Threat Intel Program – Quick Reference

Cyber Attack Taxonomy


Threat Intel Taxonomy


Threat Intel Classification




  • The decision by a competitor or potential competitor to enter your market space
    (e.g. a foreign competitor’s new five-year plan now shows interest in developing a domestic capability in a technology your company is known for).
  • Indications that a competitor, or foreign government, may have previously acquired intellectual property via cyber exploitation.
  • Indications that a competitor, or foreign government, is establishing an atypical influential relationship with a portion of your supply chain.
  • Indications that your corporate strategic objectives may be threatened due to adversarial cyber activity
  • Trend analysis indicating the technical direction in which an adversary’s capabilities are evolving.
  • Indications that an adversary has selected an avenue of approach for targeting your organisation.
  • Indications that an adversary is building capability to exploit a particular avenue of approach.
  • The revelation of adversary tactics, techniques, and procedures.
  • Understanding of the adversary operational cycle (i.e. decision making, acquisitions, command and control [C2] methods for both the technology and the personnel).
  • Technical, social, legal, financial, or other vulnerabilities that the adversary has.
  • Information that enables the defender to influence an adversary as they move through the kill chain.
  • Signature or behaviour detection efforts, and in advanced cases, some form of kill chain.
  • Analysis based upon known actors or network behavioural patterns.
  • Host-based security system alerts.
  • Hosts identified by known IOCs
    (c2, processes, files, user_agents)


Threat Intel vs Cyber Attacks


Adversaries vs Targets


US TRADOC Cyber Operations Model – Sample




Threat Intel Program Checklist

  • Biannual process in place to derive, update and capture prioritized intelligence requirements (PIRs) that map to your organization’s business risks.
  • Tracking of ad hoc requirements that meet and do not meet standing PIRs in order to identify emerging intelligence needs and requirements.
  • Documented intelligence production requirements.
  • Documented collection requirements.
  • Documented mapping of collection requirements to internal teams/capabilities or external (intelligence) providers/vendors (guidance).
  • Regular assessment and tracking of guidance versus output from internal capabilities and external (intelligence) providers/vendors (collection management).
  • Intelligence collection is easily consumable, i.e. in a threat intelligence platform (TIP).
  • Documented intelligence production style guide.
  • Documented intelligence review and editing process.
  • Formalized intelligence product style and templates.
  • Intelligence products include future predictions and doesn’t just report on facts.
  • Sources used in intelligence products are linked to the relevant source and graded.
  • Knowledge gaps are identified in intelligence products and pushed back into the requirements part of the intelligence cycle.
  • Feedback is received from your intelligence consumer/customer and used to drive further intelligence collection and production if needed.
  • Key Performance Indicators (KPIs) are generated for the intelligence program.
  • KPIs are generated for each part of the intelligence cycle including for internal and external sources of finished intelligence products and intelligence collection.
  • Have an intelligence (collection) management function that tracks and prioritizes requirements and tasks them as assigned guidance.
References/Additional Resources

About wikihead

A Seeker. Information Security Professional, Pursuing Life with Ayurveda.
This entry was posted in Resources, security, Security Management. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s