Overview
Threat intelligence (TI) turns raw signals about adversary behavior into actionable guidance. Effective TI clarifies which threats matter to the business, supplies indicators and TTP context to detection teams, and informs defensive prioritization.
Core objectives
- Define priority intelligence requirements (PIRs) tied to business assets and industry threats.
- Curate multiple sources: commercial feeds, open-source intelligence, ISACs, sharing communities, and internal detections.
- Deliver consumable outputs: indicator packages, threat summaries, attack-path hypotheses, and detection/response recommendations.
- Measure impact by how TI improves detection coverage, response speed, and risk decisions.
Implementation notes
- Normalize indicators (IOCs) with context such as confidence, first/last seen, and required action (block, monitor, hunt).
- Build playbooks for ingestion into SIEM, EDR, DNS, and email security, with de-duplication and expiry handling.
- Provide strategic briefs for executives and product/security architecture to inform roadmap decisions.
- Partner with detection engineering to translate TTPs into analytics mapped to ATT&CK.
Operational signals
- Leading indicators: time from feed arrival to control deployment, false-positive rates on new IOCs, and PIR coverage.
- Lagging indicators: incidents detected via external notification instead of internal TI-driven detections, or repeated gaps against known actor techniques.
- Feedback loops: quarterly PIR refresh, quality reviews with consumers, and retirement of unused feeds.
Runbook essentials
- New actor assessment: summarize motivation, capability, and targeting; list observed IOCs and TTPs; propose hunts and detections.
- IOC lifecycle: ingest → normalize → distribute to controls → monitor hits → expire or adjust confidence.
- Sharing: contribute sanitized findings back to trusted communities, respecting legal and privacy constraints.
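The IOC lifecycle above (and the normalization, de-duplication and expiry handling called for under Implementation notes) as a minimal added Python example; this is illustrative code written for this page, not a tool from the original, and the feed records, the confidence thresholds for block/monitor/hunt and the 90-day TTL are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed sample feed records (not real indicators): the same domain arrives twice,
# once defanged, from different sources with different confidence and sighting times.
RAW_FEED = [
    {"type": "domain", "value": "Bad-Example[.]test", "confidence": 40, "seen": "2024-01-10T00:00:00Z"},
    {"type": "domain", "value": "bad-example.test", "confidence": 85, "seen": "2024-03-01T00:00:00Z"},
    {"type": "ipv4", "value": "203.0.113.7", "confidence": 90, "seen": "2023-06-01T00:00:00Z"},
]
@dataclass
class Indicator:
    type: str
    value: str
    confidence: int
    first_seen: datetime
    last_seen: datetime

    def action(self):
        # Required action follows confidence (assumed thresholds): block high, monitor medium, hunt on low.
        if self.confidence >= 80:
            return "block"
        return "monitor" if self.confidence >= 50 else "hunt"

def parse_ts(ts):
    # Feed timestamps are ISO 8601 with a trailing Z; make them timezone-aware.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def refang(value):
    # Undo common defanging and case so duplicates collapse to one canonical key.
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def normalize(raw_records):
    # Ingest -> normalize -> de-duplicate: a merged entry keeps the earliest first_seen,
    # the latest last_seen and the highest confidence any source reported.
    merged = {}
    for rec in raw_records:
        key = (rec["type"], refang(rec["value"]))
        seen = parse_ts(rec["seen"])
        ind = merged.get(key)
        if ind is None:
            merged[key] = Indicator(key[0], key[1], rec["confidence"], seen, seen)
        else:
            ind.first_seen = min(ind.first_seen, seen)
            ind.last_seen = max(ind.last_seen, seen)
            ind.confidence = max(ind.confidence, rec["confidence"])
    return list(merged.values())
def expire(indicators, now, ttl_days=90):
    # Anything not sighted within the TTL leaves the distribution set, so stale entries
    # stop generating false positives in SIEM, EDR and DNS controls.
    cutoff = now - timedelta(days=ttl_days)
    return [i for i in indicators if i.last_seen >= cutoff]
```

Running `expire(normalize(RAW_FEED), parse_ts("2024-03-15T00:00:00Z"))` collapses the two domain records into one high-confidence "block" entry and drops the IP that has not been sighted within the TTL.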
Related practices
- Detection engineering, incident response, and vulnerability management all depend on accurate, timely TI.
- Red/blue team exercises validate whether TI-derived hypotheses hold in the environment.
- Governance should ensure licensing and data-handling requirements for external feeds are met.