Threat Intelligence is a practical discipline gathering and utilising information. Before considering how intelligence is used in practice, we must identify the nature of the intelligence that is required and the framework in which this intelligence will be applied. To be a useful adjunct to cyber security protection, the correct threat intelligence must be applied, and its utility measured.

Chapter 3 describes the threat intelligence cycle, the most commonly described framework for organising and applying intelligence, as well as the many elements that comprise the threat intelligence programme.

3.1 Planning Intelligence Gathering

In Chapter 1, Cyber Threat Intelligence was defined as:

The process and outcome of gathering and analysing information relating to the people or things that may cause damage to electronic networked devices, in order to assist decision making.

This definition poses some immediate questions – what intelligence does decision making require? How will the delivered intelligence be used? How will we know if the intelligence supplied is useful and fulfilling its purpose?

Threat intelligence cannot exist in a vacuum. Intelligence production must be part of a wider process of supporting the cyber security posture of an organisation as part of a developed security structure. Unplanned and undirected intelligence activities are unlikely to be productive. To provide value to an organisation, threat intelligence needs to be part of ...