATT&CK framework notation but also the business conditions that trigger campaign activation: mergers and acquisitions activity, public earnings announcements, regulatory filings, and geopolitical events that correlate historically with targeted intrusion campaigns against specific industries. This context allows CDA-supported organizations to elevate their defensive posture proactively, before observable attacker activity, based on environmental conditions that historically precede attack campaigns.
CDA integrates TID outputs directly into VSD through structured vulnerability intelligence workflows. When a new CVE is published, the TID function immediately assesses whether threat actors relevant to the client's profile have the capability and apparent interest to exploit it, adjusting patch priority recommendations accordingly rather than waiting for NVD CVSS scoring to complete.
In the RGA domain, CDA uses finished strategic intelligence products to inform risk quantification exercises. Board-level risk discussions are grounded in specific actor profiles and documented attack costs from comparable incidents, replacing generic risk matrices with evidence-based probability and impact assessments.
The operational difference is specificity. Generic threat intelligence tells an organization that ransomware groups target healthcare. CDA's PDI methodology identifies which specific groups are active against organizations with the client's size, revenue profile, and technology stack, and what observable pre-attack indicators to monitor for in the current quarter.
---
Written by CDA Editorial