A comprehensive study guide covering the intelligence lifecycle, source evaluation, public-private partnerships (ISACs), and how to make threat intelligence actionable across risk management, incident response, vulnerability management, and detection functions.
Security Intelligence vs. Cyber Threat Intelligence
Modern defense cannot rely on static configurations alone — firewalls, ACLs, and antivirus signatures are necessary but insufficient against a thinking adversary. An intelligence-driven defense requires two complementary lenses: looking inward at your own posture, and looking outward at the threat landscape.
Security intelligence — looking inward
The process of generating, collecting, processing, analyzing, and disseminating data from your own information systems to understand your organization's current security posture. Examples: reviewing firewall logs, processing IDS alerts, analyzing authentication events.
Cyber threat intelligence — looking outward
The process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources — attacker groups, malware outbreaks, zero-day exploits. Answers: "What can attack us and how?"
You need both. Security intelligence tells you where you stand; cyber threat intelligence tells you what is coming.
Two delivery formats for cyber threat intelligence
Narrative reports
Strategic-level intelligence
Written analysis of a specific adversary group or malware family — typically 20–30 pages. Manually created by threat analysts from packet captures, honeypot data, and research. Used to drive long-term security investment and control selection. Available via subscription from vendors like Mandiant, FireEye, Red Canary.
Data feeds
Tactical-level intelligence
Automated lists of known-bad indicators — IP addresses, domain names, malware hashes, IOCs. Highly operational: a bad-IP feed can be loaded directly into a firewall block rule. Complements the narrative picture with specific, actionable data points.
Neither format alone is sufficient. Narrative reports give you strategic context ("who is attacking my sector and why"); data feeds give you tactical rules ("block this IP now"). An effective CTI program uses both.
2
The Intelligence Lifecycle — Five Phases
Intelligence is a process, not a product. Raw data becomes actionable intelligence only by moving through a structured cycle. The five phases form a continuous loop — the output of phase five feeds back into phase one to continuously refine the effort.
1
Requirements, planning & direction Define what you need to collect, why, and under what legal constraints. Tied to organizational use cases — without clear goals, you collect everything and learn nothing.
2
Collection & processing Gather data via SIEMs, sensors, packet captures, and external feeds. Normalize disparate log formats into a unified schema so they can be queried and indexed together.
3
Analysis Bucket data into known-good, known-bad, and uncertain. Apply machine learning, AI, and human expertise to the uncertain bucket. Filter through the lens of your use cases.
4
Dissemination Publish findings at the right level — strategic (exec reports), operational (manager checklists), or tactical (real-time SOC alerts). Format and audience must match.
5
Feedback & review Measure success, review lessons learned, and evolve collection priorities as the threat landscape shifts. The cycle then restarts with refined requirements.
Phase 2 in depth — collection & processing considerations
Normalization
Raw logs from firewalls, routers, endpoints, and IDS sensors arrive in different formats. Processing standardizes fields — source IP, destination IP, timestamp — so a single SIEM can query across all of them.
SIEM as hub
The SIEM (Security Information and Event Management system) aggregates normalized data from all sensors. It is both the collection point and the primary analysis interface.
Protecting the SIEM
The SIEM is a high-value target. Apply encryption at rest, strict access controls, and hash-based integrity checks — the same data useful to defenders is equally valuable to attackers.
Phase 4 in depth — three dissemination levels
Strategic
Broad themes and long-term organizational priorities. Delivered to executives and senior leadership as written reports or presentations. Influences security investment and program direction over weeks, months, or years. Example: "APT groups are increasingly targeting Linux infrastructure — our roadmap should prioritize Linux hardening."
Operational
Day-to-day priorities for managers and specialists. Often delivered as a briefing or prioritized checklist. Example: "Three new phishing campaigns were detected targeting our sector this week — focus patch efforts on the following systems today."
Tactical
Real-time information for SOC analysts responding to live alerts. Immediate and specific — an alert on the watch floor with context about the associated IOC, TTP, or adversary group. Drives in-the-moment decisions.
3
Intelligence Sources & Quality Factors
Not all intelligence sources are equal. Before acting on external threat data, evaluate it against four quality factors — and understand where it comes from.
The four quality factors
Timeliness
Is it current?
Once an adversary knows they've been identified, they change TTPs. Intelligence about a threat actor's techniques may be obsolete within days or weeks. Timely dissemination is as important as accurate analysis.
Relevancy
Does it apply to your context?
Mac OS X attack data is unlikely to be relevant to an organization running Windows or Linux embedded systems. Intelligence must match your environment, industry, and use cases to drive meaningful decisions.
Accuracy
Is it valid and true?
False positives waste analyst time and erode trust in the intelligence process. Especially critical when using ML/AI-based feeds — the quality of automated decisions is bounded by the quality of input data.
Confidence level
How certain is the source?
Analysts rarely have 100% of the facts. Explicitly grading confidence — using a scale like the admiralty scale — allows consumers to calibrate their response appropriately. High-confidence intel warrants aggressive action; low-confidence intel warrants monitoring.
Grading confidence — the Admiralty Scale
The MISP project formalizes the use of the admiralty scale for rating intelligence. It grades two independent dimensions: how reliable the source is, and how well-confirmed the information is.
Source reliability (A–F)
ACompletely reliable — no doubt in past reliability
BUsually reliable — minor doubts in past
CFairly reliable — doubts in past reliability
DNot usually reliable — significant doubts
EUnreliable
FReliability cannot be judged
Information content (1–6)
1Confirmed — multiple independent sources
2Probably true — corroborated by other info
3Possibly true — not confirmed
4Doubtful — contradicts other info
5Improbable — contradicted by reliable info
6Cannot be judged — no basis for evaluation
Exam note: You do not need to memorize the admiralty scale for the exam, but knowing it exists and how it works is valuable for real-world practice. Combined grades read as letter + number — e.g. "A1" means a completely reliable source with confirmed information, the highest possible confidence.
Three source categories
Proprietary
Commercial subscription services providing threat updates and research. Quality varies significantly — some simply repackage freely available data without adding original research. Evaluate what proprietary value the provider actually delivers before subscribing.
Closed-source
Data derived from the provider's own research, honeynets, and anonymized telemetry from their customer base. Mandiant is the canonical example — their intelligence is built from real incident response engagements and proprietary sensor networks, giving it high value and depth.
Open-source
Freely available threat feeds, reputation lists, and malware databases. A strong starting point for organizations not yet ready to invest in commercial subscriptions, and a useful supplement for those that are. Quality varies — evaluate using the four quality factors above.
Key open-source intelligence feeds
US-CERTCurrent activity alerts, bulletins, analysis reports, and the Automated Indicator Service (AIS) — a bidirectional threat feed for sharing IOCs with federal partners.
UK NCSCThe UK's National Cyber Security Centre provides equivalent services to US-CERT, including threat assessments and advisories relevant to UK and international organizations.
AT&T Security (OTX)Formerly AlienVault Open Threat Exchange — a community-driven threat intelligence feed with a large contributor base of security researchers worldwide.
MISPMalware Information Sharing Project — an open-source platform for sharing, storing, and correlating IOCs. Integrates STIX over TAXII (see Chapter 4) and supports OpenIOC definitions.
VirusTotalUpload any suspicious file and check it against 40–50 antivirus engines simultaneously. A critical first triage step for unknown files encountered during incident response.
SpamhausFocused on spam and email-based threats — maintains block lists of known spam sources and domains widely used in email filtering infrastructure.
SANS ISC Suspicious DomainsA continuously updated feed of domains flagged as potentially malicious by the SANS Internet Storm Center community of security researchers.
Explicit vs. implicit knowledge
Explicit knowledge
Codifiable — what feeds provide
Knowledge that can be written down, formalized, and shared: IOC lists, signature databases, published TTPs, vulnerability advisories. This is what intelligence feeds deliver and what SIEMs can act on automatically.
Implicit knowledge
Experiential — what people provide
Pattern recognition and instinct built through years of practice. An experienced analyst can sense that something is wrong even when no alert fires. Cannot be codified in a procedure — it is developed through exposure to hundreds of real incidents over a career.
OSINT (Open-Source Intelligence) is the practice of obtaining information about a person or organization through public records, websites, and social media. Attackers use it during reconnaissance; defenders use it to understand their own external exposure. Covered in depth during the penetration testing sections of this course.
4
ISACs — Information Sharing & Analysis Centers
ISACs are not-for-profit public-private partnership organizations established in the United States (starting in the 1990s) for each critical industry sector. Their purpose is to share sector-specific threat intelligence and security best practices among member organizations. The UK equivalent is the CSIP (Cybersecurity Information Sharing Partnership).
Critical infrastructure (DHS definition): Any physical or virtual infrastructure so vital to the United States that its incapacitation or destruction would have a debilitating effect on national security, economic security, or public health and safety. The DHS identifies 16 critical infrastructure sectors — ranging from energy and water to healthcare and aviation.
Five key ISACs to know
⚡
Critical Infrastructure
Covers ICS, SCADA, and embedded systems across the 16 DHS-defined sectors. High focus on operational technology (OT) security threats.
🏛️
Government
Serves non-federal governments: state, local, tribal, and territorial (SLTT). Bridges these bodies to federal threat intelligence through a public-private partnership.
🏥
Healthcare
Serves healthcare providers — frequent targets of ransomware, data extortion, and attacks on medical devices. Threat sharing helps the sector defend patient records and care systems.
🏦
Financial
Protects banks, trading platforms (e.g., NASDAQ), ATM networks, and payment systems from fraud, extortion, and attacks that could pose national economic risk.
✈️
Aviation
Serves the aviation industry against fraud, terrorism, service disruptions, and attacks on air traffic control systems — where failure could cause mass-casualty events.
Exam note: You do not need to memorize all 16 critical infrastructure sectors or the full list of ISACs. Know what an ISAC is (not-for-profit, sector-specific, public-private partnership), the five sectors covered above, and that the UK equivalent is the CSIP.
5
Making Intelligence Actionable Within Your Organization
Threat intelligence only has value when it reaches the right people in the right form at the right time. Within your organization, intelligence must feed four key operational functions.
Risk management & security engineering
Risk management identifies, evaluates, and prioritizes threats and vulnerabilities to reduce negative impact. Threat intelligence supplies the external threat dimension — your vulnerability scanner tells you what you're exposed to, but threat intelligence tells you who is actively targeting that exposure. Combined, they drive security engineering decisions: what hardware, software, and network architecture changes reduce your attack surface against the specific threats aimed at your sector. Strategic intel (e.g., "Linux servers are increasingly targeted") informs long-term architecture; tactical intel drives urgent patching priorities.
Strategic focusArchitecture decisions
Incident response
When an attacker is already inside your network, you need tactical intelligence immediately: what IP addresses are they using, what tools are they deploying, what lateral movement techniques do they favor? Tactical IOCs feed directly into containment and eradication steps. Once the incident is resolved, strategic intelligence helps prevent recurrence by addressing the root-cause attack vector.
Tactical priorityReal-time C2 detection
Vulnerability management
Strategic threat intelligence surfaces unrecognized vulnerability categories you may not have thought to scan for — IoT thermostats, deepfake-facilitated social engineering, AI-assisted fuzzing for zero-days. Tactical intelligence enables targeted scans: when a major malware family (e.g., WannaCry) is announced, immediately scan your environment specifically for that vulnerability before you are attacked. Threat intelligence turns vulnerability management from a schedule-driven compliance exercise into a risk-driven, adversary-aware program.
Targeted scanningIoT & emerging vectors
Detection & monitoring
Knowing what threats exist allows you to tune your sensors to detect them. New rules and definitions derived from intelligence — whether from your own incident data, partner organizations, or commercial feeds — directly improve the signal-to-noise ratio of your detection stack. More true positives, fewer false positives. Analysts in detection and monitoring roles should be on the dissemination list for all new threat intelligence as a matter of priority.
SIEM tuningReduce false positives
The dissemination chain matters. The most accurate, timely intelligence in the world has zero value if it doesn't reach the people who can act on it. Make sure your SOC analysts, IR team, vulnerability management team, and security architects are all on the distribution list — each group needs a different slice of the same intelligence picture.
Exam
Quick Reference Cheat Sheet
Two intelligence types
Security intelligence = inward (your systems). Cyber threat intelligence = outward (the threat landscape). Both needed. Two formats: narrative reports (strategic) and data feeds (tactical).
Timeliness — Relevancy — Accuracy — Confidence level. Admiralty scale grades source reliability (A–F) and information confidence (1–6). Not required for exam depth but know it exists.
Three source types
Proprietary = paid subscription (varies in quality). Closed-source = provider's own research (e.g. Mandiant). Open-source = freely available (US-CERT, OTX, MISP, VirusTotal, Spamhaus).
ISACs
Not-for-profit, sector-specific, public-private partnerships. Key sectors: Critical Infrastructure, Government (SLTT), Healthcare, Financial, Aviation. UK equivalent = CSIP.