What is threat intelligence?
Threat intelligence is information about current and emerging cyber threats that has been collected, analyzed, and made actionable for defenders. The key word is analyzed: raw data such as logs and alerts only becomes intelligence once it has been processed and given context. It answers practical questions for an organization, including who might attack, what their capabilities and motives are, how they operate, and which weaknesses they are likely to target.
What does threat intelligence include?
- Attacker tactics, techniques, and procedures (TTPs): How adversaries plan and carry out attacks.
- Malicious infrastructure: Known bad IP addresses, domains, and servers used in attacks.
- Indicators of compromise (IOCs): Technical evidence such as file hashes and URLs that signal an attack.
- Context and motivation: Background on threat actors, their goals, and the trends shaping their behavior.
What are the main types of threat intelligence?
- Tactical: Technical and short-lived, focused on IOCs that can be fed straight into security tools. Used mainly by SOC analysts.
- Operational: Deeper insight into specific campaigns and attacker TTPs. Used to guide detection and response.
- Strategic: A high-level view of trends, geopolitics, and business risk. Used by executives to shape security strategy and investment.
Why does threat intelligence matter?
- Prioritization: It helps teams focus on the threats most relevant to their industry and environment instead of treating everything equally.
- Better detection: Tuning tools with intelligence increases true detections while cutting false positives.
- Faster response: Knowing an attacker’s likely objectives and methods shortens investigation and containment time.
- Proactive defense: It shifts an organization from reacting after an incident to anticipating attacks before they land.
How is threat intelligence produced and used?
- The lifecycle: Most programs follow a repeatable cycle of direction, collection, processing, analysis, dissemination, and feedback.
- Feeds other functions: It flows directly into detection tools, threat hunting, and incident response, making each one sharper and more targeted.
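As an added example, not part of the original page, the Python below shows the tactical end of that flow: indicator records that carry context (source, confidence, last seen) are first filtered for freshness and confidence, then matched against a few log lines, which is how a feed is turned into detections without drowning the SOC in stale hits. All indicator values, feed names and log lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed tactical IOC records (hypothetical, not from any real feed).
# The context fields (source, confidence, last_seen) are what turn a bare
# indicator into intelligence that a detection tool can act on safely.
IOCS = [
    {"type": "ip", "value": "203.0.113.10", "source": "feed-a",
     "confidence": 90, "last_seen": "2024-05-01"},
    {"type": "domain", "value": "update-check.example", "source": "feed-b",
     "confidence": 60, "last_seen": "2024-05-03"},
    {"type": "sha256", "value": "a" * 64, "source": "ir-case-42",
     "confidence": 95, "last_seen": "2024-02-01"},
]

# Constructed sample log lines in key=value form: two proxy events, one EDR event.
LOGS = [
    "2024-05-04T10:00:00Z proxy src=10.0.0.5 dst=203.0.113.10 host=update-check.example action=allow",
    "2024-05-04T10:01:00Z edr host=ws-17 sha256=" + "a" * 64 + " action=exec",
    "2024-05-04T10:02:00Z proxy src=10.0.0.6 dst=198.51.100.7 host=intranet.corp action=allow",
]

# Which log fields each indicator type is compared against.
FIELDS_FOR = {"ip": ("src", "dst"), "domain": ("host",), "sha256": ("sha256",)}


def active_iocs(iocs, now_iso, max_age_days=30):
    """Retire indicators not seen within max_age_days of now_iso (a date string).
    Tactical IOCs are short-lived, and stale ones are a common source of false positives."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
    return [i for i in iocs if datetime.fromisoformat(i["last_seen"]) >= cutoff]


def match_logs(iocs, logs, min_confidence=70):
    """Return (line, ioc) pairs where a log field equals an indicator whose
    confidence meets the threshold, highest-confidence hits first."""
    index = {(i["type"], i["value"]): i for i in iocs
             if i["confidence"] >= min_confidence}
    hits = []
    for line in logs:
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        for ioc_type, keys in FIELDS_FOR.items():
            for key in keys:
                ioc = index.get((ioc_type, fields.get(key)))
                if ioc is not None:
                    hits.append((line, ioc))
    return sorted(hits, key=lambda h: -h[1]["confidence"])


if __name__ == "__main__":
    for line, ioc in match_logs(active_iocs(IOCS, "2024-05-04"), LOGS):
        print(f"{ioc['type']}={ioc['value']} ({ioc['source']}, {ioc['confidence']}): {line}")
```

With the defaults only the high-confidence IP hit survives: the low-confidence domain is held back and the months-old hash has been retired, which is the prioritization and false-positive trade-off the page describes.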