
Threat Intelligence

Threat Intelligence (TI) is evidence-based knowledge about existing or emerging threats. TI encompasses information about TTPs (tactics, techniques, and procedures), IOCs (indicators of compromise), attacker attribution, and the context that enables better security decisions and proactive threat defense.

What is Threat Intelligence?

Threat Intelligence Definition

Threat Intelligence is the collection, processing, and analysis of information about threats to support security decisions. TI provides context that transforms raw data (logs, alerts) into actionable knowledge about who is attacking, how, and why.

Threat Intelligence Pyramid

Strategic (Executive level):

  • Geopolitical trends
  • Threat actor motivations
  • Long-term risks
  • Audience: C-level, board

Operational (Analyst level):

  • Campaign analysis
  • TTPs of specific groups
  • Incident context
  • Audience: SOC managers, threat hunters

Tactical (Technical level):

  • IOCs (indicators of compromise)
  • Malware signatures
  • Malicious IPs/domains
  • Audience: SOC analysts, automation

Threat Intelligence Lifecycle

  1. Planning: Defining intelligence needs
  2. Collection: Gathering data from sources
  3. Processing: Normalization and correlation
  4. Analysis: Creating intelligence products
  5. Dissemination: Delivery to stakeholders
  6. Feedback: Evaluation of usefulness

TI Sources

Internal:

  • Own incidents
  • Logs and telemetry
  • Threat hunting findings

External:

  • Commercial TI feeds
  • ISACs (sector-specific)
  • Open source (OSINT)
  • Government agencies (CERT, CISA)

TI in Security Operations

  • SIEM: IOC correlation with events
  • EDR: Threat hunting using TI
  • Firewall: Blocking known malicious IPs
  • Email gateway: Phishing domains
  • Vulnerability management: Prioritization based on exploitation

Intelligence Requirements

Before implementing TI, define:

  • What threats are relevant to the organization?
  • Who will be the consumer of intelligence?
  • What decisions will TI support?
  • What sources to use?

TI Platforms (TIP)

TI management tools:

  • IOC aggregation from multiple sources
  • Deduplication and normalization
  • SIEM/EDR integration
  • Collaboration and sharing
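
The aggregation, deduplication and normalization steps above, followed by the IOC correlation with events listed under TI in Security Operations, shown as an added example (not code from this page or from any TIP product). The feed names, the event field names (dst_ip, query) and all indicator values are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def normalize(kind, value):
    """Return a canonical (kind, value) pair, or None if the value is unusable."""
    v = value.strip().lower()
    # Refang the defanging commonly used in TI reports: hxxp, [.] and (.)
    v = v.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")
    if kind == "ip":
        try:
            return ("ip", str(ipaddress.ip_address(v)))
        except ValueError:
            return None  # malformed feed entry, drop it
    if kind == "domain":
        # Keep only the host part: strip scheme, path and trailing root dot
        v = v.split("://", 1)[-1].split("/", 1)[0].rstrip(".")
        return ("domain", v) if "." in v else None
    return None

def aggregate(feeds):
    """Merge feeds into {indicator: set of source names}, collapsing duplicates."""
    merged = defaultdict(set)
    for source, entries in feeds.items():
        for kind, value in entries:
            ioc = normalize(kind, value)
            if ioc:
                merged[ioc].add(source)
    return dict(merged)

def correlate(events, iocs):
    """Return (event id, indicator, sources) for each event field matching an IOC."""
    hits = []
    for ev in events:
        for kind, field in (("ip", "dst_ip"), ("domain", "query")):
            if field in ev:
                ioc = normalize(kind, ev[field])
                if ioc in iocs:
                    hits.append((ev["id"], ioc, sorted(iocs[ioc])))
    return hits

# Constructed sample data (documentation-range IPs, example domains)
FEEDS = {
    "commercial": [("ip", "203.0.113.7"), ("domain", "Bad.Example[.]com")],
    "isac": [("ip", " 203.0.113.7 "), ("ip", "not-an-ip"),
             ("domain", "hxxp://bad.example.com/login")],
    "osint": [("domain", "bad.example.com."), ("ip", "198.51.100.23")],
}
EVENTS = [{"id": 1, "dst_ip": "203.0.113.7"}, {"id": 2, "query": "BAD.example.com"},
          {"id": 3, "dst_ip": "192.0.2.10"}]
```

Keeping the set of reporting sources per indicator lets a consumer weight a hit by how many independent feeds agree on it.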

Threat intelligence is essential for proactive security, enabling threats to be anticipated rather than merely reacted to.
