# Threat Intelligence Operations
Threat intelligence operations is the practice of collecting, processing, analyzing, and operationalizing information about cyber threats to inform defensive decision-making. Threat intelligence answers the question that raw security data cannot: not just what is happening, but who is behind it, why they are doing it, what they will do next, and how the organization should prepare.
Raw data (a suspicious IP address, a malware hash, a phishing domain) becomes intelligence only when it is analyzed in context: whose infrastructure is this IP associated with? What campaign is using this malware? What sector is this phishing operation targeting? Intelligence is data plus analysis plus context. Without analysis and context, it is just data.
The distinction between data and intelligence determines whether threat information is actionable. A feed of 500,000 malicious IP addresses is data. An analysis that identifies APT41 targeting pharmaceutical companies in your region using a specific initial access technique is intelligence. The data tells you what to block. The intelligence tells you what to prepare for.
Threat intelligence operates at three levels, each serving a different audience and decision timeframe:
Strategic intelligence informs executive decision-making and long-term planning. It answers: who are our adversaries? What are their objectives? How is the threat landscape evolving? What investments should we prioritize?
Strategic intelligence is consumed by the CISO, executive leadership, and the board. It is expressed in business language, not technical language. "Chinese state-sponsored actors are targeting pharmaceutical companies to steal research data. Our industry peer had a $50M breach attributed to APT41 last quarter. Our threat profile includes these actors, and our detection coverage for their documented techniques is 38%." This is strategic intelligence that drives investment decisions: improve detection coverage for the specific techniques Chinese actors use against pharmaceutical companies.
CDA's founder has produced strategic intelligence through the Irregular Warfare Initiative, analyzing the cybersecurity strategies of China, Russia, North Korea, and Iran. This is the type of intelligence that informs organizational threat posture at the highest level.
Operational intelligence informs security operations and tactical planning for specific campaigns or threat actors. It answers: what campaigns are active right now? What techniques are being used? Which of our systems are targeted? What indicators should we look for?
Operational intelligence is consumed by the SOC manager, detection engineers, and threat hunters. It is expressed in technical language with enough context for operational decision-making. "APT29 is conducting a campaign targeting cloud identity infrastructure in government and technology sectors. They are using OAuth application abuse (T1550.001) for initial access and SAML token forging (T1606.002) for persistence. Monitor Azure AD logs for suspicious OAuth application registrations and anomalous SAML token activity."
Tactical intelligence informs immediate defensive actions. It answers: what indicators of compromise (IOCs) should be blocked or detected right now? Tactical intelligence includes IP addresses, domain names, file hashes, email addresses, URLs, and other indicators that can be directly loaded into security tools for blocking and detection.
Tactical intelligence is consumed by SIEM rules, firewall blocklists, EDR policies, and email gateway filters. It is machine-readable and high-volume. The challenge: tactical intelligence has the shortest shelf life (IOCs change rapidly as adversaries rotate infrastructure) and the highest volume (thousands of indicators per day from commercial feeds). Without context (which actor, which campaign, which technique), tactical intelligence is a blocklist without strategic value.
Threat intelligence follows a structured production cycle:
Planning and direction. Define the intelligence requirements: what does the organization need to know? Intelligence requirements are driven by the threat profile (which actors target the organization's industry and geography), the detection gaps (which techniques are not detected), and the business context (upcoming events, M&A activity, market expansion that may change the threat profile).
CDA's TID-R01 mission (Threat Landscape Assessment, 20 hours) produces the intelligence requirements that drive the rest of the cycle. Without defined requirements, intelligence collection is undirected and the analysis produces interesting but non-actionable findings.
Collection. Gather raw data from intelligence sources:
Open-source intelligence (OSINT): government advisories (CISA, NSA, FBI), vendor threat reports (Mandiant, CrowdStrike, Microsoft, Recorded Future), security research publications, social media (threat actor communications on forums and messaging platforms), and dark web monitoring.
Commercial intelligence feeds: curated threat data from intelligence vendors (Recorded Future, Mandiant Advantage, CrowdStrike Intelligence, Intel 471). Commercial feeds provide higher-quality, pre-analyzed intelligence but at significant cost ($50,000 to $500,000+ annually).
Industry sharing groups: Information Sharing and Analysis Centers (ISACs) for specific sectors (FS-ISAC for financial services, H-ISAC for healthcare, IT-ISAC for technology). ISACs share threat intelligence among member organizations, providing sector-specific intelligence that commercial feeds may not cover.
Internal telemetry: the organization's own security data (SIEM alerts, EDR detections, incident investigations, threat hunting findings) provides intelligence about what is actually happening in the environment, not just what is happening globally.
Processing. Convert raw collected data into a usable format: normalize IOC formats, deduplicate indicators, validate data quality (are these indicators current? are they associated with confirmed threats or false positives?), and structure the data for analysis. Processing is largely automated through threat intelligence platforms (TIPs).
Analysis. The human-intensive phase where processed data becomes intelligence. Analysts evaluate the data in context: attribute activity to threat actors, assess the relevance to the organization, identify trends and patterns, and produce assessments with confidence levels. Analysis transforms "these 50 IP addresses are associated with malicious activity" into "these IPs are command-and-control infrastructure operated by FIN7, which is actively targeting retail and hospitality organizations using point-of-sale malware. Our retail operations are in scope."
Dissemination. Deliver the intelligence to the appropriate audience in the appropriate format. Strategic intelligence goes to the CISO and board in executive briefing format. Operational intelligence goes to SOC managers and detection engineers in technical advisory format. Tactical intelligence goes to security tools in machine-readable format (STIX/TAXII, CSV, API feeds).
Feedback. Consumers of intelligence report back on its utility: was the intelligence actionable? Did it result in detection or prevention? Was the context sufficient? Feedback refines the intelligence requirements and improves the next cycle.
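The processing and dissemination steps of the cycle above, as an added example that is not CDA's code or any TIP's API: it refangs and normalizes a constructed feed, drops stale rows, deduplicates, and emits a STIX 2.1-shaped Indicator that carries actor, campaign and technique labels so the indicator leaves the pipeline with its context attached. The feed rows, cutoff date and labels are constructed; the STIX object is hand-built rather than produced by a STIX library.

```python
# Added example (not CDA's code): processing + dissemination of tactical IOCs.
import ipaddress
import re
import uuid
from datetime import datetime, timedelta, timezone
# Constructed sample feed: defanged, duplicated, one row long past its shelf life.
RAW_FEED = [
    {"value": "198.51.100[.]23", "first_seen": "2024-05-01"},
    {"value": "198.51.100.23", "first_seen": "2024-05-03"},
    {"value": "hxxps://evil-example[.]test/login", "first_seen": "2024-05-02"},
    {"value": "EVIL-EXAMPLE.test", "first_seen": "2024-05-02"},
    {"value": "00112233445566778899aabbccddeeff", "first_seen": "2024-01-01"},
]
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # constructed "current time"
HASH_NAMES = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
def refang(value):
    """Undo common defanging so equal indicators compare equal."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", value.strip().replace("[.]", ".").replace("(.)", "."), flags=re.IGNORECASE)
def classify(value):
    """Return (STIX object path, normalized value), or None for non-indicators."""
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HASH_NAMES:
        return f"file:hashes.'{HASH_NAMES[len(value)]}'", value.lower()
    if re.match(r"https?://", value, re.IGNORECASE):
        return "url:value", value
    try:
        return "ipv4-addr:value", str(ipaddress.IPv4Address(value))
    except ValueError:
        pass
    if re.fullmatch(r"([a-z0-9-]+\.)+[a-z]{2,}", value, re.IGNORECASE):
        return "domain-name:value", value.lower()
    return None
def process(rows, now=NOW, max_age_days=30):
    """Processing phase: normalize, validate, age out stale rows, deduplicate."""
    seen, out = set(), []
    for row in rows:
        ioc = classify(refang(row["value"]))
        first = datetime.fromisoformat(row["first_seen"]).replace(tzinfo=timezone.utc)
        if ioc is None or ioc in seen or now - first > timedelta(days=max_age_days):
            continue  # junk, duplicate, or past the indicator's short shelf life
        seen.add(ioc)
        out.append({"path": ioc[0], "value": ioc[1], "first_seen": first.isoformat()})
    return out
def to_stix_indicator(ioc, actor, campaign, technique, created):
    """Dissemination phase: STIX 2.1-shaped Indicator carrying analytic context."""
    return {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
            "id": f"indicator--{uuid.uuid5(uuid.NAMESPACE_URL, ioc['value'])}",
            "created": created, "valid_from": ioc["first_seen"],
            "pattern": f"[{ioc['path']} = '{ioc['value']}']",
            "labels": [f"actor:{actor}", f"campaign:{campaign}", f"technique:{technique}"]}
```

The `labels` field is where the analysis phase's output rides along with the indicator; a consumer that strips it is back to a blocklist.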
Intelligence that is not operationalized is analysis without impact. Operationalization connects intelligence to defensive actions:
Detection rule development. Operational and tactical intelligence feeds detection engineering. An intelligence report describing APT29's use of specific Kerberos ticket manipulation techniques translates into SIEM detection rules that look for those techniques in the organization's environment.
Threat hunting hypotheses. Operational intelligence generates hunting hypotheses. "APT41 is targeting healthcare organizations using supply chain compromise. Hypothesis: if our healthcare SaaS vendor was compromised, we would expect to see anomalous API activity from the vendor's IP ranges in our cloud audit logs." The hypothesis drives the hunt.
IOC blocking. Tactical intelligence feeds blocklists in firewalls, DNS filters, email gateways, and EDR platforms. Blocking known C2 domains, malicious IPs, and malware hashes provides immediate protection against known threats.
Vulnerability prioritization. Intelligence about which vulnerabilities are actively exploited (CISA KEV, threat actor reporting) prioritizes patching. A vulnerability that APT29 is actively exploiting against organizations in the same sector receives emergency priority regardless of its CVSS score.
Risk assessment context. Strategic intelligence informs risk assessment: the probability of a specific threat scenario is informed by intelligence about which actors are targeting the organization's sector, what techniques they use, and how frequently they succeed. Without intelligence, risk assessment is guessing. With intelligence, risk assessment is estimation.
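The supply-chain hunting hypothesis above (anomalous API activity from the vendor's IP ranges in cloud audit logs), as an added example that is not CDA's code: it runs two checks over constructed cloud audit events, actions from the vendor's ranges that fall outside the integration's expected baseline, and the vendor's service principal used from outside those ranges. The vendor ranges, principal name, baseline actions and events are all constructed.

```python
# Added example (not CDA's code): hunting the supply-chain compromise hypothesis.
import ipaddress
from collections import Counter

# Constructed: the SaaS vendor's documented egress ranges, its service principal
# in our cloud account, and the API actions its integration is expected to call.
VENDOR_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
VENDOR_PRINCIPAL = "svc-healthcare-saas"
EXPECTED_ACTIONS = {"ListBucket", "GetObject"}

# Constructed cloud audit events (CloudTrail-like fields), not real telemetry.
AUDIT_EVENTS = [
    {"ts": "2024-05-10T02:00:11Z", "src": "203.0.113.8", "principal": "svc-healthcare-saas", "action": "GetObject"},
    {"ts": "2024-05-10T02:00:12Z", "src": "203.0.113.8", "principal": "svc-healthcare-saas", "action": "ListBucket"},
    {"ts": "2024-05-10T02:05:40Z", "src": "203.0.113.8", "principal": "svc-healthcare-saas", "action": "CreateAccessKey"},
    {"ts": "2024-05-10T02:06:01Z", "src": "203.0.113.8", "principal": "svc-healthcare-saas", "action": "AttachUserPolicy"},
    {"ts": "2024-05-10T03:10:00Z", "src": "198.51.100.77", "principal": "svc-healthcare-saas", "action": "GetObject"},
    {"ts": "2024-05-10T09:00:00Z", "src": "192.0.2.5", "principal": "alice", "action": "GetObject"},
]

def from_vendor(ip):
    """True if the source address falls inside a documented vendor range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VENDOR_RANGES)

def hunt(events):
    """Return the events consistent with a compromised vendor.
    Check 1: a vendor range calling actions outside the integration's baseline
    (vendor infrastructure being used for more than the integration needs).
    Check 2: the vendor principal used from outside the vendor's ranges
    (vendor credentials replayed from somewhere the vendor does not operate)."""
    findings = []
    for e in events:
        vendor_ip = from_vendor(e["src"])
        vendor_id = e["principal"] == VENDOR_PRINCIPAL
        if vendor_ip and e["action"] not in EXPECTED_ACTIONS:
            findings.append({"kind": "unexpected_action_from_vendor_range", **e})
        elif vendor_id and not vendor_ip:
            findings.append({"kind": "vendor_principal_outside_vendor_range", **e})
    return findings

def summarize(findings):
    """Counts by finding kind: the headline of the hunt report."""
    return dict(Counter(f["kind"] for f in findings))
```

An empty result refutes the hypothesis for this data set; either way the outcome feeds back into the next cycle's intelligence requirements.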
Threat-informed defense prioritizes security investments based on the specific threats the organization faces. Without intelligence, security investments are distributed based on generic best practices. With intelligence, investments are concentrated on the techniques, actors, and vulnerabilities that are most relevant to the organization.
A financial services organization whose intelligence assessment identifies FIN7 and APT38 as primary threat actors prioritizes detection coverage for the techniques those groups use. A defense contractor whose intelligence assessment identifies APT29 and Volt Typhoon prioritizes different techniques. Intelligence determines where the limited security budget produces the greatest risk reduction.
Organizations that operationalize threat intelligence detect threats faster. IOC-based detection blocks known infrastructure before the attacker uses it. Technique-based detection catches the specific methods the attacker employs. Intelligence-driven hunting searches for the specific threats that the organization's threat profile indicates are most likely. Each capability reduces the time between attacker entry and defender detection.
Intelligence sharing through ISACs and informal networks provides collective defense. When one financial institution detects a new FIN7 campaign and shares the indicators through FS-ISAC, every member institution can block those indicators before the campaign reaches them. The attacker must now compromise 500 institutions simultaneously rather than one at a time. Intelligence sharing transforms individual defense into collective defense.
Threat intelligence operations are the analytical engine of the TID (Threat Intelligence and Defense) domain in the Planetary Defense Model. TID is the atmosphere: the detection and intelligence layer. Threat intelligence is the meteorological data that the atmosphere's sensors collect and the analysts interpret: what weather systems are forming, where are they heading, and how severe will the impact be?
CDA's Predictive Defense Intelligence (PDI) methodology makes intelligence the foundation of every TID operation. "See the threat before it sees you." Detection without intelligence is reactive (detect what appears). Detection with intelligence is predictive (detect what intelligence says is coming).
The Roman parallel is the speculatores and exploratores: Rome's military intelligence corps who operated ahead of the legions, identifying threats before they reached the frontier. They did not wait for barbarians to attack. They gathered intelligence about barbarian movements, assessed intentions, and reported to the commanding general who adjusted the legion's disposition accordingly. CDA's threat intelligence operations serve the same function: gather intelligence about adversary activity, assess the threat to the client, and adjust the detection and response posture accordingly.
Four TOP missions connect to threat intelligence:
CDA approaches threat intelligence with one emphasis: intelligence must be relevant to the client's specific threat profile. Generic threat feeds that include every global indicator produce noise. Intelligence that identifies the specific actors targeting the client's industry, geography, and technology stack produces actionable focus. CDA's TID-R01 mission produces the threat profile that filters all subsequent intelligence consumption. The filter ensures the client's SOC analyzes intelligence about their threats, not the internet's threats.
Written by Evan Morgan