Threat Intelligence Fundamentals (T1598)
A foundational guide to threat intelligence for SOC analysts — the intelligence lifecycle, STIX/TAXII, feed quality evaluation, and how to operationalize IOCs in SIEM and EDR.
What Threat Intelligence Is and Why Analysts Need It
- Threat intelligence (CTI) is evidence-based knowledge about existing or emerging threats, including context, mechanisms, indicators, implications, and actionable advice — not just a list of IPs and hashes.
- The difference between a feed of IP addresses and real intelligence is context: who is targeting you, what tools they use, what their motive is, and what they are after.
- MITRE ATT&CK maps general threat intelligence gathering to T1598 (Search Victim-Owned Websites / Social Media), but the CTI discipline spans the entire kill chain.
- Analysts who understand CTI can prioritize alerts based on actual threat actor behavior instead of chasing noise, and they can proactively hunt for threats rather than waiting for alerts.
The Intelligence Lifecycle
Intelligence is not a product — it is a process. The intelligence lifecycle describes how raw data becomes actionable intelligence.
| Phase | What Happens | Analyst Role |
|---|---|---|
| 1. Direction | Define intelligence requirements — what decisions need support? What threats matter most to your organization? | Triage queue priorities, sector-specific threats (e.g., ransomware for healthcare), regulatory concerns |
| 2. Collection | Gather raw data from sources: open-source intel (OSINT), commercial feeds, information sharing groups, internal telemetry | Identify relevant sources, subscribe to feeds, configure collection |
| 3. Processing | Convert raw data into a structured, analyzable format — parsing, deduplication, normalization | Typically automated via MISP, ThreatConnect, or in-house pipelines |
| 4. Analysis | Transform processed data into intelligence — identify patterns, correlate indicators, assess relevance to your environment | The core analyst function: is this IoC relevant to your sector? Is it a false positive? |
| 5. Dissemination | Deliver intelligence to the right consumer in the right format — briefings, automated SIEM feeds, reports | Produce technical IoC blocks, analyst summaries, and executive briefings |
| 6. Feedback | Evaluate how the intelligence was used and whether it produced the desired outcome | Update direction phase — were the requirements met? What was missed? |
The key insight: Most SOCs skip phases 1 (Direction) and 6 (Feedback), which means their CTI program is reactive and unfocused. If you do not define what intelligence you need, you will drown in what you get.
STIX and TAXII — Structured Intelligence Sharing
STIX (Structured Threat Information eXpression)
STIX is an OASIS standard for expressing threat intelligence in a structured, machine-readable format. Version 2.1 defines the following STIX Domain Objects (SDOs):
| STIX Object | What It Represents | Example |
|---|---|---|
| Indicator | A pattern that identifies a potential threat | [file:hashes.'SHA-256' = 'abc123'] (STIX pattern syntax: bracketed comparison, quoted hash algorithm) |
| Threat Actor | An individual, group, or organization believed to be operating with malicious intent | APT29, FIN7, Lazarus Group |
| Attack Pattern | A type of TTP (tactic, technique, or procedure) | T1055 Process Injection |
| Campaign | A series of malicious activities over time | Operation Dream Job |
| Malware | A malicious software variant | TrickBot, Emotet, Cobalt Strike Beacon |
| Course of Action | A recommended response to a threat | Block IP 5.5.5.5 at the firewall |
| Relationship | Links two SDOs together | Indicator 'abc123' indicates Malware 'TrickBot' |
Why STIX matters: Without STIX, intelligence is shared as text, PDFs, or CSV files — human-readable but machine-chaotic. With STIX, a CTI platform ingests structured data, creates relationships, and automates feed updates.
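The value of the Relationship object is easiest to see in code. The following is an added example (not part of the original page): it walks a constructed STIX 2.1 bundle, resolves the `indicates` and `uses` relationships, and returns each Indicator together with the malware it points at and the actors known to use that malware. The bundle, its UUIDs, the object names and the all-zero hash are placeholders; the pattern parser only handles single-comparison patterns, which is the common case for feed indicators.

```python
"""Walk a STIX 2.1 bundle and give each Indicator its context (what malware it
indicates, which actors use that malware) by resolving Relationship objects.

Added example, not the page's code. The bundle below is constructed: the UUIDs,
names and the hash are placeholders, not real indicators."""
import json
import re

TS = "2024-01-01T00:00:00.000Z"


def sid(kind, n):
    """Deterministic placeholder STIX id (real ids are random UUIDv4s)."""
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"


def sdo(kind, n, **props):
    """Minimal STIX 2.1 object with the properties every SDO/SRO must carry."""
    return {"type": kind, "spec_version": "2.1", "id": sid(kind, n),
            "created": TS, "modified": TS, **props}


SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": sid("bundle", 0), "objects": [
    sdo("indicator", 1, name="Loader dropper hash", pattern_type="stix", valid_from=TS,
        confidence=85, pattern="[file:hashes.'SHA-256' = '" + "00" * 32 + "']"),
    sdo("malware", 2, name="ExampleLoader", is_family=True),
    sdo("threat-actor", 3, name="Example Group"),
    sdo("relationship", 4, relationship_type="indicates",
        source_ref=sid("indicator", 1), target_ref=sid("malware", 2)),
    sdo("relationship", 5, relationship_type="uses",
        source_ref=sid("threat-actor", 3), target_ref=sid("malware", 2)),
    # Dangling relationship: its target is not in the bundle and must be skipped
    sdo("relationship", 6, relationship_type="indicates",
        source_ref=sid("indicator", 1), target_ref=sid("malware", 9)),
]})

# Single-comparison STIX pattern, e.g. [ipv4-addr:value = '203.0.113.5']
PATTERN_RE = re.compile(r"\[(?P<path>[\w:.'\-]+)\s*=\s*'(?P<value>[^']*)'\]")


def parse_simple_pattern(pattern):
    """Return (object path, value) for a single-comparison pattern, else None."""
    m = PATTERN_RE.fullmatch(pattern.strip())
    return (m.group("path"), m.group("value")) if m else None


def enrich_indicators(bundle_json):
    """Return one row per resolvable 'indicates' relationship, with context."""
    bundle = json.loads(bundle_json)
    objs = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]

    # malware id -> names of threat actors that 'use' it
    actors_for = {}
    for r in rels:
        src = objs.get(r["source_ref"])
        if r["relationship_type"] == "uses" and src and src["type"] == "threat-actor":
            actors_for.setdefault(r["target_ref"], []).append(src["name"])

    results = []
    for r in rels:
        if r["relationship_type"] != "indicates":
            continue
        ind, target = objs.get(r["source_ref"]), objs.get(r["target_ref"])
        if not ind or ind["type"] != "indicator" or not target:
            continue  # dangling reference: skip rather than crash on a bad feed
        parsed = parse_simple_pattern(ind["pattern"])
        if parsed is None:
            continue  # compound patterns (AND/OR) need a real STIX pattern parser
        path, value = parsed
        results.append({"observable": path, "value": value,
                        "confidence": ind.get("confidence"),
                        "indicates": target["name"],
                        "actors": actors_for.get(target["id"], [])})
    return results


if __name__ == "__main__":
    for row in enrich_indicators(SAMPLE_BUNDLE):
        print(row)
```

The dangling relationship in the sample bundle is deliberate: real feeds frequently reference objects that were shared separately, and a loader that assumes every `target_ref` resolves will fail on the first such bundle.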
TAXII (Trusted Automated eXchange of Intelligence)
TAXII is the transport protocol that moves STIX data between parties.
| TAXII Channel | What It Does | Use Case |
|---|---|---|
| TAXII Discovery | Discovers what collections a TAXII server offers | Initial setup — learn what feeds are available |
| TAXII Collection | A set of STIX objects on a specific topic (e.g., “Ransomware indicators”) | Subscribe to a specific threat feed |
| TAXII Poll | Pull intelligence from a collection (HTTP GET/POST) | Your CTI platform fetches new indicators at intervals |
| TAXII Push | Optional — server pushes new intelligence to subscribers | Real-time intelligence sharing |
Example — poll a TAXII feed with curl:

```bash
# Poll a TAXII 2.1 collection
curl -H "Accept: application/taxii+json;version=2.1" \
     -H "Authorization: Bearer API_KEY" \
     https://taxii.example.com/api/v2/collections/COLLECTION_ID/objects/
```
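A single `curl` request returns only the first page. A TAXII 2.1 server answers with an envelope (`{"more": true, "next": "<cursor>", "objects": [...]}`) and reports the newest object's timestamp in the `X-TAXII-Date-Added-Last` header, which the client should store as its `added_after` bookmark for the next poll. The client below is an added example, not the page's or any vendor's code: it follows the pagination cursor, keeps the bookmark, and stops on a server that keeps answering `more: true` without advancing. The server URL, collection ID and API key are placeholders, and the two-page fake transport is constructed so the block runs offline.

```python
"""Poll a TAXII 2.1 collection, following 'next' pagination and keeping an
added_after bookmark.

Added example, not the page's code. The server URL, collection ID and API key
are placeholders; the fake transport below is constructed for offline use."""
import json
import urllib.parse
import urllib.request

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"


def http_fetch(url, params, headers):
    """Default transport: one GET, returns (parsed JSON body, response headers)."""
    full = url + ("?" + urllib.parse.urlencode(params) if params else "")
    req = urllib.request.Request(full, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8")), dict(resp.headers)


def poll_collection(base_url, collection_id, api_key, added_after=None,
                    fetch=http_fetch, max_pages=100):
    """Return (objects, new_bookmark). Follows envelope['next'] while
    envelope['more'] is true; max_pages bounds a misbehaving server."""
    url = f"{base_url.rstrip('/')}/collections/{collection_id}/objects/"
    headers = {"Accept": TAXII_MEDIA_TYPE, "Authorization": f"Bearer {api_key}"}
    params = {"added_after": added_after} if added_after else {}
    objects, bookmark, cursor = [], added_after, None
    for _ in range(max_pages):
        if cursor:
            params["next"] = cursor
        body, resp_headers = fetch(url, dict(params), headers)
        objects.extend(body.get("objects", []))
        # Newest object timestamp the server returned; keep the latest as the
        # bookmark (RFC 3339 strings of the same format compare lexically).
        lowered = {k.lower(): v for k, v in resp_headers.items()}
        last = lowered.get("x-taxii-date-added-last")
        if last and (bookmark is None or last > bookmark):
            bookmark = last
        if not body.get("more"):
            break
        nxt = body.get("next")
        if not nxt or nxt == cursor:
            break  # more=true without a usable cursor: treat as end of data
        cursor = nxt
    return objects, bookmark


# Constructed fake server with two pages, keyed by the 'next' cursor sent.
FAKE_PAGES = {
    None: ({"more": True, "next": "p2",
            "objects": [{"type": "indicator", "id": "indicator--1"}]},
           {"X-TAXII-Date-Added-Last": "2024-01-01T00:00:00.000Z"}),
    "p2": ({"more": False,
            "objects": [{"type": "indicator", "id": "indicator--2"}]},
           {"X-TAXII-Date-Added-Last": "2024-01-02T00:00:00.000Z"}),
}


def fake_fetch(url, params, headers):
    """Offline transport standing in for the TAXII server."""
    assert headers["Accept"] == TAXII_MEDIA_TYPE
    return FAKE_PAGES[params.get("next")]


def demo():
    """Poll the fake server; returns (objects, bookmark)."""
    return poll_collection("https://taxii.example.com/api/v2",
                           "COLLECTION_ID", "API_KEY", fetch=fake_fetch)


if __name__ == "__main__":
    objs, bm = demo()
    print(len(objs), "objects; next poll with added_after =", bm)
```

Persist the returned bookmark between runs; polling without `added_after` re-downloads the whole collection every interval, which on a large feed is both slow and a common cause of duplicate indicators in the SIEM.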
Evaluating Feed Quality — Don’t Blindly Import
Not all threat intelligence feeds are equal. A poor-quality feed will flood your SIEM with false positives and erode analyst trust. Evaluate every feed against these criteria:
| Criterion | Good Feed | Bad Feed |
|---|---|---|
| False positive rate | < 5% — indicators actively verified | > 20% — bulk-collected with no validation |
| Context | Includes TTP, threat actor, campaign, and time of observation | Just an IP address with no context |
| Timeliness | Indicators within hours of observation | Indicators weeks or months old |
| Relevance | Matches your sector, technology stack, and threat model | Generic global feed with no filtering |
| Confidence scoring | Provides confidence score (0-100) per indicator | No confidence score — all indicators treated equally |
| Deduplication | Normalized IPs, domains, and hashes — each listed once | Duplicate IPs across multiple entries |
| Expiration policy | Explicit TTL — “valid until” timestamp | No expiration — old indicators accumulate forever |
SPL query — measure the hit rate of a threat intel feed in your environment:

```spl
index=proxy
| eventstats count AS total_events
| lookup threat_feed_ip.csv ip AS dest_ip OUTPUT confidence
| where isnotnull(confidence)
| stats count AS count, max(total_events) AS total_events by confidence, dest_ip
| eval hit_rate = round(count / total_events * 100, 4)
| table confidence, dest_ip, count, hit_rate
| sort - count
```

`eventstats` records the total proxy event count before the lookup so the rate has a denominator; `isnotnull(confidence)` keeps every matched indicator, including any the feed scores at 0.
A feed with a < 1% hit rate in your environment is adding more noise than signal. Archive or disable it.
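The criteria in the table above can be checked mechanically before a feed ever touches the SIEM. The following is an added example, not the page's code: it normalizes a constructed feed export (dropping unparseable IPs, duplicates and expired entries, and counting entries with no expiration), then computes the hit rate against a few constructed proxy log lines and applies the page's 1% rule. All addresses are from documentation ranges.

```python
"""Score a threat-intel feed against the quality criteria above: normalization,
deduplication, expiration, and hit rate in your own telemetry.

Added example, not the page's code. The feed entries and proxy log lines are
constructed (documentation address ranges only); the 1% threshold is the page's."""
import ipaddress
from datetime import datetime, timezone

# Constructed feed export: a whitespace-padded duplicate, an unparseable IP,
# an expired entry, and one entry with no expiration at all.
FEED = [
    {"ip": "198.51.100.23", "confidence": 90, "valid_until": "2030-01-01T00:00:00Z"},
    {"ip": " 198.51.100.23 ", "confidence": 90, "valid_until": "2030-01-01T00:00:00Z"},
    {"ip": "203.0.113.7", "confidence": 60, "valid_until": "2030-01-01T00:00:00Z"},
    {"ip": "203.0.113.999", "confidence": 60, "valid_until": "2030-01-01T00:00:00Z"},
    {"ip": "203.0.113.8", "confidence": 40, "valid_until": "2020-01-01T00:00:00Z"},
    {"ip": "192.0.2.50", "confidence": 20, "valid_until": None},
]

# Constructed proxy log: "<timestamp> <src_ip> <dest_ip> <method> <url>"
PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 198.51.100.23 GET http://198.51.100.23/update.bin
2024-05-01T10:00:02Z 10.0.0.6 192.0.2.10 GET http://intranet.example/
2024-05-01T10:00:03Z 10.0.0.7 192.0.2.10 GET http://intranet.example/index.html
2024-05-01T10:00:04Z 10.0.0.5 203.0.113.8 GET http://203.0.113.8/
2024-05-01T10:00:05Z 10.0.0.8 192.0.2.10 GET http://intranet.example/about
"""

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # evaluation time for the demo


def parse_time(ts):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize_feed(entries, now):
    """Return (usable indicators {ip: confidence}, hygiene stats). Invalid,
    duplicate and expired entries are dropped and counted."""
    usable = {}
    stats = {"raw": len(entries), "invalid": 0, "duplicate": 0,
             "expired": 0, "no_expiry": 0}
    for e in entries:
        try:
            ip = str(ipaddress.ip_address(e["ip"].strip()))
        except ValueError:
            stats["invalid"] += 1
            continue
        if e.get("valid_until") is None:
            stats["no_expiry"] += 1  # kept, but flagged: it will never age out
        elif parse_time(e["valid_until"]) < now:
            stats["expired"] += 1
            continue
        if ip in usable:
            stats["duplicate"] += 1
            continue
        usable[ip] = e.get("confidence", 0)
    return usable, stats


def hit_rate(usable, log_text):
    """Match log destination IPs against the usable indicators."""
    total, hits, per_ip = 0, 0, {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        total += 1
        dest = fields[2]
        if dest in usable:
            hits += 1
            per_ip[dest] = per_ip.get(dest, 0) + 1
    rate = (hits / total * 100) if total else 0.0
    return {"events": total, "hits": hits,
            "hit_rate_pct": round(rate, 2), "per_ip": per_ip}


def evaluate_feed(entries, log_text, now):
    """Combine hygiene stats and hit rate; apply the page's 1% rule."""
    usable, stats = normalize_feed(entries, now)
    stats.update(hit_rate(usable, log_text))
    stats["usable"] = len(usable)
    stats["verdict"] = "archive" if stats["hit_rate_pct"] < 1.0 else "keep"
    return stats


def demo():
    return evaluate_feed(FEED, PROXY_LOG, NOW)


if __name__ == "__main__":
    print(demo())
```

Note that the expired indicator still appears in the log: without the expiration check it would have counted as a hit and made the feed look better than it is.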
Operationalizing IOCs — Turning Intelligence into Detections
The most common CTI failure is importing 10,000 indicators into a SIEM and calling it “intelligence integration.” Real operationalization requires prioritization.
IOC Prioritization Matrix
| Indicator Type | Confidence | Action | Priority |
|---|---|---|---|
| File hash (SHA256) + known threat actor attribution | High | Create alert rule on process creation logs | Critical |
| IP address + known C2 infrastructure | High | Block at firewall perimeter | High |
| Domain + known malware family | Medium | Monitor DNS logs and proxy logs for any resolution | Medium |
| IP address from a bulk feed | Low | Generate a low-severity enrichment tag only | Low |
| Email sender domain from a spam feed | Low | Create an info-level tag — do not alert | Informational |
Implementation Approaches
| Approach | How It Works | Best For |
|---|---|---|
| SIEM watchlist/Threat intel matching | SIEM enriches every event against a threat intel list | SOCs with mature SIEM correlation (Splunk ES, Sentinel, Elastic) |
| DNS sinkhole | DNS server resolves known-malicious domains to a sinkhole IP | Blocking DNS-level C2 — requires internal DNS resolution |
| Firewall blocklist | Perimeter firewall blocks known-bad IPs at egress | Blocking outbound C2 — may require performance consideration for large lists |
| Proxy block | Web proxy blocks known-bad URLs and domains | HTTP/HTTPS C2 and phishing domains |
| EDR watchlist | EDR alerts when a known-bad hash executes | Blocking file-based attacks — requires immediate hash delivery |
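The DNS sinkhole row above is usually implemented as a BIND response policy zone (RPZ). The generator below is an added example, not the page's or any project's code: it takes a raw domain list from a feed, validates and IDNA-encodes each entry, refuses inputs that would be dangerous or useless in an RPZ (bare TLDs, IP addresses, URLs), deduplicates, and emits a zone that resolves each domain and its subdomains to a sinkhole address. The domain list and the 192.0.2.1 sinkhole are constructed; the SOA and NS names are placeholders to adapt to your resolver.

```python
"""Generate a BIND response policy zone (RPZ) that sinkholes known-bad domains.

Added example, not the page's code. The domain list and sinkhole address are
constructed (192.0.2.0/24 is a documentation range); SOA/NS names are
placeholders for your own resolver."""
import ipaddress
import re

# One DNS label: 1-63 chars, alphanumeric and hyphen, no leading/trailing hyphen
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_domain(raw):
    """Return a validated, lowercase, IDNA-encoded domain, or None if the entry
    is not a usable hostname (URL, IP address, bare TLD, malformed label)."""
    d = raw.strip().lower().rstrip(".")
    if not d or "/" in d or ":" in d:
        return None  # URLs and IPv6 literals are not RPZ owner names
    try:
        ipaddress.ip_address(d)
        return None  # an IP belongs in a firewall blocklist, not an RPZ
    except ValueError:
        pass
    try:
        d = d.encode("idna").decode("ascii")  # punycode non-ASCII labels
    except UnicodeError:
        return None  # empty or over-long label
    labels = d.split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return None  # refuse bare TLDs: an RPZ hit on "com" would sinkhole everything
    if len(d) > 253 or not all(LABEL_RE.match(label) for label in labels):
        return None
    return d


def build_rpz(domains, sinkhole_ip, serial, ttl=300):
    """Return (zone_text, rejected_entries). Each accepted domain gets an A
    record plus a wildcard so its subdomains resolve to the sinkhole too."""
    ipaddress.ip_address(sinkhole_ip)  # ValueError on a bad sinkhole address
    accepted, rejected, seen = [], [], set()
    for raw in domains:
        d = normalize_domain(raw)
        if d is None:
            rejected.append(raw)
        elif d not in seen:
            seen.add(d)
            accepted.append(d)
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA localhost. hostmaster.localhost. {serial} 3600 600 86400 {ttl}",
        "@ IN NS localhost.",
    ]
    # Owner names are relative to the RPZ origin, so no trailing dot.
    for d in sorted(accepted):
        lines.append(f"{d} IN A {sinkhole_ip}")
        lines.append(f"*.{d} IN A {sinkhole_ip}")
    return "\n".join(lines) + "\n", rejected


# Constructed feed export with the failure modes the validator must catch.
SAMPLE_DOMAINS = ["Evil.Example.", "evil.example", "bad-domain.test", "-bad.test",
                  "com", "198.51.100.23", "http://x.test/path", "b\u00fccher.example"]


def demo():
    return build_rpz(SAMPLE_DOMAINS, "192.0.2.1", 2024050101)


if __name__ == "__main__":
    zone, rejected = demo()
    print(zone)
    print("rejected:", rejected)
```

Log the rejected list rather than silently dropping it: a feed that ships URLs or bare TLDs as "domains" is telling you something about its processing phase.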
SPL — Automated IOC Matching in SIEM
```spl
index=*
| lookup ioc_domain.csv domain AS dest_domain OUTPUT ioc_type, confidence, feed_source
| where ioc_type IN ("c2", "malware", "phishing")
| eval alert = "HIGH — domain from " . feed_source . " feed (" . ioc_type . ", confidence: " . confidence . ") resolved by " . Computer
| stats latest(_time) AS _time, values(dest_domain) AS Domains, values(src_ip) AS Sources, values(alert) AS Alerts by Computer, dest_ip
| table _time, Computer, Domains, dest_ip, Sources, Alerts
```

`stats` drops `_time` unless it is carried through explicitly, so `latest(_time)` is aggregated alongside the other fields. Scope `index=*` to the DNS and proxy indexes that actually carry `dest_domain` once the rule is scheduled; scanning every index on every run is the main cost of this approach.
Feed Sources Every SOC Should Evaluate
| Feed | Type | Cost | Strength |
|---|---|---|---|
| AlienVault OTX | Open source | Free | Broad community coverage, pulse-based sharing |
| MISP communities | Open source (via sharing groups) | Free (membership) | Peer-reviewed indicators, sector-specific groups |
| Abuse.ch | Open source (URLhaus, MalwareBazaar, etc.) | Free | High-quality malware and C2 indicators |
| VirusTotal | Aggregated | Free tier / Paid | Massive volume, community reputation |
| Team Cymru | Aggregated | Free (community) | Known-bad IP ranges, BGP analysis |
| Mandiant | Commercial | Paid | High confidence, deep threat actor attribution |
| Recorded Future | Commercial | Paid | Extensive enrichment, temporal scoring |
| Intel471 | Commercial | Paid | Focused on cybercrime forums and real-time actor communication |