Key Takeaways

  • Intel is only valuable if it's actionable.
  • Focus on TTPs, not just IoCs—attackers change indicators.
  • Context determines relevance—generic intel has limited value.
  • MITRE ATT&CK provides common language for TTPs.
  • Threat intel feeds detection rules and hunting.
  • Intelligence must be timely to be useful.

1. What is Threat Intelligence?

Threat intelligence is evidence-based knowledge about existing or emerging threats that helps inform decisions about security posture and incident response. It transforms raw data into actionable information about threat actors, their motivations, capabilities, and tactics.

Good threat intel answers: Who is targeting us? How would they attack? What would it look like? How do we detect or prevent it?

Intelligence Cycle

1. Requirements: Define what you need to know
2. Collection: Gather relevant data
3. Processing: Organize and normalize data
4. Analysis: Derive meaning and context
5. Dissemination: Share with stakeholders
6. Feedback: Refine based on utility

2. Types of Threat Intelligence

Type        | Audience       | Content                             | Timeframe
------------|----------------|-------------------------------------|------------
Strategic   | Executives     | Trends, motivations, risk landscape | Long-term
Tactical    | SecOps         | TTPs, attack techniques             | Medium-term
Operational | IR/Hunting     | Specific campaigns, actor intel     | Short-term
Technical   | SOC/Automation | IoCs, signatures, rules             | Immediate

3. Intelligence Sources

3.1 Source Categories

3.2 Free Threat Feeds

# Popular open threat feeds:
- AlienVault OTX (otx.alienvault.com)
- Abuse.ch (urlhaus, malwarebazaar)
- MISP feeds
- CISA alerts (cisa.gov)
- PhishTank
- Emerging Threats rules

4. MITRE ATT&CK Framework

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. It provides a common language for describing attacker behavior.

4.1 ATT&CK Structure

# ATT&CK Matrix structure:
Tactics = WHY (adversary goals)
  └── Techniques = HOW (achieving goals)
       └── Sub-techniques = Specific variations

Example:
Tactic: Initial Access
  └── Technique: Phishing (T1566)
       └── Spearphishing Attachment (T1566.001)
       └── Spearphishing Link (T1566.002)
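The hierarchy above is easy to get wrong in tooling: a sub-technique id carries its parent inside it, and a detection written for a parent technique should count for every sub-technique beneath it. The following is an added example (not code from the original guide or from MITRE) that parses technique ids, walks a sub-technique up to its tactic, and reports which techniques in a threat report your existing detections leave uncovered. The tactic and technique tables are a constructed slice of ATT&CK containing only the entries needed here; the helper names are assumptions.

```python
import re
from collections import defaultdict

# Constructed, minimal slice of the ATT&CK hierarchy (assumption: only the
# entries below; the real knowledge base has hundreds of techniques).
TACTICS = {
    "TA0001": "Initial Access",
    "TA0002": "Execution",
}
TECHNIQUES = {  # technique id -> (name, tactic id)
    "T1566": ("Phishing", "TA0001"),
    "T1059": ("Command and Scripting Interpreter", "TA0002"),
}
SUB_TECHNIQUES = {
    "T1566.001": "Spearphishing Attachment",
    "T1566.002": "Spearphishing Link",
    "T1059.001": "PowerShell",
}

# Tnnnn or Tnnnn.nnn; anything else is rejected rather than guessed at.
TECH_ID = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


def parse_technique_id(tid):
    """Split 'T1566.001' into ('T1566', 'T1566.001'); a plain technique id
    returns ('T1566', None). Raises ValueError on malformed input."""
    m = TECH_ID.match(tid.strip())
    if not m:
        raise ValueError(f"not an ATT&CK technique id: {tid!r}")
    parent = f"T{m.group(1)}"
    sub = f"{parent}.{m.group(2)}" if m.group(2) else None
    return parent, sub


def resolve(tid):
    """Walk a technique or sub-technique id up to its tactic."""
    parent, sub = parse_technique_id(tid)
    if parent not in TECHNIQUES:
        raise KeyError(f"unknown technique {parent}")
    if sub and sub not in SUB_TECHNIQUES:
        raise KeyError(f"unknown sub-technique {sub}")
    name, tactic_id = TECHNIQUES[parent]
    return {
        "tactic": TACTICS[tactic_id],
        "technique": f"{parent} {name}",
        "sub_technique": f"{sub} {SUB_TECHNIQUES[sub]}" if sub else None,
    }


def coverage_gaps(reported, covered):
    """Given technique ids from a threat report and the ids your detections
    already cover, return the uncovered ids grouped by tactic. A detection on
    a parent technique counts as covering all of its sub-techniques."""
    covered_parents = {parse_technique_id(c)[0] for c in covered if "." not in c}
    covered_exact = set(covered)
    gaps = defaultdict(list)
    for tid in reported:
        parent, _sub = parse_technique_id(tid)
        if tid in covered_exact or parent in covered_parents:
            continue
        gaps[resolve(tid)["tactic"]].append(tid)
    return dict(gaps)


if __name__ == "__main__":
    print(resolve("T1566.001"))
    # Report lists both phishing sub-techniques and PowerShell; we only
    # detect phishing at the parent level, so PowerShell is the gap.
    print(coverage_gaps(["T1566.001", "T1566.002", "T1059.001"], ["T1566"]))
```

The gap report is the practical output: it turns "we read the report" into a list of behaviours, per tactic, that still need a detection.
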

IoC Limitations

IoCs (IPs, domains, hashes) have short lifespans—attackers change them frequently. TTPs are more durable—attackers must retool significantly to change their methods. Build detection around behaviors, not just indicators.

5. Indicators of Compromise

5.1 IoC Types

Type          | Lifespan     | Example
--------------|--------------|--------------------------
File Hash     | Short        | SHA256 of malware sample
IP Address    | Short-Medium | C2 server IP
Domain        | Short-Medium | Phishing domain
URL           | Short        | Malware download URL
Email Address | Medium       | Phishing sender
YARA Rule     | Longer       | Malware pattern match
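Before any of the indicator types above can be loaded into a blocklist or SIEM lookup, they have to be recognised and normalised: shared indicators are usually "defanged" (hxxp://, example[.]com, user[@]domain) so that they cannot be clicked by accident. The following is an added example (not code from the original guide) that refangs a raw indicator line and classifies it as one of the types in the table; the sample feed excerpt is constructed for the demonstration and contains no real indicators.

```python
import re
from urllib.parse import urlparse

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
EMAIL = re.compile(r"^[^@\s]+@([^@\s]+)$")


def refang(value):
    """Undo common defanging used when sharing indicators: hxxp -> http,
    [.] / (.) / {.} -> ., [@] / (@) -> @, [:] -> :. Whitespace is stripped."""
    v = value.strip()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.I)
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", v)
    v = re.sub(r"\[@\]|\(@\)", "@", v)
    v = v.replace("[:]", ":")
    return v


def classify(value):
    """Return (type, normalized_value) for one indicator, following the IoC
    types in the table above; unrecognised input yields ('unknown', value)."""
    v = refang(value)
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_LENGTHS:
        return f"hash:{HASH_LENGTHS[len(v)]}", v.lower()
    if IPV4.match(v):
        return "ipv4", v
    m = EMAIL.match(v)
    if m and DOMAIN.match(m.group(1)):
        return "email", v.lower()
    if re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I):
        parsed = urlparse(v)
        if parsed.hostname:
            return "url", v
    if DOMAIN.match(v):
        return "domain", v.lower()
    return "unknown", v


def classify_bulk(lines):
    """Classify raw feed lines (one indicator per line), skipping blanks and
    '#' comments. Returns a list of (type, normalized_value) tuples."""
    out = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        out.append(classify(stripped))
    return out


# Constructed sample feed excerpt (not real indicators; the hash is the
# well-known MD5 of an empty file, used only as a syntactically valid value).
SAMPLE_FEED = """
# sample feed
hxxp://bad[.]example/payload.exe
evil[.]example
203.0.113.7
phish[@]mail[.]example
d41d8cd98f00b204e9800998ecf8427e
""".splitlines()

if __name__ == "__main__":
    for kind, norm in classify_bulk(SAMPLE_FEED):
        print(f"{kind:12} {norm}")
```

Classification order matters: hashes and IP addresses are checked before domains because a bare hex string or dotted quad would otherwise fall through to the looser domain pattern, and an email is tested before a URL so that the `@` in a mailbox address is not mistaken for URL userinfo.
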

5.2 IoC Sharing Formats

6. Operationalizing Intel

6.1 Use Cases

6.2 Threat Hunting Process

# Intel-driven hunting:
1. Consume threat report on actor group
2. Identify TTPs used (map to ATT&CK)
3. Develop hypothesis: "Adversary may use T1059.001"
4. Create detection query/hunt logic
5. Search historical data
6. Investigate anomalies
7. Document findings
8. Create new detections if needed
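The process above, and the IoC Limitations note in section 4, come together in one small hunt. The following is an added example (not code from the original guide or any vendor) that runs two views over the same constructed set of historical process-creation events: an indicator match against a hash feed, and a behavioral hunt for the hypothesis "adversary may use T1059.001" (PowerShell launched from an Office application, or with an encoded command and a hidden window). The event schema, hash values and feed are all constructed for the demonstration; the hash-based view catches only the sample already on the feed, while the behavioral view also catches the retooled one, which is the point of building detection around TTPs.

```python
import json
import re

# Constructed historical process-creation events (assumption: a generic
# parent/child/command-line schema, not any particular EDR's format; hashes
# and the encoded payload are placeholders, not real sample data).
HISTORICAL_EVENTS = [json.loads(line) for line in """
{"ts":"2024-03-01T09:12:03Z","host":"ws-01","parent":"WINWORD.EXE","image":"powershell.exe","sha256":"hash-A-known","cmdline":"powershell.exe -nop -w hidden -enc ZmFrZQ=="}
{"ts":"2024-03-04T14:40:19Z","host":"ws-02","parent":"EXCEL.EXE","image":"PowerShell.exe","sha256":"hash-B-retooled","cmdline":"PowerShell.exe -NoProfile -WindowStyle Hidden -EncodedCommand ZmFrZQ=="}
{"ts":"2024-03-05T08:01:44Z","host":"ws-03","parent":"explorer.exe","image":"powershell.exe","sha256":"hash-C-benign","cmdline":"powershell.exe Get-ChildItem -Path ."}
{"ts":"2024-03-05T08:02:10Z","host":"srv-01","parent":"services.exe","image":"svchost.exe","sha256":"hash-D-benign","cmdline":"svchost.exe -k netsvcs"}
""".strip().splitlines()]

# Indicator-based view: a constructed feed that knows only the first sample.
FEED_SHA256 = {"hash-A-known"}


def ioc_matches(events, feed=FEED_SHA256):
    """Classic indicator matching: only events whose hash is already on the feed."""
    return [e for e in events if e["sha256"] in feed]


# Behavioral view (steps 2-4): the hypothesis expressed as observable traits.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I)
HIDDEN_FLAG = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden", re.I)


def hunt_t1059_001(events):
    """Step 5-6: search historical data for the hypothesis and keep the
    anomalies. Returns (event, reasons) pairs so the analyst sees why."""
    hits = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        reasons = []
        if e["parent"].lower() in OFFICE_PARENTS:
            reasons.append("office-parent")
        if ENCODED_FLAG.search(e["cmdline"]):
            reasons.append("encoded-command")
        if HIDDEN_FLAG.search(e["cmdline"]):
            reasons.append("hidden-window")
        if reasons:
            hits.append((e, reasons))
    return hits


def document_finding(event, reasons):
    """Step 7: record a finding with its ATT&CK mapping and the evidence."""
    return {
        "host": event["host"],
        "ts": event["ts"],
        "technique": "T1059.001",
        "tactic": "Execution",
        "evidence": reasons,
        "cmdline": event["cmdline"],
    }


def run_hunt(events=HISTORICAL_EVENTS):
    """Whole pipeline for the T1059.001 hypothesis over a set of events."""
    return [document_finding(e, r) for e, r in hunt_t1059_001(events)]


if __name__ == "__main__":
    print("IoC view  :", [e["host"] for e in ioc_matches(HISTORICAL_EVENTS)])
    print("Behavioral:", [f["host"] for f in run_hunt()])
    for finding in run_hunt():
        print(json.dumps(finding))
```

Step 8 follows directly: once the hunt query has been tuned against the benign administrator event on ws-03, the same `hunt_t1059_001` logic is the new detection, and the findings already carry the ATT&CK mapping needed to document coverage.
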

7. Tools & Platforms

Tool          | Type        | Purpose
--------------|-------------|-------------------------------
MISP          | Open Source | Threat intel sharing platform
OpenCTI       | Open Source | CTI platform with STIX support
ThreatConnect | Commercial  | TIP with automation
Anomali       | Commercial  | TIP with threat feeds
YARA          | Open Source | Pattern matching for malware

Start Small

You don't need a complex platform to start with threat intel. Begin by consuming relevant reports, identifying TTPs that matter to your environment, and manually updating detection rules. Formalize as capabilities mature.

8. Frequently Asked Questions

How do I prioritize threat intel?

Focus on threats relevant to your industry, geography, and technology stack. A threat targeting industrial control systems doesn't matter to a SaaS company. Start with actors known to target organizations like yours, then expand.

Do I need a commercial threat intel feed?

Not necessarily. High-quality open source intel exists. Commercial feeds add value through curation, analysis, and integration. Evaluate based on your team's capacity to process raw intel and specific intelligence requirements.

Conclusion

Threat intelligence is most valuable when it's timely, relevant, and actionable. Focus on TTPs over IoCs for more durable detection. Use MITRE ATT&CK as a common framework. Start with free sources and operationalize what you consume before expanding. Intelligence without action is just information.
