What the Heck is Threat Intelligence?

  • Threat intelligence is not a “magic bullet.” When an intelligence consumer requests additional information or context on a particular topic, there must be the expectation and understanding that the intelligence team may not have any additional information. There is often a perception that those who practice intelligence can draw upon secret stores of knowledge (often referred to as the “deep web” or the “dark web” by marketing personnel and product feature lists alike). The reality is that while these so-called deep and dark web sources exist, they are not fonts of secret knowledge, and much of intelligence is conducted using publicly available data and information.
  • Threat intelligence is not “brand monitoring,” or at least it isn’t usually. The aforementioned article identified that threat intelligence is not brand monitoring and any efforts such as that should be handled by a dedicated team, and that statement is true. However, there are absolutely cases where brand monitoring may contribute to intelligence analysis, and the intelligence team should absolutely consume and analyze the results of brand monitoring, including the creation of fake social media profiles and fraudulent websites masquerading as an organization.
  • No part of threat intelligence is a “secondary duty.” Some organizations attempt to assign threat intelligence duties to their line analysts, such as collection of reporting and other data, however threat intelligence is a specialty, much like incident response or digital forensics, and as such it requires specific training and knowledge. It is not a task that can be distributed among other teams, and when it is distributed it takes analysts away from their primary responsibility.
  • Threat intelligence is not monitoring for compromised credit cards or credentials, but the results of that monitoring can serve as another input for threat intelligence. Much like brand monitoring, monitoring for stolen credit cards and compromised credentials is often a task that can be offloaded to various third-party services (or indeed implemented in-house with many open source tools). However, a threat intelligence team should absolutely monitor the results of that third-party collection for wider analysis, especially during incident response investigations.
  • Threat intelligence is not simply blindly reading and ingesting polished reports released by various vendors. While these reports may serve as a further input, intelligence analysis requires that such sources and reporting be assessed, collated, correlated, and analyzedto determine if the reporting aligns with existing bodies of knowledge on the subject, and if not, why. Unfortunately, this practice remains very common in various security operations centers globally, and often plays a significant factor in analyst fatigue and often contributes to the decreased perceived value of threat intelligence. After all, if all an analyst does is collect, read, and ingest vendor reporting, what value are they adding?
  • Intelligence Reporting — these are typically glossy and prosaic reports which are designed for human consumption. They may be written for a variety of audiences (C-level, managerial, or technical) and may include a variety of details or may be relatively sparse. The challenge many organizations face with this format, however, is that in times of incident response and investigation, analysts’ time can be monopolized sorting through various reports in an effort supplement their investigation.
  • Threat Feeds — these are typically feeds which leverage automated distribution and will include various indicators of compromise and varying levels of tagging. This format can also challenge organizations, as the feeds often feature out-of-date information and lack any significant contextualization, resulting in analyst fatigue and frustration as well as a surge in false positive results.

Definition & Planning

  • What actors target the financial sector?
  • Who is targeting us?
  • Are actors actively targeting a known vulnerability in our web application?
  • What malware is known to exploit EternalBlue?
  • Requirements set out by intelligence consumers and stakeholders.
  • Sources, resources and challenges are identified; sources and resources are ranked according to value, and challenges are identified and plans to work around them (where possible) are included.
  • Priorities are established, with specific requirements and sources holding different priorities according to the established requirements.
  • Taskings are formal directives tasking specific resources with collection and analysis. This ensures that workloads are appropriately managed and that all requirements are addressed by specific subject matter experts.
  • Ongoing Evaluation will occur and have overall progress of individual tasks and overall PIRs tracked.
  • Deep Web
  • Dark Web
  • Social Media
  • Paste Sites
  • News Sites
  • Vendor Reporting



Analysis & Production






Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

{UPDATE} A To Z Guide For Rubik's Cube Hack Free Resources Generator

Why Do Hackers Hack?

{UPDATE} TriPeaks - Solitaire Hack Free Resources Generator

Using Microsoft Teams Safely and Securely in Your Company

Using Microsoft Teams Safely and Securely in Your Company

10 Best Apps for Employee Monitoring 2019

Meta rewrites privacy policy but says it won’t collect data in ‘new ways’ : Gadget Game News

{UPDATE} Slots - Golden Hero Casino Hack Free Resources Generator

Bluetooth Low Energy recon using Bettercap

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Cyborg Security

Cyborg Security

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.

More from Medium

Fixing the Zeek Add-on for Splunk in DetectionLab

D3T3CT to PRoT3CT — Infostealer Malware — FFDroider

OSCD: Threat Detection Sprint #1, results (EN)

Figures for 6 of December 2019, when final PR from OSCD to Sigma master branch has been created

Red Team Tools 2(FireEye Breach) LetsDefend DFIR Challenge