
Threat Intelligence

Evidence-based knowledge about threats, including their characteristics, intentions, and capabilities that can be used to inform decisions regarding protective measures.

Definition

Threat Intelligence is actionable, evidence-based information about threats and threat actors. Rather than raw data or general threat information, intelligence is analyzed, contextualized, and delivered to decision-makers who can act on it.

The term encompasses:

  • Data – Raw indicators like IP addresses, file hashes, domain names
  • Information – Data combined with context (e.g., “this malware targets financial institutions”)
  • Intelligence – Information analyzed and synthesized to support decision-making (e.g., “this threat actor targets your industry, uses these techniques, and is likely motivated by espionage”)

Key Characteristics

Effective threat intelligence has several defining traits:

1. Actionable

The intelligence supports specific decisions or actions. Generic warnings (“hackers are everywhere”) are not actionable. Specific intelligence (“this threat actor targets manufacturing firms in your region with supply chain attacks”) is actionable.

2. Timely

Intelligence reaches decision-makers before threats manifest. Intelligence about a threat actor’s new technique is valuable before it’s used in attacks.

3. Relevant

Intelligence addresses the organization’s specific risk profile, industry, geography, and assets. A financial firm needs different intelligence than a healthcare organization.

4. Accurate

Intelligence is based on evidence and verified sources. Attribution claims should have confidence levels; correlations should be substantiated.

5. Contextualized

Intelligence explains the “why” behind threats. Understanding that a threat actor targets your industry because they’re nation-state adversaries seeking intellectual property provides essential context.

Types of Threat Intelligence

Strategic Intelligence

Long-term threat landscape analysis for executive decision-making. Examples:

  • Which threat actors are most likely to target your industry?
  • What geopolitical events might trigger increased targeting?
  • How is the threat landscape evolving?

Tactical Intelligence

Information about specific threat actors’ techniques, tools, and procedures (TTPs). Used by security teams for:

  • Detection engineering
  • Incident response
  • Threat hunting

Example: “Threat actor X uses EvilCorp malware, deploys it via spear-phishing, establishes persistence via scheduled tasks (T1053), and exfiltrates data via DNS tunneling.”

Operational Intelligence

Real-time or near-real-time information about active threats. Used for:

  • Immediate incident response
  • Real-time defense adjustments
  • Threat actor activity tracking

Example: “Spear-phishing emails impersonating DocuSign are actively targeting your sector. Subject lines reference invoice approvals.”

How Organizations Use Threat Intelligence

Defense & Prevention

  • Hardening systems against known threat actor techniques
  • Implementing controls to detect observed TTPs
  • Updating security policies based on threat landscape changes

Detection & Response

  • Writing detection rules for known malware and attack patterns
  • Threat hunting for evidence of known threat actors
  • Incident response planning aligned to probable threats
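To show what turning tactical intelligence into detection looks like, here is an added example (not from the original page) that converts the earlier tactical statement about threat actor X (scheduled-task persistence, T1053, and exfiltration via DNS tunneling) into two detection rules run over constructed sample telemetry. The event shape, thresholds, user-writable path list and sample records are assumptions.

```python
import math
import random
from collections import Counter, defaultdict

# Constructed sample telemetry (not from any real incident): normalized process-creation
# and DNS-query records, the shape a SIEM would hand to a detection rule.
_rng = random.Random(7)
_ALNUM = list("abcdefghijklmnopqrstuvwxyz0123456789")

def _random_label(n=32):
    """Assumption: tunnelled data shows up as long labels drawn from a wide alphabet."""
    _rng.shuffle(_ALNUM)
    return "".join(_ALNUM[:n])

SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "cmd": r"schtasks /create /tn Updater /tr C:\Users\Public\svc.exe /sc minute /mo 5"},
    {"type": "process", "host": "ws02", "cmd": r"schtasks /create /tn Backup /tr C:\Program Files\Backup\bk.exe /sc daily"},
    {"type": "process", "host": "ws01", "cmd": r"notepad.exe C:\Users\bob\notes.txt"},
    {"type": "dns", "host": "ws02", "query": "www.example.com"},
    {"type": "dns", "host": "ws02", "query": "mail.example.com"},
] + [{"type": "dns", "host": "ws01", "query": f"{_random_label()}.up.c2-example.test"} for _ in range(6)]
# Assumed list of directories an unprivileged user can write to (lower-cased substrings).
USER_WRITABLE = (r"\users\public", r"\appdata", r"\temp", r"\programdata")

def shannon_entropy(s):
    """Bits per character; an all-distinct 32-char label scores 5.0, 'aaaa' scores 0."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def detect_scheduled_task_persistence(events):
    """Tactical TTP -> rule: schtasks /create whose action runs from a user-writable path (T1053)."""
    alerts = []
    for e in events:
        cmd = e.get("cmd", "").lower()
        if e["type"] == "process" and "schtasks" in cmd and "/create" in cmd \
                and any(p in cmd for p in USER_WRITABLE):
            alerts.append({"technique": "T1053", "host": e["host"], "evidence": e["cmd"]})
    return alerts

def detect_dns_tunneling(events, min_len=24, min_entropy=3.5, min_queries=5):
    """Many long, high-entropy leading labels from one host to one base domain.
    Base domain = last two labels (simplification; a real rule would use a public-suffix list)."""
    suspicious = defaultdict(list)
    for e in events:
        if e["type"] != "dns":
            continue
        labels = e["query"].split(".")
        if len(labels[0]) >= min_len and shannon_entropy(labels[0]) >= min_entropy:
            suspicious[(e["host"], ".".join(labels[-2:]))].append(e["query"])
    return [{"technique": "DNS tunneling", "host": h, "domain": d, "count": len(q)}
            for (h, d), q in suspicious.items() if len(q) >= min_queries]
```

The benign backup task and the short `example.com` lookups pass through, so the rules fire only where the intelligence said the actor's activity would look different from normal operations.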

Strategic Planning

  • Informing cybersecurity investment decisions
  • Aligning security posture to business-relevant threats
  • Executive reporting on organizational risk

Supply Chain Risk

  • Assessing third-party risk based on threat intelligence
  • Identifying industry-specific supply chain compromise risks
  • Negotiating security requirements with vendors

The Intelligence Cycle

Threat intelligence follows a structured cycle:

  1. Direction & Planning – Define intelligence requirements
  2. Collection – Gather data from sources (open source, proprietary, dark web, etc.)
  3. Processing – Organize and standardize data
  4. Analysis – Synthesize data into intelligence with context and assessment
  5. Dissemination – Deliver intelligence to stakeholders
  6. Feedback – Collect feedback to refine future intelligence

This cycle ensures intelligence remains relevant, accurate, and actionable.

Common Sources of Threat Intelligence

  • Open Source Intelligence (OSINT) – Publicly available information (NVD, security blogs, CVE databases)
  • Commercial Feeds – Paid threat feeds from specialized vendors
  • Government Sources – CISA alerts, sector-specific ISACs (Information Sharing & Analysis Centers)
  • Dark Web Monitoring – Monitoring underground forums for threat actor activity and data breaches
  • Internal Telemetry – Your organization’s own security logs and detections

Why Threat Intelligence Matters

Organizations without structured threat intelligence are reactive—they respond to incidents after damage occurs. Those with mature threat intelligence are proactive—they anticipate threats and implement preventive measures.

The difference in outcomes is dramatic:

  • Reactive: “We were breached. We’re investigating now.”
  • Proactive: “We detected reconnaissance activity by a known threat actor. We hardened our systems and alerted our team before an attack occurred.”

Threat intelligence is the bridge between reacting to threats and anticipating them.