OSINT — Three Source Categories
| Category | Examples | What It Provides | Quality Consideration |
|---|---|---|---|
| Internet sources | Discussion forums, social media, security blogs, public code repositories, vulnerability databases, paste sites | Threat actor communications, newly discovered exploits, malware samples, researcher analysis of campaigns | Highly variable; requires validation; threat actors post deliberately misleading information |
| Government sources | National cybersecurity agency advisories (CISA, NCSC), public hearings, regulatory reports, national threat assessments | High-credibility threat actor profiles, vulnerability alerts, campaign analysis, defensive recommendations | Generally high credibility; may lag real-time events due to publication process |
| Commercial data | Financial reports, geographic mapping data, public company databases, industry filings | Attribution analysis support, supply chain investigation, risk assessment context, organizational dependency mapping | Factual but requires context to apply to threat analysis; not designed for security use |
Four Intelligence Source Types — Comparison
| Source Type | Cost | Key Advantage | Key Limitation | Best For |
|---|---|---|---|---|
| OSINT | Free (labor cost only) | Widely accessible; broad coverage; starting point for any research | Quality varies; requires validation; may be outdated or disinformation | Initial research, threat actor profiling, low-budget programs |
| Proprietary / commercial | Subscription fee | Cross-organization correlation; real-time alerts before threats arrive; curated and analyzed | Cost; vendor dependency; data-sharing arrangements required | Organizations needing real-time, high-confidence intelligence with minimal analyst overhead |
| Information-sharing orgs (ISACs, CTA) | Membership (often low or free for non-profits) | Peer organizations share first-hand attack evidence; highly relevant to sector-specific threats | Requires participating organizations to contribute; intelligence quality depends on member engagement | Industry-specific threats; real-time peer sharing during active campaigns |
| Dark web intelligence | Specialized tools or commercial service | Direct visibility into criminal ecosystem; early warning of planned or completed attacks | Reliability varies; legal and OPSEC risks; requires specialized expertise | Monitoring for organization-specific mentions, credential leaks, access listings |
Cyber Threat Alliance (CTA) — Process Flow
| Step | Who Acts | What Happens | Why It Matters |
|---|---|---|---|
| 1. Intelligence submission | CTA member organization | Member submits threat intelligence in CTA's standardized format (structured data, not free text) | Standardization makes intelligence machine-readable and immediately actionable for all recipients |
| 2. Validation | CTA | CTA validates submission for accuracy; cross-references against other submissions to identify corroboration or conflicts | Removes false, fabricated, or low-quality submissions before they reach other members |
| 3. Scoring | CTA | CTA assigns a credibility and severity score to each validated submission | Enables members to prioritize: high-severity, high-confidence submissions demand immediate response |
| 4. Distribution | CTA → all members | Validated, scored intelligence becomes available to all CTA members for extraction and use | One organization's attack experience protects all members before the attacker can reuse techniques |
Dark Web Content Categories
| Category | Examples | Intelligence Value |
|---|---|---|
| Stolen data markets | Credit card numbers, account credentials, corporate financial records, employee PII, intellectual property | Identify if the organization's data has been compromised; enable credential invalidation before attacker use |
| Malware markets | Exploit kits, ransomware-as-a-service, RATs, custom malware variants, zero-day exploits | Identify newly circulating tools; develop detection signatures before they are deployed against the organization |
| Hacking services | DDoS-for-hire, initial access brokering (selling compromised network access), phishing services, social engineering scripts | Monitor for access listings that may include the organization's network; detect planned attack campaigns |
| Forums and communications | Threat actor discussions of techniques, target selection, proof-of-compromise posts, planned campaign announcements | Monitor for organization name mentions, executive names, planned attacks; earliest warning before action begins |
Threat Actor Categories — Motivation and Capability
| Threat Actor Type | Primary Motivation | Typical Capability | Common Tactics |
|---|---|---|---|
| Nation-state actors | Espionage, sabotage, geopolitical objectives | Very high — significant resources, long-term access, custom tooling | Spearphishing, supply chain compromise, zero-day exploitation, long-term persistent access |
| Criminal groups | Financial gain | High — professional operations, specialized roles | Ransomware, data extortion, credential theft, fraud, initial access brokering |
| Hacktivists | Ideological or political | Variable — typically low to moderate | Website defacement, data leaks, DDoS, public embarrassment campaigns |
| Insider threats | Financial gain, grievance, coercion | Unique — legitimate access bypasses perimeter controls | Data exfiltration, sabotage, credential sharing, privilege abuse |
| Script kiddies | Notoriety, curiosity | Low — use available tools without understanding them | Publicly available exploit tools, unsophisticated phishing, opportunistic scanning |
Threat Intelligence Consumer Roles
| Consumer | Intelligence Need | How Intelligence Is Used |
|---|---|---|
| SOC analysts | IOCs, current attack campaigns, attacker infrastructure | Enrich security alerts; prioritize investigation; configure blocking rules for known-malicious IPs/domains/hashes |
| Incident responders | Attacker TTPs, malware analysis, attribution data | Identify attacker tools; accelerate containment; understand full scope of compromise; support attribution |
| Threat hunters | Known attacker TTPs, behavioral patterns | Build hypotheses about whether a known actor may already be in the environment; design targeted hunts |
| Vulnerability management | Active exploitation intelligence for specific CVEs | Prioritize patching: a CVE being actively exploited in the wild is more urgent than an unexploited theoretical vulnerability |
| Executive / business leadership | Strategic threat trends, risk landscape, sector-specific threats | Direct security investment; understand organizational risk exposure; inform board-level reporting |