4 Collecting Intelligence
Intelligence can be collected from many sources. Indeed, many sources freely offer intelligence to anyone who desires to consume it. However, too much intelligence is counterproductive and may simply cloud the picture, while applying incorrect or maliciously false intelligence can only lead to bad decisions.
No threat intelligence data can provide a crystal ball to see into the future and predict with perfect precision the attacks that will occur. Nevertheless, threat intelligence can be incredibly useful in providing forward-looking statements based on observation and professional opinion.
Chapter 4 considers the issues that affect the suitability of sources of intelligence for inclusion in a threat intelligence programme.
4.1 Hierarchy of Evidence
Within any cyber incident, nobody has a complete understanding of the full picture. The threat actor will hopefully be aware of their actions and the systems that they have compromised. Nevertheless, much information will remain unknown. The threat actor is unlikely to be aware of the entire IT estate of their victim, will be unaware of the victim's level of awareness of the attack, and cannot know the precise future actions of the victim.
Similarly, the victim may be aware of parts of an attack they have discovered, but will remain ignorant of the full extent of the threat actor's actions, their exact motivations, future actions, and exactly which systems (if any) that the ...