Threat Intelligence Foundations
Understanding Data Sources & The Intelligence Lifecycle
Master the foundational concepts of threat intelligence. Learn how to identify, collect, and process threat data from multiple sources. Build understanding of the intelligence lifecycle and how SOCs leverage threat intelligence to enhance defense. From OSINT to internal telemetry, transform raw data into actionable security insights.
Threat Intelligence Overview
Strategic and Operational Intelligence Concepts
🎓 Why Intelligence Matters to Security Operations
Without intelligence, SOCs are blind. They react to alerts without context. With intelligence, SOCs see the threat landscape clearly. Intelligence enables predictive defense: teams know which threats are most likely, can prioritize detection efforts, and allocate resources efficiently. Intelligence transforms SOCs from reactive to proactive.
Intelligence Data Sources
Collecting Threat Data from Multiple Channels
🔍 Open-Source Intelligence (OSINT)
OSINT is publicly available information that reveals threat actor behavior and infrastructure. OSINT sources include: domain registration data (WHOIS), DNS records, public threat feeds, social media, code repositories, academic papers, conferences, news articles, and archived websites.
Why it matters: OSINT is low-cost, abundant, and usually lawful to collect, subject to the terms of service of the sites you query and the law where you operate. Threat actors leave tracks everywhere: registered domains, DNS zones, public forums discussing exploits. Systematic OSINT collection can surface attack infrastructure (look-alike domains, fresh registrations on the same name servers) before it is used against you. The caveat is that OSINT is also the noisiest source: indicators pulled from forums, pastes or unvetted feeds need corroboration before they drive blocking.
Examples: Shodan queries for exposed devices, GitHub monitoring for leaked credentials, domain registrant analysis to link attack infrastructure, threat actor forum posts indicating upcoming campaigns.
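The "domain registrant analysis" example above, carried through in code. This is an added illustration, not code from the original module: the WHOIS-style records, domains, e-mail addresses and name servers are all constructed (in practice they would come from WHOIS/RDAP or a passive-DNS service). It also shows the two traps a practitioner hits first when pivoting: privacy-redacted registrant fields carry no identity and cannot be pivoted on, and a shared name server alone links every unrelated tenant of the same hosting provider, so that pivot is only accepted together with a registration-time window.

```python
"""Link attack infrastructure by pivoting on WHOIS-style registration data.

Added example, not code from the original module. RECORDS is constructed;
every domain, e-mail address and name server below is fictitious.
"""
from datetime import date

# Registrant values that look like pivots but carry no identity information.
NON_PIVOTABLE = {"", "REDACTED FOR PRIVACY", "Please query the RDDS service"}

# Constructed registration records: one known-bad seed plus registrations
# seen around the same time. Note the privacy-redacted registrants and the
# old, unrelated domain that happens to use the same hosting provider's NS.
RECORDS = [
    {"domain": "secure-login-bank.example", "registrant_email": "ops-mailer@example.net",
     "nameservers": ["ns1.cheaphost.example", "ns2.cheaphost.example"], "created": "2024-03-02"},
    {"domain": "bank-verify-portal.example", "registrant_email": "ops-mailer@example.net",
     "nameservers": ["ns1.cheaphost.example", "ns2.cheaphost.example"], "created": "2024-03-03"},
    {"domain": "invoice-update.example", "registrant_email": "REDACTED FOR PRIVACY",
     "nameservers": ["ns1.cheaphost.example", "ns2.cheaphost.example"], "created": "2024-03-03"},
    {"domain": "accounts-payable-portal.example", "registrant_email": "REDACTED FOR PRIVACY",
     "nameservers": ["ns1.cheaphost.example", "ns2.cheaphost.example"], "created": "2024-03-04"},
    {"domain": "unrelated-shop.example", "registrant_email": "owner@shop.example",
     "nameservers": ["ns1.cheaphost.example", "ns2.cheaphost.example"], "created": "2019-06-12"},
    {"domain": "bank-login-reset.example", "registrant_email": "ops-mailer@example.net",
     "nameservers": ["ns1.otherhost.example", "ns2.otherhost.example"], "created": "2024-03-05"},
]


def pivot(seed_domain, records, window_days=7):
    """Return {domain: {"confidence": ..., "reasons": [...]}} for records linked to the seed.

    A shared, non-redacted registrant e-mail is a strong link ("high").
    Shared name servers count only when the domain was registered within
    window_days of the seed ("medium"), because a hosting provider's name
    servers are shared by thousands of unrelated customers.
    """
    seed = next(r for r in records if r["domain"] == seed_domain)
    seed_ns = set(seed["nameservers"])
    seed_created = date.fromisoformat(seed["created"])
    seed_email = seed["registrant_email"]
    linked = {}
    for rec in records:
        if rec["domain"] == seed_domain:
            continue
        reasons = []
        if seed_email not in NON_PIVOTABLE and rec["registrant_email"] == seed_email:
            reasons.append("same registrant e-mail")
        gap_days = abs((date.fromisoformat(rec["created"]) - seed_created).days)
        if set(rec["nameservers"]) == seed_ns and gap_days <= window_days:
            reasons.append(f"same name servers, registered within {window_days} days of seed")
        if reasons:
            confidence = "high" if "same registrant e-mail" in reasons else "medium"
            linked[rec["domain"]] = {"confidence": confidence, "reasons": reasons}
    return linked


def cluster_by_registrant(records):
    """Group domains by registrant e-mail, ignoring privacy-redacted values."""
    clusters = {}
    for rec in records:
        email = rec["registrant_email"]
        if email not in NON_PIVOTABLE:
            clusters.setdefault(email, []).append(rec["domain"])
    return clusters


if __name__ == "__main__":
    for dom, info in pivot("secure-login-bank.example", RECORDS).items():
        print(f"{dom:35} {info['confidence']:6} {'; '.join(info['reasons'])}")
```

Run against the constructed records, the seed links four domains and correctly leaves out `unrelated-shop.example`, which shares the name servers but was registered years earlier; the two privacy-redacted domains come back only at medium confidence and would need a second pivot (passive DNS, certificate data, page content) before anyone blocks them.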
📡 Internal SOC Telemetry
Your own network generates the most relevant threat intelligence: logs from firewalls, proxies, endpoints, servers, cloud platforms, and security tools. Internal telemetry shows what actually hits your environment—attempted attacks, suspicious connections, malicious file detections.
Why it matters: External feeds tell you what exists globally. Internal telemetry tells you what threatens YOUR organization specifically. A payload detected on one endpoint might indicate broader compromise. Unusual connection patterns might indicate command-and-control communication.
Examples: Firewall logs showing blocked malicious IPs, EDR detecting unusual process execution, web proxy logs showing access to known malicious domains, DNS queries to suspicious C2 servers.
🔗 Threat Indicator Feeds
Subscribed feeds provide continuously updated indicators: malware hashes, command-and-control IPs, phishing URLs, compromised credentials. Feeds come from threat intelligence companies, government agencies (CISA, NSA), security vendors, and community platforms.
Why it matters: Processing OSINT manually is time-consuming. Feeds automate the distribution: new indicators arrive in a machine-readable format and are ingested into detection systems (firewalls, SIEM, endpoint protection). When a new malware variant emerges, subscribers can have its indicators within hours of the provider observing it. Two caveats: feeds overlap and vary in quality, so normalize and deduplicate them rather than ingesting each one raw; and never push a feed straight to blocking without filtering, since feeds sometimes carry private or loopback addresses, shared-hosting IPs and popular domains that will generate false positives.
Feed Types: IP reputation feeds (malicious IPs), domain reputation feeds (phishing/malware domains), hash feeds (malware signatures), URL feeds (malicious links), credential feeds (leaked credentials), CVE feeds (vulnerability intelligence).
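The internal-telemetry examples (proxy, DNS and EDR events) and the feed types listed here meet in the matching step: a feed is ingested, normalized, and checked against the events. The script below is an added example, not code from the original module. The CSV columns (type,value,confidence,source), the key=value log format, every indicator value and every log line are constructed for illustration; the addresses use the IANA documentation ranges 203.0.113.0/24 and 198.51.100.0/24 as stand-ins for public addresses. It demonstrates the parts a raw feed ingest usually gets wrong: refanging `hxxp` and `[.]` notation, merging the same indicator from two sources, dropping non-routable addresses, and matching domains on label boundaries so that `notevil-cdn.example` does not hit on `evil-cdn.example`.

```python
"""Ingest an indicator feed, normalize it, and match it against SOC telemetry.

Added example, not code from the original module. FEED_CSV and LOG_LINES are
constructed; the CSV columns and the key=value log format are assumptions.
203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
public addresses.
"""
import csv
import io
import ipaddress
import re

# Constructed feed: one domain defanged and duplicated across two sources, a
# defanged URL and IP, a loopback address (a real feed defect) and a made-up hash.
FEED_CSV = """type,value,confidence,source
domain,evil-cdn[.]example,80,vendor-a
domain,EVIL-CDN.example,75,community-x
url,hxxps://payroll-update[.]example/login.php,90,vendor-a
ipv4,203[.]0[.]113[.]45,70,vendor-b
ipv4,127.0.0.1,50,community-x
sha256,0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0,95,vendor-a
"""

# Constructed telemetry in "<source> key=value ..." form (proxy, DNS, EDR).
LOG_LINES = [
    "proxy ts=2024-03-05T10:01:02Z src=10.0.5.23 dst=203.0.113.45 host=evil-cdn.example url=https://evil-cdn.example/a.js action=allow",
    "dns ts=2024-03-05T10:01:05Z src=10.0.5.23 qname=static.evil-cdn.example answer=203.0.113.45",
    "dns ts=2024-03-05T10:02:00Z src=10.0.7.9 qname=notevil-cdn.example answer=198.51.100.7",
    "edr ts=2024-03-05T10:03:11Z host=WS-0423 sha256=0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0 proc=update.exe",
    "proxy ts=2024-03-05T10:04:40Z src=10.0.5.24 dst=198.51.100.7 host=intranet.example url=https://intranet.example/ action=allow",
]

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# Ranges that must never be deployed as block indicators, whatever the feed says.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8",
                "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def refang(value):
    """Undo common defanging: [.] -> ., hxxp -> http, [:]// -> ://."""
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value.strip())
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.replace("[:]//", "://")


def normalize(ioc_type, value):
    """Return (canonical_type, canonical_value), or None if the indicator is unusable."""
    t, v = ioc_type.strip().lower(), refang(value)
    if t == "ipv4":
        try:
            ip = ipaddress.IPv4Address(v)
        except ValueError:
            return None
        return None if any(ip in n for n in NON_ROUTABLE) else ("ipv4", str(ip))
    if t == "domain":
        v = v.lower().rstrip(".")
        return ("domain", v) if DOMAIN_RE.match(v) else None
    if t == "url":
        return ("url", v)  # keep case: URL paths are case-sensitive
    if t in ("md5", "sha1", "sha256"):
        v = v.lower()
        return ("hash", v) if re.fullmatch(r"[0-9a-f]+", v) and len(v) in (32, 40, 64) else None
    return None


def ingest(feed_csv):
    """Build {type: {value: {"confidence", "sources"}}}, merging duplicates across sources."""
    indicators = {"domain": {}, "ipv4": {}, "url": {}, "hash": {}}
    dropped = []
    for row in csv.DictReader(io.StringIO(feed_csv)):
        norm = normalize(row["type"], row["value"])
        if norm is None:
            dropped.append(row["value"])
            continue
        ioc_type, value = norm
        entry = indicators[ioc_type].setdefault(value, {"confidence": 0, "sources": set()})
        entry["confidence"] = max(entry["confidence"], int(row["confidence"]))
        entry["sources"].add(row["source"])
    return indicators, dropped


def parse_log(line):
    source, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {**fields, "_source": source}


def domain_hit(name, domains):
    """Exact or subdomain match on label boundaries, never a bare substring match."""
    name = name.lower().rstrip(".")
    return next((d for d in domains if name == d or name.endswith("." + d)), None)


def scan(log_lines, indicators):
    """Match each event's host, IP, URL and hash fields against the indicator sets."""
    alerts = []
    for line in log_lines:
        f = parse_log(line)
        hits = []
        for k in ("host", "qname"):
            if k in f and (d := domain_hit(f[k], indicators["domain"])):
                hits.append(("domain", d, k))
        hits += [("ipv4", f[k], k) for k in ("dst", "answer") if f.get(k) in indicators["ipv4"]]
        if f.get("url") in indicators["url"]:
            hits.append(("url", f["url"], "url"))
        if f.get("sha256", "").lower() in indicators["hash"]:
            hits.append(("hash", f["sha256"].lower(), "sha256"))
        for ioc_type, value, k in hits:
            meta = indicators[ioc_type][value]
            alerts.append({"ts": f["ts"], "source": f["_source"], "field": k, "ioc_type": ioc_type,
                           "ioc": value, "confidence": meta["confidence"], "feeds": sorted(meta["sources"])})
    return alerts
```

On the constructed data, `ingest` drops the loopback entry, merges the two spellings of `evil-cdn.example` into one indicator carrying both sources and the higher confidence, and `scan` produces five alerts: two from the proxy line (host and destination IP), two from the first DNS line (the `static.` subdomain and the resolved IP) and one from the EDR hash, while the look-alike `notevil-cdn.example` query and the intranet request produce none. Carrying the source feeds and confidence into each alert is what lets an analyst decide whether a single low-confidence community indicator deserves a ticket.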
The Intelligence Lifecycle
From Raw Data to Actionable Defense
🔄 Lifecycle Feedback Loop
The intelligence lifecycle is usually described as planning and direction, collection, processing, analysis, dissemination and feedback, but it is not linear; it is circular. Disseminated intelligence informs defense. Defense operations (incident response) generate new data. That data feeds back into collection, creating continuous improvement. As defenses improve, attacks adapt. Intelligence must adapt in response.
- Detection generates leads: SOC detects suspicious activity → triggers investigation → reveals threat actor infrastructure → feeds back into intelligence
- Incident response builds knowledge: Each incident teaches what works, what doesn't → improves detection rules → prevents similar attacks
- Intelligence improves prediction: Historical data shows patterns → models predict future attacks → defenses shift proactively
Enterprise Risk Perspective
Turning Data Into Defense Insights
💼 Intelligence as Strategic Risk Management
From enterprise perspective, threat intelligence directly impacts risk. Organizations face thousands of potential threats. Intelligence answers: Which threats are most likely? Which would be most damaging? Where should we invest defensive resources?
Without intelligence: Resources spread thin across all possible threats. Defenses are generic, reactive. Attackers choose weak targets.
With intelligence: Resources concentrate on threats most likely to succeed. Defenses are targeted, proactive. Attackers find hardened targets and look elsewhere.
🎯 Practical Example: Intelligence in Action
The threat intelligence team identifies a campaign targeting financial institutions in your region. They research the threat actor group: known TTPs (tactics, techniques and procedures), typical attack chain, command-and-control infrastructure.
Intelligence team shares findings with SOC: indicators (IPs, domains, file hashes), detection signatures, incident response procedures specific to this threat group. Network team blocks known C2 IPs at firewall. Endpoint team deploys detection rules for known malware variants.
Result: When the threat group attempts an attack against your organization (six months later), detection systems catch it immediately. The incident response team, pre-trained by threat intelligence, contains it quickly. Damage is prevented by proactive defense enabled by intelligence.
Advanced Learning Resources
Deepen Your Knowledge with Industry Resources
📚 Key Reading
- APT Trend Reports from Mandiant/Google: Comprehensive annual reports on threat actor trends and campaigns
- Threat Intelligence Blogs: Industry leaders publish threat research weekly on threat behavior, new attack techniques, and campaign analysis
- SANS Cyber Aces: Free security tutorials and references for intelligence professionals
Ready for Module 2?
You've completed Module 1 foundations. Next, dive into advanced analytics, behavioral modeling, and attacker pattern recognition in Module 2.