Threat intelligence
Definition
Processed, analysed information about adversaries, their capabilities, and their current or anticipated activities. Includes strategic intelligence (actor motivations and trends) and tactical intelligence (specific indicators of compromise and techniques). Feeds directly into risk assessments and audit scope.
Related terms
- Advanced Persistent Threat (APT)
- A category of attacker, typically nation-state or state-sponsored, characterised by high technical capability, long dwell times, specific targets, and disciplined operational security....
- Insider threat
- An incident originating from a person with legitimate access to an organisation's systems, whether through malicious intent (data theft, sabotage) or negligence...
- IoC (Indicator of Compromise)
- Observable artefact linked to malicious activity. File hashes (MD5, SHA-256, ImpHash, ssdeep, TLSH), IPs, domains, URLs, registry keys, mutex names, named pipes,...
- ISAC (Information Sharing and Analysis Center)
- A sector-specific membership organisation that collects, analyses, and redistributes threat intelligence among its members under confidentiality agreements. Examples include FS-ISAC (financial services),...
- MITRE ATT&CK
- A publicly available knowledge base of adversary tactics, techniques, and procedures derived from real-world intrusion observations. Maintained by the MITRE Corporation. Techniques...
- STIX (Structured Threat Information eXpression)
- An OASIS open standard that defines a JSON-based language for describing cyber threat intelligence. STIX 2.1 defines objects for indicators, threat actors,...
- TAXII (Trusted Automated eXchange of Indicator Information)
- An OASIS open standard that defines an HTTPS-based protocol for transporting STIX content between organisations. A TAXII server exposes collections; clients poll...
- Threat actor
- An individual or group responsible for a security incident or malicious campaign. Threat actors are categorised by motivation (financial, espionage, hacktivism, destruction)...
- Threat vector
- The pathway or method a threat actor uses to gain access or cause harm. Examples include phishing email, unpatched software vulnerabilities, compromised...
- Traffic Light Protocol (TLP)
- A standardised colour-coded scheme, maintained by FIRST (currently TLP 2.0), for marking how far a piece of intelligence may be redistributed. TLP:RED is for the named recipients only and may not be shared further; TLP:AMBER may be shared within the recipient's organisation and with its clients on a need-to-know basis (TLP:AMBER+STRICT limits it to the recipient's organisation); TLP:GREEN is...
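The IoC, STIX, TAXII and TLP entries above describe the same pipeline from different angles: indicators are expressed as STIX 2.1 objects, carried in a bundle or a TAXII envelope, marked with a TLP level, and finally matched against telemetry. The block below is an added example written for this glossary, not code from any of the standards bodies or products named on the page. It builds the STIX 2.1 objects by hand with the standard library only (the real `stix2` library would do the same with validation), parses the simplest STIX pattern shape (a single equality comparison), and matches the indicators against constructed log lines. The indicator values, host names and log lines are invented for the demonstration; the TLP marking-definition IDs and the TAXII 2.1 envelope shape follow the published specifications.

```python
"""Hand-built STIX 2.1 indicators matched against constructed log lines (added example)."""
import json
import re
import uuid
from datetime import datetime, timezone

# Marking-definition IDs fixed by the STIX 2.1 specification for the TLP 1.0 colours.
TLP_MARKING_IDS = {
    "TLP:WHITE": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "TLP:GREEN": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "TLP:AMBER": "marking-definition--f88d31f6-dbdf-4f80-a6e7-df9296a33c1a",
    "TLP:RED":   "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def make_indicator(name, pattern, tlp):
    """Build a STIX 2.1 Indicator SDO that carries a TLP object marking."""
    ts = _now()
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "valid_from": ts,
        "name": name, "pattern": pattern, "pattern_type": "stix",
        "indicator_types": ["malicious-activity"],
        "object_marking_refs": [TLP_MARKING_IDS[tlp]],
    }

def build_bundle(indicators):
    """Wrap the SDOs plus every TLP marking-definition they reference into a STIX Bundle."""
    used = {ref for ind in indicators for ref in ind["object_marking_refs"]}
    markings = [
        {"type": "marking-definition", "spec_version": "2.1", "id": mid,
         "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
         "name": tlp, "definition": {"tlp": tlp.split(":")[1].lower()}}
        for tlp, mid in TLP_MARKING_IDS.items() if mid in used
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": markings + indicators}

def taxii_envelope(bundle):
    """TAXII 2.1 serves collection contents as an envelope, not as a bundle."""
    return {"more": False, "objects": bundle["objects"]}

def serialize(obj):
    return json.dumps(obj)

# Only the simplest STIX pattern is handled here: [object-type:property = 'value'].
_PATTERN = re.compile(r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")

def parse_pattern(pattern):
    m = _PATTERN.match(pattern)
    if not m:
        raise ValueError(f"unsupported STIX pattern: {pattern}")
    obj_type, prop, value = m.groups()
    return obj_type, prop.replace("'", ""), value

# Observable extraction from key=value log lines (hash, IPv4 address, domain name).
_SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.I)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def extract_observables(line):
    """Return {(stix_object_type, property): set of values} seen in one log line."""
    return {
        ("file", "hashes.SHA-256"): {h.lower() for h in _SHA256.findall(line)},
        ("ipv4-addr", "value"): set(_IPV4.findall(line)),
        ("domain-name", "value"): {d.lower() for d in _DOMAIN.findall(line)},
    }

def match_bundle(bundle, log_lines):
    """Return [(indicator name, TLP colour, 1-based line number)] for every hit."""
    tlp_by_id = {o["id"]: o["name"] for o in bundle["objects"] if o["type"] == "marking-definition"}
    hits = []
    for n, line in enumerate(log_lines, 1):
        seen = extract_observables(line)
        for o in bundle["objects"]:
            if o["type"] != "indicator":
                continue
            obj_type, prop, value = parse_pattern(o["pattern"])
            if value.lower() in seen.get((obj_type, prop), set()):
                hits.append((o["name"], tlp_by_id[o["object_marking_refs"][0]], n))
    return hits

def shareable_with_community(hits):
    """Only TLP:WHITE/GREEN hits may be passed on beyond our own organisation and clients."""
    return [h for h in hits if h[1] in ("TLP:WHITE", "TLP:GREEN")]

# Constructed sample data: hypothetical indicator values and invented log lines.
INDICATORS = [
    make_indicator("Loader C2 domain", "[domain-name:value = 'updates.evil-cdn.example']", "TLP:AMBER"),
    make_indicator("Loader dropper hash", f"[file:hashes.'SHA-256' = '{'ab' * 32}']", "TLP:GREEN"),
    make_indicator("Exfil host", "[ipv4-addr:value = '203.0.113.77']", "TLP:RED"),
]
BUNDLE = build_bundle(INDICATORS)
SAMPLE_LOGS = [
    "2024-03-04T09:12:01Z proxy src=10.0.4.17 dst=updates.evil-cdn.example action=allow",
    "2024-03-04T09:12:09Z edr host=wks-017 file=c:\\users\\a\\svchost.exe sha256=" + "ab" * 32,
    "2024-03-04T09:13:44Z fw src=10.0.4.17 dst=203.0.113.77 dport=443 action=allow",
    "2024-03-04T09:15:02Z proxy src=10.0.4.22 dst=www.example.org action=allow",
]
HITS = match_bundle(BUNDLE, SAMPLE_LOGS)

if __name__ == "__main__":
    print(serialize(taxii_envelope(BUNDLE))[:120] + "...")
    for name, tlp, line_no in HITS:
        print(f"line {line_no}: {name} ({tlp})")
    print("shareable with the community:", shareable_with_community(HITS))
```

Two practitioner points the example makes concrete. First, the TLP colour travels with the object as an `object_marking_refs` entry, so a consumer that later re-shares matches (as `shareable_with_community` does) can enforce the marking mechanically rather than relying on a note in an e-mail. Second, real STIX patterns can combine comparisons with `AND`/`OR`, observation operators and qualifiers; a production matcher should use a full pattern evaluator (the `stix2-patterns` grammar, for instance) rather than the single-comparison regex used here, which rejects anything more complex instead of silently mis-matching it.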
Explained in these topics
- Intelligence Sources, Feeds and Sharing Platforms: Evidence-based knowledge about adversary capabilities, infrastructure, motivations, and intentions that is actionable for defenders or investigators. Distingui...
- The Threat Landscape and Threat Actors: Processed, analysed information about adversaries, their capabilities, and their current or anticipated activities. Includes strategic intelligence (actor moti...