Splunk Lantern

Threat intelligence data

Threat intelligence data refers to the collection, analysis, and sharing of information about current and emerging cyber threats. This data includes details about indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), threat actors, vulnerabilities, attack campaigns, and contextual metadata. Security systems and professionals use threat intelligence data to detect, prevent, and respond to cyber attacks more effectively.

Key characteristics of threat intelligence data include that it is:

  • Actionable: Enables informed security decisions and automated defense actions.
  • Dynamic and contextual: Updated as threats evolve and usually includes context such as threat actor motives or targeted industries.
  • Shared and aggregated: Often comes from commercial feeds, open-source intelligence (OSINT), ISACs, or internal research.
  • Multi-format: Includes structured (machine-readable) and unstructured (reports, bulletins) data.

Examples of threat intelligence data include:

  • Indicators of compromise (IOCs): Malicious IPs, file hashes, domains, URLs
  • Malicious domain names and URLs: Known bad websites
  • Threat actor profiles: Info on adversary groups, their targets and methods
  • Tactics, techniques, and procedures (TTPs): Documented attack techniques and procedures
  • Vulnerability information: CVEs, patch status, exploitability
  • Phishing campaign indicators: Malicious sender addresses, email subjects, attachments
  • Attack pattern metadata: Attack vectors, payload types, campaign timelines

Threat intelligence feed providers might be commercial (for example, Cisco Talos, Recorded Future, or Mandiant) or open source (for example, MITRE ATT&CK, PhishTank, or Malware Bazaar).

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion:

Use cases for Splunk security software