Chapter 83 · Glossary

Threat Intelligence — Glossary

Key terms for threat intelligence principles, OSINT sources, proprietary intelligence services, the Cyber Threat Alliance, and dark web monitoring.

Threat Intelligence
The practice of collecting, analyzing, and acting on information about current and potential cyber threats, including the actors who conduct them, the tools and techniques they use, and the campaigns they are running. Threat intelligence transforms raw security data into actionable knowledge that enables proactive defense decisions. Used by SOC analysts (alert prioritization), incident responders (containment and attribution), threat hunters (hypothesis development), vulnerability management teams (exploited CVE prioritization), and executive decision-makers (risk-based investment). The goal is to understand the adversary well enough to defend against them before they act.
Open-Source Intelligence (OSINT)
Intelligence gathered from publicly available sources that anyone can access without special authorization or payment. OSINT serves as the typical starting point for threat research due to its accessibility and breadth. Sources span three categories: internet sources (discussion forums, social media, security blogs, public code repositories, vulnerability databases); government sources (national cybersecurity advisories, public hearings, regulatory reports, national threat assessments); and commercial data (financial reports, geographic mapping data, public databases). OSINT's primary limitation: information quality varies significantly, data may be outdated or deliberately misleading, and all OSINT must be validated and correlated before operational use.
Proprietary / Third-Party Intelligence
Threat intelligence compiled and sold by specialized commercial vendors. These services aggregate data that individual organizations cannot access independently: global sensor networks, honeypot telemetry, incident response engagements, customer security data, and dark web monitoring. The defining value is cross-organization correlation — a vendor observing thousands of client environments can identify emerging attack campaigns before they reach any single client. Typical deliverables: threat analytics, indicators of compromise (IOCs), malware samples and analysis, vulnerability exploitation intelligence, and attack infrastructure mapping. Tradeoffs include subscription costs, vendor dependency, and data-sharing arrangements that require careful consideration.
Indicators of Compromise (IOCs)
Artifacts found in networks, systems, or log data that indicate a system has been compromised or is being targeted. IOCs are a primary output of threat intelligence programs. Common types: malicious IP addresses and domain names (command-and-control infrastructure), file hashes of known malware samples, suspicious URL patterns, unusual network traffic signatures, and specific registry keys or file paths associated with known malware. Threat intelligence feeds distribute IOCs so organizations can configure detection and blocking rules. IOCs have a limited useful life: attackers change infrastructure frequently, and an IOC that was actionable last month may be stale today.
Threat Analytics
The process of correlating threat data from multiple sources to identify patterns, trends, and actionable intelligence that would not be visible from any single data source. Threat analytics platforms ingest data from internal security tools (SIEM, endpoint detection, network sensors), external intelligence feeds (commercial, OSINT, sharing communities), and historical incident data to identify: attack patterns emerging across an industry, new malware variants and their behavioral signatures, infrastructure shared across multiple threat actor groups, and early indicators of campaigns that are still in their early stages. Threat analytics is the analytical engine that turns raw intelligence into prioritized, actionable output.
Information-Sharing Organization
A formal structure that enables peer organizations to share threat intelligence with each other for collective defense. The underlying principle: an indicator or technique observed in one organization's environment may be about to appear in every peer organization's environment. Sharing that indicator rapidly benefits all participants. Information-sharing organizations operate at multiple levels: government-to-industry (national cybersecurity agencies distributing threat data to critical sectors), industry-to-industry (Information Sharing and Analysis Centers, or ISACs, organized by sector: financial, healthcare, energy, etc.), and cross-industry coalitions. Effective information sharing requires standardized formats, trust agreements, and anonymization mechanisms to protect the sharing organization's identity when desired.
Cyber Threat Alliance (CTA)
An industry collaboration of cybersecurity organizations focused on sharing high-quality, validated threat intelligence in a structured, standardized format. The CTA process: member organizations submit threat intelligence formatted to CTA specifications → CTA validates each submission and assigns a credibility and severity score → all other members can access the validated, scored intelligence and integrate it into their defenses. The standardization requirement makes shared intelligence machine-readable and immediately actionable. The scoring function enables prioritization. The CTA model demonstrates the collective defense principle: intelligence one organization derived from being attacked protects all other members before the attacker can reuse the same techniques elsewhere.
Dark Web
A collection of overlay networks that use the internet as transport infrastructure but require specialized software and specific configurations to access — most commonly the Tor network and browser. Unlike the surface web (publicly indexed) and the deep web (unindexed but accessible with standard browsers and credentials), dark web content is only reachable through anonymizing overlay networks. The dark web provides anonymity for both operators and visitors, which makes it attractive to threat actors who need to communicate, sell stolen data, and offer criminal services without being identified. For security professionals, dark web forums and marketplaces are a primary source of threat intelligence about criminal groups, their techniques, and their targets.
Tactics, Techniques, and Procedures (TTPs)
A framework for describing how threat actors operate. Tactics describe the high-level goals an attacker pursues (initial access, privilege escalation, lateral movement, data exfiltration). Techniques describe specific methods for achieving those goals (spearphishing with an attachment, pass-the-hash credential reuse, living-off-the-land using built-in OS tools). Procedures describe the specific implementation details used by a particular group (a named group's known spearphishing email templates, their specific malware payloads, their preferred command-and-control infrastructure patterns). TTP intelligence is more durable than IOC intelligence because attackers change infrastructure easily but changing tactics and techniques requires significant retooling.
Threat Actor
Any individual, group, or organization that poses a cyber threat. Threat actors are categorized by motivation and capability: nation-state actors (government-sponsored; highly sophisticated; motivated by espionage, sabotage, or geopolitical objectives); criminal groups (financially motivated; conduct ransomware, fraud, and data theft); hacktivists (ideologically motivated; typically seek publicity through defacement, data leaks, or DDoS); insider threats (current or former employees with legitimate access; motivated by financial gain, grievance, or coercion); and script kiddies (low-skill actors using publicly available tools without deep technical understanding). Threat intelligence profiles threat actors so defenders understand who is likely to target them and why.
Dark Web Monitoring
The practice of observing dark web forums, marketplaces, and paste sites for intelligence relevant to a specific organization or sector. Monitoring targets: mentions of the organization's name, domain, or executive names in forum posts or attack planning discussions; the organization's data appearing in breach listings or extortion posts; employee credentials appearing in credential dump marketplaces; and threat actor discussions of techniques targeting the organization's technology stack or sector. The value is early warning: organizations that discover their credentials are for sale can invalidate them before attackers use them for unauthorized access. Challenges: information reliability (threat actors fabricate breaches), operational security (monitoring must not expose the analyst), and legal considerations (accessing criminal content requires careful compliance review).
Initial Access Broker
A threat actor who specializes in gaining initial access to organizational networks and selling that access to other criminal actors rather than conducting attacks themselves. Initial access brokers (IABs) represent a division of labor in the criminal ecosystem: one group breaks in; a different group (ransomware operators, data extortionists, or espionage actors) purchases the access and conducts the subsequent campaign. Dark web markets regularly list IAB offerings: "access to Fortune 500 company in healthcare sector, domain admin rights, asking $30,000." Monitoring these listings is a critical form of dark web intelligence — if an organization's network access is listed for sale, an attack using that access is imminent or may have already begun.