Chapter 83 · Concepts

Threat Intelligence — Concept Maps

Structured breakdowns comparing OSINT sources, intelligence type tradeoffs, CTA workflow, dark web content categories, threat actor types, and intelligence consumer roles.

OSINT — Three Source Categories
CategoryExamplesWhat It ProvidesQuality Consideration
Internet sources Discussion forums, social media, security blogs, public code repositories, vulnerability databases, paste sites Threat actor communications, newly discovered exploits, malware samples, researcher analysis of campaigns Highly variable; requires validation; threat actors post deliberately misleading information
Government sources National cybersecurity agency advisories (CISA, NCSC), public hearings, regulatory reports, national threat assessments High-credibility threat actor profiles, vulnerability alerts, campaign analysis, defensive recommendations Generally high credibility; may lag real-time events due to publication process
Commercial data Financial reports, geographic mapping data, public company databases, industry filings Attribution analysis support, supply chain investigation, risk assessment context, organizational dependency mapping Factual but requires context to apply to threat analysis; not designed for security use
Four Intelligence Source Types — Comparison
Source TypeCostKey AdvantageKey LimitationBest For
OSINT Free (labor cost only) Widely accessible; broad coverage; starting point for any research Quality varies; requires validation; may be outdated or disinformation Initial research, threat actor profiling, low-budget programs
Proprietary / commercial Subscription fee Cross-organization correlation; real-time alerts before threats arrive; curated and analyzed Cost; vendor dependency; data-sharing arrangements required Organizations needing real-time, high-confidence intelligence with minimal analyst overhead
Information-sharing orgs (ISACs, CTA) Membership (often low or free for non-profits) Peer organizations share first-hand attack evidence; highly relevant to sector-specific threats Requires participating organizations to contribute; intelligence quality depends on member engagement Industry-specific threats; real-time peer sharing during active campaigns
Dark web intelligence Specialized tools or commercial service Direct visibility into criminal ecosystem; early warning of planned or completed attacks Reliability varies; legal and OPSEC risks; requires specialized expertise Monitoring for organization-specific mentions, credential leaks, access listings
Cyber Threat Alliance (CTA) — Process Flow
StepWho ActsWhat HappensWhy It Matters
1. Intelligence submission CTA member organization Member submits threat intelligence in CTA's standardized format (structured data, not free text) Standardization makes intelligence machine-readable and immediately actionable for all recipients
2. Validation CTA CTA validates submission for accuracy; cross-references against other submissions to identify corroboration or conflicts Removes false, fabricated, or low-quality submissions before they reach other members
3. Scoring CTA CTA assigns a credibility and severity score to each validated submission Enables members to prioritize: high-severity, high-confidence submissions demand immediate response
4. Distribution CTA → all members Validated, scored intelligence becomes available to all CTA members for extraction and use One organization's attack experience protects all members before the attacker can reuse techniques
Dark Web Content Categories
CategoryExamplesIntelligence Value
Stolen data marketsCredit card numbers, account credentials, corporate financial records, employee PII, intellectual propertyIdentify if the organization's data has been compromised; enable credential invalidation before attacker use
Malware marketsExploit kits, ransomware-as-a-service, RATs, custom malware variants, zero-day exploitsIdentify newly circulating tools; develop detection signatures before they are deployed against the organization
Hacking servicesDDoS-for-hire, initial access brokering (selling compromised network access), phishing services, social engineering scriptsMonitor for access listings that may include the organization's network; detect planned attack campaigns
Forums and communicationsThreat actor discussions of techniques, target selection, proof-of-compromise posts, planned campaign announcementsMonitor for organization name mentions, executive names, planned attacks; earliest warning before action begins
Threat Actor Categories — Motivation and Capability
Threat Actor TypePrimary MotivationTypical CapabilityCommon Tactics
Nation-state actorsEspionage, sabotage, geopolitical objectivesVery high — significant resources, long-term access, custom toolingSpearphishing, supply chain compromise, zero-day exploitation, long-term persistent access
Criminal groupsFinancial gainHigh — professional operations, specialized rolesRansomware, data extortion, credential theft, fraud, initial access brokering
HacktivistsIdeological or politicalVariable — typically low to moderateWebsite defacement, data leaks, DDoS, public embarrassment campaigns
Insider threatsFinancial gain, grievance, coercionUnique — legitimate access bypasses perimeter controlsData exfiltration, sabotage, credential sharing, privilege abuse
Script kiddiesNotoriety, curiosityLow — use available tools without understanding themPublicly available exploit tools, unsophisticated phishing, opportunistic scanning
Threat Intelligence Consumer Roles
ConsumerIntelligence NeedHow Intelligence Is Used
SOC analystsIOCs, current attack campaigns, attacker infrastructureEnrich security alerts; prioritize investigation; configure blocking rules for known-malicious IPs/domains/hashes
Incident respondersAttacker TTPs, malware analysis, attribution dataIdentify attacker tools; accelerate containment; understand full scope of compromise; support attribution
Threat huntersKnown attacker TTPs, behavioral patternsBuild hypotheses about whether a known actor may already be in the environment; design targeted hunts
Vulnerability managementActive exploitation intelligence for specific CVEsPrioritize patching: a CVE being actively exploited in the wild is more urgent than an unexploited theoretical vulnerability
Executive / business leadershipStrategic threat trends, risk landscape, sector-specific threatsDirect security investment; understand organizational risk exposure; inform board-level reporting