
Distinctions: Threat Information vs. Threat Intelligence

Finished Intelligence is the Output of Taking Threat Information, Evaluating it and Deriving a Business Benefit 

In the cyber threat intelligence space, there is confusion (much of which is driven by vendors)… where threat information is positioned as finished intelligence.


While the intel process starts with the collection of threat information, it is just that… a starting point. There is a vast difference between obtaining information en masse and producing finished intelligence. Picture 1000 dots scattered all over a chart – that’s information. But the dots connected in some way showing context and relevancy (We call that “Evaluated Intel”) – that’s intel that can be used to prepare and plan for future attacks, to shore up previously unknown risks, to focus efforts in the right areas. It can also help you understand from an incident response perspective what happened, why, and how.

Cyber threat intelligence (CTI) is a lifecycle process that ultimately produces a deliverable that can be consumed by different groups in numerous ways (depending on the level of threat intelligence being provided – strategic, operational and/or tactical). To be clear – CTI is not just about pulling in feeds of indicators or flooding a repository with data and applying those indicators in your environment. 

Threat intel requires automation (in terms of data collection, processing, filtering and some analytics) combined with human analysis. The human element is too often overlooked in the feed frenzy. But here’s why that is a mistake. While there is a lot of information gathering going on these days, whether it’s scraping dark web sites or open sources – getting information is fairly simple (with the exception of having undercover personas in restricted black markets and forums). It’s just collecting and gathering data. Maybe it includes some processing and filtering, but the special sauce is in the intelligence analysis. This analysis, when done properly, ensures that the information is evaluated for accuracy, relevancy, timeliness and completeness. The intel is put into context specific to an industry or organization for different views and decisions. And it requires humans with experience and attention to detail. 

At the end of the day, you need information in order to create intelligence. However, information itself is not intelligence and actually can overwhelm an organization and even point them in the wrong direction. Intelligence tells a story. While information provides a lot of potential actions, intelligence is meaningful and usable (I hate the overused word “actionable”), it supports planning, it provides direction and focus and ultimately helps you make better decisions on where you focus your efforts and resources. 

When my team analyzes a threat campaign for example, we look at it through the lens of the “Avenue of Approach”, which breaks out the following:

Industry Target – What specific organization(s) or group(s) is the actor going after?


Technology Target – What technology (e.g. Adobe Flash, Internet Explorer, etc.) used by the organization(s) can be exploited by the actor to carry out an attack?

Delivery Method – How did the actor deliver the payload to the target (e.g. spear-phishing, third party compromise, etc.)?

Exploit Used – What specific exploit and/or known (or unknown for that matter) vulnerability was used by the actor?

Presence Achieved – What level of presence (e.g. privileged accounts, database access, etc.) did that actor gain/use in order to carry out their attack?

Effect/Harm Caused – What was the impact (e.g. stolen IP, service downtime, etc.) caused by the attack?

Understanding the avenue of approach provides meaningful context of what the threat is, how it works, what it targets, and what the impact is to an organization. Finished intelligence includes this type of analysis and includes threat indicators and supporting evidence, along with confidence levels and practical course of action recommendations. So not only are you getting the story of what happened and how, but impact assessment and mitigation steps to help from an incident response perspective or in a risk planning and preparation manner. 

One thing that does not get enough discussion when it comes to threat intelligence is what I like to call the “go do’s”. Maybe this is what some vendors mean when they use “actionable” intelligence, but beyond being “actionable”, the intel should give you practical tasks to address the impending threat or identified risk. This is where the rubber meets the road and decisions are made that will influence future outcomes. At the end of the day finished intelligence is the output of taking threat information, evaluating it and deriving a business benefit from the effort, typically in the form of risk reduction to potential impact to a business operation.  

If you cannot easily articulate the business benefit from your current CTI efforts, or have not defined them when looking to stand up a new CTI capability, then you might be only collecting threat information and not conducting threat intelligence.
