What is threat intelligence in cybersecurity?

Threat intelligence involves the gathering and analysis of threat information as collected and validated by cybersecurity analysts. Threat intelligence feeds and platforms, as well as information-sharing ecosystems such as ISACs, publish threat information as weighed and vetted by analysts using open source information tools and their own tradecraft knowledge and expertise to gauge the validity and risk of cyber threats. A company or organization consults this information to gain a better understanding of threats in their ecosystem, in turn leveraging cyber threat intelligence to more quickly mitigate and even prevent the potential impact of cyber attacks.

How does threat intelligence help cyber defense?

Traditional threat intelligence platforms and feeds broadcast evidence-based information about known threats, including indicators of compromise (IoCs), implications, and advice for taking action. As adversaries become more and more sophisticated by constantly changing tactics, techniques, and procedures (TTPs), threat intelligence helps Security Operations Center (SOC) analysts detect, triage, and respond faster to threats. To be effective in such a constantly changing threat landscape, threat intelligence needs to meet three criteria at once to better capture and communicate knowledge of unknown threats:

  • Timely: you need speed when it comes to both detection and triage
  • Actionable: you need situational context around detected anomalies
  • Relevant: you need meaningful threats to emerge from information overload

What are common threat intelligence tools?

Some companies hire cyber analysts dedicated to conducting threat intelligence in-house. Others rely on threat intelligence platforms, service providers, and collaboratives to identify cyber risk and threats. Some of these resources include the following:

Open Source Intelligence (or OSINT) tools

OSINT tools collect and distribute threat information available in the public domain. Analysts use OSINT tools to investigate a threat by collecting information about the possible target, thereby helping the analyst gain a fuller picture of the threat and its potential severity.


An integral part of the cyber defense ecosystem, ISACs collect, analyze, and share actionable threat information with their members. ISACs are grouped by sectors such as electricity, financial services, and healthcare to mitigate cyber risks and enhance the resilience of the nation’s critical infrastructure. Committed to information sharing, ISACs emerged 20 years ago to answer the U.S. government’s call to action for public-private partnerships to defend against cyber threats.

Threat intelligence feeds

Open source threat intelligence feeds are intended to help Security Operations Center teams work more effectively in response to identified threats. Some of these feeds include the U.S. Department of Homeland Security’s Automated Indicator Sharing feed, the SANS Internet Storm Center, and The Spamhaus Project.

Threat intelligence platforms (TIPs)

Threat intelligence platforms and products serve up evidence-based information about known threats, including indicators of compromise (IoCs), implications, and advice for threat mitigation (or threat response). SOC analysts leverage threat intelligence, often via feeds, to inform how they take action when threats are detected.


A security information event manager (SIEM) combines security event management (SEM) and security information management (SIM) technologies. SIEM tools allow SOC analysts to review network logs and event data (such as alerts from IronDefense as integrated in the SIEM) and, in turn, report on that log data. AT&T Cybersecurity reports that 76 percent of cybersecurity professionals said the use of SIEM tools led to reduced security breaches.

Human intelligence

In-house threat intelligence analysts, such as those in IronNet’s Cyber Operations Center, conduct extensive research, compiling the latest data from many trusted sources, such as AlienVault OTX and Abuse.ch. Analysts vet the information and rank it based on source, age, and confidence to reduce false positives. The analysts follow a stringent testing process to verify the threats based on human analysis and automated scripts.
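One way to express ranking by source, age, and confidence in code, as an added example rather than IronNet's own process. The source weights, half-lives, and threshold are assumptions, and the sample reports are constructed.

```python
from datetime import datetime, timezone

# Assumed reliability weight per source (0..1); illustrative, not from the page.
SOURCE_WEIGHT = {"abuse.ch": 0.9, "otx": 0.7, "internal": 1.0}
# Assumed half-life in days: IPs get reassigned quickly, file hashes stay valid.
HALF_LIFE_DAYS = {"ip": 14, "domain": 45, "sha256": 365}

def score(ind, now):
    """Score 0..100 from source weight, reported confidence and age decay."""
    age_days = (now - ind["last_seen"]).total_seconds() / 86400
    decay = 0.5 ** (age_days / HALF_LIFE_DAYS[ind["type"]])
    weight = SOURCE_WEIGHT.get(ind["source"], 0.3)  # unknown sources rank low
    return round(100 * weight * ind["confidence"] * decay, 1)

def rank(indicators, now, min_score=25.0):
    """Keep the best report per indicator, drop weak ones, sort high to low."""
    best = {}
    for ind in indicators:
        s = score(ind, now)
        if s >= min_score and s > best.get(ind["value"], (0.0, ""))[0]:
            best[ind["value"]] = (s, ind["source"])
    return sorted(((v, s, src) for v, (s, src) in best.items()),
                  key=lambda row: row[1], reverse=True)

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

NOW = day(2024, 6, 1)
# Constructed sample reports (documentation address ranges, placeholder hash).
SAMPLE = [
    {"type": "ip", "value": "192.0.2.10", "source": "abuse.ch",
     "confidence": 0.9, "last_seen": day(2024, 5, 25)},
    {"type": "ip", "value": "192.0.2.10", "source": "otx",
     "confidence": 0.6, "last_seen": day(2024, 5, 31)},
    {"type": "ip", "value": "203.0.113.5", "source": "otx",
     "confidence": 0.8, "last_seen": day(2024, 3, 3)},   # stale: 90 days old
    {"type": "domain", "value": "bad.example", "source": "internal",
     "confidence": 0.8, "last_seen": day(2024, 4, 17)},
    {"type": "sha256", "value": "<constructed-sha256-placeholder>",
     "source": "abuse.ch", "confidence": 1.0, "last_seen": day(2023, 6, 2)},
]

if __name__ == "__main__":
    for row in rank(SAMPLE, NOW):
        print(row)
```

The 90-day-old IP address scores below 1 and is dropped, while the year-old file hash still ranks second, because the assumed half-life for hashes is much longer than for addresses.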


How is behavioral-based threat intelligence different?

Most threat intelligence feeds and platforms publish signature-based threat information, or known Indicators of Compromise (or IoCs) such as hashes or IP addresses. Behavior-based threat intelligence draws on machine learning-based behavioral analytics that detect unknown threats on the network.

What is collective threat intelligence?

The concept of threat intelligence is not new as companies look for easy ways to share information to strengthen their cybersecurity posture. What is novel, however, is the concept of collective threat intelligence. This approach delivers a way to share behavior-based threat intelligence that automates some tedious investigation steps and integrates human insights that allow SOC analysts to accelerate response based on risk, all at network speed.

Collective threat intelligence, as enabled by IronNet’s IronDome Collective Defense platform, provides both big-picture threat context and tailored, sector-specific intelligence that is actionable immediately. In contrast to traditional Threat Intelligence Platforms, which provide only hierarchical sharing capabilities, collective threat intelligence enables dynamic, one-to-many communication. As multiple participants generate new threat intelligence around correlated threats across their environments, they can be part of the solution, not just spectators.

How can threat intelligence from MITRE ATT&CK help?

The MITRE ATT&CK® Framework is a way to complement the common programmatic frameworks and determine the ability of your security capabilities to combat current cyber threats. The Framework integrates adversary techniques based on real-world threat intelligence.

In the past, the process of determining the goal of an adversary essentially was based on institutional knowledge and gut instincts. Now, the specific attack characteristics mapped across ATT&CK® can provide valuable and objective insights into the target of the threat and its current phase. This perspective allows your SOC team to pinpoint the potential impacts on your organization, evaluate the effectiveness of your existing protection and controls, and prioritize your response.

Learn more in the “5 practical ways for a CISO to use the MITRE ATT&CK® Framework” white paper.


What can you expect from IronNet collective threat intelligence?

IronNet’s expert threat analysts continually create threat intelligence rules (TIRs) based on significant community findings from IronDome, malware analysis, threat research, or other methods to ensure timely detection of malicious behavior targeting an enterprise or other IronDome community participants. These TIRs are distributed to each IronDefense Network Detection and Response deployment as they are created, ensuring that customers receive the most up-to-date detection capabilities.

IronNet threat intelligence is curated by a team of advanced researchers who have experience from the highest levels of the U.S. government, including NSA and the White House. IronNet’s threat intelligence analysts have targeted the greatest threats facing our nation’s critical infrastructures. From this experience, they have built a library of in-depth threat profiles and a blocklist database of the leading actors and exploits from nation-states and other attackers who attempt to steal confidential data and disrupt network availability.

How do IronNet’s threat intelligence rules work?

IronDefense’s threat intelligence rules serve to detect malicious behavior by identifying specific network metadata defined in the threat intelligence rule. Analysts can create threat intelligence rules to alert on any number of suspicious characteristics, such as IP Address, Location/Origin, Entity ID, Session, HTTP Headers, DNS, Protocol Details, Sensor, and TLS. These categories are broken down into subcategories, which help analysts select attributes and create automated parameters for new rules. An alert will be generated when IronDefense NDR detects network traffic with characteristics that match those defined in the rule.

Alerts generated by TIRs prompt the use of IronDefense’s hunt platform to examine network traffic and pull PCAP data to determine if the activity is malicious or benign. Verified TIR alerts are sent to IronDome for correlational analysis, if IronDome is enabled on the network. IronDome then reports if malicious indicators outlined in TIRs are appearing in other networks in an industry sector.
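The sketch below shows the general idea of matching rules against network metadata and then checking whether the same rule fired in more than one network. It is an added example, not IronDefense's rule format or IronDome's logic: the rule schema, rule IDs, field names, and network names are hypothetical, and the flow records are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical rules: every condition in a rule must match (logical AND).
RULES = [
    {"id": "TIR-EX-1", "when": {"dst_ip": ("cidr", "203.0.113.0/24"),
                                "tls.sni": ("suffix", ".example.net")}},
    {"id": "TIR-EX-2", "when": {"http.user_agent": ("regex", r"^curl/7\.\d+"),
                                "dns.query": ("suffix", ".example.org")}},
]

def _test(op, want, got):
    if got is None:                      # a missing field never matches
        return False
    if op == "cidr":
        return ipaddress.ip_address(got) in ipaddress.ip_network(want)
    if op == "suffix":                   # normalise case and trailing root dot
        return got.lower().rstrip(".").endswith(want)
    if op == "regex":
        return re.search(want, got) is not None
    raise ValueError(f"unknown operator {op!r}")

def alerts(records, rules=RULES):
    """Return (network, rule_id, record_index) for each record matching a rule."""
    out = []
    for i, rec in enumerate(records):
        for rule in rules:
            conds = rule["when"].items()
            if all(_test(op, want, rec.get(f)) for f, (op, want) in conds):
                out.append((rec["network"], rule["id"], i))
    return out

def correlate(alert_list):
    """Map rule id -> set of networks where it fired (the cross-network view)."""
    seen = defaultdict(set)
    for network, rule_id, _ in alert_list:
        seen[rule_id].add(network)
    return dict(seen)

# Constructed flow metadata from two hypothetical participant networks.
RECORDS = [
    {"network": "org-a", "dst_ip": "203.0.113.77", "tls.sni": "cdn.example.net"},
    {"network": "org-b", "dst_ip": "203.0.113.9", "tls.sni": "API.Example.NET."},
    {"network": "org-a", "dst_ip": "198.51.100.4", "tls.sni": "cdn.example.net"},
    {"network": "org-b", "http.user_agent": "curl/7.88.1", "dns.query": "x.example.org"},
    {"network": "org-a", "http.user_agent": "curl/7.88.1"},
]
```

Here `correlate(alerts(RECORDS))` shows `TIR-EX-1` firing in both networks and `TIR-EX-2` in only one; the third and fifth records raise no alert because one condition of the rule is not met.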