Threat Intelligence: Concepts and Sources
Threat intelligence is the structured discipline of collecting, processing, and analyzing information about cyber threats to support defensive decision-making across organizations, sectors, and government entities. This page covers the formal definition and classification of threat intelligence, the operational process by which raw data becomes actionable intelligence, common deployment scenarios across enterprise and government contexts, and the decision boundaries that determine when and how different intelligence types apply. The subject sits at the intersection of cybersecurity operations, national security policy, and regulatory compliance, making precise definitional clarity essential for practitioners and researchers navigating the infosec service landscape.
Definition and scope
Threat intelligence, as defined by the National Institute of Standards and Technology (NIST), refers to threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for informed decision-making (NIST SP 800-150, "Guide to Cyber Threat Information Sharing"). This distinguishes intelligence from raw threat data: a log entry showing a malicious IP address is data; a structured analysis of that IP's association with a named threat actor, its targeting patterns, and its infrastructure relationships constitutes intelligence.
Threat intelligence is commonly divided into four tiers. The labels below are widely used but not standardized, and some sources swap the definitions of operational and tactical, so a consumer should check how a given vendor or framework uses the terms:
- Strategic intelligence — High-level analysis of threat actor motivations, geopolitical context, and long-term risk trends, produced for executive and board-level consumers.
- Operational intelligence — Information about specific planned or ongoing attack campaigns, including threat actor intent and targeting priorities, consumed by security managers and incident response leadership.
- Tactical intelligence — Details about threat actor tactics, techniques, and procedures (TTPs), typically mapped against the MITRE ATT&CK framework, whose Enterprise matrix organizes roughly 200 techniques and more than 400 sub-techniques under 14 tactics (MITRE ATT&CK Enterprise Matrix).
- Technical intelligence — Machine-readable indicators of compromise (IOCs) such as file hashes, IP addresses, domain names, and URLs, consumed directly by security tools.
The Cybersecurity and Infrastructure Security Agency (CISA) operationalizes threat intelligence sharing through the Automated Indicator Sharing (AIS) program, which uses the Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Intelligence Information (TAXII) standards to enable machine-speed exchange of technical indicators between federal agencies and private-sector partners.
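The exchange a TAXII 2.1 client performs against a server such as AIS, as an added example that is not CISA's code and not a TAXII library: a mock server in the same process answers the discovery, API root, collections and objects endpoints, and a client walks them in that order, sends the TAXII Accept header, checks the media type it gets back, and uses added_after to fetch only objects published since its last poll. The collection id, the two indicators, their dates and the loopback host are constructed for illustration; authentication (AIS uses certificates) is left out.

```python
# Added example: TAXII 2.1 client against an in-process mock server (not CISA AIS code,
# not a TAXII library). Collection id, objects, dates and host are constructed.
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import ProxyHandler, Request, build_opener

TAXII_MEDIA = "application/taxii+json;version=2.1"
STIX_MEDIA = "application/stix+json;version=2.1"
COLLECTION_ID = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"  # constructed collection id
OPENER = build_opener(ProxyHandler({}))  # never route loopback traffic through an env proxy

def _indicator(uid, pattern, ts):
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uid}", "created": ts,
            "modified": ts, "pattern": pattern, "pattern_type": "stix", "valid_from": ts}

STORE = [  # (date_added, STIX object) pairs the mock serves; both indicators are constructed
    ("2024-05-01T00:00:00.000Z", _indicator("3f2c1a8e-6b2d-4c5e-9a7f-0b1c2d3e4f50", "[ipv4-addr:value = '203.0.113.5']", "2024-05-01T00:00:00.000Z")),
    ("2024-05-03T00:00:00.000Z", _indicator("7a1d9c2b-1e4f-4b6a-8c3d-5e6f7a8b9c01", "[domain-name:value = 'bad-update.example.net']", "2024-05-03T00:00:00.000Z")),
]

class MockTaxiiHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the example quiet
        pass

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", TAXII_MEDIA)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        if self.headers.get("Accept") != TAXII_MEDIA:  # TAXII: 406 if the client cannot accept TAXII JSON
            return self._send(406, {"title": "Not Acceptable", "http_status": "406"})
        url, base = urlparse(self.path), f"http://{self.headers['Host']}"
        if url.path == "/taxii2/":  # discovery resource
            return self._send(200, {"title": "Constructed TAXII 2.1 server", "api_roots": [f"{base}/api1/"]})
        if url.path == "/api1/":  # API root resource
            return self._send(200, {"title": "api1", "versions": [TAXII_MEDIA], "max_content_length": 10485760})
        if url.path == "/api1/collections/":
            return self._send(200, {"collections": [{"id": COLLECTION_ID, "title": "Constructed indicators",
                                                     "can_read": True, "can_write": False, "media_types": [STIX_MEDIA]}]})
        if url.path == f"/api1/collections/{COLLECTION_ID}/objects/":
            since = parse_qs(url.query).get("added_after", [""])[0]
            # RFC 3339 UTC strings of equal precision sort lexically, so string comparison is safe here
            return self._send(200, {"objects": [o for added, o in STORE if added > since], "more": False})
        return self._send(404, {"title": "Not Found", "http_status": "404"})

def taxii_get(url, params=None):
    """GET with the TAXII 2.1 Accept header and insist the reply is TAXII JSON."""
    if params:
        url += "?" + urlencode(params)
    with OPENER.open(Request(url, headers={"Accept": TAXII_MEDIA}), timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.startswith("application/taxii+json"):
            raise ValueError(f"unexpected Content-Type {ctype!r}")
        return json.load(resp)

def poll_collections(discovery_url, added_after=None):
    """Walk discovery -> API root -> readable collections -> objects; return the STIX objects."""
    root = taxii_get(discovery_url)["api_roots"][0]
    if TAXII_MEDIA not in taxii_get(root)["versions"]:
        raise ValueError("server does not offer TAXII 2.1")
    objects = []
    for coll in taxii_get(root + "collections/")["collections"]:
        if coll["can_read"]:
            params = {"added_after": added_after} if added_after else None
            envelope = taxii_get(f"{root}collections/{coll['id']}/objects/", params)
            objects.extend(envelope["objects"])  # a real client follows envelope["next"] while "more" is true
    return objects

def start_mock_server():
    server = HTTPServer(("127.0.0.1", 0), MockTaxiiHandler)  # port 0 picks a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/taxii2/"

def demo(added_after=None):
    """Bring up the mock server, poll it as an AIS-style client would, tear it down."""
    server, discovery = start_mock_server()
    try:
        return poll_collections(discovery, added_after)
    finally:
        server.shutdown()
        server.server_close()

def status_without_accept():
    """Content negotiation check: the same discovery GET without the TAXII Accept header."""
    server, discovery = start_mock_server()
    try:
        OPENER.open(Request(discovery), timeout=5)
        return 200
    except HTTPError as err:
        return err.code
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("added after 2024-05-02:", [o["id"] for o in demo("2024-05-02T00:00:00.000Z")])
    print("status without Accept header:", status_without_accept())
```

The added_after filter is what makes a polling client cheap to run on a schedule: the client stores the date_added of the last object it received and asks only for what is newer, instead of re-downloading the collection each cycle.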
How it works
The intelligence lifecycle, a model cybersecurity inherited from the broader intelligence community and into which the sharing activities described in NIST SP 800-150 fit, follows a discrete set of phases that transform raw information into consumable intelligence products:
- Planning and direction — Defining intelligence requirements based on organizational risk posture, sector threats, and decision-maker needs.
- Collection — Gathering raw data from open-source intelligence (OSINT), commercial feeds, information sharing and analysis centers (ISACs), government advisories, and internal telemetry.
- Processing — Normalizing collected data into standardized formats; STIX 2.1, maintained by the OASIS Cyber Threat Intelligence (CTI) Technical Committee, is the dominant open format, with TAXII from the same committee as its transport.
- Analysis — Applying analytical tradecraft to identify patterns, attribute activity, assess actor capabilities, and project threat behavior. The US intelligence community's analytic standards, documented in Intelligence Community Directive (ICD) 203 (Office of the Director of National Intelligence), provide a reference framework for structured analytic techniques applicable to cybersecurity contexts.
- Dissemination — Distributing finished intelligence products to appropriate consumers in usable formats — reports, STIX bundles, platform feeds, or briefings.
- Feedback — Consumers evaluate the utility and accuracy of intelligence products, informing the next planning cycle.
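The processing phase is where most of the engineering effort sits, so here is an added example of it, not code from NIST SP 800-150 or from any platform. It normalizes two constructed inputs (an OSINT blocklist and an internal EDR alert export, both invented for this page) into a STIX 2.1 bundle using only the standard library: each raw value is typed by regex and rejected if it cannot be typed, duplicates are merged keeping the highest confidence on the STIX None/Low/Med/High scale, internal sightings get top confidence, and IP indicators are stamped with a valid_until 48 hours out, an assumed default taken from the infrastructure rotation window discussed under Decision boundaries.

```python
# Added example: normalize raw feed data into a STIX 2.1 bundle (standard library only,
# not the OASIS stix2 package). Inputs, addresses and hashes are constructed.
import json
import re
import uuid
from datetime import datetime, timedelta, timezone

OSINT_FEED = """# constructed OSINT blocklist, format: indicator,confidence
203.0.113.5,high
bad-update.example.net,medium
203.0.113.5,low
not an indicator,high
"""
INTERNAL_TELEMETRY = [  # constructed EDR alert export; the hash is a placeholder, not a real sample
    {"sha256": "0123456789abcdef" * 4, "first_seen": "2024-05-01T10:00:00Z"},
]
EXAMPLE_NOW = datetime(2024, 5, 2, 12, 0, 0, tzinfo=timezone.utc)  # fixed "now" for repeatable output

# Feed vocabulary mapped to the STIX 2.1 None/Low/Med/High confidence scale (spec appendix).
CONFIDENCE = {"high": 85, "medium": 50, "low": 15}
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def stix_time(dt):
    """RFC 3339 timestamp in the form STIX 2.1 requires: UTC, millisecond precision, 'Z' suffix."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def to_pattern(value):
    """Type a raw observable and return (observable type, STIX comparison pattern), or None."""
    v = value.strip().lower()
    if IPV4.match(v):
        return "ipv4-addr", f"[ipv4-addr:value = '{v}']"
    if SHA256.match(v):
        return "file", f"[file:hashes.'SHA-256' = '{v}']"
    if DOMAIN.match(v):
        return "domain-name", f"[domain-name:value = '{v}']"
    return None  # free text, typos, unsupported types: the caller records these as rejects


def make_indicator(obs_type, pattern, confidence, valid_from, ip_ttl):
    """Build a STIX 2.1 Indicator SDO with every required property; ids are UUIDv4 per the spec."""
    ind = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stix_time(valid_from),
        "modified": stix_time(valid_from),
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": stix_time(valid_from),
        "confidence": confidence,
    }
    if obs_type == "ipv4-addr" and ip_ttl is not None:
        ind["valid_until"] = stix_time(valid_from + ip_ttl)  # adversary IPs rotate quickly; age them out
    return ind


def normalize(osint_text, telemetry, now, ip_ttl=timedelta(hours=48)):
    """Return (STIX 2.1 bundle, rejected raw entries). Duplicate observables collapse into one
    indicator carrying the highest confidence seen; internal sightings are first-hand and score 100."""
    merged = {}  # pattern -> (observable type, confidence, valid_from)
    rejected = []
    for line in osint_text.splitlines():
        if not line or line.startswith("#"):
            continue
        raw, _, conf = line.partition(",")
        hit = to_pattern(raw)
        if hit is None:
            rejected.append(line)
            continue
        score = CONFIDENCE.get(conf.strip().lower(), 0)
        if hit[1] not in merged or score > merged[hit[1]][1]:
            merged[hit[1]] = (hit[0], score, now)
    for alert in telemetry:
        hit = to_pattern(alert["sha256"])
        if hit is None:
            rejected.append(json.dumps(alert))
            continue
        seen = datetime.strptime(alert["first_seen"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        merged[hit[1]] = (hit[0], 100, seen)
    objects = [make_indicator(t, p, c, vf, ip_ttl) for p, (t, c, vf) in merged.items()]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}, rejected


if __name__ == "__main__":
    bundle, rejects = normalize(OSINT_FEED, INTERNAL_TELEMETRY, EXAMPLE_NOW)
    print(json.dumps(bundle, indent=2))
    print("rejected:", rejects)
```

Rejecting untypeable lines rather than silently dropping them matters operationally: a feed that starts shipping malformed entries is itself a signal, and the reject list is what the feedback phase reports back to the producer.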
The contrast between human-produced and machine-produced intelligence is operationally significant. Strategic and operational products require human analysts with domain expertise. Technical indicators are produced, consumed, and acted upon largely through automated platforms using STIX/TAXII pipelines, enabling integration with security information and event management (SIEM) systems and endpoint detection platforms at machine speed.
Common scenarios
Threat intelligence applies across a range of organizational contexts with distinct consumption patterns:
Financial sector: Financial institutions participate in the Financial Services ISAC (FS-ISAC), which distributes sector-specific threat intelligence to over 4,500 member firms globally (FS-ISAC). Regulatory frameworks including the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool reference threat intelligence as a core component of a mature cybersecurity program.
Critical infrastructure: Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," directed NIST to develop the Cybersecurity Framework (CSF), which places receipt of cyber threat intelligence from sharing forums and sources as a subcategory (ID.RA-2) under the Risk Assessment category of the "Identify" function. Operators of industrial control systems (ICS) draw on CISA's ICS advisories (formerly published under the ICS-CERT name).
Federal agencies: Agencies subject to the Federal Information Security Modernization Act (FISMA) are required under OMB Circular A-130 to implement threat awareness programs. The Einstein program, operated by CISA, provides automated intrusion detection and threat intelligence to civilian federal executive branch agencies.
Incident response: During active incidents, threat intelligence supports attribution, containment scoping, and post-incident reporting. Analysts cross-reference observed TTPs against the MITRE ATT&CK matrix to identify the full scope of a campaign beyond the initially detected intrusion vector. Professionals operating in this space are profiled in the infosec provider network by specialization.
Decision boundaries
Selecting the appropriate type or source of threat intelligence depends on three primary variables: consumer role, organizational maturity, and threat context.
Strategic intelligence requires no technical integration infrastructure but demands analytical expertise to interpret geopolitical and actor-motivation data. Technical intelligence requires mature tooling — SIEM, threat intelligence platforms, or security orchestration — to operationalize IOCs before they expire. IOC half-life is a known constraint: IP addresses associated with adversary infrastructure may rotate within 24 to 48 hours, making timeliness a hard operational requirement for technical feeds.
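The consumption side described under "How it works" and the expiry constraint above, as an added example that is not a vendor's matching engine and not a complete STIX pattern evaluator: it parses the comparison subset of STIX 2.1 patterns that dominates technical feeds (one observation expression, comparisons joined by AND or OR), runs the indicators over constructed SIEM events, and refuses to fire on an indicator that is revoked or whose valid_until has already passed at the event's timestamp. Those would-be hits are counted rather than discarded, so a stale feed shows up as a metric instead of as silence. The indicators, events and the object-path-to-field mapping are invented for illustration.

```python
# Added example: evaluate STIX 2.1 indicator patterns against SIEM events with validity
# checks. Not a vendor engine; supports a comparison subset only. All data is constructed.
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 indicators. The first expires before the second event that would
# match it; the third has been revoked by its producer and must never fire.
INDICATORS = [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--3f2c1a8e-6b2d-4c5e-9a7f-0b1c2d3e4f50",
     "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.5']",
     "valid_from": "2024-05-01T00:00:00.000Z", "valid_until": "2024-05-03T00:00:00.000Z"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--7a1d9c2b-1e4f-4b6a-8c3d-5e6f7a8b9c01",
     "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'bad-update.example.net' OR url:value = 'http://bad-update.example.net/u']",
     "valid_from": "2024-05-01T00:00:00.000Z"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e",
     "created": "2024-04-20T00:00:00.000Z", "modified": "2024-05-02T00:00:00.000Z", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']",
     "valid_from": "2024-04-20T00:00:00.000Z", "revoked": True},
]

# Constructed proxy/EDR events as a SIEM would hand them over (JSON lines).
LOG_LINES = """
{"ts": "2024-05-02T09:15:00Z", "src_ip": "10.0.0.8", "dest_ip": "203.0.113.5", "domain": "cdn.example.org"}
{"ts": "2024-05-04T11:00:00Z", "src_ip": "10.0.0.8", "dest_ip": "203.0.113.5", "domain": "cdn.example.org"}
{"ts": "2024-05-02T13:40:00Z", "src_ip": "10.0.0.9", "dest_ip": "198.51.100.7", "domain": "BAD-UPDATE.example.net"}
{"ts": "2024-05-02T14:00:00Z", "src_ip": "10.0.0.9", "sha256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}
"""

# Which event fields each STIX object path is checked against (a site-specific assumption).
FIELD_MAP = {
    "ipv4-addr:value": ("src_ip", "dest_ip"),
    "domain-name:value": ("domain",),
    "url:value": ("url",),
    "file:hashes.'SHA-256'": ("sha256",),
}
# object path (type:property, optional .sub or .'quoted' segments), operator, quoted value
COMPARISON = re.compile(r"([\w-]+:[\w-]+(?:\.(?:'[^']+'|[\w-]+))*)\s*(=|!=)\s*'([^']*)'")


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_pattern(pattern):
    """Split "[a = 'x' OR b = 'y']" into (join operator, [(object_path, op, value), ...]).
    Mixed AND/OR, parentheses, FOLLOWEDBY and qualifiers are outside this subset and rejected."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"unsupported pattern: {pattern}")
    comparisons = COMPARISON.findall(body[1:-1])
    operators = set(re.findall(r"\s(AND|OR)\s", body))
    if not comparisons or len(operators) > 1:
        raise ValueError(f"unsupported pattern: {pattern}")
    return (operators.pop() if operators else "OR"), comparisons


def indicator_state(ind, at):
    """'active', or the reason the indicator must not fire for an event observed at `at`."""
    if ind.get("revoked"):
        return "revoked"
    if at < parse_ts(ind["valid_from"]):
        return "not-yet-valid"
    if "valid_until" in ind and at >= parse_ts(ind["valid_until"]):
        return "expired"
    return "active"


def comparison_hits(event, path, op, value):
    fields = FIELD_MAP.get(path)
    if fields is None:
        return False  # an object path this consumer has no telemetry for
    present = [str(event[f]).lower() for f in fields if f in event]  # case-fold before comparing
    if op == "=":
        return value.lower() in present
    return bool(present) and value.lower() not in present


def match_events(indicators, log_text):
    """Return (matches, skipped). `skipped` counts pattern hits on inactive indicators by reason,
    so stale or revoked feed entries that would have fired stay visible to the analyst."""
    compiled = [(ind, parse_pattern(ind["pattern"])) for ind in indicators]
    matches, skipped = [], {}
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for n, event in enumerate(events):
        at = parse_ts(event["ts"])
        for ind, (join, comparisons) in compiled:
            results = [comparison_hits(event, *c) for c in comparisons]
            if not (all(results) if join == "AND" else any(results)):
                continue
            state = indicator_state(ind, at)
            if state == "active":
                matches.append({"event": n, "indicator": ind["id"], "pattern": ind["pattern"]})
            else:
                skipped[state] = skipped.get(state, 0) + 1
    return matches, skipped


if __name__ == "__main__":
    hits, dropped = match_events(INDICATORS, LOG_LINES)
    for hit in hits:
        print(f"event {hit['event']} matched {hit['indicator']} ({hit['pattern']})")
    print("would have fired but inactive:", dropped)
```

Validity is checked against the event's own timestamp rather than the wall clock so the same code serves both real-time alerting and retrospective hunting over old logs; an IP that was adversary infrastructure last week is still a true positive for an event from last week, and still noise for one from today.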
Organizations below a defined maturity threshold — typically organizations that lack a dedicated security operations center — derive limited value from raw technical feeds without the processing infrastructure to act on them. NIST SP 800-150 explicitly frames information sharing participation as a maturity-dependent activity. The provides context on how threat intelligence service providers are categorized within this reference structure.
Intelligence source selection also follows sector alignment. ISACs provide sector-specific context unavailable in generic commercial feeds; the Health Information Sharing and Analysis Center (H-ISAC) and Electricity ISAC (E-ISAC) serve sectors with distinct threat actor profiles and regulatory obligations that generic intelligence products do not address. Researchers and practitioners can explore how this resource is organized to locate sector-specific providers at the how to use this infosec resource page.