
Threat Intelligence That Actually Works: From Feeds to Actionable Defense

December 28, 2024
Covenda Engineering Team

Your organization subscribes to threat intelligence feeds. Your SIEM ingests millions of indicators of compromise (IOCs) daily. You receive regular threat reports from vendors. And yet, when asked "How does threat intel improve our security?", the answer is often unclear.

This is the threat intelligence gap: lots of data, minimal action.

After integrating threat intelligence programs for financial institutions, healthcare providers, and technology companies, we've learned that effective threat intelligence isn't about collecting more data - it's about operationalizing the right intelligence to drive defensive actions.

This guide shows you how to build a threat intelligence program that actually improves security outcomes.

The threat intelligence problem

Most organizations approach threat intel as a consumption activity:

  1. Subscribe to commercial feeds (Recorded Future, CrowdStrike, Mandiant)
  2. Ingest IOCs (IPs, domains, file hashes) into SIEM
  3. Create alerts for IOC matches
  4. Receive weekly/monthly threat reports
  5. File reports for compliance evidence

Result: Lots of noise, minimal signal, unclear ROI.

The problems:

1. IOC overload

  • Millions of indicators with unclear relevance
  • High false positive rates
  • Stale data (IOCs are often outdated by the time you receive them)
  • Noisy alerts that analysts learn to ignore

2. Actionability gap

  • Threat reports describe what happened, not what you should do
  • Generic recommendations ("patch your systems", "train users")
  • No connection between threat intel and your detection/response capabilities

3. Context mismatch

  • Intelligence about threats that don't target your industry
  • Alerts on IOCs your environment never communicates with
  • Reports about attack campaigns irrelevant to your threat model

A better framework: Intelligence-driven defense

Effective threat intelligence programs follow this cycle:

1. Requirements: What do we need to know to make better security decisions?

2. Collection: Gather relevant threat data from appropriate sources.

3. Analysis: Transform data into actionable intelligence.

4. Dissemination: Deliver intelligence to the right people in usable formats.

5. Feedback: Measure effectiveness and refine requirements.

Let's walk through each phase with practical examples.

Phase 1: Define intelligence requirements

Start with the question: "What threat intelligence would change our security decisions or actions?"

Priority Intelligence Requirements (PIRs)

Work with stakeholders to identify decisions that threat intel should inform:

For Executive Leadership:

  • Are we being targeted by sophisticated threat actors? (Affects board risk reporting)
  • Are our industry peers experiencing increased attacks? (Budget justification)
  • What emerging threats should we prioritize? (Strategic planning)

For Security Operations:

  • What TTPs (tactics, techniques, procedures) are threat actors using against our industry?
  • Which vulnerabilities are being actively exploited in the wild?
  • What infrastructure (C2 servers, phishing domains) are adversaries using?

For Incident Response:

  • Who is likely attacking us? (Attribution, motivation)
  • What is their typical attack lifecycle? (Detection opportunities)
  • What are their objectives? (Prioritize defense of crown jewels)

For Vulnerability Management:

  • Which vulnerabilities should we patch first? (Exploit likelihood)
  • Are any of our third-party vendors compromised? (Supply chain risk)

Example PIRs for a financial services firm:

Strategic PIRs (Quarterly Updates):
1. Which nation-state and cybercrime groups are targeting financial institutions?
2. What new attack techniques are being used against banking infrastructure?
3. What emerging threats (AI-enabled attacks, quantum computing) should we prepare for?

Operational PIRs (Weekly Updates):
1. What TTPs are being observed in recent financial sector breaches?
2. Which critical vulnerabilities are being exploited in the wild?
3. What phishing campaigns are targeting our industry?
4. What malware families are most prevalent in financial services?

Tactical PIRs (Daily/Real-time):
1. Are any of our assets (IPs, domains, brands) referenced in underground forums?
2. Are any known C2 servers communicating with our network?
3. Are credentials for our organization being sold on darknet markets?
4. Are any of our vendors experiencing security incidents?

Phase 2: Collection from relevant sources

Don't collect everything - collect what's relevant to your PIRs.

Source categories:

1. Open-source intelligence (OSINT):

  • Free: AlienVault OTX, abuse.ch, MISP communities
  • Vendor blogs: Microsoft, Google, Mandiant, CrowdStrike
  • Government: CISA alerts, FBI flash reports, NCSC advisories
  • Twitter/X, security researchers, bug bounty disclosures

2. Commercial threat intelligence:

  • Strategic intel: Recorded Future, Mandiant Threat Intelligence, CrowdStrike Falcon Intelligence
  • Technical feeds: Anomali, ThreatConnect, ThreatQuotient
  • Industry-specific: FS-ISAC (financial), H-ISAC (healthcare), Auto-ISAC (automotive)

3. Internal intelligence:

  • Your own incident data (what attacks have you seen?)
  • Honeypots and deception technology
  • Threat hunting findings
  • Log analysis and anomaly detection

4. Community intelligence:

  • ISACs and ISAOs (Information Sharing and Analysis Centers/Organizations)
  • Peer groups and security communities
  • Vendor partner intelligence programs

5. Dark web monitoring:

  • Credential leaks mentioning your organization
  • Discussion of your organization in threat actor forums
  • Ransomware leak sites
  • Marketplace offerings (RDP access, VPN credentials)

Collection strategy:

Don't subscribe to everything. Map sources to PIRs:

PIR: "Which critical vulnerabilities are being exploited in the wild?"

Relevant Sources:
- CISA Known Exploited Vulnerabilities (KEV) catalog
- Shadowserver exploit attempt data
- GreyNoise mass-scan activity
- Vendor security bulletins
- Commercial exploit intelligence (Recorded Future, Mandiant)

Collection Method:
- Automated: API feeds to vulnerability management system
- Manual: Weekly review of CISA KEV additions
- Alerting: Real-time notifications for exploits targeting technologies we use

Phase 3: Analysis & operationalization

This is where most programs fail. Raw threat data must be transformed into actionable intelligence.

Tactic 1: Threat-informed detection engineering

Use threat intelligence to prioritize detection development:

Process:

  1. Review recent threat reports for TTPs targeting your industry
  2. Map TTPs to MITRE ATT&CK framework
  3. Identify TTPs you cannot currently detect
  4. Build detections for the highest-priority gaps

Example:

Threat report: "Ransomware gang FIN12 targeting healthcare with rapid encryption following RDP compromise"

Analysis: FIN12 TTP breakdown:

  • Initial Access: External remote services (T1133) - RDP with compromised/weak credentials
  • Execution: Command and Scripting Interpreter (T1059) - PowerShell and CMD
  • Persistence: Create Account (T1136) - New local admin accounts
  • Defense Evasion: Disable or Modify Tools (T1562.001) - Disable AV and EDR
  • Discovery: Network Service Scanning (T1046) - Scan for additional targets
  • Lateral Movement: Remote Desktop Protocol (T1021.001)
  • Impact: Data Encrypted for Impact (T1486)

Detection gaps identified:

  • ✓ Have detection for RDP brute force attempts
  • ✗ Missing detection for new local admin account creation
  • ✗ Missing detection for AV/EDR service tampering
  • ✓ Have detection for network scanning from endpoints

Priority: Build detections for account creation and AV tampering.
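Steps 2 to 4 of the process above (map to ATT&CK, find what you cannot detect, rank the gaps), as an added Python example that is not code from the original post. The report techniques, the list of deployed detections and the actor-usage counts are constructed so that the output reproduces the FIN12 gap list; in practice `REPORTED_TTPS` comes from your report reading, `DEPLOYED_DETECTIONS` from your detection repository and `ACTOR_USAGE` from your tracked-actor profiles. The parent/sub-technique handling (a rule written for T1021 counts as covering T1021.001, but not the other way round) is a design choice of this example.

```python
"""Threat-informed detection gap analysis (added example, not from the post).

Takes the techniques extracted from a threat report and the detections
already in production, and returns the uncovered techniques in priority
order. All inputs below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    attack_id: str   # ATT&CK id, e.g. "T1562.001"
    name: str
    tactic: str

    @property
    def parent_id(self) -> str:
        # "T1562.001" -> "T1562"; a top-level technique is its own parent
        return self.attack_id.split(".")[0]


# Techniques from the FIN12 breakdown in the text (constructed mapping).
REPORTED_TTPS = [
    Technique("T1133", "External Remote Services", "initial-access"),
    Technique("T1059", "Command and Scripting Interpreter", "execution"),
    Technique("T1136.001", "Create Account: Local Account", "persistence"),
    Technique("T1562.001", "Disable or Modify Tools", "defense-evasion"),
    Technique("T1046", "Network Service Scanning", "discovery"),
    Technique("T1021.001", "Remote Desktop Protocol", "lateral-movement"),
    Technique("T1486", "Data Encrypted for Impact", "impact"),
]

# Production detections keyed by the ATT&CK id each was written for
# (constructed, chosen to reproduce the gap list in the text). A rule for a
# parent technique such as "T1021" is treated as covering its sub-techniques;
# a sub-technique rule covers only itself.
DEPLOYED_DETECTIONS = {
    "T1133": ["rdp_brute_force_attempts"],
    "T1059": ["suspicious_powershell_commandline"],
    "T1046": ["endpoint_port_scan"],
    "T1021": ["lateral_movement_remote_services"],
    "T1486": ["mass_file_rename_canary"],
}

# Number of tracked actors observed using each technique; used to rank gaps.
# Constructed counts, not real ATT&CK group data.
ACTOR_USAGE = {"T1562.001": 9, "T1486": 7, "T1136.001": 5}


def is_covered(t: Technique, detections: dict) -> bool:
    """Covered by a rule for the exact id or for the parent technique."""
    return t.attack_id in detections or t.parent_id in detections


def detection_gaps(reported, detections, usage) -> list:
    """Uncovered techniques as (Technique, actor_count), most-used first."""
    gaps = [(t, usage.get(t.attack_id, usage.get(t.parent_id, 0)))
            for t in reported if not is_covered(t, detections)]
    # Rank by actor usage; tie-break on id for stable output
    return sorted(gaps, key=lambda g: (-g[1], g[0].attack_id))


def gap_report(reported=REPORTED_TTPS, detections=DEPLOYED_DETECTIONS,
               usage=ACTOR_USAGE) -> list:
    """Human-readable lines, one per missing detection."""
    return [f"{t.attack_id} [{t.tactic}] {t.name}: used by {n} tracked actors"
            for t, n in detection_gaps(reported, detections, usage)]


if __name__ == "__main__":
    for line in gap_report():
        print("MISSING DETECTION:", line)
```

Run stand-alone it prints the two gaps the text prioritizes, AV/EDR tampering first because more tracked actors use it.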

Resulting Sigma rule:

title: Suspicious Local Administrator Account Creation
id: custom-123-admin-creation   # the Sigma specification requires a UUIDv4 here; generate one before deploying
status: production
description: Detects an account being added to the local Administrators group, which ransomware groups do after creating a new local account for persistence
references:
  - https://thedfirreport.com/2021/12/13/diavol-ransomware/
  - https://attack.mitre.org/techniques/T1136/001/
tags:
  - attack.persistence
  - attack.t1136.001
  - threat-actor.fin12
logsource:
  product: windows
  service: security
detection:
  selection:
    # Event 4720 (user account created) carries no group membership, so the
    # rule keys on 4732 (member added to a security-enabled local group) and
    # on the well-known SID of Administrators rather than a localized group name
    EventID: 4732
    TargetSid: 'S-1-5-32-544'
  filter_legit:
    SubjectUserName:
      - 'SYSTEM'
      - 'domain-joiner$'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate IT provisioning (should use standardized naming)
  - Domain controllers creating computer accounts
level: high
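To check the rule's logic before shipping it, here is an added Python example (not code from the original post or the Sigma project) that applies the rule's selection and filter to a handful of constructed Windows Security events, and then adds the 4720-to-4732 correlation that a single Sigma rule cannot express. Field names follow the Windows Security log; `SAMPLE_EVENTS`, the account names and the ten-minute correlation window are assumptions.

```python
"""Applies the Sigma rule's logic to constructed Windows Security events
(added example; not from the original post or the Sigma project).

Event 4720 (user account created) carries no group information, which is
why the rule selects 4732 (member added to a security-enabled local group)
with the Administrators SID. The second function shows the correlation a
SIEM search would add on top to match the rule's title literally.
"""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"               # built-in Administrators
ALLOWED_SUBJECTS = {"SYSTEM", "domain-joiner$"}   # filter_legit in the rule

# Constructed events with Windows Security log field names. Times are
# ISO 8601 strings as a log pipeline would emit them.
SAMPLE_EVENTS = [
    {"time": "2024-12-20T02:11:03", "EventID": 4720,
     "SubjectUserName": "helpdesk01", "TargetUserName": "svc_backup"},
    {"time": "2024-12-20T02:11:09", "EventID": 4732,
     "SubjectUserName": "helpdesk01", "TargetSid": "S-1-5-32-544",
     "MemberName": "WS01\\svc_backup"},
    # Excluded by filter_legit: the domain-join automation account
    {"time": "2024-12-20T03:00:00", "EventID": 4732,
     "SubjectUserName": "domain-joiner$", "TargetSid": "S-1-5-32-544",
     "MemberName": "WS02\\admin_tmp"},
    # Added to Remote Desktop Users (S-1-5-32-555), not Administrators
    {"time": "2024-12-20T04:00:00", "EventID": 4720,
     "SubjectUserName": "helpdesk01", "TargetUserName": "rdpuser"},
    {"time": "2024-12-20T04:00:30", "EventID": 4732,
     "SubjectUserName": "helpdesk01", "TargetSid": "S-1-5-32-555",
     "MemberName": "WS03\\rdpuser"},
    # Existing account promoted to admin: fires the rule, but is not "new"
    {"time": "2024-12-20T05:00:00", "EventID": 4732,
     "SubjectUserName": "helpdesk01", "TargetSid": "S-1-5-32-544",
     "MemberName": "WS04\\olduser"},
]


def matches_rule(event: dict) -> bool:
    """'selection and not filter_legit', exactly as the rule's condition."""
    selection = (event["EventID"] == 4732
                 and event.get("TargetSid") == ADMINISTRATORS_SID)
    filter_legit = event.get("SubjectUserName") in ALLOWED_SUBJECTS
    return selection and not filter_legit


def rule_hits(events=SAMPLE_EVENTS) -> list:
    """Member names the Sigma rule would alert on."""
    return [e["MemberName"] for e in events if matches_rule(e)]


def newly_created_admins(events=SAMPLE_EVENTS, window_minutes: float = 10) -> list:
    """Accounts created (4720) and added to Administrators (4732) within
    `window_minutes`. This is the correlation the rule title implies; it
    needs state across events, so it lives in a SIEM search, not the rule."""
    window = timedelta(minutes=window_minutes)
    created = {}   # lower-cased username -> creation time
    hits = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["EventID"] == 4720:
            created[e["TargetUserName"].lower()] = datetime.fromisoformat(e["time"])
        elif matches_rule(e):
            user = e["MemberName"].split("\\")[-1].lower()
            t_created = created.get(user)
            if t_created is not None and \
                    datetime.fromisoformat(e["time"]) - t_created <= window:
                hits.append(e["MemberName"])
    return hits


if __name__ == "__main__":
    print("rule hits:", rule_hits())
    print("new admin accounts:", newly_created_admins())
```

The plain rule fires twice (the new service account and the promoted existing account); the correlation narrows it to the account that was created and promoted within the window, which is the case the rule title is after.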

Tactic 2: Dynamic IOC enrichment

Use threat intelligence to enrich alerts with context:

Instead of a bare alert such as: "Connection to suspicious IP 192.0.2.45"

Enrich with threat intel:

ALERT: Connection to Known C2 Infrastructure
Severity: Critical

Destination: 192.0.2.45:443
Protocol: HTTPS
Source Host: LAPTOP-1234 (user: john.doe)

THREAT INTELLIGENCE:
- IP associated with: Cobalt Strike C2 infrastructure
- First seen: 2024-12-15 (2 weeks ago)
- Associated malware: Conti Ransomware
- Threat actor: FIN12 (financially motivated, targets healthcare)
- Campaign: "Silent Night" ransomware campaign (active since Nov 2024)
- Other targets: 15 healthcare organizations in US/EU

RECOMMENDED ACTIONS:
1. ISOLATE host LAPTOP-1234 immediately (block network access)
2. COLLECT forensic evidence (memory dump, disk image)
3. SEARCH for indicators of Cobalt Strike beacon:
   - Named pipes: \\.\pipe\MSSE-*
   - Service DLL injections
   - PowerShell encoded commands
4. HUNT for lateral movement from this host (RDP, SMB, PSExec)
5. ACTIVATE incident response team (ransomware playbook)
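The enrichment step above, as an added Python example that is not code from the original post. It looks up an alert's destination in a small constructed intel store, decays the source's confidence by how long ago the indicator was last seen so that stale IOCs (the staleness problem noted under "IOC overload") do not fire at full severity, and attaches the context and playbook a responder needs. The records, the 30-day half-life, the severity bands and the playbook names are all assumptions.

```python
"""Alert enrichment from a local threat-intel store (added example, not
from the original post). All records and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class IntelRecord:
    indicator: str
    classification: str     # what the infrastructure is, e.g. "Cobalt Strike C2"
    threat_actor: str
    campaign: str
    first_seen: date
    last_seen: date
    confidence: int         # 0-100 as reported by the source
    source: str


# Constructed store, keyed by indicator value. Addresses are from the
# RFC 5737 documentation range and do not refer to real infrastructure.
INTEL_DB = {
    "192.0.2.45": IntelRecord("192.0.2.45", "Cobalt Strike C2", "FIN12",
                              "Silent Night", date(2024, 12, 15),
                              date(2024, 12, 27), 90, "vendor-feed-A"),
    "192.0.2.200": IntelRecord("192.0.2.200", "Mass scanner", "unattributed",
                               "", date(2024, 1, 5), date(2024, 2, 1),
                               40, "osint-feed-B"),
}

# Playbook to hand the analyst, by classification (assumed names)
PLAYBOOKS = {"Cobalt Strike C2": "ransomware-precursor-playbook",
             "Mass scanner": "perimeter-scan-triage"}

# Effective-confidence floors for each severity (assumed bands)
SEVERITY_BANDS = [(70, "critical"), (40, "high"), (15, "medium")]


def effective_confidence(rec: IntelRecord, today: date,
                         half_life_days: int = 30) -> float:
    """Reported confidence halved for every `half_life_days` since the
    indicator was last seen, so old IOCs decay instead of alerting forever."""
    age_days = max(0, (today - rec.last_seen).days)
    return rec.confidence * 0.5 ** (age_days / half_life_days)


def severity_for(confidence: float) -> str:
    for floor, label in SEVERITY_BANDS:
        if confidence >= floor:
            return label
    return "low"


def enrich(alert: dict, db=INTEL_DB, today: date = date(2024, 12, 29)) -> dict:
    """Return a copy of the alert with severity and intel context attached."""
    rec = db.get(alert["dest_ip"])
    if rec is None:
        return {**alert, "intel": None}      # unknown destination: leave as-is
    conf = effective_confidence(rec, today)
    return {
        **alert,
        "severity": severity_for(conf),
        "intel": {
            "classification": rec.classification,
            "threat_actor": rec.threat_actor,
            "campaign": rec.campaign or None,
            "first_seen": rec.first_seen.isoformat(),
            "days_since_last_seen": (today - rec.last_seen).days,
            "effective_confidence": round(conf, 1),
            "source": rec.source,
            "playbook": PLAYBOOKS.get(rec.classification),
        },
    }


if __name__ == "__main__":
    raw = {"rule": "outbound-to-suspicious-ip", "severity": "low",
           "src_host": "LAPTOP-1234", "user": "john.doe",
           "dest_ip": "192.0.2.45", "dest_port": 443}
    for key, value in enrich(raw).items():
        print(f"{key}: {value}")
```

The decay is the part worth copying: the same feed entry that was worth a critical page two days after its last sighting is worth a low-priority ticket, or nothing, eleven months later, and the analyst sees the effective confidence rather than the source's original number.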

Tactic 3: Proactive threat hunting

Use threat intelligence to guide hunting campaigns:

Monthly hunting cadence:

  1. Review latest threat reports for your industry
  2. Select 2-3 TTPs or campaigns to hunt for
  3. Develop hunting hypotheses
  4. Search for evidence in your environment
  5. Document findings (true positives, false positives, detection gaps)

Example hunting campaign:

Hunt: Search for SolarWinds-style supply chain compromise indicators

Hypothesis: If an adversary compromised our software supply chain, we would see:
- Unusual network connections from trusted build/deployment tools
- Code signing certificates used at unusual times or by unusual processes
- Legitimate software processes making suspicious API calls

Data sources:
- EDR telemetry for build servers
- Network flow logs for CI/CD infrastructure
- Code signing logs
- Cloud provider API audit logs (CloudTrail, Azure Activity Log)

Hunting queries:
1. Build tools making outbound connections to non-expected destinations
2. Code signed binaries with recent signatures (past 7 days) communicating externally
3. CI/CD service accounts accessing unusual cloud resources
4. Package downloads from suspicious or newly registered repositories

Hunt duration: 4 hours
Findings:
- False positive: Build server connects to third-party analytics service (expected, not documented)
- Detection gap: No alerting on unusual code signing activity
- True negative: No evidence of supply chain compromise
- Action items: Document expected build server connections, create detection for code signing anomalies
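Hunting query 1 above (build tools reaching destinations they are not documented to use), as an added Python example run over constructed network flow records; it is not code from the original post. It keeps a baseline of destinations seen in the previous 30 days so that a never-before-seen destination sorts above a long-standing but undocumented one, and it carries out the hunt's first action item: the analytics service is recorded as expected and the hunt re-run. Host names, destinations, ports and the baseline are assumptions.

```python
"""Hunt: build servers talking to undocumented destinations (added example,
not from the original post). Flows and baselines below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: str
    src_host: str
    dst: str          # destination as the flow collector resolved it
    dst_port: int
    bytes_out: int


BUILD_HOSTS = {"build-01", "build-02"}

# Destinations the build servers are documented to use (assumed).
EXPECTED_EGRESS = {
    "git.internal.example:443",
    "artifacts.internal.example:443",
    "registry.npmjs.org:443",
}

# Destinations seen from the build hosts during the prior 30 days
# (constructed baseline from the same flow source).
BASELINE_30D = {"git.internal.example:443", "artifacts.internal.example:443",
                "registry.npmjs.org:443", "analytics.vendor.example:443"}

# Constructed flow records for the hunt window. 198.51.100.0/24 is an
# RFC 5737 documentation range, not a real destination.
FLOWS = [
    Flow("2024-12-20T09:00:01", "build-01", "git.internal.example", 443, 52_000),
    Flow("2024-12-20T09:00:07", "build-01", "analytics.vendor.example", 443, 3_100),
    Flow("2024-12-20T09:05:44", "build-02", "registry.npmjs.org", 443, 900_000),
    Flow("2024-12-20T09:06:10", "build-02", "198.51.100.7", 8443, 48_000),
    Flow("2024-12-20T10:06:12", "build-02", "198.51.100.7", 8443, 51_000),
    Flow("2024-12-20T09:30:00", "dev-laptop-7", "198.51.100.7", 8443, 10),  # not a build host
    Flow("2024-12-21T09:00:05", "build-01", "analytics.vendor.example", 443, 2_900),
]


def hunt_unexpected_egress(flows=FLOWS, hosts=BUILD_HOSTS,
                           expected=EXPECTED_EGRESS, baseline=BASELINE_30D) -> list:
    """Aggregate undocumented destinations per build host and rank them:
    never-seen-before destinations first, then by bytes sent."""
    agg = defaultdict(lambda: {"flows": 0, "bytes_out": 0})
    for f in flows:
        dest = f"{f.dst}:{f.dst_port}"
        if f.src_host in hosts and dest not in expected:
            agg[(f.src_host, dest)]["flows"] += 1
            agg[(f.src_host, dest)]["bytes_out"] += f.bytes_out
    findings = [
        {"host": host, "dest": dest, "flows": v["flows"],
         "bytes_out": v["bytes_out"], "new_in_window": dest not in baseline}
        for (host, dest), v in agg.items()
    ]
    return sorted(findings,
                  key=lambda x: (not x["new_in_window"], -x["bytes_out"]))


def accept_as_documented(findings: list, dests: set,
                         expected=EXPECTED_EGRESS) -> set:
    """Hunt follow-up: record a reviewed destination as expected so the
    next run no longer raises it. Returns the updated allowlist."""
    reviewed = {f["dest"] for f in findings} & dests
    return expected | reviewed


if __name__ == "__main__":
    first = hunt_unexpected_egress()
    for finding in first:
        print(finding)
    updated = accept_as_documented(first, {"analytics.vendor.example:443"})
    print("after documenting the analytics service:",
          hunt_unexpected_egress(expected=updated))
```

The first run raises two findings; the second, after the analytics service has been reviewed and documented, leaves only the destination that was new in the hunt window, which is the one that needs a host-level look.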

Tactic 4: Vulnerability prioritization

Use exploit intelligence to prioritize patching:

Before threat intel: Patch everything with CVSS ≥ 7.0

Problem: Thousands of vulnerabilities, limited resources, unclear priorities

With threat intel: Risk-based prioritization

Priority Score = CVSS Base Score + Threat Intel Modifiers

Threat Intel Modifiers:
+3.0: Actively exploited in the wild (CISA KEV, exploit attempts observed)
+2.0: Exploit code publicly available
+1.5: Targeted attacks using this vulnerability reported
+1.0: Vulnerability in technology we use extensively
-1.0: Vulnerability in technology we don't use
-2.0: Requires complex attack chain (low exploitability)

Example:
CVE-2024-12345: Microsoft Exchange RCE
- CVSS: 8.8 (High)
- CISA KEV: Yes (+3.0)
- Public exploit: Yes (+2.0)
- Our exposure: 15 Exchange servers (+1.0)
Final Priority Score: 14.8 (Critical - patch within 48 hours)

CVE-2024-67890: Obscure IoT device RCE
- CVSS: 9.2 (Critical)
- CISA KEV: No
- Public exploit: No
- Our exposure: Don't use this device (-1.0)
Final Priority Score: 8.2 (High - patch within 30 days)
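The scoring model above, together with the automated KEV collection from Phase 2, as an added Python example that is not code from the original post. It reads a constructed record shaped like the CISA KEV JSON feed, matches it against a constructed asset inventory, applies the modifiers exactly as listed, and reproduces the two worked scores. The inventory, the "used extensively" threshold of ten instances and the score-to-SLA bands are assumptions; the text fixes only that 14.8 is Critical (48 hours) and 8.2 is High (30 days).

```python
"""Threat-informed vulnerability priority scoring (added example, not from
the original post). KEV sample, inventory and SLA bands are constructed.
"""
from dataclasses import dataclass

# Shaped like the CISA KEV JSON feed (same field names), but a constructed
# excerpt; in practice this is fetched from CISA and refreshed daily.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2024-12345", "vendorProject": "Microsoft",
     "product": "Exchange Server", "dateAdded": "2024-12-10",
     "dueDate": "2024-12-31", "knownRansomwareCampaignUse": "Known"},
]}

# Asset inventory: product -> number of deployed instances (assumed)
INVENTORY = {"Exchange Server": 15, "Windows Server": 400}

# Modifiers exactly as listed in the text
MODIFIERS = {
    "kev": 3.0, "public_exploit": 2.0, "targeted_attacks": 1.5,
    "used_extensively": 1.0, "not_used": -1.0, "complex_chain": -2.0,
}
EXTENSIVE_USE_THRESHOLD = 10   # assumption: >= 10 instances is "extensive"

# Assumed SLA bands; the text fixes only the two example points
SLA_BANDS = [(12.0, "Critical", "48 hours"), (7.0, "High", "30 days"),
             (4.0, "Medium", "90 days"), (0.0, "Low", "next cycle")]


@dataclass
class Vuln:
    cve: str
    title: str
    cvss: float
    product: str
    public_exploit: bool = False
    targeted_attacks: bool = False
    complex_chain: bool = False


def kev_ids(kev_json: dict) -> set:
    """CVE ids currently in the KEV catalog."""
    return {v["cveID"] for v in kev_json["vulnerabilities"]}


def priority_score(v: Vuln, kev: set, inventory: dict) -> tuple:
    """Return (score, applied modifier names) per the scoring formula."""
    score, applied = v.cvss, []
    if v.cve in kev:
        applied.append("kev")
    if v.public_exploit:
        applied.append("public_exploit")
    if v.targeted_attacks:
        applied.append("targeted_attacks")
    instances = inventory.get(v.product, 0)
    if instances >= EXTENSIVE_USE_THRESHOLD:
        applied.append("used_extensively")
    elif instances == 0:
        applied.append("not_used")
    if v.complex_chain:
        applied.append("complex_chain")
    score += sum(MODIFIERS[m] for m in applied)
    return round(score, 1), applied


def sla_for(score: float) -> tuple:
    for floor, label, deadline in SLA_BANDS:
        if score >= floor:
            return label, deadline
    return "Low", "next cycle"


def prioritize(vulns, kev_json=KEV_SAMPLE, inventory=INVENTORY) -> list:
    """Score every vulnerability and return them highest priority first."""
    kev = kev_ids(kev_json)
    rows = []
    for v in vulns:
        score, applied = priority_score(v, kev, inventory)
        label, deadline = sla_for(score)
        rows.append({"cve": v.cve, "cvss": v.cvss, "score": score,
                     "modifiers": applied, "priority": label,
                     "patch_within": deadline})
    return sorted(rows, key=lambda r: -r["score"])


# The two worked examples from the text (placeholder CVE ids as given there)
EXAMPLES = [
    Vuln("CVE-2024-12345", "Microsoft Exchange RCE", 8.8, "Exchange Server",
         public_exploit=True),
    Vuln("CVE-2024-67890", "Obscure IoT device RCE", 9.2, "IoT gateway"),
]

if __name__ == "__main__":
    for row in prioritize(EXAMPLES):
        print(row)
```

Keeping the applied modifier names on each row matters more than the number itself: when the patching team asks why a CVSS 9.2 sits below a CVSS 8.8, the answer is on the ticket.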

Phase 4: Dissemination

Deliver intelligence in formats that drive action:

For SOC Analysts: Playbook integration

Embed threat intelligence directly into incident response playbooks:

Playbook: Cobalt Strike Detection Response

THREAT CONTEXT (from Threat Intel):
- Tool: Cobalt Strike (legitimate penetration testing tool abused by adversaries)
- Threat actors: FIN12, Wizard Spider, APT29, and many cybercrime groups
- Typical use: Post-exploitation, lateral movement, C2 communications
- Next steps: Often precedes ransomware deployment within 48-72 hours

DETECTION INDICATORS:
- Named pipes: \pipe\MSSE-*, \pipe\status_*
- Scheduled tasks with random names
- Periodic network beaconing, most often over 443, 80 or 8080 but also to non-standard ports
- DNS queries to DGA domains
- DLL injection into legitimate processes

RESPONSE ACTIONS:
1. ISOLATE compromised host (assume imminent ransomware)
2. HUNT for lateral movement (check other hosts for same indicators)
3. REVIEW domain admin account activity (privilege escalation likely)
4. COLLECT forensics (memory, disk, network logs)
5. ENGAGE incident response team (ransomware playbook)

TIMELINE: This is a CRITICAL incident. Ransomware deployment typically occurs within 48-72 hours of Cobalt Strike detection. Act urgently.

For Executives: Strategic intelligence briefings

Monthly one-page executive summary:

December 2024 Threat Intelligence Summary

TOP THREATS TO OUR INDUSTRY (Financial Services):
1. Ransomware groups targeting financial institutions (FIN12, LockBit) - 35% increase
2. Supply chain compromises via third-party software vendors
3. Cloud infrastructure targeting (AWS, Azure credential theft)

SPECIFIC RISKS TO OUR ORGANIZATION:
⚠ HIGH: One of our vendors (VendorX) experienced a data breach on Dec 15. Customer data may be exposed.
   Action: Incident response engaged, customer notifications prepared.

⚠ MEDIUM: Phishing campaign targeting financial institutions using fake SharePoint notifications.
   Action: Email filters updated, user awareness alert sent.

INTELLIGENCE-DRIVEN ACTIONS THIS MONTH:
✓ Patched critical Exchange vulnerability being exploited in the wild (CVE-2024-12345)
✓ Built 3 new detection rules based on FIN12 ransomware TTPs
✓ Blocked 15 C2 infrastructure IPs associated with active campaigns
✓ Identified and remediated 2 dark web credential leaks for former employees

LOOKING AHEAD:
- Q1 2025: Expected increase in tax-themed phishing campaigns
- Ongoing: Monitor for "Silent Night" ransomware campaign indicators
- Strategic: Prepare for AI-enabled social engineering attacks

For Security Engineers: Automated feeds

Integrate threat intel directly into security tools:

  • SIEM: Enrich alerts with threat context
  • Firewall/IPS: Block known malicious infrastructure
  • EDR: Flag processes matching malware signatures
  • CASB: Alert on suspicious cloud activity matching attack patterns
  • Email security: Block domains used in phishing campaigns

Automate using STIX/TAXII, APIs, or custom integrations.
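A minimal STIX 2.1 consumer, as an added Python example that is not code from the original post and not the stix2 library: it walks a constructed bundle of the kind a TAXII collection returns, pulls the observables out of each Indicator's pattern, drops revoked, expired, not-yet-valid and low-confidence indicators, and emits per-tool blocklists for the firewall, the email gateway and the proxy. The bundle contents, the confidence floor, the tool routing and the pattern grammar it understands (simple equality comparisons joined by OR) are assumptions; a production consumer should use a full STIX pattern parser.

```python
"""STIX 2.1 indicators -> per-tool blocklists (added example, not from the
original post or the stix2 project). The bundle is constructed; object ids
are placeholders in the STIX id format.
"""
import json
import re
from datetime import datetime

# Constructed bundle in the shape a TAXII collection returns. Addresses and
# names are from documentation ranges / example domains, not real IOCs.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--aaaaaaaa-0000-4000-8000-000000000001",
         "name": "Cobalt Strike C2", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.45']",
         "valid_from": "2024-12-15T00:00:00Z",
         "valid_until": "2025-03-15T00:00:00Z", "confidence": 90},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--aaaaaaaa-0000-4000-8000-000000000002",
         "name": "Phishing sender domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'sharepoint-notice.example']",
         "valid_from": "2024-12-01T00:00:00Z", "confidence": 75},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--aaaaaaaa-0000-4000-8000-000000000003",
         "name": "Expired scanner range", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '198.51.100.8']",
         "valid_from": "2024-01-01T00:00:00Z",
         "valid_until": "2024-06-01T00:00:00Z", "confidence": 60},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--aaaaaaaa-0000-4000-8000-000000000004",
         "name": "Retracted", "pattern_type": "stix", "revoked": True,
         "pattern": "[domain-name:value = 'retracted.example']",
         "valid_from": "2024-12-01T00:00:00Z", "confidence": 80},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--aaaaaaaa-0000-4000-8000-000000000005",
         "name": "Low confidence sighting", "pattern_type": "stix",
         "pattern": "[url:value = 'http://lowconf.example/x']",
         "valid_from": "2024-12-20T00:00:00Z", "confidence": 20},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--aaaaaaaa-0000-4000-8000-000000000009",
         "name": "Conti", "is_family": True},
    ],
})

# Simple comparisons only: "<object-type>:value = '<literal>'"
OBSERVABLE_RE = re.compile(r"(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'")

# Which security tool consumes each observable type (assumed routing)
ROUTE = {"ipv4-addr": "firewall", "domain-name": "email_gateway", "url": "proxy"}


def parse_ts(s: str) -> datetime:
    # STIX timestamps end in 'Z'; fromisoformat needs an explicit offset on older Pythons
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def indicator_is_live(obj: dict, now: datetime, min_confidence: int) -> bool:
    """Only current, unrevoked, sufficiently confident STIX-pattern indicators."""
    if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
        return False
    if obj.get("revoked") or obj.get("confidence", 0) < min_confidence:
        return False
    if parse_ts(obj["valid_from"]) > now:
        return False
    until = obj.get("valid_until")
    return until is None or parse_ts(until) > now


def build_blocklists(bundle_json: str, now_iso: str, min_confidence: int = 50) -> dict:
    """Return {tool: sorted list of values} for every live indicator as of now_iso."""
    now = parse_ts(now_iso)
    lists = {tool: set() for tool in ROUTE.values()}
    for obj in json.loads(bundle_json)["objects"]:
        if not indicator_is_live(obj, now, min_confidence):
            continue
        for obs_type, value in OBSERVABLE_RE.findall(obj["pattern"]):
            lists[ROUTE[obs_type]].add(value)
    return {tool: sorted(v) for tool, v in lists.items()}


if __name__ == "__main__":
    for tool, values in build_blocklists(STIX_BUNDLE, "2024-12-29T00:00:00Z").items():
        print(f"{tool}: {values}")
```

Re-running the build on a schedule with the current time is what makes a blocklist shrink as well as grow: the expired scanner range and the retracted domain fall out on their own, which is the part most hand-rolled feed integrations forget.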

Phase 5: Feedback & measurement

Measure threat intelligence effectiveness:

Leading indicators:

  • Number of PIRs addressed by collected intelligence
  • Percentage of detections informed by threat intel
  • Time from intelligence publication to defensive action

Lagging indicators:

  • Incidents detected due to threat intel-based detections
  • Vulnerabilities patched proactively due to exploit intelligence
  • Phishing campaigns blocked based on threat intel
  • Cost/time saved vs. reactive response

Example metrics dashboard:

Q4 2024 Threat Intelligence Program Effectiveness

Threat-Informed Detections:
- New detections built: 12 (based on ransomware TTPs)
- True positives detected: 3 incidents (prevented ransomware deployment)
- Estimated cost avoidance: $2.4M (industry average ransomware incident cost)

Proactive Defense:
- Critical vulnerabilities patched due to exploit intel: 8
- Malicious infrastructure blocked: 450 IPs/domains
- Phishing campaigns blocked: 23

Threat Hunting:
- Hunt campaigns conducted: 6
- True positives found: 2 (undetected malware, misused credentials)
- Detection gaps identified and addressed: 8

Strategic Intelligence:
- Executive briefings delivered: 3
- Board presentations: 1 (ransomware threat landscape)
- Budget justifications supported: Security tool expansion ($500K approved)

ROI: $2.4M+ in estimated cost avoidance for $250K threat intel program investment

Building your threat intelligence program

Start small (90-day pilot):

Month 1: Requirements & collection

  • Define 3-5 PIRs
  • Select 2-3 relevant intelligence sources (1 free, 1-2 commercial)
  • Integrate feeds into SIEM for enrichment

Month 2: Analysis & operationalization

  • Review threat reports and identify 5-10 relevant TTPs
  • Build 3-5 threat-informed detection rules
  • Run 2 threat hunting campaigns

Month 3: Dissemination & feedback

  • Deliver monthly executive threat briefing
  • Measure detections and hunting results
  • Gather feedback from SOC analysts
  • Calculate ROI and present findings to leadership

Then expand:

  • Add more PIRs and intelligence sources
  • Automate enrichment and IOC blocking
  • Establish regular hunting cadence
  • Create industry peer intelligence-sharing relationships

Conclusion

Effective threat intelligence is:

  1. Requirements-driven: Collect intelligence that informs decisions, not everything
  2. Actionable: Translate intelligence into detections, hunts, and remediation
  3. Contextual: Focus on threats relevant to your industry and organization
  4. Measured: Demonstrate ROI through metrics and cost avoidance
  5. Integrated: Embed into detection engineering, IR, and vulnerability management

The goal isn't to collect the most threat intelligence - it's to operationalize the right intelligence to measurably reduce risk.

Need help building a threat intelligence program that drives action? Contact us to discuss how our Forward-Deployed Engineers can operationalize threat intel in your environment.
