
Explain the importance of threat data and intelligence

  • Intelligence sources

    • Open-source intelligence - OSINT is information that is publicly available in the form of search engines, social media posts, news sites, blog posts, academic papers, industry group data, etc.
    • Proprietary/closed-source intelligence - information that is not publicly available and usually requires a paid subscription or membership to access.
    • Timeliness - intelligence needs to be received as soon as possible. An indicator that arrives a month after the campaign it describes is usually too late to act on.
    • Relevancy - the volume of available intelligence is overwhelming and much of it is irrelevant. Intelligence should be relevant to the organization's industry, technology stack and threat landscape.
    • Accuracy - inaccurate intelligence provides no benefit to the organization, and acting on it (blocking a legitimate address, for example) can cause harm.
  • Confidence Levels

  • Confidence levels express how sure the producer (and the consumer) is that a piece of intelligence is correct. Not every source is reliable, and some malicious actors deliberately seed false information, so low-confidence indicators should be verified before anyone acts on them.

  • Indicator management

  • Indicators of Compromise (IOCs) are artifacts such as IP addresses, domains and file hashes that are used to identify potential threats. These standards are used to manage the collection, sharing and analysis of IOCs:

    • Structured Threat Information eXpression (STIX) - A structured language for describing cyber threat information (indicators and the patterns that could reveal a threat, campaigns, threat actors) so that it can be shared within an organization and with outside partners and used to drive threat response. STIX 1.x was XML-based; STIX 2.x uses JSON.
    • Trusted Automated eXchange of Indicator Information (TAXII) - An application-layer protocol for exchanging cyber threat information (typically STIX content) over HTTPS.
    • OpenIoC - An open, XML-based framework (originally from Mandiant) for describing and sharing indicators of compromise.
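
As an added worked example (not part of these notes) that ties together indicator management, timeliness and confidence, the following Python script parses a constructed STIX 2.1 bundle, drops indicators that have expired or fall below a confidence threshold, and sweeps the remaining IOC values across a few constructed log lines. The bundle, its identifiers, the IOC values (documentation addresses and names plus a dummy hash) and the log lines are all made up for the example; it handles only atomic STIX patterns, not compound ones.

```python
"""Added example (not from the original notes): parse STIX 2.1 indicators,
keep only those that are current and confident enough, then sweep the IOC
values across log lines. Bundle, IOC values and logs are all constructed."""
import json
import re
from datetime import datetime

# Constructed STIX 2.1 bundle. STIX 2.x is JSON; the older STIX 1.x was XML.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {   # high confidence and still valid: actionable
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2024-01-10T00:00:00.000Z", "modified": "2024-01-10T00:00:00.000Z",
            "name": "C2 address (constructed)", "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.10']",
            "valid_from": "2024-01-10T00:00:00Z", "valid_until": "2030-01-01T00:00:00Z",
            "confidence": 85,
        },
        {   # expired: fails the timeliness check despite high confidence
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2019-06-01T00:00:00.000Z", "modified": "2019-06-01T00:00:00.000Z",
            "name": "old phishing domain (constructed)", "pattern_type": "stix",
            "pattern": "[domain-name:value = 'bad.example']",
            "valid_from": "2019-06-01T00:00:00Z", "valid_until": "2020-01-01T00:00:00Z",
            "confidence": 90,
        },
        {   # low confidence: the producer itself does not vouch for it
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000004",
            "created": "2024-02-01T00:00:00.000Z", "modified": "2024-02-01T00:00:00.000Z",
            "name": "unverified dropper hash (constructed)", "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
            "valid_from": "2024-02-01T00:00:00Z", "confidence": 20,
        },
        {   # not an indicator; a parser must skip it rather than crash
            "type": "identity", "spec_version": "2.1",
            "id": "identity--00000000-0000-4000-8000-000000000005",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "name": "Example ISAC feed", "identity_class": "organization",
        },
    ],
})

# One atomic STIX comparison: [<object-type>:<property> = '<value>']
ATOMIC_PATTERN = re.compile(r"^\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]$")

def _ts(value):
    """Parse a STIX timestamp (RFC 3339 with trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_indicators(bundle_json):
    """Extract atomic IOCs from every STIX-pattern indicator in a bundle."""
    found = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        match = ATOMIC_PATTERN.match(obj["pattern"].strip())
        if not match:
            continue  # compound patterns (AND / OR / FOLLOWEDBY) are out of scope here
        ioc_type, value = match.groups()
        found.append({
            "id": obj["id"], "type": ioc_type, "value": value,
            "confidence": obj.get("confidence"),  # optional in STIX 2.1, scale 0-100
            "valid_until": _ts(obj["valid_until"]) if "valid_until" in obj else None,
        })
    return found

def select_actionable(indicators, now, min_confidence=50):
    """Timeliness: drop expired indicators. Confidence: drop weakly trusted ones.
    A missing confidence value counts as 0, not as trusted."""
    return [ind for ind in indicators
            if (ind["valid_until"] is None or ind["valid_until"] > now)
            and (ind["confidence"] or 0) >= min_confidence]

def match_logs(indicators, log_lines):
    """Return (line number, indicator id) for every log line containing an IOC value."""
    return [(lineno, ind["id"]) for lineno, line in enumerate(log_lines, start=1)
            for ind in indicators if ind["value"].lower() in line.lower()]

# Constructed log lines using documentation addresses and names (RFC 5737, RFC 2606).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z proxy allow src=10.0.0.5 dst=203.0.113.10 host=update.example",
    "2024-03-01T10:00:02Z dns query name=bad.example client=10.0.0.7",
    "2024-03-01T10:00:03Z edr file_hash=sha256:" + "ab" * 32 + " path=C:\\Temp\\a.exe",
    "2024-03-01T10:00:04Z proxy allow src=10.0.0.9 dst=198.51.100.20 host=www.example",
]

def run_example(now="2024-03-01T00:00:00Z", min_confidence=50):
    actionable = select_actionable(parse_indicators(STIX_BUNDLE), _ts(now), min_confidence)
    return match_logs(actionable, SAMPLE_LOGS)

if __name__ == "__main__":
    for lineno, ind_id in run_example():
        print(f"log line {lineno} matched {ind_id}")
```

With the defaults only the C2 address fires, on log line 1: the phishing domain is present in line 2 but its indicator expired in 2020, and the dropper hash is present in line 3 but carries a confidence of 20. Lowering the threshold to 0 surfaces the hash as well, which is the trade-off the confidence level is there to make explicit.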
  • Threat Classification

  • When threat data comes in it is important to classify the threat it represents to the organization, so that the most severe threats are addressed first.

    • Known threat vs. unknown threat - Known threats are documented and have signatures or other detection content available. Unknown threats have no signatures yet; they may have been observed somewhere, but nothing in the organization's tooling can identify them, so they must be found through behavioral methods such as static and dynamic analysis in a sandbox environment.
    • Zero-day - A vulnerability that has been discovered (and is often already being exploited) before the vendor has a fix or patch available.
    • Advanced persistent threat - APTs are long-running campaigns that target specific entities. The groups behind them are usually well-funded and highly skilled, and they typically target governments and large organizations.
  • Threat actors

  • A threat actor is the person or group that carries out the threat. The main types are:

    • Nation-state - Usually a foreign government or a group acting on its behalf; nation-states have more resources than any other type of actor.
    • Hacktivist - An individual or group that performs attacks to advance a political or social cause.
    • Organized crime - Well-financed and organized groups whose primary motive is financial gain; they often target the financial sector.
    • Insider threat - Employees, contractors or other insiders who have knowledge of and access to the organization's systems. They fall into two separate groups:
      • Intentional - Insiders with malicious intent, often disgruntled employees.
      • Unintentional - Users who accidentally make the organization less secure, for example through negligence or by falling for phishing.
  • Intelligence cycle

  • The intelligence cycle is a repeating process with the following stages:

    • Requirements - Define what information is to be collected and analyzed, and why. The volume of available information is overwhelming, so it must be narrowed to a manageable amount by deciding up front which kinds of data are needed.
    • Collection - Gather all the data that is available and relevant according to the requirements.
    • Analysis - The collected data is processed and analyzed to produce intelligence that is timely, actionable and consistent.
    • Dissemination - The finished intelligence is distributed to the people who need it, who then build and deploy solutions to mitigate the risk: policy changes, detection scripts, configuration changes, etc.
    • Feedback - Review the whole cycle: what went well, what didn't, and what can be improved before the next iteration.
  • Commodity malware

  • Malware that is widely available for free download or purchase and has not been customized or tailored for a specific target. Such tools are typically used by script kiddies; more advanced malware is usually custom-written by APTs for specific attacks.

  • Information sharing and analysis communities

  • Industry groups and governments have built information sharing platforms (ISACs and similar bodies) so that organizations in the same sector can help each other:

    • Healthcare - Health Information Sharing and Analysis Center (H-ISAC)
    • Financial - Financial Services Information Sharing and Analysis Center (FS-ISAC)
    • Aviation - Aviation Government Coordinating Council (AGCC)
    • Government - U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)
    • Critical infrastructure - European Union Agency for Network and Information Security (ENISA), renamed the European Union Agency for Cybersecurity in 2019