Understanding threat intelligence

There are plenty of opinions as to what threat intelligence is or isn't. I've gone around and around with executives about its place in a security organization. Is it part of the incident response toolset? Is it part of the vulnerability management toolset? Does it belong to the security operations center? Maybe it belongs to risk? Maybe it is its own service? Depending on whom you are talking to, a case can be made for each scenario.

My opinion is that the information derived from threat intelligence feeds and tools is useful to all of the teams named in the preceding questions. The information from these feeds must be tempered and tailored for use by each of them. In previous chapters, we discussed the importance of providing actionable information to stakeholders who make decisions in the upper echelons of the organization.

We can look at threat intelligence as a means to provide actionable information from the tactical level to the operational level.

How do we do this? Let's first start with what threat intelligence is. Gartner (https://www.gartner.com/doc/2941522/technology-overview-threat-intelligence-platforms) defines threat intelligence as:

"evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."

This evidence-based knowledge is gathered from several means, including:

  • Honeypots
  • Malware processing
  • Open source
  • Human intelligence
  • Scanning
  • Crawling

The information gathered from these activities contains Indicators of Compromise (IoCs) that are related to a specific threat. Some examples of IoCs are:

  • IP addresses
  • Bad domains/URLs
  • SHA-1 and MD5 hashes
  • File sizes
  • Operating system information

Ericka Chickowski wrote an article on Dark Reading where she highlights 15 key IoCs:

  • Unusual outbound network traffic
  • Anomalies in privileged user account activity
  • Geographical irregularities
  • Other log-in red flags
  • Increases in database read volume
  • HTML response sizes
  • Large numbers of requests for the same file
  • Mismatched port-application traffic
  • Suspicious registry or system file changes
  • Unusual DNS requests
  • Unexpected patching of systems
  • Mobile device profile changes
  • Bundles of data in the wrong place
  • Web traffic with unhuman behavior
  • Signs of DDoS activity

There are organizations and people who are dedicated to passing threat intelligence information to a wider or a more specific audience. These feeds can be specific to:

  • Industry
  • Threat actor
  • Malware

You can find threat feeds that are provided as open source or as a service from a vendor. However, as you build the threat intelligence capability within your organization, you will be taking these feeds and making them more relevant to you.
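As an added example (not from the book), the following Python matcher normalizes a constructed feed of the IoC types listed above (IP addresses, domains, hashes) and runs it over constructed proxy, DNS and endpoint log lines, with a local allowlist standing in for the "tempering and tailoring" step. The feed format, the log format and every value in it are assumptions for illustration.

```python
import re

# Constructed feed (not a real vendor feed); "[.]" is the usual defanging.
FEED = [
    {"type": "ip", "value": "203.0.113.45", "threat": "constructed-c2"},
    {"type": "domain", "value": "update-check[.]example", "threat": "constructed-loader"},
    {"type": "sha1", "value": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709", "threat": "constructed-dropper"},
    {"type": "domain", "value": "intranet.example", "threat": "constructed-stale-entry"},
]
# Tailoring: indicators known-good in this environment are suppressed so a
# generic feed does not raise alerts on internal assets.
LOCAL_ALLOWLIST = {"domain": {"intranet.example"}}
LOG_FIELDS = {"dst": "ip", "host": "domain", "query": "domain", "sha1": "sha1"}  # assumed log format
# Constructed telemetry: proxy, DNS and endpoint file-hash events.
LOGS = [
    "2024-05-01T10:00:00Z proxy src=10.0.0.8 dst=203.0.113.45 host=cdn.example",
    "2024-05-01T10:00:01Z dns client=10.0.0.8 query=Update-Check.example.",
    "2024-05-01T10:00:02Z edr host=ws-17 file=setup.exe sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "2024-05-01T10:00:03Z proxy src=10.0.0.9 dst=198.51.100.2 host=intranet.example",
]

def normalize(ioc_type: str, value: str) -> str:
    """Canonical form so feed values and log values compare equal."""
    if ioc_type == "domain":  # refang, strip scheme/path, lowercase, drop trailing dot
        value = value.replace("[.]", ".").replace("hxxp", "http")
        value = re.sub(r"^https?://", "", value).split("/")[0]
        return value.lower().rstrip(".")
    if ioc_type in ("sha1", "md5"):  # hex digests: case-insensitive
        return value.lower()
    return value.strip()

def build_index(feed: list) -> dict:
    idx: dict = {}  # ioc_type -> {normalized value: threat label}
    for e in feed:
        idx.setdefault(e["type"], {})[normalize(e["type"], e["value"])] = e["threat"]
    return idx

def match_logs(logs: list, feed: list) -> list:
    """Return (line_no, ioc_type, value, threat) for every non-allowlisted hit."""
    idx, hits = build_index(feed), []
    for n, line in enumerate(logs, 1):
        for key, raw in re.findall(r"(\w+)=(\S+)", line):
            ioc_type = LOG_FIELDS.get(key)
            value = normalize(ioc_type, raw) if ioc_type else None
            if value is None or value in LOCAL_ALLOWLIST.get(ioc_type, set()):
                continue  # unknown field, or tailored out as known-good locally
            threat = idx.get(ioc_type, {}).get(value)
            if threat:
                hits.append((n, ioc_type, value, threat))
    return hits
```

Running `match_logs(LOGS, FEED)` reports the first three log lines; the fourth matches a stale feed entry but is suppressed by the local allowlist, which is the kind of tailoring a raw feed needs before it is handed to the SOC.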
