Distinctions: Threat Information vs. Threat Intelligence

Finished Intelligence is the Output of Taking Threat Information, Evaluating it and Deriving a Business Benefit 

In the cyber threat intelligence space, there is confusion (much of which is driven by vendors)… where threat information is positioned as finished intelligence.

While the intel process starts with the collection of threat information, it is just that… a starting point. There is a vast difference between obtaining information en masse and producing finished intelligence. Picture 1000 dots scattered all over a chart – that’s information. But the dots connected in some way showing context and relevancy (we call that “Evaluated Intel”) – that’s intel that can be used to prepare and plan for future attacks, to shore up previously unknown risks, and to focus efforts in the right areas. It can also help you understand, from an incident response perspective, what happened, why, and how.

Cyber threat intelligence (CTI) is a lifecycle process that ultimately produces a deliverable that can be consumed by different groups in numerous ways (depending on the level of threat intelligence being provided – strategic, operational and/or tactical). To be clear – CTI is not just about pulling in feeds of indicators or flooding a repository with data and applying those indicators in your environment. 

Threat intel requires automation (in terms of data collection, processing, filtering and some analytics) combined with human analysis. The human element is too often overlooked in the feed frenzy. But here’s why that is a mistake. While there is a lot of information gathering going on these days, whether it’s scraping dark web sites or open sources – getting information is fairly simple (with the exception of having undercover personas in restricted black markets and forums). It’s just collecting and gathering data. Maybe it includes some processing and filtering, but the special sauce is in the intelligence analysis. This analysis, when done properly, ensures that the information is evaluated for accuracy, relevancy, timeliness and completeness. The intel is put into context specific to an industry or organization for different views and decisions. And it requires humans with experience and attention to detail. 

At the end of the day, you need information in order to create intelligence. However, information itself is not intelligence and actually can overwhelm an organization and even point them in the wrong direction. Intelligence tells a story. While information provides a lot of potential actions, intelligence is meaningful and usable (I hate the overused word “actionable”), it supports planning, it provides direction and focus and ultimately helps you make better decisions on where you focus your efforts and resources. 

When my team analyzes a threat campaign for example, we look at it through the lens of the “Avenue of Approach”, which breaks out the following:


Industry Target – What specific organization(s) or group(s) is the actor going after?

Technology Target – What technology (e.g. Adobe Flash, Internet Explorer) used by the organization(s) can be exploited by the actor to carry out an attack?

Delivery Method – How did the actor deliver the payload to the target (i.e. spear-phishing, third party compromise, etc.)?

Exploit Used – What specific exploit and/or known (or unknown for that matter) vulnerability was used by the actor?

Presence Achieved – What level of presence (i.e. privileged accounts, database access, etc.) did that actor gain/use in order to carry out their attack?

Effect/Harm Caused – What was the impact (i.e. stolen IP, service downtime, etc.) caused by the attack?

Understanding the avenue of approach provides meaningful context of what the threat is, how it works, what it targets, and what the impact is to an organization. Finished intelligence includes this type of analysis along with threat indicators and supporting evidence, confidence levels, and practical course of action recommendations. So not only are you getting the story of what happened and how, but also an impact assessment and mitigation steps to help from an incident response perspective or in a risk planning and preparation manner.

One thing that does not get enough discussion when it comes to threat intelligence is what I like to call the “go do’s”. Maybe this is what some vendors mean when they use “actionable” intelligence, but beyond being “actionable”, the intel should give you practical tasks to address the impending threat or identified risk. This is where the rubber meets the road and decisions are made that will influence future outcomes. At the end of the day finished intelligence is the output of taking threat information, evaluating it and deriving a business benefit from the effort, typically in the form of risk reduction to potential impact to a business operation.  
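As an added illustration (not code from the original column), the following Python sketch applies the four evaluation criteria named above (accuracy, relevancy, timeliness, completeness) and the Avenue of Approach fields to two constructed inputs, a bare feed indicator and an analysed campaign, and emits a confidence level plus “go do” tasks only when the record is actually finished intelligence. The organisation profile, threshold, sources and records are all assumptions made for the example.

```python
# Added example (not from the original column): turning raw threat
# information into an evaluated intel record using the four evaluation
# criteria and the "Avenue of Approach" fields. All names, dates and
# records below are constructed for illustration.
from datetime import date

# Constructed organisation profile: what we run and what we care about.
ORG = {"industry": "finance", "tech": {"Internet Explorer", "Adobe Flash"}}
TODAY = date(2023, 3, 1)   # fixed "now" so the example is reproducible
MAX_AGE_DAYS = 90          # timeliness threshold (assumed policy value)
REQUIRED = ("industry_target", "technology_target", "delivery_method",
            "exploit_used", "presence_achieved", "effect")  # Avenue of Approach

def evaluate(info: dict) -> dict:
    """Accuracy, relevancy, timeliness and completeness checks; returns a
    confidence level and 'go do' tasks, or flags unevaluated information."""
    tech_hit = ORG["tech"] & set(info.get("technology_target", []))
    checks = {
        # accuracy: at least two independent sources corroborate the report
        "accuracy": len(set(info.get("sources", []))) >= 2,
        # relevancy: the avenue of approach intersects our industry or stack
        "relevancy": info.get("industry_target") == ORG["industry"] or bool(tech_hit),
        # timeliness: observed recently enough to still matter
        "timeliness": (TODAY - info["observed"]).days <= MAX_AGE_DAYS,
        # completeness: every Avenue of Approach field is filled in
        "completeness": all(info.get(k) for k in REQUIRED),
    }
    passed = sum(checks.values())
    go_dos = []
    if checks["relevancy"] and checks["completeness"]:
        for tech in sorted(tech_hit):
            go_dos.append(f"patch or retire {tech} ({info['exploit_used']})")
        go_dos.append(f"add detection for delivery via {info['delivery_method']}")
    return {"finished": passed == 4,
            "confidence": {4: "high", 3: "medium"}.get(passed, "low"),
            "checks": checks, "go_dos": go_dos}

# Constructed inputs: a bare feed entry versus an analysed campaign.
RAW_INDICATOR = {"ioc": "203.0.113.7", "sources": ["feedA"],
                 "observed": date(2022, 1, 5)}
CAMPAIGN = {"sources": ["feedA", "vendor-report", "own-IR"],
            "observed": date(2023, 2, 20), "industry_target": "finance",
            "technology_target": ["Adobe Flash"], "delivery_method": "spear-phishing",
            "exploit_used": "Flash exploit (placeholder)",
            "presence_achieved": "privileged accounts", "effect": "stolen IP"}
```

The raw indicator fails every check and yields no tasks, which is the column's point: a feed entry on its own is information, not intelligence.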

If you cannot easily articulate the business benefit from your current CTI efforts, or have not defined it when looking to stand up a new CTI capability, then you might be only collecting threat information and not conducting threat intelligence.
