What Is Threat Intelligence?
Threat intelligence (TI) is evidence-based knowledge about existing or emerging threats — including context, mechanisms, indicators, implications, and actionable advice about a threat. The goal is to make security decisions faster and with better information by knowing what adversaries are doing before (or while) they attack you.
Raw threat data (an IP address, a domain name, a file hash) isn't intelligence by itself. Intelligence requires context — who is using this IP, what campaigns has this domain been linked to, what malware family uses this hash. The process of turning raw data into actionable intelligence is the threat intelligence lifecycle: Plan → Collect → Process → Analyze → Disseminate → Feedback.
Indicator of Compromise (IOC): Artifact left after a compromise — a malicious file hash, a known C2 IP address, a suspicious registry key, a domain associated with malware. IOCs are reactive: by the time you find them, you may already be compromised.
Indicator of Attack (IOA): Behavioral patterns that suggest an attack is happening right now — unusual process spawning, lateral movement, privilege escalation attempts. IOAs are proactive: you can detect an attack in progress even without known IOCs.
Types of Indicators of Compromise
| IOC Type | Example | Use Case |
|---|---|---|
| File Hash | MD5, SHA-1, SHA-256 of a malicious binary | Block execution of known malware; match against threat feeds |
| IP Address | Known C2 server, Tor exit node, attacker scanner | Block in firewall; alert in SIEM if an internal host connects to it |
| Domain / URL | Phishing domain, malware distribution URL | DNS sinkholing, proxy blocking, phishing detection |
| Email Indicators | Malicious sender address, subject line pattern, attachment type | Email filtering, phishing detection rules |
| Registry Key | Persistence mechanism added by malware (run key) | Host-based detection, EDR rules |
| Mutex / Artifact | Named mutex created by malware to prevent re-infection | Memory forensics, malware analysis |
| Network Pattern | Specific User-Agent string, beacon interval, protocol anomaly | IDS/IPS signatures, network monitoring |
STIX and TAXII
For threat intelligence to be useful at scale, organizations need a standard way to express it and a standard way to share it. That's where STIX and TAXII come in — they're complementary standards developed by MITRE and now maintained by OASIS.
STIX and TAXII are almost always tested together. The key distinction: STIX is the format/language (what threat data looks like), TAXII is the transport (how that data gets shared). You describe a threat actor using STIX; you share that STIX data using TAXII. A common wrong answer is to conflate the two or assign the wrong role to each.
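As an added example (not code from this page, from MITRE or from OASIS), here is the STIX side of that split in practice: a minimal STIX 2.1 Indicator whose pattern carries two of the IOC types from the table above (a C2 IP and a file hash), and a small matcher that a SIEM-side script could run over log records once such a bundle has arrived over TAXII. The IP addresses, hash, timestamp and log records are constructed placeholders, and the pattern parser handles only the simple equality comparisons most feed indicators use, not the full STIX patterning grammar.

```python
import re
import uuid
# Constructed values: 203.0.113.0/24 is a documentation-only range and the
# hash is a placeholder, not a real malware sample.
FAKE_C2_IP = "203.0.113.45"
FAKE_SHA256 = "a" * 64
STAMP = "2024-01-01T00:00:00.000Z"  # constructed timestamp for created/modified

def make_indicator(pattern, name):
    """Build a minimal STIX 2.1 Indicator object (required fields only)."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}", "created": STAMP,
            "modified": STAMP, "name": name, "pattern_type": "stix",
            "pattern": pattern, "valid_from": STAMP}

# A bundle whose one indicator carries two IOC types: a C2 IP and a file hash.
BUNDLE = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [
    make_indicator(f"[ipv4-addr:value = '{FAKE_C2_IP}'] OR "
                   f"[file:hashes.'SHA-256' = '{FAKE_SHA256}']",
                   "Constructed C2 server and dropper indicator")]}

# Matches the simple equality form [type:property = 'value'], joined by OR.
COMPARISON = re.compile(r"\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']+)'\s*\]")

def parse_pattern(pattern):
    """Return {(object_type, property): {values}} for each comparison found."""
    terms = {}
    for obj, prop, value in COMPARISON.findall(pattern):
        terms.setdefault((obj, prop.replace("'", "")), set()).add(value)
    return terms

# Constructed records in the shape a proxy or EDR log might provide.
LOGS = [{"src": "10.0.0.8", "dst": "203.0.113.45", "sha256": None},
        {"src": "10.0.0.9", "dst": "198.51.100.20", "sha256": "b" * 64},
        {"src": "10.0.0.9", "dst": "10.0.0.1", "sha256": "a" * 64}]

def match_bundle(bundle, logs):
    """Return (log index, indicator id) for every record that hits an indicator."""
    hits = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        terms = parse_pattern(obj["pattern"])
        ips = terms.get(("ipv4-addr", "value"), set())
        hashes = terms.get(("file", "hashes.SHA-256"), set())
        for i, rec in enumerate(logs):
            if rec["dst"] in ips or rec["sha256"] in hashes:
                hits.append((i, obj["id"]))
    return hits
```

Records 0 and 2 hit (the C2 destination and the known hash); record 1 does not, which is the point of carrying context with the indicator rather than a bare IP or hash list.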
Threat Intelligence Sources
Threat intelligence comes from a variety of sources, ranging from open and free to closed and expensive. The Security+ exam distinguishes between source types:
| Source Type | Description | Examples |
|---|---|---|
| OSINT | Open Source Intelligence — publicly available information gathered and analyzed for threat context | Shodan, VirusTotal, AlienVault OTX, government advisories, CVE databases |
| Closed / Proprietary | Paid, subscription-based feeds with curated, validated intelligence — higher quality, less noise | CrowdStrike Falcon Intelligence, Recorded Future, Mandiant Threat Intelligence |
| ISACs | Information Sharing and Analysis Centers — sector-specific communities that share intel between member organizations | FS-ISAC (financial), H-ISAC (healthcare), E-ISAC (energy), IT-ISAC |
| Government | Official government threat intelligence, advisories, and sharing programs | CISA, FBI, NSA advisories; US-CERT; NCSC (UK) |
| Dark Web | Monitoring underground forums, marketplaces, and criminal communities for early warning | Threat actors advertising new exploits, stolen credentials for sale |
| Internal | Intelligence generated from your own environment — logs, incidents, honeypots, EDR telemetry | Your SIEM alerts, previous incident reports, honeypot interactions |
MITRE ATT&CK Framework
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It's organized as a matrix where columns represent tactics (the adversary's goal — the "why") and rows within each column represent techniques (how they achieve it — the "how").
The 14 ATT&CK Enterprise tactics in kill-chain order: Reconnaissance → Resource Development → Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Credential Access → Discovery → Lateral Movement → Collection → Command and Control → Exfiltration → Impact. Each tactic contains multiple techniques and sub-techniques — over 400 in total.
ATT&CK is primarily used for three purposes in a security operations context: threat hunting (using known adversary techniques as hunt hypotheses), detection engineering (building SIEM and EDR rules for specific techniques), and red team exercises (simulating specific adversary techniques to test defenses). When a threat intelligence report says an APT group uses "T1566.001" (Spearphishing Attachment), that's an ATT&CK technique ID.
Pyramid of Pain
The Pyramid of Pain, developed by security researcher David Bianco, illustrates how much difficulty defenders cause adversaries by detecting or blocking different types of indicators. The higher up the pyramid an indicator type sits, the more effort the attacker must spend to adapt when you detect or block it.
The practical implication: blocking file hashes and IPs is cheap for defenders but also cheap for attackers to evade. Detecting and disrupting adversary TTPs (the techniques they use) is much harder for attackers to work around — they have to fundamentally change how they operate. This is why MITRE ATT&CK focuses on techniques rather than indicators.