Threat Intelligence: Concepts and Sources

Threat intelligence is the discipline of collecting, analyzing, and applying structured knowledge about adversaries, attack methods, and threat actor behaviors to inform cybersecurity decisions. This page covers the functional definition of threat intelligence, its operational workflow, the source categories practitioners draw from, and the conditions that determine which intelligence type applies to a given organizational context. The field intersects with frameworks maintained by MITRE, CISA, and NIST, and feeds directly into security operations center functions, incident response programs, and vulnerability management processes.


Definition and scope

Threat intelligence is formally defined by NIST as "threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes" (NIST SP 800-150, Guide to Cyber Threat Information Sharing). This distinguishes processed intelligence from raw data feeds or uncontextualized logs.

The scope of threat intelligence spans four recognized tiers, each serving a distinct organizational audience:

  1. Strategic intelligence — High-level assessments of geopolitical threat landscapes, adversary motivations, and industry-targeting trends. Produced for executive and board-level decision-makers.
  2. Operational intelligence — Information about active or imminent campaigns, including adversary tools, techniques, and procedures (TTPs). Used by security managers and incident response leads.
  3. Tactical intelligence — Specific indicators of compromise (IOCs) such as malicious IP addresses, file hashes, and domain names. Consumed directly by security tools and analysts.
  4. Technical intelligence — Detailed technical artifacts — exploit code characteristics, malware signatures, protocol-level behaviors — used by threat hunters and reverse engineers.

The MITRE ATT&CK Framework, a publicly maintained knowledge base of adversary TTPs organized by tactic category, provides the dominant classification structure for operational and technical threat intelligence across both government and private-sector contexts.

Regulatory frameworks increasingly mandate threat intelligence integration. The Cybersecurity and Infrastructure Security Agency (CISA), operating under 6 U.S.C. § 659, requires critical infrastructure operators to participate in structured information-sharing mechanisms. The Financial Industry Regulatory Authority (FINRA) and the Department of Health and Human Services reference threat intelligence consumption as part of HIPAA cybersecurity requirements and sector-specific risk management obligations.


How it works

Threat intelligence production follows the intelligence lifecycle, a process model used by government and commercial security organizations alike. NIST SP 800-150 and the Structured Threat Information Expression (STIX) standard developed through OASIS describe this cycle in consistent terms:

  1. Direction — Define the intelligence requirements: which threat actors, asset types, or attack vectors are in scope based on organizational risk profile.
  2. Collection — Aggregate raw data from open-source intelligence (OSINT), commercial feeds, information-sharing communities (ISACs), internal telemetry, and dark web sources.
  3. Processing — Normalize, deduplicate, and format raw inputs into a structured schema. STIX 2.1 and TAXII 2.1 are the dominant machine-readable exchange standards.
  4. Analysis — Apply analytical frameworks — including diamond model analysis and kill chain mapping — to assess adversary intent, capability, and opportunity.
  5. Dissemination — Distribute finished intelligence to the appropriate consumer tier (executive report, SIEM rule, firewall block list) in the appropriate format.
  6. Feedback — Consumers evaluate the intelligence's operational utility, closing the loop to refine collection priorities.

The transition from step 2 to step 3 is where most operational failures occur — raw IOC feeds without context produce alert fatigue when fed directly into detection systems without enrichment.
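As an added illustration of the Processing step (example code written for this page, not taken from it or from any STIX tooling), the following Python normalizes a constructed raw feed into STIX 2.1 indicator objects: it lowercases and deduplicates values across sources, keeps the highest confidence seen, labels each indicator with its sources, drops unparseable rows, and sets a 72-hour valid_until so tactical indicators expire instead of accumulating. The feed format, the source names and the use of deterministic UUIDv5 ids are assumptions made for the example.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Constructed raw feed (value,source,confidence) with case differences, cross-source duplicates and junk.
RAW_FEED = """\
198.51.100.7,constructed-feed-a,80
evil-login.example,constructed-feed-a,60
198.51.100.7,constructed-feed-b,90
EVIL-LOGIN.example,constructed-feed-b,70
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,constructed-feed-a,50
not an indicator,constructed-feed-b,10
"""
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the run
TACTICAL_TTL = timedelta(hours=72)  # tactical IOCs are marked stale after 72 hours
OBSERVABLE_TYPES = (  # coarse shape checks keyed by STIX Cyber-observable type, tried in order
    ("ipv4-addr", re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")),
    ("file", re.compile(r"^[0-9a-f]{64}$")),
    ("domain-name", re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")),
)

def classify(value):
    """Return (STIX observable type, normalized value); the type is None if unrecognized."""
    value = value.strip().lower()
    return next((kind for kind, shape in OBSERVABLE_TYPES if shape.match(value)), None), value

def normalize_feed(raw, now):
    """Deduplicate by observable, keep the highest confidence seen, record every source."""
    merged = {}
    for line in filter(str.strip, raw.splitlines()):
        value, source, conf = (f.strip() for f in line.split(","))
        kind, value = classify(value)
        if kind is None:
            continue  # unparseable rows are dropped, not passed on to detection
        entry = merged.setdefault((kind, value), {"sources": set(), "confidence": 0})
        entry["sources"].add(source)
        entry["confidence"] = max(entry["confidence"], int(conf))
    indicators = []
    for (kind, value), entry in merged.items():
        field = "hashes.'SHA-256'" if kind == "file" else "value"
        pattern = f"[{kind}:{field} = '{value}']"
        # UUIDv5 of the pattern gives a stable id, so re-ingesting the feed updates rather than duplicates
        indicators.append({
            "type": "indicator", "spec_version": "2.1", "pattern_type": "stix", "pattern": pattern,
            "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, pattern)),
            "created": now.isoformat(), "modified": now.isoformat(),
            "indicator_types": ["malicious-activity"], "confidence": entry["confidence"],
            "valid_from": now.isoformat(), "valid_until": (now + TACTICAL_TTL).isoformat(),
            "labels": sorted(entry["sources"])})
    return indicators
```

The six raw rows collapse to three indicators, each carrying every source that reported it, so a downstream SIEM rule can weight the hit instead of firing blindly.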


Common scenarios

Sector-specific ISAC participation — Financial services organizations participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), which distributes threat intelligence to member institutions under structured trust agreements. Healthcare organizations use the Health-ISAC. Both operate under frameworks recognized by CISA's National Critical Infrastructure Protection program.

Ransomware campaign attribution — When a ransomware incident occurs, operational threat intelligence enables attribution by matching observed TTPs against MITRE ATT&CK group profiles. Groups such as LockBit 3.0 and ALPHV/BlackCat have adversary profiles maintained in the ATT&CK knowledge base, allowing analysts to anticipate lateral movement and exfiltration patterns based on documented group behavior.

Supply chain threat detection — Following the SolarWinds incident disclosed in December 2020, supply chain security programs integrated threat intelligence feeds focused on software build environments and trusted vendor communications. CISA issued Emergency Directive 21-01 in response, mandating specific detection actions for federal agencies.

Phishing infrastructure identification — Tactical intelligence feeds containing malicious domain registrations and certificate transparency log anomalies enable preemptive blocking before phishing and social engineering campaigns reach end users. Feeds from organizations such as the Anti-Phishing Working Group (APWG) are integrated into email security gateways and DNS filtering layers.

Dark web monitoring — Specialist providers conduct continuous monitoring of dark web forums, paste sites, and criminal marketplaces to surface early indicators of credential leakage, planned attacks against named targets, or sale of access credentials for specific organizations.


Decision boundaries

Selecting the appropriate intelligence tier and source depends on three structural factors:

Organizational maturity — Organizations without a dedicated security operations center lack the qualified staff and capacity to operationalize raw tactical feeds. Strategic and operational intelligence in report format is more actionable for less mature programs.

Regulatory sector — Defense industrial base contractors subject to CMMC compliance requirements must align threat intelligence practices with NIST SP 800-171 controls, specifically control families SI (System and Information Integrity) and RA (Risk Assessment). Federal agencies follow FISMA requirements and CISA binding operational directives.

Tactical vs. strategic tradeoff — High-volume IOC feeds (tactical) degrade in value within 24 to 72 hours as adversaries rotate infrastructure. Strategic intelligence retains analytical value over quarters or years. Programs with limited processing capacity prioritize strategic and operational tiers while automating tactical IOC ingestion through SIEM platforms.

Internal vs. external sourcing — Internal telemetry (endpoint detection logs, firewall events, DNS queries) produces organization-specific intelligence unavailable from any external feed. The combination of internal telemetry with external ISAC data and commercial feeds represents the highest-fidelity posture, but requires integration architecture and normalized data schemas to function.
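As an added example (not from the page) of combining internal DNS telemetry with an external feed, the following Python matches constructed resolver log lines against a constructed indicator set: it walks up parent domains so subdomains of a flagged domain are caught, carries source and confidence into each alert, and sets aside hits on indicators whose valid_until has already passed. The log format and the indicator fields are assumptions.

```python
from datetime import datetime

# Constructed external indicators keyed by domain, each carrying the context that
# the enrichment step attached (source, confidence, valid_until as ISO 8601).
EXTERNAL_INDICATORS = {
    "evil-login.example": {"source": "constructed-feed-a", "confidence": 70,
                           "valid_until": "2024-01-18T12:00:00+00:00"},
    "old-campaign.example": {"source": "constructed-feed-b", "confidence": 90,
                             "valid_until": "2024-01-10T00:00:00+00:00"},  # already expired
}
# Constructed internal resolver telemetry: "timestamp client_ip qname".
DNS_LOG = """\
2024-01-15T13:02:11+00:00 10.0.4.23 www.example
2024-01-15T13:02:19+00:00 10.0.4.23 mail.evil-login.example
2024-01-15T13:05:40+00:00 10.0.7.8 old-campaign.example
2024-01-15T13:06:02+00:00 10.0.4.23 evil-login.example
"""

def lookup(qname, indicators):
    """Return (matched indicator domain, context) for qname or any parent of it, else (None, None)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # walk from the full name up to its two-label parent
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate, indicators[candidate]
    return None, None

def match_dns_log(log, indicators):
    """Enrich each query that hits a still-valid indicator; report expired hits separately."""
    alerts, expired = [], []
    for line in filter(str.strip, log.splitlines()):
        ts, client, qname = line.split()
        matched, ctx = lookup(qname, indicators)
        if matched is None:
            continue
        # An indicator past its valid_until is stale: record it for feed hygiene, do not alert on it.
        if datetime.fromisoformat(ts) > datetime.fromisoformat(ctx["valid_until"]):
            expired.append({"client": client, "qname": qname, "indicator": matched})
            continue
        alerts.append({"time": ts, "client": client, "qname": qname, "indicator": matched,
                       "source": ctx["source"], "confidence": ctx["confidence"]})
    return alerts, expired
```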

Intelligence sharing carries legal framing under the Cybersecurity Information Sharing Act (CISA 2015), codified at 6 U.S.C. §§ 1501–1510, which provides liability protections for private entities sharing cyber threat indicators with federal agencies through designated portals including the Automated Indicator Sharing (AIS) system operated by CISA.

