Chapter 83 · Security Advisory

Threat Intelligence

Open-source intelligence, proprietary threat services, information-sharing organizations, and dark web monitoring — the four pillars of knowing your adversary before they know you.

THREATINTEL-2024-001
Threat Intelligence Foundations — OSINT and the Case for Knowing Your Adversary
Severity: High

What Threat Intelligence Is — and Why Reactive Defense Is Not Enough

Threat intelligence is the practice of collecting, analyzing, and acting on information about current and potential cyber threats — including the threat actors who conduct them, the tools and techniques they use, the campaigns they are running, and the vulnerabilities they are exploiting. Its purpose is to enable proactive security decisions rather than purely reactive ones. An organization that knows an attacker group is actively targeting its sector can invest in specific defenses, train its analysts on relevant techniques, and configure detection rules before an attack arrives — rather than responding after damage is done.

Threat intelligence serves multiple parts of an organization. Security Operations Center (SOC) analysts use it to prioritize alerts and enrich incident data. Incident response teams use it to accelerate containment and attribution. Threat hunters use it to build hypotheses about what may already be in the environment. Vulnerability management teams use it to prioritize which CVEs represent active exploitation risk versus theoretical risk. Executive and business leadership use strategic threat intelligence to understand the risk landscape and direct security investment. The intelligence consumers and their needs differ, but the raw material — understanding who the adversaries are and what they do — is shared.

Open-Source Intelligence (OSINT) — What Is Publicly Available

Open-Source Intelligence (OSINT) is intelligence derived from publicly available sources — information that anyone can access without special authorization or payment. OSINT is typically the starting point for threat research because it is freely accessible, often plentiful, and covers an enormous range of threat actors and campaigns. The key skill is knowing where to look and how to evaluate what you find.

Internet sources include discussion forums where threat actors communicate, social media posts where researchers publish discoveries, public code repositories where malware samples and exploit code appear, security blogs from independent researchers and vendor threat intelligence teams, and technical communities such as vulnerability databases and malware analysis platforms. Threat actors themselves frequently reveal tools, techniques, and intentions through online communication — underground forums, paste sites, and public-facing social media are all sources that trained analysts monitor.

Government sources represent a large and often underused category of OSINT. Most government-produced cybersecurity information is publicly available: security advisories from national cybersecurity agencies (CISA, NCSC, ANSSI), public congressional or parliamentary hearings on cybersecurity topics, regulatory reports describing threat trends affecting regulated industries, and national threat assessments. These sources tend to carry high credibility and often contain threat actor profiles and campaign details that commercial intelligence would otherwise charge for.

Commercial data sources round out the category: financial reports that reveal organizational dependencies, geographic mapping data that supports attribution analysis, public databases, and industry-specific information that can support supply chain investigation and risk assessment.

OSINT Advantages and Limitations

OSINT's primary advantages are accessibility and cost: it is freely available, often voluminous, and does not require vendor relationships or budget approval. It is particularly useful for initial research into unfamiliar threat actors or newly announced campaigns where commercial intelligence may not yet have caught up.

Its limitations are equally important to understand. The quality and accuracy of OSINT vary enormously: a forum post claiming a particular group is responsible for an attack may be speculation, deliberate disinformation, or an honest error. Sources contradict each other. Information ages quickly — a threat actor profile that was accurate six months ago may reflect a group that has since changed tactics, merged with another group, or ceased operations. OSINT must be validated and correlated before operational use. Acting on unverified OSINT — blocking an IP range based on a forum post, for example — can cause operational disruption from false positives. The discipline of OSINT is not just finding information; it is evaluating and verifying it before acting.

THREATINTEL-2024-002
Proprietary Intelligence and Information-Sharing Organizations — Structured Threat Data at Scale
Severity: High

Proprietary and Third-Party Intelligence Services

Commercial threat intelligence vendors compile, analyze, and sell intelligence that OSINT alone cannot provide. These services aggregate data from sources that individual organizations cannot access on their own: global sensor networks, honeypot deployments, incident response engagements across hundreds of organizations, customer security telemetry, and dark web monitoring operations. The defining capability of commercial intelligence is cross-organization correlation — a vendor monitoring thousands of client environments simultaneously can identify emerging attack campaigns hours or days before they reach any individual client, then push alerts to all subscribers.

Commercial services typically provide: threat analytics that identify patterns and indicators of compromise (IOCs); malware analysis of newly discovered samples; vulnerability intelligence linking CVEs to active exploitation; attack infrastructure mapping (domains, IPs, certificates associated with attacker operations); and threat actor profiles describing tactics, techniques, and procedures (TTPs). Platforms integrate intelligence feeds into SIEM and security orchestration systems, enabling automated prevention workflows — for example, automatically blocking new command-and-control infrastructure as it is identified.

The tradeoffs are real: subscription costs can be substantial, particularly for small organizations; vendor dependency means the quality of an organization's intelligence is tied to the vendor's coverage and accuracy; and data-sharing arrangements (the intelligence vendor collects telemetry from your environment to contribute to their feed) raise privacy and confidentiality considerations. Organizations should assess what they gain from a vendor against what they share with one.

Information-Sharing Organizations — Collective Defense

Neither OSINT nor commercial intelligence captures everything. Threat actors that target one organization leave evidence in that organization's logs, network traffic, and endpoint data that no external vendor or public source has. The solution is structured intelligence sharing: organizations that have been targeted or attacked share what they found — indicators, malware samples, attack TTPs, infrastructure details — with peer organizations who can then defend against the same actors before they are targeted.

Information sharing is especially valuable during time-critical events: zero-day attacks where no patch exists; ransomware campaigns spreading across an industry; large-scale vulnerabilities being exploited before vendors release patches. In these scenarios, intelligence that one organization derived from its own network can protect dozens of others within hours of being shared.

Information-sharing organizations operate at both the public and private levels. Public initiatives distribute intelligence from government agencies and national security organizations — often including declassified analysis that was originally classified. Private sector organizations form industry-specific information-sharing and analysis centers (ISACs) and cross-sector coalitions that share intelligence among peer organizations. The shared characteristic: intelligence that would benefit one organization in isolation is far more valuable when it reaches all organizations facing the same adversaries.

The Cyber Threat Alliance (CTA) — A Structured Sharing Model

The Cyber Threat Alliance (CTA) is a prominent example of a structured intelligence-sharing organization. CTA is an industry collaboration of cybersecurity companies and organizations focused on sharing high-quality, validated threat intelligence.

The CTA model works as follows: member organizations submit threat intelligence in a standardized format. The CTA validates each submission and scores it for credibility and severity. Validated, scored intelligence is then distributed to all other CTA members. Any member can extract the validated data and integrate it into their own defenses. The standardization requirement is critical: it ensures that shared intelligence is machine-readable, consistent, and actionable rather than unstructured text that requires manual interpretation. The scoring function ensures that members can prioritize: a high-severity, well-validated submission from a trusted CTA member warrants immediate attention; a low-confidence submission warrants monitoring.

This cooperative model benefits all participants in a way that no single organization's intelligence program can achieve independently. The intelligence that one CTA member derives from responding to an attack becomes actionable defense for every other member — often before the attacker has the opportunity to reuse the same techniques at a different target.

THREATINTEL-2024-003
Dark Web Intelligence — Going to the Source
Severity: Medium

What the Dark Web Is and How It Is Accessed

The dark web is a collection of overlay networks that use the internet as transport infrastructure but are not accessible through standard web browsers or indexed by conventional search engines. Access requires specialized software and specific configurations — most commonly the Tor browser, which routes traffic through multiple encrypted relays to conceal both the user's identity and location. This technical barrier to entry is not incidental: the dark web exists specifically to provide anonymity, and that anonymity is what makes it attractive to threat actors who need to communicate and conduct business without being identified or monitored.

The dark web is not inherently criminal — it also hosts legitimate privacy tools, journalism, and whistleblower platforms in countries with restricted internet access. But for security professionals, the relevant content is the criminal ecosystem: forums, marketplaces, and services operated by and for threat actors.

What Is Found on the Dark Web

Dark web criminal forums and marketplaces host a wide range of threat-relevant content. Stolen data markets sell credit card numbers (acquired through point-of-sale malware, e-commerce skimmers, and database breaches), account credentials (usernames and passwords from breached services), and corporate data (financial records, employee PII, intellectual property, and proprietary documents stolen through ransomware or data extortion operations). Malware markets sell exploit kits, ransomware-as-a-service subscriptions, remote access tools (RATs), and customized malware variants. Hacking services offer distributed denial-of-service (DDoS) for hire, initial access brokering (selling access to networks that have already been compromised), and social engineering and phishing services.

Beyond the commerce, dark web forums are where threat actors communicate: discussing techniques, sharing attack results, posting proof-of-compromise screenshots, and occasionally referencing specific targets by name. This communication layer is where threat intelligence derived from dark web monitoring becomes most valuable.

Dark Web Monitoring — Early Warning Before the Attack

Organizations and threat intelligence vendors monitor dark web forums, paste sites, and marketplaces for content relevant to specific organizations. The specific items to monitor include: the organization's name and domain appearing in forum discussions; executive names and email addresses appearing in credential dumps or targeted discussions; the organization's data appearing in breach marketplaces or extortion posts; and threat actors discussing planned or ongoing campaigns against the organization or its sector.

The intelligence value of this monitoring is the early warning it provides. If an organization's stolen credentials appear on a dark web marketplace, the organization can invalidate those credentials before attackers use them for unauthorized access. If a threat actor posts that they have successfully breached an organization and are preparing to publish stolen data, the organization may have hours or days to respond before the breach becomes public. If a forum post describes a new attack technique being tested against a specific type of system the organization runs, the organization can deploy countermeasures before that technique is weaponized at scale.

Dark web intelligence operations carry significant challenges. The information is inherently unreliable: threat actors fabricate breaches and exaggerate capabilities, and distinguishing a real breach notification from a fraudulent one requires corroborating evidence. Legal and operational security considerations are real: accessing dark web criminal forums requires careful operational security to avoid detection, and the legal framework around accessing criminal content varies by jurisdiction. The data volume is large, unstructured, and constantly changing, requiring specialized tools and trained analysts to process effectively. Organizations that lack the capability to conduct dark web monitoring safely and effectively should use commercial services that specialize in it rather than attempting it independently.