Threat Intelligence Guide

Threat intelligence is processed information about adversaries and their tactics, techniques and procedures (TTPs), used by security teams to make better defense decisions. It is consumed at three levels:

• Strategic: board-level briefings about threat actor motives, geopolitical context and long-term trends. Output: written reports.
• Operational: campaign reports tied to specific threat groups (e.g. "Kimsuky targeting US think tanks Q2 2026"). Output: TTP narratives, victimology, infrastructure clusters.
• Tactical: concrete indicators (URLs, IPs, hashes) that can be ingested into a SIEM, firewall or EDR. Output: machine-readable feeds.

Threat intelligence is more than IOC blocklists. It includes context (who, why, when), attribution (which group), motive (financial, espionage, hacktivism) and the relationship between an indicator and the broader campaign. The list of URLs is the easiest layer to produce and the easiest for adversaries to rotate, which is why mature programs invest beyond IOCs into TTP-level detection.

An indicator of compromise is an artefact observed during or after an intrusion that suggests malicious activity. The four types you will meet most often:

Every IOC moves through four stages from collection to retirement:

• Collection: sourced from sandboxes, honeypots, partner feeds, OSINT or analyst observation.
• Enrichment: WHOIS, passive DNS, reputation scores, sandbox detonations, MITRE ATT&CK technique tagging.
• Action: blocking, alerting or monitoring; routed to SIEM, firewall, EDR, MISP or SOAR.
• Expiration: aged out by per-type TTL. URLs after a few days, IPs after weeks, hashes effectively never.

Without per-type TTL, a SIEM rule built on a 6-month-old URL list will alert on legitimate traffic to a domain that the original adversary lost months ago.

There is no single best feed. Most mature SOCs ingest both OSINT and commercial intelligence; the trick is matching feed properties to the use case.

A common pattern: OSINT feeds drive automated proxy and DNS blocks at scale; commercial intelligence drives incident response, attribution and executive briefings. The two are complementary, not substitutes.

MITRE ATT&CK is a knowledge base of adversary tactics, techniques and procedures maintained by the MITRE Corporation. It organises observed adversary behaviour into 14 tactics (the "why" of an action) and over 200 techniques (the "how"). Most threat intelligence reports and detection rules cite ATT&CK technique IDs (e.g. T1059 for Command and Scripting Interpreter, T1071 for Application Layer Protocol) so analysts can normalise across vendors.

The 14 ATT&CK Enterprise tactics, in execution order:

• Reconnaissance
• Resource Development
• Initial Access
• Execution
• Persistence
• Privilege Escalation
• Defense Evasion
• Credential Access
• Discovery
• Lateral Movement
• Collection
• Command and Control
• Exfiltration
• Impact

Reference: attack.mitre.org · Threat group catalogue · Enterprise technique matrix.

• Source: ~95 Twitter/X security researchers, scraped via RSS every 15 minutes.
• Output: CSV, JSON, RSS, MISP events and an MCP server, in windows of today / week / month / year. See /feeds.
• License: CC0 1.0 Public Domain. No authentication, no rate limit for normal use, no attribution required.
• Strengths: high recall, real-time signal, tagged with malware family and category for easy filtering.
• Limitations: lower precision than analyst-curated feeds; cross-reference VirusTotal, urlscan.io or your sandbox before automated blocking.
• Best fit: high-volume signal feed, complementary to commercial intelligence; primary feed for resource-constrained teams; teaching dataset for blue-team training.

Integration recipes for MISP, OpenCTI, Splunk, KQL and IntelOwl on the Threat Hunting page.

• Blocking on IPs alone. Shared hosting and CDNs reuse IPs across legitimate and malicious tenants. An IP is enrichment, not a verdict. Block only with corroborating signals (active sample, beacon traffic).
• Ignoring TTL. A six-month-old URL feed is mostly noise. Configure per-type TTL: hours for URLs, days for IPs, weeks for domains, never for hashes.
• Treating IOC = verdict. An IOC is a lead. Cross-reference VirusTotal, urlscan.io, your sandbox, or pivot through passive DNS before automating action.
• Single-feed dependency. Each feed has blind spots. Stack two or three feeds (one OSINT, one commercial, one peer-shared via ISAC/ISAO) and dedup on the way in.

APT (Advanced Persistent Threat)

A well-resourced adversary that maintains long-term access to a target environment. Often nation-state aligned. Tracked by aliases that vary by vendor.

IOC (Indicator of Compromise)

An observable artefact (URL, domain, IP, file hash) that suggests malicious activity in an environment.

C2 / C&C (Command-and-Control)

The infrastructure adversaries use to control compromised hosts. Common protocols: HTTPS, DNS, custom encrypted channels.

TTP (Tactic, Technique, Procedure)

The behaviour layer above IOCs. Harder for adversaries to change than infrastructure. Captured in MITRE ATT&CK.

OSINT (Open-Source Intelligence)

Intelligence sourced from publicly available information: blogs, social media, forums, leaked databases.

SOCMINT (Social Media Intelligence)

A subset of OSINT focused on social platforms (X/Twitter, LinkedIn, Telegram). TweetFeed is a SOCMINT-driven IOC feed.

MITRE

A US not-for-profit corporation that maintains the ATT&CK adversary behaviour knowledge base and the CWE software-weakness catalogue, among other public-good projects.