What Is Threat Intelligence?
Threat intelligence (TI) is evidence-based knowledge about existing or emerging threats — including context, mechanisms, indicators, implications, and actionable advice about a threat. The goal is to make security decisions faster and with better information by knowing what adversaries are doing before (or while) they attack you.
Raw threat data (an IP address, a domain name, a file hash) isn't intelligence by itself. Intelligence requires context — who is using this IP, what campaigns has this domain been linked to, what malware family uses this hash. The process of turning raw data into actionable intelligence is the threat intelligence lifecycle: Plan → Collect → Process → Analyze → Disseminate → Feedback.
Indicator of Compromise (IOC): Artifact left after a compromise — a malicious file hash, a known C2 IP address, a suspicious registry key, a domain associated with malware. IOCs are reactive: by the time you find them, you may already be compromised.
Indicator of Attack (IOA): Behavioral patterns that suggest an attack is happening right now — unusual process spawning, lateral movement, privilege escalation attempts. IOAs are proactive: you can detect an attack in progress even without known IOCs.
Types of Indicators of Compromise
| IOC Type | Example | Use Case |
|---|---|---|
| File Hash | MD5, SHA-1, SHA-256 of a malicious binary | Block execution of known malware; match against threat feeds |
| IP Address | Known C2 server, TOR exit node, attacker scanner | Block in firewall, alert in SIEM if internal host connects to it |
| Domain / URL | Phishing domain, malware distribution URL | DNS sinkholing, proxy blocking, phishing detection |
| Email Indicators | Malicious sender address, subject line pattern, attachment type | Email filtering, phishing detection rules |
| Registry Key | Persistence mechanism added by malware (run key) | Host-based detection, EDR rules |
| Mutex / Artifact | Named mutex created by malware to prevent re-infection | Memory forensics, malware analysis |
| Network Pattern | Specific User-Agent string, beacon interval, protocol anomaly | IDS/IPS signatures, network monitoring |
STIX and TAXII
For threat intelligence to be useful at scale, organizations need a standard way to express it and a standard way to share it. That is where STIX and TAXII come in: complementary standards originally developed by MITRE (with DHS sponsorship) and now maintained by the OASIS CTI Technical Committee. STIX 2.x represents threats as JSON objects (indicators, malware, threat actors, relationships, and so on) grouped into bundles; TAXII 2.x is an HTTPS REST API that publishes those objects through API roots and collections, which clients poll with filters such as added_after.
STIX and TAXII are almost always tested together. The key distinction: STIX is the format/language (what threat data looks like), TAXII is the transport (how that data gets shared). You describe a threat actor using STIX; you share that STIX data using TAXII. A common wrong answer is to conflate the two or assign the wrong role to each.
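To make the "STIX is the format" point concrete, here is an added example (not code from the page, MITRE or OASIS) that builds a minimal STIX 2.1 bundle by hand with only the standard library, then pulls the blockable values back out of the indicator pattern. The malware name, the two RFC 5737 test addresses and the relationship are constructed for illustration; the object layout (required common properties, `pattern_type`, `is_family`, `indicates` relationship) follows the STIX 2.1 spec. A TAXII client would receive exactly these objects as JSON from a collection's `objects/` endpoint.

```python
"""Build a minimal STIX 2.1 bundle and extract observables from its indicators.

Added example, not from the page. Standard library only; object layout
follows STIX 2.1. All names and values are constructed for illustration.
"""
import json
import re
import uuid
from datetime import datetime, timezone


def _now() -> str:
    # STIX timestamps are RFC 3339 UTC with millisecond precision and a trailing 'Z'.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def _sdo(stix_type: str, **props) -> dict:
    """Common properties every STIX Domain / Relationship Object must carry."""
    ts = _now()
    obj = {
        "type": stix_type,
        "spec_version": "2.1",
        "id": f"{stix_type}--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
    }
    obj.update(props)
    return obj


def build_bundle(c2_ips: list[str], malware_name: str) -> dict:
    """Express 'these IPs are C2 for this malware' in STIX.

    The indicator alone is raw data; the malware object plus the 'indicates'
    relationship is the context that turns it into intelligence."""
    pattern = " OR ".join(f"ipv4-addr:value = '{ip}'" for ip in c2_ips)
    indicator = _sdo(
        "indicator",
        name=f"{malware_name} C2 infrastructure",
        indicator_types=["malicious-activity"],
        pattern=f"[{pattern}]",
        pattern_type="stix",
        valid_from=_now(),
    )
    malware = _sdo("malware", name=malware_name, is_family=True,
                   malware_types=["remote-access-trojan"])
    rel = _sdo("relationship", relationship_type="indicates",
               source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [indicator, malware, rel]}


# One STIX comparison expression: <object-type>:<property-path> = '<value>'
_COMPARISON = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.\[\]'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def extract_observables(bundle: dict) -> list[tuple[str, str]]:
    """Return (object_type, value) pairs from every live indicator with a STIX pattern.

    Only equality comparisons are handled, which is what IOC-style feeds ship;
    anything else (MATCHES, ranges, WITHIN) is skipped rather than mis-parsed."""
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if obj.get("revoked"):
            continue  # a revoked indicator must never become a block rule
        for obj_type, _prop, value in _COMPARISON.findall(obj["pattern"]):
            found.append((obj_type, value))
    return found


def indicated_malware(bundle: dict) -> dict[str, str]:
    """Map indicator id -> malware name by following 'indicates' relationships."""
    names = {o["id"]: o["name"] for o in bundle["objects"] if o["type"] == "malware"}
    return {
        r["source_ref"]: names[r["target_ref"]]
        for r in bundle["objects"]
        if r["type"] == "relationship"
        and r["relationship_type"] == "indicates"
        and r["target_ref"] in names
    }


if __name__ == "__main__":
    b = build_bundle(["203.0.113.10", "198.51.100.7"], "ExampleRAT")
    print(json.dumps(b, indent=2))
    print(extract_observables(b))
    print(indicated_malware(b))
```

The extraction side is where most home-grown TAXII consumers go wrong: they regex the pattern for anything that looks like an IP and ignore `revoked`, `valid_until` and the relationships that say what the indicator actually means.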
Threat Intelligence Sources
Threat intelligence comes from a variety of sources, ranging from open and free to closed and expensive. The Security+ exam distinguishes between source types:
| Source Type | Description | Examples |
|---|---|---|
| OSINT | Open Source Intelligence — publicly available information gathered and analyzed for threat context | Shodan, VirusTotal, AlienVault OTX, government advisories, CVE databases |
| Closed / Proprietary | Paid, subscription-based feeds with curated, validated intelligence — higher quality, less noise | CrowdStrike Falcon Intelligence, Recorded Future, Mandiant Threat Intelligence |
| ISACs | Information Sharing and Analysis Centers — sector-specific communities that share intel between member organizations | FS-ISAC (financial), H-ISAC (healthcare), E-ISAC (electricity), IT-ISAC |
| Government | Official government threat intelligence, advisories, and sharing programs | CISA, FBI, NSA advisories; US-CERT; NCSC (UK) |
| Dark Web | Monitoring underground forums, marketplaces, and criminal communities for early warning | Threat actors advertising new exploits, stolen credentials for sale |
| Internal | Intelligence generated from your own environment — logs, incidents, honeypots, EDR telemetry | Your SIEM alerts, previous incident reports, honeypot interactions |
MITRE ATT&CK Framework
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It's organized as a matrix where columns represent tactics (the adversary's goal — the "why") and rows within each column represent techniques (how they achieve it — the "how").
The 14 ATT&CK Enterprise tactics in kill-chain order: Reconnaissance → Resource Development → Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Credential Access → Discovery → Lateral Movement → Collection → Command and Control → Exfiltration → Impact. Each tactic contains multiple techniques and sub-techniques; Enterprise ATT&CK lists several hundred in total, and the count grows with every release.
ATT&CK is primarily used for three purposes in a security operations context: threat hunting (using known adversary techniques as hunt hypotheses), detection engineering (building SIEM and EDR rules for specific techniques), and red team exercises (simulating specific adversary techniques to test defenses). When a threat intelligence report says an APT group uses "T1566.001" (Spearphishing Attachment), that's an ATT&CK technique ID.
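The detection-engineering and threat-hunting uses above come down to one question: of the techniques a report attributes to the actor, which ones can we already see? The following added example (my code, not from the page or MITRE) extracts technique IDs from report text, compares them with a rule catalogue tagged by technique, and turns the gaps into hunt hypotheses. The report excerpt and the rule names are constructed; the ID format (`T1566` / `T1566.001`) is ATT&CK's own.

```python
"""Map a TI report's ATT&CK technique IDs onto detection coverage.

Added example, not from the page. The report text and rule catalogue are
constructed sample data; technique IDs use the Txxxx / Txxxx.yyy format.
"""
import re

TECHNIQUE_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# Constructed excerpt of an intelligence report.
REPORT = """
The actor gained initial access via spearphishing attachments (T1566.001) and
ran a VBA macro (T1059.005). Persistence used a Run key (T1547.001). It then
dumped LSASS memory (T1003.001) and moved laterally over SMB (T1021.002),
exfiltrating over its C2 channel (T1041).
"""

# Constructed detection rules, each tagged with the technique(s) it covers.
RULES = {
    "phish_attachment_macro": ["T1566.001"],
    "office_spawns_shell": ["T1059"],        # tagged with the parent technique only
    "run_key_modified": ["T1547.001"],
    "smb_admin_share_logon": ["T1021.002"],
}


def techniques_in_report(text: str) -> list[str]:
    """Ordered, de-duplicated technique IDs mentioned in free text."""
    seen: list[str] = []
    for tid in TECHNIQUE_ID.findall(text):
        if tid not in seen:
            seen.append(tid)
    return seen


def covered_ids(rules: dict[str, list[str]]) -> set[str]:
    return {tid for tags in rules.values() for tid in tags}


def coverage_gaps(report_ids: list[str], rules: dict[str, list[str]]) -> dict[str, str]:
    """Return {technique_id: 'exact' | 'parent-only' | 'none'}.

    A rule tagged with the parent technique (T1059) is counted only as
    partial cover for a sub-technique (T1059.005): it may fire, but the
    sub-technique should not be reported as detected until that is validated."""
    have = covered_ids(rules)
    status = {}
    for tid in report_ids:
        parent = tid.split(".")[0]
        if tid in have:
            status[tid] = "exact"
        elif parent in have:
            status[tid] = "parent-only"
        else:
            status[tid] = "none"
    return status


def hunt_priorities(status: dict[str, str]) -> list[str]:
    """Techniques with no detection at all become the first hunt hypotheses."""
    return [tid for tid, s in status.items() if s == "none"]


if __name__ == "__main__":
    ids = techniques_in_report(REPORT)
    status = coverage_gaps(ids, RULES)
    for tid, s in status.items():
        print(f"{tid:<10} {s}")
    print("hunt first:", hunt_priorities(status))
```

The parent-only distinction matters in practice: a generic "Office spawns a shell" rule tagged T1059 is often taken as proof that every scripting sub-technique is covered, which a red team exercise on the specific sub-technique will quickly disprove.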
Pyramid of Pain
The Pyramid of Pain, developed by security researcher David Bianco, illustrates the relative difficulty for adversaries when defenders block different types of indicators. From bottom to top the levels are hash values, IP addresses, domain names, network and host artifacts, tools, and TTPs. Higher up the pyramid means more pain for the attacker when you detect or block that indicator: a hash changes when a single byte of the binary changes, a new domain takes a little effort to register, while abandoning a tool or retraining on a new technique costs real time and money.
The practical implication: blocking file hashes and IPs is cheap for defenders but also cheap for attackers to evade. Detecting and disrupting adversary TTPs (the techniques they use) is much harder for attackers to work around — they have to fundamentally change how they operate. This is why MITRE ATT&CK focuses on techniques rather than indicators.
Threat Actor Categories
Exam Scenarios
Intelligence Types and Consumer Audiences
Not all threat intelligence serves the same audience. The Security+ exam distinguishes between different types of intelligence based on their intended consumer and time horizon.
Strategic intelligence is high-level, longer-term intelligence aimed at executives, board members, and senior security leadership. It addresses questions like "which threat actors are targeting our industry this year?" and "what are the trending attack techniques that our security program should prioritize?" Strategic intelligence is typically non-technical and focuses on business risk implications rather than technical indicators. It informs budget decisions, program priorities, and risk acceptance decisions at the executive level.
Operational intelligence focuses on specific ongoing campaigns or threat actor operations — providing context about a particular attack group's current activities, targets, and infrastructure. It helps security operations teams understand the nature and intent of attacks they may be facing. Operational intelligence is more timely than strategic intelligence and more actionable — it might describe a specific phishing campaign running right now, the lure documents being used, and the infrastructure hosting the C2 servers.
Tactical intelligence is the most actionable and short-lived type — specific indicators of compromise (IOCs) like malicious IP addresses, domain names, file hashes, and email subject lines associated with current threat campaigns. Tactical intelligence feeds directly into SIEM rules, firewall blocklists, and email security filters. It has a short shelf life — IOCs are rotated frequently by threat actors, so indicators from last month may already be irrelevant. The challenge with tactical intelligence is that it's reactive — it only protects against known, previously observed threats.
Technical intelligence overlaps with tactical but focuses specifically on the technical details of threat actor tools and techniques — malware analysis reports, vulnerability details, exploit code analysis. It's consumed by threat analysts, incident responders, and security engineers who need to understand how specific threats work to develop detections and defenses.
Threat Intelligence Lifecycle
Threat intelligence is not a product you buy and deploy — it's an ongoing process. The threat intelligence lifecycle describes how raw data becomes actionable insight for defenders.
The lifecycle typically has six stages. Planning and direction defines the intelligence requirements — what questions does the organization need answered? What threats are most relevant to the business? This stage prevents the common pitfall of collecting intelligence that nobody uses. Collection gathers raw data from the sources defined in the planning stage — threat feeds, dark web monitoring, honeypots, open source intelligence (OSINT), and human intelligence. Processing normalizes and structures the raw data — converting inconsistent formats, deduplicating indicators, and enriching data with context (geolocation, ownership data, malware family classification). Analysis is where raw processed data becomes intelligence — identifying patterns, attributing activity to threat actors, assessing likelihood and impact, and drawing conclusions that answer the intelligence requirements. Dissemination delivers the finished intelligence to the stakeholders who need it — in formats and at classification levels appropriate for each audience. Feedback closes the loop — stakeholders provide input on whether the intelligence was useful and whether the intelligence requirements need updating.
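The processing stage is the one most often skipped by teams that wire a feed straight into a SIEM, and it is where duplicate and junk indicators come from. As an added example (my code, not from the page), the block below normalizes raw indicator strings as they actually arrive from different sources: defanged (`hxxp://`, `[.]`), mixed case, with or without a URL scheme. It classifies each one, canonicalizes it, and de-duplicates on the canonical form. The feed lines are constructed; the hash lengths, defanging conventions and domain syntax are standard.

```python
"""Processing stage of the TI lifecycle: refang, classify, canonicalize, de-duplicate.

Added example, not from the page. RAW_FEED is constructed sample input that
mixes three sources describing partly the same indicators in different shapes.
"""
import ipaddress
import re
from urllib.parse import urlsplit

RAW_FEED = [
    "203.0.113.10",
    "203[.]0[.]113[.]10",                              # defanged copy of the same IP
    "hxxp://malware.example[.]net/payload.exe",
    "http://MALWARE.EXAMPLE.NET/payload.exe",           # same URL, different case
    "Malware.Example.NET",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "d41d8cd98f00b204e9800998ecf8427e",
    "Analyst@example.org",
    "not an indicator at all",
]

_HEX = {32: "md5", 40: "sha1", 64: "sha256"}
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+$")


def refang(s: str) -> str:
    """Undo the defanging conventions analysts use so IOCs are not clickable."""
    s = s.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        s = s.replace(defanged, real)
    return s


def classify(raw: str):
    """Return (ioc_type, canonical_value), or None if the string is not an indicator."""
    s = refang(raw)
    lowered = s.lower()
    if re.fullmatch(r"[0-9a-f]+", lowered) and len(lowered) in _HEX:
        return _HEX[len(lowered)], lowered
    try:
        ip = ipaddress.ip_address(s)
        return f"ipv{ip.version}", str(ip)
    except ValueError:
        pass
    if "://" in s:
        parts = urlsplit(s)
        if parts.scheme in ("http", "https") and parts.hostname:
            # Host is case-insensitive, so lower-case it (urlsplit already does);
            # path and query are case-sensitive on most servers, so keep them as-is.
            host = parts.hostname + (f":{parts.port}" if parts.port else "")
            query = f"?{parts.query}" if parts.query else ""
            return "url", f"{parts.scheme}://{host}{parts.path or '/'}{query}"
        return None
    if _EMAIL.match(lowered):
        return "email", lowered
    if _DOMAIN.match(lowered):
        return "domain", lowered
    return None


def process_feed(lines) -> dict[tuple[str, str], int]:
    """Normalize every line, drop junk, de-duplicate on (type, value).

    The count records how many raw entries collapsed into each IOC, which is
    useful feedback to the collection stage about source overlap."""
    seen: dict[tuple[str, str], int] = {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        seen[hit] = seen.get(hit, 0) + 1
    return seen


if __name__ == "__main__":
    for (kind, value), n in process_feed(RAW_FEED).items():
        print(f"{kind:<7} x{n}  {value}")
```

Ten raw lines become six indicators. Without this step the same C2 address would sit in the SIEM twice (once defanged, where it will never match anything) and the uppercase SHA-256 would never match a lowercase hash from an EDR.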
Threat Intelligence Integration — SIEM and SOAR
Threat intelligence's operational value comes from its integration with detection and response tools. Raw intelligence sitting in reports that nobody reads doesn't protect anything — it needs to be operationalized.
In a SIEM, threat intelligence feeds are ingested and matched against log data in real time. When a firewall log shows an outbound connection to an IP address that appears in a threat feed as a known C2 server, the SIEM generates an alert automatically. This correlation between observed network activity and known threat indicators is the core use case for tactical (IOC-level) threat intelligence. The quality of the intelligence feed directly affects alert quality: low-quality feeds with many false positives create alert fatigue, while high-quality, curated feeds produce reliable, actionable alerts.
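The following added example (my code, not from the page or any SIEM vendor) shows the correlation just described and, alongside it, the IOC-versus-IOA point made earlier: the feed match catches a known C2 address, honours the indicator's expiry so a stale IOC does not page anyone, and a behavioural beaconing check flags a host calling the same destination at a near-constant interval even though that destination is in no feed at all. The feed entries, log lines, addresses (RFC 5737 ranges) and thresholds are all constructed.

```python
"""Tactical IOC match with expiry, plus a behavioural beaconing IOA, over firewall logs.

Added example, not from the page. FEED, LOGS and the thresholds are constructed.
"""
import re
import statistics
from datetime import datetime, timezone

# Constructed feed: destination -> context. valid_until lets stale IOCs age out.
FEED = {
    "203.0.113.10": {"family": "ExampleRAT", "valid_until": "2030-01-01T00:00:00Z"},
    "198.51.100.7": {"family": "OldLoader", "valid_until": "2020-01-01T00:00:00Z"},  # expired
}

# Constructed firewall log lines: outbound connections only.
LOGS = """\
2024-03-01T10:00:00Z src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow
2024-03-01T10:00:05Z src=10.0.0.5 dst=198.51.100.7 dport=443 action=allow
2024-03-01T10:00:00Z src=10.0.0.9 dst=192.0.2.44 dport=8443 action=allow
2024-03-01T10:01:00Z src=10.0.0.9 dst=192.0.2.44 dport=8443 action=allow
2024-03-01T10:02:01Z src=10.0.0.9 dst=192.0.2.44 dport=8443 action=allow
2024-03-01T10:02:59Z src=10.0.0.9 dst=192.0.2.44 dport=8443 action=allow
2024-03-01T10:04:00Z src=10.0.0.9 dst=192.0.2.44 dport=8443 action=allow
2024-03-01T10:00:30Z src=10.0.0.12 dst=192.0.2.80 dport=443 action=allow
2024-03-01T10:07:12Z src=10.0.0.12 dst=192.0.2.80 dport=443 action=allow
2024-03-01T10:31:40Z src=10.0.0.12 dst=192.0.2.80 dport=443 action=allow
""".splitlines()

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = _ts(event["ts"])
    return event


def ioc_matches(events, feed, now_iso: str) -> list[dict]:
    """Tactical TI: alert when dst is in the feed and the indicator has not expired."""
    now = _ts(now_iso)
    alerts = []
    for e in events:
        ioc = feed.get(e["dst"])
        if ioc is None or _ts(ioc["valid_until"]) < now:
            continue  # unknown destination, or an IOC past its shelf life
        alerts.append({"rule": "ioc-c2", "src": e["src"], "dst": e["dst"], "family": ioc["family"]})
    return alerts


def beacon_candidates(events, min_conns: int = 5, max_jitter: float = 0.2) -> list[dict]:
    """IOA: a host contacting one destination at near-constant intervals.

    Jitter is measured as the coefficient of variation (stdev / mean) of the
    inter-connection gaps; implants with small randomised sleep stay well
    below 0.2, while human browsing is far above it."""
    by_pair: dict[tuple[str, str], list[datetime]] = {}
    for e in events:
        by_pair.setdefault((e["src"], e["dst"]), []).append(e["ts"])
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            found.append({"rule": "ioa-beacon", "src": src, "dst": dst,
                          "period_s": round(mean), "cv": round(cv, 3)})
    return found


if __name__ == "__main__":
    events = [e for e in map(parse, LOGS) if e]
    print(ioc_matches(events, FEED, "2024-03-01T12:00:00Z"))
    print(beacon_candidates(events))
```

Run as-is, the IOC rule fires once (10.0.0.5 to the live ExampleRAT address, not the expired OldLoader one) and the beacon rule flags 10.0.0.9 calling 192.0.2.44 every 60 seconds, a destination no feed knows about. That second alert is the Pyramid of Pain in practice: the attacker can rotate the IP for free, but changing the beaconing behaviour means changing the implant.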
SOAR (Security Orchestration, Automation, and Response) platforms use threat intelligence to enrich alerts and automate initial investigation steps. When an alert fires, the SOAR can automatically query threat intelligence platforms for additional context about the indicator (which malware family uses this C2 IP? Which APT group? What other organizations have reported it?), look up internal asset data to understand what the affected host is and who owns it, and check vulnerability scanners to see if the affected host is patched against known exploits used by the attributed threat actor. This context is assembled and presented to the analyst before they begin their investigation, dramatically reducing time to triage.
Dark Web Monitoring
Dark web monitoring is a specialized form of threat intelligence collection that monitors hidden services and criminal forums on the Tor network and other anonymized platforms. For organizations, dark web monitoring provides early warning of several threat scenarios.
Credential exposure: when a third-party service is breached and user credentials are stolen, those credentials often appear on dark web marketplaces or paste sites before the breach is publicly disclosed. Dark web monitoring services continuously scan for email addresses associated with an organization's domain appearing in credential dumps, providing early warning that users' credentials may be compromised and prompting proactive password resets before attackers use them.
Data leakage: sensitive documents, source code, and customer data stolen from organizations often appear on dark web markets. Monitoring for company-specific data (customer data patterns, proprietary document formatting, internal project names) can identify breaches that haven't been detected through internal controls.
Attack planning: some threat actors announce planned attacks, sell access to compromised systems, or discuss targeting of specific organizations in criminal forums. Intelligence collection from these sources can provide advance warning of imminent attacks, though this requires specialized expertise and operational security to conduct safely.
Threat Intelligence Sharing — ISACs and ISAOs
ISACs (Information Sharing and Analysis Centers) are sector-specific organizations that facilitate threat intelligence sharing between organizations within the same industry. The FS-ISAC serves the financial sector, the H-ISAC serves healthcare, the E-ISAC serves electricity/energy infrastructure, and dozens more serve other critical industries. ISACs allow organizations to share indicators, attack patterns, and defensive strategies — an attack observed at one bank may be shared with all member banks, enabling them to detect and block the same attack before it reaches them.
ISAOs (Information Sharing and Analysis Organizations) are similar to ISACs but not limited to specific critical infrastructure sectors. They can serve any community of interest: geographic regions, specific technology communities, or other groupings. Both ISACs and ISAOs mark shared information with the Traffic Light Protocol (TLP), which defines how far a recipient may redistribute it. Under TLP 2.0, the current version published by FIRST: TLP:RED is for the named recipients only and must not be shared further; TLP:AMBER+STRICT may be shared only within the recipient's own organization; TLP:AMBER may be shared within the recipient's organization and with its clients on a need-to-know basis; TLP:GREEN may be shared within the recipient's community but not publicly; TLP:CLEAR (which replaced TLP:WHITE in TLP 2.0) carries no restriction and may be shared publicly. The Security+ exam tests TLP designations as part of the threat intelligence sharing topic.