Intelligence Lifecycle
End-to-end process from requirements through collection, analysis, dissemination, and feedback
01
Requirements
02
Collection
03
Processing
04
Analysis
05
Dissemination
06
Feedback
Collection Sources
Open source, government, commercial, community, and internal intelligence feeds
OSINT โ Open Source Intelligence
| Source | Type | Intelligence Value | Access | Freq |
|---|---|---|---|---|
| VirusTotal virustotal.com | Technical | File hashes, URL/domain/IP reputation, multi-AV scanning, behaviour sandboxing, YARA rules, community comments | Free + API; Enterprise | Real-time |
| Shodan shodan.io | Infra | Internet-facing asset discovery, banner grabbing, CVE exposure, open ports, certificate data, honeypot detection | Free (limited); API sub | Continuous |
| Censys censys.io | Infra | Internet-wide scanning, TLS certificate inventory, ASN analysis, attack surface mapping | Free (limited); Enterprise | Daily |
| AlienVault OTX otx.alienvault.com | Community | Crowdsourced IOC pulses, threat actor profiles, malware signatures, community YARA/Snort/Sigma rules | Free; API | Real-time |
| URLhaus / MalwareBazaar abuse.ch | Technical | Active malware distribution URLs, samples with tags, C2 infrastructure, botnet trackers (Feodo, SSL Blacklist) | Free; API | Real-time |
| CIRCL CVE Search cve.circl.lu | Vuln | CVE details with CVSS, CPE data, CWE classification, vendor advisories, exploit references | Free API | Daily |
| Exploit-DB / GHDB exploit-db.com | Vuln | Public exploit code, PoC availability timeline, Google Hacking Database โ direct applicability indicator for CVE triage | Free | Continuous |
| RiskIQ / PassiveDNS community.riskiq.com | Infra | Historical DNS resolution, domain registration pivoting, IP-to-domain mapping over time, certificate transparency | Free community; Enterprise | Continuous |
| MISP Threat Sharing misp-project.org | Community | Structured TI sharing platform; IOCs, malware artefacts, TTP correlation. Used by CIRCL, ISACs, CERTs globally | Self-hosted / community | Real-time |
| GreyNoise greynoise.io | Infra | Mass internet scanner vs targeted attacker classification. Reduces false positives from benign scanner IPs in SIEM | Free (limited); API | Continuous |
Government & National Cyber Agencies
| Source | Region | Intelligence Value | Sharing Format |
|---|---|---|---|
| NCSC (UK) ncsc.gov.uk | UK | Threat advisories, Malware Analysis Reports, joint advisories with CISA/NSA, PDNS, Active Cyber Defence services, Early Warning platform | Advisories, STIX/TAXII (Early Warning) |
| CISA (US) cisa.gov | US / Allied | KEV catalogue (Known Exploited Vulnerabilities), joint cybersecurity advisories, ICS-CERT alerts, #StopRansomware | Advisories, STIX/TAXII, KEV JSON feed |
| ENISA enisa.europa.eu | EU | Annual Threat Landscape report, sector threat reports, NIS2 guidance, CSIRT network intelligence (limited public) | Reports, advisories |
| NVD (NIST) nvd.nist.gov | US / Global | Authoritative CVE database with CVSS v3/v4 scores, CPE/CWE data, vendor statements. Primary CVE enrichment source | JSON feeds, API |
| ASD / ACSC (AU) cyber.gov.au | Australia | Joint advisories with Five Eyes partners, sector alerts, ransomware guidance | Advisories |
Commercial Threat Intelligence
| Vendor | Strengths | Typical Output |
|---|---|---|
| Recorded Future | Real-time indexing of dark web, paste sites, forums, technical sources; risk scores; API integration | IOC feeds, actor profiles, CVE intelligence with exploitation likelihood scoring, brand monitoring |
| Mandiant (Google) | Nation-state threat actor attribution, APT group tracking, frontline IR intelligence | Advantage platform: IOCs, actor profiles, malware intelligence, vulnerability intelligence with weaponisation data |
| CrowdStrike Falcon Intel | Adversary-centric intelligence; eCrime and nation-state actor tracking; TTP-focused | Adversary profiles, malware family reports, campaign reports, IOC integration via Falcon platform |
| Intel 471 | Deep and dark web collection; underground forum monitoring; initial access broker tracking | Actor profiles, credential leak monitoring, malware intelligence, criminal market surveillance |
| Digital Shadows (ReliaQuest) | Digital risk protection; brand monitoring; data leak detection; attack surface management | Leaked credential alerts, brand impersonation, domain squatting, paste site monitoring |
| Palo Alto Unit 42 | Ransomware group tracking; threat actor TTPs; malware analysis; cloud threat intelligence | Threat research reports, ransomware intelligence, IOCs via AutoFocus |
| Team Cymru | BGP routing data; IP reputation; infrastructure attribution; Pure Signal platform | IP/ASN threat intelligence, malware hosting attribution, C2 infrastructure mapping |
ISACs & Sector Sharing
FS-ISAC
Financial Services. Global financial sector TI sharing. TLP-governed IOC feeds, sector-specific threat reports, real-time alerts. Membership-based.
H-ISAC
Health. Healthcare sector. Ransomware alerts targeting healthcare, medical device vulnerability intelligence, sector-specific IOCs.
E-ISAC
Energy. Electric subsector TI, grid-specific IOCs, ICS/SCADA advisories, real-time incident coordination.
CiSP (UK)
NCSC's Cyber Information Sharing Partnership. UK-focused. TLP-governed sharing across sectors. Requires NCSC membership/vetting.
MS-ISAC
Multi-State. US state/local/tribal/territorial government. CISA-supported. Free IOC feeds, malware analysis, threat advisories for public sector.
A-ISAC
Aviation. Airline, airport, and aerospace sector TI. ATM-specific threats, physical-cyber convergence, supply chain intelligence.
Internal Sources
EDR / XDR Platform
Process telemetry, network events, file writes, memory injection attempts. Highest-fidelity internal TI. Feeds directly back into threat hunting and detection refinement.
SIEM & UEBA
Aggregated log intelligence, anomaly baselines, user behaviour deviations, insider threat signals. Alert data informs what external intelligence to prioritise.
Honeypots / Deception
Internal honeytokens, honeypot systems, decoy credentials. Lateral movement detection; near-zero false positives. Excellent TTPs signal.
DFIR Investigations
Post-incident forensic findings: new TTPs, novel persistence mechanisms, previously unknown infrastructure. Every investigation produces net-new intelligence.
Phishing Submissions
User-reported phishing emails. First-party intelligence on active campaigns targeting the organisation. Sender infrastructure, lures, payload URLs.
Vulnerability Scans
Authenticated internal scans (Qualys, Tenable, Rapid7). Combined with NVD/CISA KEV data drives evidence-based patch prioritisation.
Intelligence Types
Categories of intelligence beyond IOCs โ CVEs, zero-days, domain registration, infrastructure, email, credentials, and strategic
Intelligence Type Matrix
๐ฏ
Technical IOCs
Tactical
- File hashes (MD5, SHA-1, SHA-256, imphash, TLSH)
- IPv4/IPv6 addresses and CIDR ranges
- Domain names and subdomains
- URLs and URI patterns
- Email addresses and sender infrastructure
- Mutexes, registry keys, named pipes
- YARA rules, Sigma rules, Snort/Suricata rules
- JA3/JA3S TLS fingerprints
- User-agent strings, HTTP headers
- X.509 certificate hashes and serial numbers
โ ๏ธ
Vulnerability Intelligence
Operational
- CVE details with CVSS v3.1 / v4.0 base scores
- EPSS scores (Exploit Prediction Scoring System)
- CISA KEV (Known Exploited Vulnerabilities) status
- PoC / exploit availability and maturity
- Zero-day tracking and vendor patch timelines
- Affected product/version CPE data
- Patch availability and workaround status
- Active exploitation in the wild evidence
- Ransomware / eCrime exploitation association
- VEX (Vulnerability Exploitability eXchange) data
๐
Infrastructure Intelligence
Operational
- Domain registration data (WHOIS, registrar, creation date)
- Passive DNS historical resolution data
- BGP routing and ASN attribution
- IP geolocation and hosting provider attribution
- Certificate Transparency Log monitoring
- Newly registered domains (NRD) monitoring
- Fast-flux and bulletproof hosting patterns
- Domain squatting / typosquat detection
- Shared hosting / infrastructure clustering
- C2 framework fingerprinting (Cobalt Strike, Sliver)
๐ญ
Threat Actor Intelligence
Strategic
- Threat actor profiles and attribution confidence
- Motivation: espionage, financial, hacktivism, destructive
- Targeting: sector, geography, victim profile
- TTPs mapped to MITRE ATT&CK
- Infrastructure patterns and reuse
- Campaign tracking and temporal patterns
- Toolset: known malware families and custom tools
- Initial access broker relationships
- RaaS affiliate structure intelligence
- Leadership / persona attribution (where attributable)
๐ง
Email & Phishing Intelligence
Operational
- Phishing kit fingerprints and infrastructure
- DMARC/DKIM/SPF abuse and spoofing patterns
- Lookalike domain registration monitoring
- Business email compromise (BEC) lure patterns
- Malicious attachment hashes and document macros
- Phishing-as-a-service (PhaaS) platform tracking
- Credential harvesting page infrastructure
- QR code phishing (quishing) lure analysis
- EvilProxy / AiTM phishing proxy detection
- Callback phishing / vishing campaign patterns
๐
Credential & Exposure Intel
Operational
- Dark web credential dump monitoring
- Stealer log data (Redline, Vidar, Raccoon)
- Paste site credential exposure
- Initial access broker listings (org-specific)
- Data leak site monitoring (ransomware groups)
- Brand impersonation on dark web forums
- Access listings (RDP, VPN, webshell sales)
- Sensitive document exposure monitoring
- Corporate email appearance in combolists
- HIBP API integration for employee exposure
๐๏ธ
Strategic Intelligence
Strategic
- Geopolitical context and threat actor motivations
- Nation-state campaign targeting patterns
- Sector-level threat landscape assessments
- Regulatory environment changes affecting risk
- Hacktivist movement tracking and targeting
- Critical event calendars (elections, sanctions)
- Supply chain / third-party risk intelligence
- Industry incident reporting and trends
- Insurance market signals (ransomware frequency)
- Board / executive threat briefing materials
๐ญ
OT / ICS Intelligence
Operational
- ICS/SCADA-specific CVE and advisory tracking
- PLC/HMI firmware vulnerability monitoring
- Nation-state OT campaign intelligence
- Dragos WorldView / Claroty CTR reporting
- CISA ICS-CERT advisories
- IT-OT boundary threat patterns
- Critical infrastructure targeting intelligence
- Safety system (SIS) threat intelligence
- Industrial protocol exploitation (Modbus, DNP3)
- Living-off-the-land in OT environments
Vulnerability Prioritisation โ Scoring Framework
Combining CVSS, EPSS, and contextual factors to prioritise remediation. CVSS alone is insufficient โ EPSS exploitation likelihood and CISA KEV status are critical additional signals.
| Factor | Source | Weight / Use | Threshold / Action |
|---|---|---|---|
| CVSS v3.1 Base Score | NVD / vendor | Baseline severity. Use as initial filter only โ not as sole prioritisation signal. | Critical โฅ9.0 ยท High 7.0โ8.9 ยท Medium 4.0โ6.9 |
| EPSS Score | FIRST.org | Probability of exploitation in next 30 days. Updated daily. High EPSS + High CVSS = immediate priority. | >10% = elevated priority ยท >50% = critical action |
| CISA KEV Status | CISA KEV catalogue | Confirmed exploitation in the wild. KEV listing overrides scoring โ patch immediately. | KEV = 24โ72hr patch target internet-facing; 7 days internal |
| PoC / Exploit Availability | Exploit-DB, GitHub, TI platforms | Public PoC dramatically increases exploitation likelihood. Elevates priority independently of CVSS. | Public weaponised exploit = treat as KEV until confirmed otherwise |
| Asset Exposure | Internal CMDB / scan data | Internet-facing assets with the vulnerability are higher priority than internal-only. | Internet-facing: highest priority ยท Crown-jewel system: immediate escalation |
| Threat Actor Association | TI platform / advisories | Is this CVE being actively exploited by actors targeting your sector or geography? | Sector-targeted exploitation = immediate escalation regardless of other scores |
| Compensating Controls | Internal assessment | WAF, network segmentation, authentication controls may reduce exploitability. Adjust effective priority. | Documented compensating control signed by CISO can extend SLA by up to 50% |
Dissemination Targets
Where intelligence flows โ detection engineering, vuln management, executive briefing, regulatory sharing, and beyond
Intelligence Feed Targets
SIEM โ Detection Rules
Ingests: IOCs, Sigma rules, YARA rules, attack pattern indicators
Output: New detection rules, IOC correlation alerts, hunt queries
SLA: Critical IOCs <1hr; vetted rules <24hr
Owner: Detection Engineering / SOC
Output: New detection rules, IOC correlation alerts, hunt queries
SLA: Critical IOCs <1hr; vetted rules <24hr
Owner: Detection Engineering / SOC
EDR โ IOC Feeds
Ingests: File hashes, process names, registry keys, C2 IPs/domains, YARA rules
Output: Endpoint block/alert actions, real-time threat hunting
SLA: High-confidence IOCs <2hr via API integration
Output: Endpoint block/alert actions, real-time threat hunting
SLA: High-confidence IOCs <2hr via API integration
Firewall / Proxy Blocklists
Ingests: Malicious IPs, domains, URLs, ASNs, geo-blocks
Output: Network-layer blocking, proxy category updates
SLA: Critical C2 IPs <1hr
Caution: Validate before bulk push โ FP risk
Output: Network-layer blocking, proxy category updates
SLA: Critical C2 IPs <1hr
Caution: Validate before bulk push โ FP risk
Email Security Gateway
Ingests: Sender IPs, phishing domains, attachment hashes, URL patterns, DMARC signals
Output: Block/quarantine/tag rules, sandbox triggers
SLA: Active phishing IOCs <1hr
Output: Block/quarantine/tag rules, sandbox triggers
SLA: Active phishing IOCs <1hr
Vulnerability Management
Ingests: CVE details, CVSS, EPSS, CISA KEV, PoC availability, threat actor association
Output: Prioritised patch schedule, emergency patch tickets, compensating control decisions
Output: Prioritised patch schedule, emergency patch tickets, compensating control decisions
Threat Hunting
Ingests: New TTPs, actor profiles, infrastructure patterns, anomaly baselines
Output: Hunt packages (hypotheses + queries), new detections, IOC refinement
Cadence: Weekly + ad-hoc on new TI
Output: Hunt packages (hypotheses + queries), new detections, IOC refinement
Cadence: Weekly + ad-hoc on new TI
Executive / Board Briefing
Ingests: Strategic threat landscape, sector-targeting trends, major incidents, regulatory TI
Output: Monthly threat brief, ad-hoc for significant events
Format: Non-technical narrative; business impact framing
Output: Monthly threat brief, ad-hoc for significant events
Format: Non-technical narrative; business impact framing
Sector / Regulatory Sharing
Shares to: NCSC, ISAC, CiSP, sector peers, CERT/CC
Format: STIX 2.1, TAXII 2.1, TLP-governed advisories, MISP events
Governance: Legal review required for cross-org sharing
Format: STIX 2.1, TAXII 2.1, TLP-governed advisories, MISP events
Governance: Legal review required for cross-org sharing
Third-Party / Procurement
Ingests: Supplier compromise intelligence, supply chain campaign targeting
Output: Supplier security alerts, contract review triggers, emergency notifications
Output: Supplier security alerts, contract review triggers, emergency notifications
SOC Playbook Updates
Ingests: New malware TTPs, actor behaviour patterns, novel attack chains
Output: Updated triage playbooks, new runbooks, analyst training notes
Cadence: Monthly review; immediate for novel significant TTPs
Output: Updated triage playbooks, new runbooks, analyst training notes
Cadence: Monthly review; immediate for novel significant TTPs
Architecture & Red Team
Ingests: Attack surface intelligence, LOLBin evolution, novel exploitation chains
Output: Control gap identification, red team briefs, purple team exercises, hardening recommendations
Output: Control gap identification, red team briefs, purple team exercises, hardening recommendations
Brand & Digital Risk
Ingests: Lookalike domain registrations, brand impersonation on dark web, credential exposure, social media impersonation
Output: Takedown requests, monitoring alerts
Output: Takedown requests, monitoring alerts
Intelligence Report Types
| Report Type | Audience | Cadence | TLP | Content |
|---|---|---|---|---|
| Flash Report | SOC, IR, Detection Eng | Ad-hoc (<2hrs) | TLP:RED/AMBER | Breaking threat with immediate action required. Single-page max. IOCs, affected systems, immediate mitigations. |
| Daily Threat Digest | SOC, TI, Security Leadership | Daily | TLP:AMBER | Curated summary of overnight alerts, new CVEs, active campaigns, notable IOCs. 1โ2 pages. |
| Malware / Campaign Report | SOC, Detection Eng, Threat Hunters | Ad-hoc | TLP:AMBER | Deep-dive analysis of a specific malware family or campaign. IOCs, TTPs, hunt queries, detection logic. |
| Actor Profile | SOC, CISO, IR, Red Team | Quarterly / on change | TLP:AMBER | Threat actor profile: motivation, TTPs, targeting, infrastructure, historical campaigns, defensive recommendations. |
| Executive Threat Brief | CISO, Board, CLO | Monthly | TLP:GREEN | Non-technical strategic brief. Business risk framing. Sector threat landscape. No IOCs. 2โ3 pages max. |
| CVE / Vuln Advisory | Vuln Mgmt, IT Ops, CISO | Ad-hoc | TLP:AMBER | Specific CVE advisory with internal applicability assessment, EPSS/KEV context, patch/workaround guidance, SLA. |
| Threat Landscape Assessment | Board, CISO, Risk | Annual | TLP:GREEN | Annual strategic threat assessment. Risk register input. Sector benchmarking. Investment recommendations. |
Email Security Intelligence
DMARC, DKIM, SPF โ authentication workflows, intelligence value, and phishing threat intelligence
Email Authentication Protocols
SPF
Sender Policy Framework. DNS TXT record defining which IP addresses are authorised to send email for a domain. Receiver checks sending server IP against SPF record at envelope evaluation.
DKIM
DomainKeys Identified Mail. Cryptographic signature applied to outbound email headers and body. Receiver validates against public key in sender DNS. Proves message was not modified in transit.
DMARC
Domain-based Message Authentication. Policy layer on SPF and DKIM. Specifies handling for failing messages (none/quarantine/reject) and where to send aggregate (RUA) and forensic (RUF) reports.
DMARC Deployment Lifecycle
๐ Inventory
Map all sending domains
Identify all email streams
Third-party senders (CRM, ticketing)
Subdomains in use
Legacy / inactive domains
Identify all email streams
Third-party senders (CRM, ticketing)
Subdomains in use
Legacy / inactive domains
โ๏ธ SPF Deploy
Publish SPF TXT record
Authorise all sending IPs
Avoid >10 DNS lookups
Use ~all (softfail) first
Flatten where needed
Authorise all sending IPs
Avoid >10 DNS lookups
Use ~all (softfail) first
Flatten where needed
โ๏ธ DKIM Deploy
Generate 2048-bit keypair
Publish public key in DNS
Configure signing on MTA
Enable for all mail streams
Rotate keys annually
Publish public key in DNS
Configure signing on MTA
Enable for all mail streams
Rotate keys annually
๐ p=none
Publish p=none policy
Configure rua= reporting
Collect aggregate reports
Analyse all sending sources
Identify misconfigs / gaps
Configure rua= reporting
Collect aggregate reports
Analyse all sending sources
Identify misconfigs / gaps
โ ๏ธ p=quarantine
Move to p=quarantine
Monitor spam folder impact
Resolve legitimate failures
Confirm all streams passing
Target: pct=100
Monitor spam folder impact
Resolve legitimate failures
Confirm all streams passing
Target: pct=100
๐ด p=reject
Full enforcement active
Spoofing now blocked
Monitor for false positives
Maintain rua reporting
Review quarterly
Spoofing now blocked
Monitor for false positives
Maintain rua reporting
Review quarterly
DMARC as an Intelligence Source
Aggregate Reports (RUA)
Daily XML reports from receiving mail servers: sending IPs, volumes, SPF/DKIM pass/fail, disposition. Intelligence value: identify spoofing attempts, misconfigured senders, shadow IT email streams, and mail volume anomalies.
Forensic Reports (RUF)
Per-message failure reports including full message headers for emails that fail DMARC. Intelligence value: phishing lure analysis, attacker infrastructure identification, spoofed sender patterns.
Lookalike Domain Monitoring
Monitor Certificate Transparency logs and domain registration feeds for lookalike registrations (typosquats, homoglyphs, combosquats). Correlate with DMARC failure reports to identify active impersonation campaigns.
BIMI
Brand Indicators for Message Identification. Requires DMARC at p=quarantine/reject. Displays verified brand logo in supporting mail clients. Signals authentication maturity and deters impersonation at scale.
Broader Email Security Intelligence Areas
| Area | Intelligence Signals | Tooling / Sources | Feed Target |
|---|---|---|---|
| Header Analysis | Received chain anomalies, X-Originating-IP, authentication-results header, Reply-To mismatch, envelope From โ header From | MXToolbox, Mail Header Analyser, email gateway logs | SOC triage, phishing response playbooks |
| MX / Mail Infrastructure Recon | MX record changes (possible hijack), mail server fingerprinting, open relay detection, SMTP STARTTLS enforcement status | MXToolbox, DNSlytics, nmap | Vulnerability management, infrastructure monitoring |
| Phishing Kit Intelligence | Kit source code patterns, hosting provider patterns, certificate reuse, phishing page HTML fingerprints, credential exfil destination analysis | PhishTank, OpenPhish, FortiGuard, manual analysis | Email gateway rules, proxy blocklists |
| BEC Pattern Analysis | Display name spoofing patterns, CEO/CFO impersonation lures, vendor impersonation (invoice fraud), urgency and wire transfer language patterns | Email gateway logs, user-reported phishing, DMARC RUF | Email gateway rules, user awareness training |
| AiTM / EvilProxy Detection | Adversary-in-the-Middle phishing proxy indicators: cookie theft after MFA, unusual token reuse, logon from unexpected IP post-MFA | Entra ID sign-in logs, Defender for Identity, UEBA | SOC detection rules, identity security |
| Quishing (QR Phishing) | QR code payloads in email bodies/attachments, URL extraction from QR images, sandbox detonation of QR-delivered URLs | Email sandbox, computer vision tooling, URL detonation | Email gateway (QR scanning), user awareness |
| Credential Dump Monitoring | Corporate email addresses in leaked credential dumps, stealer log data with email credentials, combo list appearance | HIBP, Intel 471, Flare, Digital Shadows | Identity security, forced resets, SOC alerting |
| Malicious Attachment Intel | Document-based malware (macro, template injection, HTML smuggling), archive-based delivery, LNK/ISO container abuse | VirusTotal, MalwareBazaar, ANY.RUN, Tria.ge sandbox | Email gateway (file type blocking), EDR rules |
TLP Framework
Traffic Light Protocol 2.0 โ governing intelligence sharing, handling, and dissemination
TLP:RED
Strictly Restricted
Not for disclosure. Restricted to recipients only โ not to be forwarded, stored in shared systems, or discussed beyond named individuals in the conversation.
Use when: information could damage the source, ongoing operations, or specific individuals if shared beyond direct recipients.
Examples: active law enforcement operations, named victim details before public disclosure.
Examples: active law enforcement operations, named victim details before public disclosure.
TLP:AMBER
Limited Distribution
Restricted to the recipient organisation and their clients on a need-to-know basis. Cannot be shared publicly or with other organisations without explicit permission.
TLP:AMBER+STRICT = organisation only, not to clients/third parties.
Use when: information could harm the source or recipient's operations if shared beyond the immediate community.
Use when: information could harm the source or recipient's operations if shared beyond the immediate community.
TLP:GREEN
Community Sharing
Can be shared within the community (sector, ISAC, peer group). Not to be shared publicly or posted to internet-accessible resources.
Use when: information is useful for the community but could harm the source if made fully public.
Examples: sector-specific IOC feeds, ISAC advisories, CERT bulletins within closed communities.
Examples: sector-specific IOC feeds, ISAC advisories, CERT bulletins within closed communities.
TLP:WHITE
Unrestricted
No restriction on disclosure. Can be shared publicly without restriction. Subject to standard copyright rules.
Use when: information carries minimal risk of misuse and can freely circulate.
Examples: NCSC public advisories, CVE descriptions, published threat research, public YARA rules.
Examples: NCSC public advisories, CVE descriptions, published threat research, public YARA rules.
TLP Handling in Practice
| Scenario | TLP | Handling Requirement |
|---|---|---|
| Active phishing campaign targeting your org โ shared by NCSC Early Warning | TLP:AMBER | Share internally with SOC and email team. Do not publish IOCs publicly or share with other organisations without NCSC permission. |
| Zero-day PoC shared by a peer in a closed ISAC community call | TLP:RED | Share only with named participants. Do not log in shared systems. Cannot be quoted or referenced outside the call. |
| CISA KEV listing for a new actively exploited CVE | TLP:WHITE | No restrictions. Share freely. Use in public-facing comms, vendor advisories, blog posts. |
| Dark web intelligence indicating org credentials for sale โ sourced from commercial TI vendor | TLP:AMBER+STRICT | Organisation only โ HR, CISO, Legal, Identity team. Not to clients, partners, or public. |
| ISAC sector threat bulletin โ distributed to ISAC members | TLP:GREEN | Share within your sector community and ISAC members. Do not post to public forums, social media, or websites. |
| YARA rule derived from malware analysis, no attribution to sensitive source | TLP:WHITE | Can be published on GitHub, shared via OTX, or submitted to VirusTotal. Community sharing encouraged. |
STIX 2.1 / TAXII 2.1 โ Structured Sharing
STIX 2.1 Objects
Core SDO types:
attack-pattern โ MITRE ATT&CK techniques
campaign โ Threat campaigns
indicator โ IOCs with pattern language
malware โ Malware family descriptions
threat-actor โ Group profiles
vulnerability โ CVE references
course-of-action โ Mitigations
attack-pattern โ MITRE ATT&CK techniques
campaign โ Threat campaigns
indicator โ IOCs with pattern language
malware โ Malware family descriptions
threat-actor โ Group profiles
vulnerability โ CVE references
course-of-action โ Mitigations
TAXII 2.1 Transport
REST API for STIX bundle exchange.
Collections โ Named groups of STIX content
Authentication โ API key, OAuth 2.0, certificate
Compatible: MISP, OpenCTI, ThreatQ, Recorded Future, MITRE ATT&CK TAXII server
Collections โ Named groups of STIX content
Authentication โ API key, OAuth 2.0, certificate
Compatible: MISP, OpenCTI, ThreatQ, Recorded Future, MITRE ATT&CK TAXII server
MISP Integration
MISP supports STIX import/export and native TAXII server integration.
โข Ingest ISAC feeds
โข Share events with sector peers
โข TLP marking on all objects
โข Automated IOC push to SIEM/EDR via sync
โข Correlation across feeds to reduce duplicates
โข Ingest ISAC feeds
โข Share events with sector peers
โข TLP marking on all objects
โข Automated IOC push to SIEM/EDR via sync
โข Correlation across feeds to reduce duplicates
Intelligence Prioritisation
IOC triage and validation workflow, priority matrix, zero-day handling, and programme metrics
IOC Triage & Validation Workflow
1
Ingest & Deduplication
New intelligence arrives from feeds, advisories, ISAC, internal systems. Normalise to common format (STIX or internal schema). Deduplicate against existing IOC database โ avoid alert fatigue from reprocessing known indicators. Volume control is critical: a 100,000-IOC SIEM rule set degrades performance.
Output: normalised IOC setSLA: automated <15min
2
Source Reliability Assessment
Assess source reliability and information credibility independently using an Admiralty Scale or equivalent โ Source (AโF) ร Information (1โ6). High-volume automated feeds require statistical false-positive analysis before deployment. Government/CERT sources default to high reliability; community feeds require validation.
Output: reliability score per indicator
3
Context Enrichment
Enrich indicators with additional context: VirusTotal reputation, passive DNS history, WHOIS data, ASN/geolocation, related malware families, associated threat actors, MITRE ATT&CK mapping. Context transforms a raw IP address into an indicator with operational value โ know what you're blocking and why.
Output: enriched indicatorTools: VT API, Shodan, PassiveDNS
4
Relevance Assessment
Determine relevance to your organisation: Does this threat actor target your sector? Is the affected product in your environment? Is the campaign geographically relevant? Low-relevance indicators may be ingested at lower priority with monitoring-only disposition rather than blocking rules.
High / Medium / Low / Not applicable
5
Confidence Scoring
Assign confidence level based on: source reliability, corroboration from multiple independent sources, recency, and specificity. High-confidence + high-relevance = candidate for automated blocking. Low-confidence = alert-only until validated. Track confidence decay โ old IOCs lose value and become false-positive risk.
High / Medium / LowTTL: set expiry on all IOCs
6
Disposition & Action
Assign disposition: Block (automated, high-confidence) โ EDR/FW/Proxy. Alert (monitoring, medium) โ SIEM rule. Hunt (new TTP) โ Threat hunting package. Watch (lower priority) โ periodic review. Archive (low relevance) โ retain for future correlation only.
Block โ EDR/FW/ProxyAlert โ SIEMHunt โ TH package
7
Lifecycle Management & Expiry
IOCs have a shelf life. C2 IPs may be repurposed as legitimate infrastructure within weeks. Set TTL for all indicators: IPs (7โ30 days), domains (30โ90 days), file hashes (indefinite for known malware families). Automated expiry prevents false positives from stale intelligence degrading detection quality.
IPs: 7โ30d ยท Domains: 30โ90d ยท Hashes: indefinite
Intelligence Priority Matrix
P1 โ IMMEDIATE (<2 hours)
Active exploitation of your infrastructure
Credentials for sale on dark web (your org)
Zero-day in production software, no patch
Active phishing campaign targeting your users
Ransomware precursor IOCs detected internally
NCSC / CISA emergency alert โ sector-specific
Credentials for sale on dark web (your org)
Zero-day in production software, no patch
Active phishing campaign targeting your users
Ransomware precursor IOCs detected internally
NCSC / CISA emergency alert โ sector-specific
P2 โ URGENT (<24 hours)
CISA KEV addition affecting your software
New PoC for Critical CVE in your environment
EPSS >50% on unpatched vulnerability
Threat actor actively targeting your sector
Supply chain compromise of a key vendor
Major peer breach โ similar architecture
New PoC for Critical CVE in your environment
EPSS >50% on unpatched vulnerability
Threat actor actively targeting your sector
Supply chain compromise of a key vendor
Major peer breach โ similar architecture
P3 โ ELEVATED (2โ7 days)
High CVSS + EPSS 10โ50% โ assess exposure
New threat actor TTPs โ update detections
Sector ISAC advisory โ non-immediate
New malware family โ YARA/hunt package
Infrastructure changes in known threat actor
DMARC failure spike โ investigate spoofing
New threat actor TTPs โ update detections
Sector ISAC advisory โ non-immediate
New malware family โ YARA/hunt package
Infrastructure changes in known threat actor
DMARC failure spike โ investigate spoofing
P4 โ ROUTINE (Weekly cycle)
Monthly patch cycle CVE assessment
Threat landscape report review
IOC feed refresh and expiry management
Threat actor profile updates
Vendor security advisory review
Executive briefing preparation
Threat landscape report review
IOC feed refresh and expiry management
Threat actor profile updates
Vendor security advisory review
Executive briefing preparation
Zero-Day Intelligence Workflow
โก
Zero-Day Detection & Initial Triage
โถ- Verify the zero-day claim โ distinguish between "unpatched CVE" and a genuinely novel vulnerability with no vendor acknowledgement
- Identify the vulnerable product and version range โ cross-reference with internal CMDB/asset inventory immediately
- Assess exploitation complexity and pre-requisites (authentication required? network access? user interaction?)
- Determine: is there evidence of active exploitation in the wild? (Threat actor use, CISA/NCSC advisory, incident reports)
- Assess internet exposure of affected assets โ internet-facing = highest immediate priority
- Check vendor advisory status โ has the vendor acknowledged? Is there a patch timeline?
๐ก๏ธ
Compensating Controls โ While Awaiting Patch
โถ- Deploy WAF rule / IPS signature if available (vendor or community-supplied)
- Network segment / isolate affected systems where operational impact allows
- Restrict network access to affected service to known-good IPs / VPN-only where possible
- Enable enhanced logging on affected systems โ prepare detection if exploit is attempted
- Create SIEM detection rule for known exploit indicators or anomalous behaviour patterns
- Disable unnecessary features / components of vulnerable software that expand attack surface
- Document compensating controls formally with CISO sign-off and review date
๐ค
Dissemination & Escalation Actions
โถ- Issue internal Flash Report to SOC, vulnerability management, and affected system owners within 2 hours
- Escalate to CISO if: internet-facing, no patch, active exploitation, crown-jewel system affected
- Notify IT Ops / patch management with SLA requirement and compensating control guidance
- Share with ISAC / sector peers at appropriate TLP if intelligence suggests broad targeting
- Report to NCSC Early Warning or equivalent if significant and novel
- Track vendor patch release โ trigger emergency change as soon as patch is available and validated
- Post-patch: validate, update intelligence record, produce lessons-learned note for TI programme review
Intelligence Programme Metrics
| Metric | What It Measures | Target |
|---|---|---|
| MTTD โ TI-Driven | Time from threat actor activity to TI-informed detection โ measures intelligence lead time over traditional alerting | TI-informed detection <24hrs before SOC alert |
| IOC Hit Rate | Percentage of deployed IOCs generating at least one alert โ measures intelligence relevance and quality | >5% hit rate; low rate = poor source quality |
| False Positive Rate | Percentage of IOC-generated alerts that are false positives โ measures operational impact on SOC | <10% FP on blocking rules; higher acceptable on alert-only |
| Mean Time to Operationalise | Time from intelligence receipt to deployed detection/blocking rule โ measures analyst efficiency | P1: <2hrs ยท P2: <24hrs ยท P3: <7 days |
| Requirements Coverage | Percentage of PIRs addressed by current intelligence programme | >80% coverage; gaps drive source acquisition |
| IOC Expiry Compliance | Percentage of IOCs with defined TTL and active expiry management โ prevents stale FP risk | 100% of deployed IOCs with assigned TTL |