Threat Intel Program – Quick Reference

Cyber Attack Taxonomy


Threat Intel Taxonomy


Threat Intel Classification




  • The decision by a competitor or potential competitor to enter your market space
    (e.g. a foreign competitor’s new five-year plan now shows interest in developing a domestic capability in a technology your company is known for).
  • Indications that a competitor, or foreign government, may have previously acquired intellectual property via cyber exploitation.
  • Indications that a competitor, or foreign government, is establishing an atypical influential relationship with a portion of your supply chain.
  • Indications that your corporate strategic objectives may be threatened due to adversarial cyber activity
  • Trend analysis indicating the technical direction in which an adversary’s capabilities are evolving.
  • Indications that an adversary has selected an avenue of approach for targeting your organisation.
  • Indications that an adversary is building capability to exploit a particular avenue of approach.
  • The revelation of adversary tactics, techniques, and procedures.
  • Understanding of the adversary operational cycle (i.e. decision making, acquisitions, command and control [C2] methods for both the technology and the personnel).
  • Technical, social, legal, financial, or other vulnerabilities that the adversary has.
  • Information that enables the defender to influence an adversary as they move through the kill chain.
  • Signature or behaviour detection efforts, and in advanced cases, some form of kill chain.
  • Analysis based upon known actors or network behavioural patterns.
  • Host-based security system alerts.
  • Hosts identified by known IOCs
    (c2, processes, files, user_agents)


Threat Intel vs Cyber Attacks


Adversaries vs Targets


US TRADOC Cyber Operations Model – Sample




Threat Intel Program Checklist

  • Biannual process in place to derive, update and capture prioritized intelligence requirements (PIRs) that map to your organization’s business risks.
  • Tracking of ad hoc requirements that meet and do not meet standing PIRs in order to identify emerging intelligence needs and requirements.
  • Documented intelligence production requirements.
  • Documented collection requirements.
  • Documented mapping of collection requirements to internal teams/capabilities or external (intelligence) providers/vendors (guidance).
  • Regular assessment and tracking of guidance versus output from internal capabilities and external (intelligence) providers/vendors (collection management).
  • Intelligence collection is easily consumable, i.e. in a threat intelligence platform (TIP).
  • Documented intelligence production style guide.
  • Documented intelligence review and editing process.
  • Formalized intelligence product style and templates.
  • Intelligence products include future predictions and doesn’t just report on facts.
  • Sources used in intelligence products are linked to the relevant source and graded.
  • Knowledge gaps are identified in intelligence products and pushed back into the requirements part of the intelligence cycle.
  • Feedback is received from your intelligence consumer/customer and used to drive further intelligence collection and production if needed.
  • Key Performance Indicators (KPIs) are generated for the intelligence program.
  • KPIs are generated for each part of the intelligence cycle including for internal and external sources of finished intelligence products and intelligence collection.
  • Have an intelligence (collection) management function that tracks and prioritizes requirements and tasks them as assigned guidance.
References/Additional Resources

About Uma Mahesh

A Creator/Equilizer. Creator/Equalizers are catalysts for positive, well-organized change. They never settle for the status quo. Instead, they see the opportunity for innovation in the processes that others have long taken for granted. They respect what's already operating, but they can't help but want to improve upon it. Their special combination provides innovation tempered with profound logic. They have incredible discernment. Should their efforts fail, they are unhesitating in accepting responsibility. They don't wallow in self-pity but rather see these missed attempts as critical steps on the path to success.
This entry was posted in Resources, security, Security Management. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s