On this page
- Quick Reference: A.5.7 in 60 Seconds
- What the Standard Actually Requires
- The Threat Intelligence Lifecycle
- The Four Types of Threat Intelligence
- Threat Intelligence Sources
- Building Your Threat Intelligence Program
- Threat Intelligence Platforms & Tools
- Threat Intelligence for SaaS & Cloud Environments
- MITRE ATT&CK Framework Integration
- Threat Intelligence Metrics & KPIs
- Threat Intelligence on a Budget
- Automation: STIX/TAXII & APIs
- India-Specific Threat Intelligence
- AI/ML Threat Intelligence
- Integration with SOC & SIEM
- Threat Intelligence-Driven Vulnerability Prioritization
- Governance & Roles
- Training & Awareness
- Implementation Roadmap: 4 Weeks
- Common Audit Failures & How to Fix Them
- Illustrative Scenarios: Real Intelligence in Action
- Multi-Framework Mapping
- FAQ
- Advanced Threat Intelligence Concepts
- Additional FAQ
- Indian Threat Landscape, 2026 Overview
Quick Reference: A.5.7 in 60 Seconds
| Question | Answer |
|---|---|
| What is it? | A control requiring organizations to collect and analyze information about information security threats to produce actionable intelligence. |
| Why does it matter? | Without threat intelligence, you defend against yesterday's threats while today's attackers use new techniques. Intelligence turns reactive security into proactive defense. |
| Minimum requirement | Documented process for collecting, analyzing, and acting on threat intelligence; identified sources; evidence of analysis and action. |
| Audit red flag | Subscribed to a threat feed but never read it; no analysis documented; no evidence that intelligence influenced security decisions. |
| Quick win | Subscribe to 3 free feeds, dedicate 30 min/week to review, log findings in a spreadsheet, and update the risk register quarterly. |
| Time to implement | 1–2 weeks for basic program; 4–8 weeks for mature program. |
| Related controls | A.5.35 (Independent Review), A.6.3 (Awareness), A.8.8 (Vulnerability Management), A.8.16 (Monitoring Activities) |
What the Standard Actually Requires
ISO 27001:2022 A.5.7 Text
ISO 27001:2022 Annex A 5.7 asks organizations to collect and analyze information about security threats to produce actionable threat intelligence.
ISO 27002:2022 Implementation Guidance (Section 5.7)
ISO 27002 provides 6 implementation guidelines:
- Establish objectives, Define what threat intelligence you need and why.
- Identify sources, Internal and external sources of threat information.
- Collect information, Gather threat data from identified sources.
- Prepare information, Format, translate, and normalize data for analysis.
- Analyze information, Understand how threats relate to your organization.
- Communicate and share, Share intelligence with relevant people in an understandable way.
What Auditors Actually Check
| Auditor Action | What They Want to See |
|---|---|
| Review threat intelligence procedure | Documented process for collection, analysis, and action |
| Check threat intelligence sources | List of internal and external sources with vetting evidence |
| Verify collection evidence | Logs, screenshots, or records of threat data collected |
| Verify analysis evidence | Analysis reports, meeting minutes, or documented assessments |
| Verify action evidence | Risk register updates, control changes, or incident response triggered by intelligence |
| Check communication records | Evidence that intelligence was shared with relevant stakeholders |
| Verify integration with risk management | Threat intelligence influenced risk assessments or risk treatment |
| Check for SaaS-only approach | Evidence of human analysis, not just automated tool outputs |
| Review staff interviews | "How do you know what threats are relevant to us?" |
The Threat Intelligence Lifecycle
The threat intelligence lifecycle is a continuous loop of six phases. Each phase feeds into the next, creating a self-improving system.
┌─────────────────────────────────────────────────────────────┐
│ 1. PLANNING & DIRECTION │
│ • Define intelligence requirements │
│ • Identify key questions to answer │
│ • Set objectives and priorities │
│ • Allocate resources │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ 2. COLLECTION │
│ • Gather data from internal and external sources │
│ • Automated feeds + manual research │
│ • Store raw data in centralized repository │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ 3. PROCESSING │
│ • Normalize and format data │
│ • Translate foreign language sources │
│ • Deduplicate and filter noise │
│ • Enrich with context (geography, industry, technology) │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ 4. ANALYSIS │
│ • Assess relevance to your organization │
│ • Determine likelihood and impact │
│ • Map to MITRE ATT&CK techniques │
│ • Identify gaps in current defenses │
│ • Produce actionable recommendations │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ 5. DISSEMINATION │
│ • Package intelligence for audience │
│ • Strategic: Board/CISO briefing │
│ • Tactical: SOC playbooks, detection rules │
│ • Operational: Incident response procedures │
│ • Technical: IOCs, signatures, blocklists │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ 6. FEEDBACK & IMPROVEMENT │
│ • Did the intelligence lead to action? │
│ • Was the intelligence accurate? │
│ • Did we prevent or detect the threat? │
│ • Update sources, processes, and priorities │
└─────────────────────────────────────────────────────────────┘
│
▼
(Back to Planning)
Planning & Direction: Key Questions
| Audience | Key Questions | Output Format |
|---|---|---|
| Board / CEO | "What are the top 3 threats to our business?" | Quarterly strategic briefing (1 page) |
| CISO | "What threats are we most vulnerable to?" | Monthly threat assessment report |
| SOC Manager | "What IOCs should we hunt for this week?" | Weekly IOC feed + detection rules |
| IT Director | "What vulnerabilities should we patch first?" | Weekly vulnerability prioritization |
| Dev Team | "What attack techniques target our tech stack?" | Monthly threat profile for tech stack |
| Compliance | "What threats affect our regulatory posture?" | Quarterly regulatory threat update |
The Four Types of Threat Intelligence
| Type | Audience | Time Horizon | Focus | Example |
|---|---|---|---|---|
| Strategic | Board, CISO, executives | 6–12 months | Trends, actor motivations, geopolitical | "APT groups targeting Indian fintech are increasing" |
| Tactical | SOC managers, IR leads | 1–3 months | Tactics, techniques, procedures (TTPs) | "APT41 uses spear-phishing with LNK files to deliver Cobalt Strike" |
| Operational | SOC analysts, incident responders | Days–weeks | Specific campaigns, active threats | "Ransomware campaign targeting unpatched CVE-2024-XXXX is active in APAC" |
| Technical | SOC analysts, threat hunters | Real-time | IOCs, signatures, hashes, IPs | "Block these 47 IPs associated with C2 infrastructure" |
Strategic Intelligence Example
STRATEGIC THREAT INTELLIGENCE BRIEFING
Date: June 2026
Audience: Board of Directors
TOP 3 THREATS TO OUR ORGANIZATION:
1. SUPPLY CHAIN ATTACKS
• Trend: 40% increase in software supply chain attacks in 2025
• Impact: We use 200+ open-source dependencies
• Risk: High — single compromised dependency could breach our entire platform
• Mitigation: SBOM generation, dependency scanning, vendor security assessments
2. AI-POWERED SOCIAL ENGINEERING
• Trend: Deepfake voice calls and AI-generated phishing emails increased 300%
• Impact: Our CEO and CFO are high-value targets
• Risk: Medium-High — wire transfer fraud could overhead +
• Mitigation: Out-of-band verification for large transfers, voice authentication
3. RANSOMWARE TARGETING SAAS PROVIDERS
• Trend: Ransomware groups now targeting cloud/SaaS infrastructure directly
• Impact: Our AWS environment is a single point of failure
• Risk: High — 72-hour downtime could overhead in lost revenue
• Mitigation: Immutable backups, air-gapped recovery, incident response drills
RECOMMENDATION: Increase security budget by 25% for supply chain security and backup infrastructure.
Tactical Intelligence Example
TACTICAL THREAT INTELLIGENCE REPORT
Date: Week of June 15, 2026
Audience: SOC Team, IR Team
ACTIVE THREAT: "SILENT LYNX" CAMPAIGN
THREAT ACTOR: APT Group (Suspected nation-state, Asia-Pacific focus)
TACTICS:
• Initial Access: Spear-phishing with malicious PDF attachments
• Execution: Exploits CVE-2024-XXXX in Adobe Acrobat Reader
• Persistence: Registry run key modification
• C2: HTTPS communication to domains: evil-domain[.]com, bad-site[.]net
MITRE ATT&CK MAPPING:
• T1566.001 — Spear-phishing Attachment
• T1203 — Exploitation for Client Execution
• T1547.001 — Registry Run Keys
• T1071.001 — Application Layer Protocol: Web Protocols
INDICATORS OF COMPromise (IOCs):
• File Hash: a1b2c3d4e5f6... (malicious PDF)
• IP: 192.0.2.100, 192.0.2.101
• Domain: evil-domain[.]com, bad-site[.]net
• Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
RELEVANCE TO US:
• We use Adobe Acrobat Reader (confirmed vulnerable version on 3 endpoints)
• Our industry (fintech) is a known target of this group
• We received 2 suspicious PDFs in email last week (quarantined)
RECOMMENDED ACTIONS:
1. Update Adobe Acrobat Reader to latest version (IT-2026-0615)
2. Block IOCs on firewall and EDR (SOC-2026-0615)
3. Hunt for registry key on all endpoints (TH-2026-0615)
4. Review email quarantine for similar PDFs (SOC-2026-0615)
5. Brief all staff on PDF-based phishing (HR-2026-0615)
Threat Intelligence Sources
Internal Sources
| Source | What You Get | Collection Method | Frequency |
|---|---|---|---|
| SIEM logs | Attack patterns, failed logins, anomalous behavior | Automated aggregation | Real-time |
| EDR alerts | Endpoint threats, malware detections, lateral movement | Automated feed | Real-time |
| Incident reports | Post-incident analysis, lessons learned | Manual documentation | Per incident |
| Vulnerability scans | Internal vulnerability data | Automated scanning | Weekly |
| Penetration test results | Identified weaknesses, attack paths | Manual report | Annually |
| Security audit findings | Control gaps, compliance issues | Manual report | Annually |
| Employee reports | Phishing attempts, suspicious activity | Email/Slack/phone | As reported |
| Application logs | API abuse, fraud attempts, abuse patterns | Automated aggregation | Real-time |
| Dark web monitoring | Leaked credentials, data dumps, chatter about your org | Third-party service | Weekly |
External Sources (Free)
| Source | Type | URL | Update Frequency | Best For |
|---|---|---|---|---|
| CERT-In Advisories | Government alerts | cert-in.org.in | Weekly | Indian orgs, regulatory compliance |
| NCSC Weekly Threat Report | Government summary | ncsc.gov.uk | Weekly | SMEs, executive briefings |
| CISA Known Exploited Vulnerabilities | Vulnerability list | cisa.gov/known-exploited-vulnerabilities | Daily | Patch prioritization |
| CISA Alerts & Bulletins | Government alerts | cisa.gov/alerts | As needed | Critical infrastructure |
| Microsoft Security Blog | Vendor-specific | msrc.microsoft.com | Weekly | Microsoft environments |
| AWS Security Bulletins | Cloud-specific | aws.amazon.com/security/security-bulletins | Weekly | AWS environments |
| Google Cloud Security Bulletin | Cloud-specific | cloud.google.com/support/bulletins | Weekly | GCP environments |
| SANS Internet Storm Center | Community-driven | isc.sans.edu | Daily | SOC analysts |
| Bleeping Computer | News & analysis | bleepingcomputer.com | Daily | General awareness |
| The Hacker News | News & analysis | thehackernews.com | Daily | General awareness |
| Reddit r/netsec | Community discussion | reddit.com/r/netsec | Real-time | Technical trends |
| MITRE ATT&CK | TTP framework | attack.mitre.org | Quarterly | TTP mapping |
| CVE Database | Vulnerability data | cve.mitre.org | Daily | Vulnerability tracking |
| NVD | Vulnerability scoring | nvd.nist.gov | Daily | CVSS scoring |
| Exploit-DB | Exploit code | exploit-db.com | Daily | Vulnerability verification |
| Phishing Database | Phishing URLs | phishtank.com | Real-time | Phishing defense |
| URLhaus | Malware URLs | urlhaus.abuse.ch | Real-time | Malware blocking |
| Abuse.ch | IOC feeds (multiple) | abuse.ch | Real-time | IOC collection |
| MISP Project | Threat sharing platform | misp-project.org | Real-time | Community sharing |
| AlienVault OTX | Open threat exchange | otx.alienvault.com | Real-time | Free IOC feeds |
| VirusTotal | File/URL analysis | virustotal.com | Real-time | Malware analysis |
| GreyNoise | Internet scan data | greynoise.io | Real-time | Scan activity |
| Shodan | Internet-exposed devices | shodan.io | Weekly | Attack surface |
| Have I Been Pwned | Breach data | haveibeenpwned.com | Weekly | Credential monitoring |
External Sources (Paid)
| Source | Type | licensing Range | Best For |
|---|
Source Selection Framework
| Organization Size | Recommended Free Sources | Recommended Paid Sources | Budget |
|---|
Building Your Threat Intelligence Program
Threat Intelligence Program Maturity Model
| Level | Name | Characteristics | Time to Reach | Tools |
|---|---|---|---|---|
| 1 | Ad-hoc | Occasional reading of security news; no formal process | Baseline | News sites, email alerts |
| 2 | Defined | Weekly timeboxed review; documented sources; simple log | 2–4 weeks | Spreadsheet, RSS feeds, email |
| 3 | Managed | Structured lifecycle; regular analysis; integration with risk register | 1–3 months | MISP, Trello/Jira, wiki |
| 4 | Measured | Metrics tracked; KPIs reported; feedback loop operational | 3–6 months | TIP platform, dashboard |
| 5 | Optimized | Automated collection; AI-assisted analysis; predictive intelligence | 6–12 months | Enterprise TIP + SOAR + ML |
Step-by-Step Implementation (Level 1 → Level 3)
Week 1: Define
- Identify 5 key questions your organization needs answered
- Select 5–10 free threat intelligence sources
- Create a simple threat intelligence log (spreadsheet)
- Assign a threat intelligence owner (CISO or security analyst)
- Schedule 30 minutes/week for threat review (e.g., Tuesday morning)
Week 2: Collect
- Subscribe to RSS feeds or email alerts from selected sources
- Set up Google Alerts for your organization name + "breach" or "hack"
- Join MISP community (free) or AlienVault OTX
- Set up dark web monitoring for leaked credentials (Have I Been Pwned)
- Configure SIEM to collect security events (if not already done)
Week 3: Analyze
- Review collected intelligence weekly
- Assess relevance: "Does this threat affect our technology, industry, or geography?"
- Map relevant threats to MITRE ATT&CK techniques
- Document analysis in threat intelligence log
- Update risk register with new threats or changed threat levels
Week 4: Disseminate & Act
- Create weekly threat summary email (3 bullets) for leadership
- Share relevant IOCs with SOC team for detection rules
- Share relevant vulnerabilities with IT for patching priority
- Add threat intelligence as standing agenda item in security meetings
- Document actions taken based on intelligence
Threat Intelligence Platforms & Tools
Platform Comparison Matrix
| Platform | Type | Best For | Key Features | Integration | licensing | Deployment |
|---|---|---|---|---|---|---|
| MISP | Open-source TIP | All sizes, budget-conscious | Threat sharing, IOC management, community feeds | SIEM, SOAR, EDR, firewalls | Free | Self-hosted or cloud |
| ThreatConnect | Enterprise TIP | Large enterprises, MSSPs | Threat Graph, CAL analytics, playbooks, ATT&CK mapping | 200+ integrations | Quote-based | Cloud or on-prem |
| Anomali ThreatStream | Enterprise TIP | Large enterprises | 200+ sources, AI correlation, marketplace | SIEM, SOAR, EDR | Quote-based | Cloud or on-prem |
| Recorded Future | Intelligence Cloud | Enterprises, governments | AI graph, modular suites, broad coverage | SIEM, SOAR, XDR, firewalls | Premium (modular) | Cloud (AWS Marketplace) |
| CrowdStrike Falcon Intelligence | EDR-integrated | CrowdStrike customers | First-party intel, adversary tracking, EDR workflow | Falcon EDR/XDR | Bundled with Falcon | Cloud |
| Mandiant Advantage | IR-grounded | Large enterprises, Google Cloud | Incident-response-driven intel, actor/vuln prioritization | Google Cloud security | Quote-based | Cloud |
| Microsoft Defender TI | Ecosystem-integrated | Microsoft customers | Native MS signals, Defender/Sentinel integration, free tier | Defender, Sentinel, Copilot | Free tier + premium | Cloud |
| Flashpoint Ignite | Dark web/fraud | Fraud prevention, brand protection | Closed-source collections, analyst enrichment, CTI/PSI | SIEM, SOAR, case management | Sales-gated | Cloud or on-prem |
| VirusTotal | Analysis tool | All sizes | File/URL/Hash analysis, community scores, API | SIEM, SOAR, EDR, firewalls | Free tier + API | Cloud |
| AlienVault OTX | Open exchange | All sizes, free IOCs | Community-driven IOCs, pulse subscriptions, API | SIEM, EDR, firewalls | Free | Cloud |
| GreyNoise | Internet noise | SOC analysts, threat hunters | Scan and attack data, benign vs. malicious classification | SIEM, SOAR, EDR, firewalls | Free tier + API | Cloud |
| Shodan | Attack surface | All sizes | Internet-exposed device discovery, API | SIEM, SOAR, EDR | Free tier + API | Cloud |
Tool Selection Decision Tree
┌─────────────────────────────────────────────────────────────┐
│ BUDGET? │
└─────────────────────────────────────────────────────────────┘
│
┌───────────────┼───────────────┐
│ │
▼ ▼
┌─────────────┐ ┌─────────────┐
└─────────────┘ └─────────────┘
│ │
▼ ▼
┌─────────────────────┐ ┌─────────────────────┐
│ MISP + OTX + │ │ SIZE? │
│ VirusTotal + │ └─────────────────────┘
│ CISA KEV + │ │
│ RSS feeds │ ┌──────────┼──────────┐
│ │ │ │ │
└─────────────────────┘ ▼ ▼ ▼
┌────────┐ ┌────────┐ ┌────────┐
│ Small │ │ Medium │ │ Large │
│ 1-50 │ │ 50-500 │ │ 500+ │
└────────┘ └────────┘ └────────┘
│ │ │
▼ ▼ ▼
┌────────┐ ┌────────┐ ┌────────┐
│ CloudSEK││Recorded││ThreatConnect│
│ MISP ││Future ││ Mandiant │
│ ││ CrowdStrike││ Recorded Future│
└────────┘ └────────┘ └────────┘
MISP Setup Guide (Free, Open-Source)
MISP (Malware Information Sharing Platform) is the most popular open-source threat intelligence platform. It's used by 10,000+ organizations worldwide.
Step 1: Deploy MISP
## Docker deployment (easiest)
docker run -it --rm \
-p 80:80 \
-p 443:443 \
hacklu/misp:latest
## Or use the official VM image
## https://www.circl.lu/misp-images/
Step 2: Configure Feeds
- Go to Sync Actions → List Feeds
- Enable default feeds: CIRCL, NIST, CISA, etc.
- Add custom feeds: CERT-In, NCSC, vendor-specific
- Schedule automatic feed fetching (hourly or daily)
Step 3: Create Events
- When you discover a threat, create a MISP event
- Add attributes: IPs, domains, file hashes, email addresses
- Tag with MITRE ATT&CK techniques
- Set distribution: Organization only, Community, Connected communities, All communities
Step 4: Integrate with SIEM
## Example: Fetch MISP events for Splunk
import requests
misp_url = "https://misp.your-org.com"
api_key = "YOUR_API_KEY"
headers = {
"Authorization": api_key,
"Accept": "application/json",
"Content-Type": "application/json"
}
## Get recent events
response = requests.get(
f"{misp_url}/events/restSearch",
headers=headers,
json={"returnFormat": "json", "last": "1d"}
)
events = response.json()
## Send to Splunk via HEC
for event in events:
# Format and send to Splunk
pass
Step 5: Share Intelligence
- Join sharing communities (CIRCL, FIRST, sector-specific)
- Share sanitized IOCs with trusted partners
- Consume community intelligence to enrich your own
Threat Intelligence for SaaS & Cloud Environments
Cloud-Specific Threat Intelligence Sources
| Cloud Provider | Security Feed | What It Covers | Frequency |
|---|---|---|---|
| AWS | AWS Security Bulletins | AWS service vulnerabilities, best practices | Weekly |
| AWS | AWS Security Blog | New security features, threat research | Weekly |
| Azure | Microsoft Security Response Center | Azure vulnerabilities, security updates | Weekly |
| Azure | Microsoft Defender Threat Intelligence | Azure-specific threats, actor tracking | Real-time |
| GCP | Google Cloud Security Bulletins | GCP service vulnerabilities | Weekly |
| GCP | Google Cloud Threat Horizon | Cloud threat landscape, research | Quarterly |
| Multi-cloud | Cloud Security Alliance (CSA) | Cloud security research, best practices | Quarterly |
| SaaS | SaaS Alerts | Major SaaS breaches (Okta, Twilio, etc.) | As needed |
| SaaS | Vanta/Drata/Sprinto | Compliance-focused security updates | Monthly |
Cloud Threat Intelligence Priorities
| Threat Category | Example | Intelligence Source | Action |
|---|---|---|---|
| Misconfiguration | Public S3 bucket exposed | AWS Security Bulletins, CSPM alerts | Automated CSPM + manual review |
| Credential compromise | Leaked AWS access keys in GitHub | Dark web monitoring, GitHub secret scanning | Rotate keys, implement pre-commit hooks |
| API abuse | Credential stuffing on auth API | SIEM alerts, application logs | Rate limiting, MFA, anomaly detection |
| Supply chain | Compromised npm package | Snyk, npm audit, SCA tools | Dependency scanning, SBOM |
| Container escape | Vulnerable container runtime | Docker Security, K8s CVE feed | Runtime security, image scanning |
| Cloud ransomware | Ransomware targeting cloud backups | CISA alerts, cloud-specific threat feeds | Immutable backups, air-gapped recovery |
| Insider threat | Employee exfiltrating customer data | DLP alerts, UBA, access logs | DLP, UBA, access monitoring |
| AI/ML poisoning | Adversarial input to ML model | AI security research, academic papers | Adversarial training, input validation |
Cloud Threat Intelligence Integration
## Example: Terraform + AWS Config for threat-driven compliance
## Block IPs from threat intelligence feed automatically
resource "aws_wafv2_ip_set" "threat_intel_blocklist" {
name = "threat-intel-blocklist"
description = "IPs from threat intelligence feed"
scope = "REGIONAL"
ip_address_version = "IPV4"
addresses = data.external.threat_intel_ips.result.ips
}
resource "aws_wafv2_web_acl" "main" {
name = "threat-intel-protected"
description = "WAF with threat intelligence blocklist"
scope = "REGIONAL"
default_action {
allow {}
}
rule {
name = "ThreatIntelBlock"
priority = 1
action {
block {}
}
statement {
ip_set_reference_statement {
arn = aws_wafv2_ip_set.threat_intel_blocklist.arn
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "ThreatIntelBlock"
sampled_requests_enabled = true
}
}
}
MITRE ATT&CK Framework Integration
Why MITRE ATT&CK Matters
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It's the standard language for describing cyber threats.
Benefits for Threat Intelligence:
- Common language, Everyone describes threats the same way
- Gap analysis, "We have detection for T1566 but not T1059"
- Prioritization, Focus on techniques used by actors targeting your industry
- Reporting, "APT41 uses T1566.001 and T1203" is more precise than "they use phishing"
- Detection engineering, Map detection rules to ATT&CK techniques
How to Use ATT&CK for Threat Intelligence
Step 1: Map Your Threats
Threat: "Silent Lynx" Campaign
├── T1566.001 — Spear-phishing Attachment (Initial Access)
├── T1203 — Exploitation for Client Execution (Execution)
├── T1547.001 — Registry Run Keys (Persistence)
├── T1071.001 — Application Layer Protocol: Web Protocols (C2)
└── T1041 — Exfiltration Over C2 Channel (Exfiltration)
Step 2: Map Your Defenses
Defense Coverage for "Silent Lynx":
├── T1566.001 — Email security gateway ✅ (detects malicious PDF)
├── T1203 — EDR + application control ✅ (blocks exploit)
├── T1547.001 — EDR + registry monitoring ✅ (detects run key)
├── T1071.001 — Network monitoring ✅ (detects C2 traffic)
└── T1041 — DLP + network monitoring ✅ (detects exfiltration)
Step 3: Identify Gaps
Gap Analysis:
├── T1566.001 — No user training on PDF phishing ❌ (GAP)
├── T1203 — Adobe Reader not fully patched ❌ (GAP)
├── T1547.001 — Registry monitoring noisy, needs tuning ⚠️ (IMPROVE)
├── T1071.001 — HTTPS inspection not enabled ❌ (GAP)
└── T1041 — DLP not monitoring cloud uploads ❌ (GAP)
Step 4: Prioritize Actions
Priority Matrix:
├── HIGH: Patch Adobe Reader (T1203) — Easy fix, high impact
├── HIGH: Enable HTTPS inspection (T1071.001) — Critical for C2 detection
├── HIGH: Add user training (T1566.001) — Prevents initial access
├── MEDIUM: Tune registry monitoring (T1547.001) — Reduce noise
└── MEDIUM: Extend DLP to cloud (T1041) — Prevent data loss
ATT&CK Navigator for Threat Intelligence
Use the ATT&CK Navigator to:
- Visualize your detection coverage
- Overlay threat actor techniques
- Identify coverage gaps
- Generate coverage reports for auditors
Threat Intelligence Metrics & KPIs
Threat Intelligence Program Scorecard
| Metric | Target | How to Measure | Frequency | Audience |
|---|---|---|---|---|
| Intelligence sources active | >5 free or >1 paid | Count of active feeds | Monthly | CISO |
| Intelligence review completion | 100% | Reviews completed / Reviews scheduled | Weekly | CISO |
| Intelligence items analyzed | >10/week | Count of items with analysis | Weekly | CISO |
| Intelligence items actionable | >30% | Actionable items / Total items | Weekly | CISO |
| IOC blocklist update frequency | <24 hours | Time from IOC discovery to blocking | Weekly | SOC Manager |
| Threat-driven risk register updates | >1/quarter | Risk updates triggered by intelligence | Quarterly | Risk Manager |
| Threat-driven control changes | >1/quarter | Control changes triggered by intelligence | Quarterly | CISO |
| Threat intelligence training completion | 100% | Staff trained / Total staff | Annually | HR |
| Threat-driven incident detections | >1/quarter | Incidents detected due to threat intelligence | Quarterly | SOC Manager |
| Mean time to detect (MTTD) | <30 days | Time from threat emergence to detection | Quarterly | CISO |
| False positive rate | <10% | False positives / Total intelligence alerts | Monthly | SOC Manager |
| Intelligence overhead per actionable item | Decreasing | overhead / Actionable items | Quarterly | CFO |
| ATT&CK coverage | >80% | Techniques with detection / Total relevant techniques | Quarterly | CISO |
| Dark web credential hits | 0 | Leaked credentials found in dark web monitoring | Monthly | CISO |
| Threat intelligence SLA | <4 hours | Time from IOC receipt to SOC notification | Weekly | SOC Manager |
Threat Intelligence on a Budget
Zero-Budget Threat Intelligence Program
| overhead | Component | Implementation |
|---|
/month Budget Program
| overhead | Component | Implementation |
|---|---|---|
| **** | Paid source | CloudSEK (India-focused, affordable) or VirusTotal API premium |
| **** | Platform | MISP hosting (VPS) or CloudSEK SaaS |
| **** | Dark web monitoring | Have I Been Pwned premium or basic dark web service |
| **** | Automation | Zapier/Make.com for workflow automation |
| **** | Analysis time | 2 hours/week from security analyst |
/month Budget Program
| overhead | Component | Implementation |
|---|---|---|
| **** | Enterprise TIP | Recorded Future, ThreatConnect, or CrowdStrike Falcon Intelligence |
| **** | SIEM integration | Professional services or internal engineering time |
| **** | Dark web monitoring | Flashpoint or ZeroFox |
| **** | Custom feeds | Industry-specific or government feeds |
| **** | Analysis team | Dedicated threat intelligence analyst |
Automation: STIX/TAXII & APIs
STIX/TAXII Explained
- STIX (Structured Threat Information Expression), Standard format for representing threat intelligence (JSON/XML)
- TAXII (Trusted Automated Exchange of Intelligence Information), Protocol for exchanging STIX data over HTTPS
Together, they enable automated threat intelligence sharing between organizations and tools.
Free TAXII Feeds
| Feed | URL | Content | Update Frequency |
|---|---|---|---|
| CISA AIS | us-cert.gov/ais | US government threat intelligence | Real-time |
| CIRCL MISP | circl.lu | Luxembourg CIRCL feed | Real-time |
| Botvrij.eu | botvrij.eu | Dutch threat intelligence | Daily |
| DigitalSide | osint.digitalideation.it | Open source threat intelligence | Daily |
| Hail a TAXII | hailataxii.com | Aggregation of multiple feeds | Real-time |
| AlienVault OTX | otx.alienvault.com | Community-driven pulses | Real-time |
Python: Consume TAXII Feed
import requests
from stix2 import parse
## CISA AIS TAXII feed (example)
taxii_url = "https://ais.us-cert.gov/taxii-discovery-service"
headers = {
"X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
"Accept": "application/xml"
}
response = requests.get(taxii_url, headers=headers)
## Parse STIX objects and extract IOCs
## Add IOCs to your firewall, EDR, or SIEM
Python: VirusTotal API for IOC Enrichment
import requests
import os
VT_API_KEY = os.environ.get("VIRUSTOTAL_API_KEY")
def check_ip_reputation(ip_address):
url = f"https://www.virustotal.com/api/v3/ip_addresses/{ip_address}"
headers = {"x-apikey": VT_API_KEY}
response = requests.get(url, headers=headers)
data = response.json()
malicious_votes = data["data"]["attributes"]["last_analysis_stats"]["malicious"]
total_votes = sum(data["data"]["attributes"]["last_analysis_stats"].values())
return {
"ip": ip_address,
"malicious_score": malicious_votes,
"total_score": total_votes,
"reputation": "Malicious" if malicious_votes > 5 else "Suspicious" if malicious_votes > 0 else "Clean"
}
## Example usage
result = check_ip_reputation("192.0.2.100")
print(result)
## {'ip': '192.0.2.100', 'malicious_score': 12, 'total_score': 75, 'reputation': 'Malicious'}
Python: Check Domain Against Threat Feed
import requests
def check_domain_against_urlhaus(domain):
url = "https://urlhaus-api.abuse.ch/v1/host/"
headers = {"Content-Type": "application/x-www-form-urlencoded"}
data = {"host": domain}
response = requests.post(url, headers=headers, data=data)
result = response.json()
if result.get("query_status") == "ok":
urls = result.get("urls", [])
return {
"domain": domain,
"malicious_urls": len(urls),
"threat": "Malicious" if len(urls) > 0 else "Clean"
}
return {"domain": domain, "threat": "Unknown"}
## Example usage
result = check_domain_against_urlhaus("evil-domain.com")
print(result)
## {'domain': 'evil-domain.com', 'malicious_urls': 3, 'threat': 'Malicious'}
India-Specific Threat Intelligence
Indian Threat Landscape
India faces unique threat challenges:
- High mobile malware rates, India has one of the highest mobile malware infection rates globally
- UPI fraud, Digital payment fraud is a massive and growing threat
- APAC-targeted APTs, Chinese and Pakistani APT groups actively target Indian organizations
- Supply chain risks, Heavy reliance on Chinese hardware and software creates supply chain vulnerabilities
- Data localization requirements, DPDP Act requires data protection awareness
- Skill shortage, Shortage of trained cybersecurity professionals
India-Specific Intelligence Sources
| Source | Type | URL | Update Frequency | Best For |
|---|---|---|---|---|
| CERT-In Advisories | Government | cert-in.org.in | Weekly | All Indian organizations, regulatory compliance |
| CERT-In Vulnerability Notes | Government | cert-in.org.in | Weekly | Vulnerability prioritization |
| NCIIPC Alerts | Critical infrastructure | nciipc.gov.in | As needed | Critical infrastructure operators |
| RBI Cyber Security Circulars | Financial | rbi.org.in | Monthly | Banks, NBFCs, fintech |
| SEBI Cyber Security Guidelines | Securities | sebi.gov.in | Quarterly | Stock brokers, mutual funds |
| IRDAI Cyber Security | Insurance | irdai.gov.in | Quarterly | Insurance companies |
| MeitY Cyber Security Division | Government | meity.gov.in | Monthly | Government organizations |
| STQC (Testing & Quality Certification) | Government | stqc.gov.in | Quarterly | IT product security |
| ISAC (Information Sharing and Analysis Center) | Community | Various sector ISACs | Real-time | Sector-specific sharing |
| Data Security Council of India (DSCI) | Industry body | dsci.in | Quarterly | Best practices, research |
| Quick Heal Threat Reports | Vendor | quickheal.com | Monthly | Consumer/endpoint threats |
| Seqrite Threat Reports | Vendor | seqrite.com | Monthly | Enterprise threats |
| K7 Computing Threat Reports | Vendor | k7computing.com | Monthly | Indian threat landscape |
| CloudSEK | India-focused TI | cloudsek.com | Real-time | Indian digital risk monitoring |
| Sattva | India-focused TI | sattva.com | Real-time | Indian threat intelligence |
India-Specific Threat Intelligence Priorities
| Threat | Example | Intelligence Source | Action |
|---|---|---|---|
| UPI fraud | Fake UPI apps, phishing for PIN | RBI circulars, CERT-In, banking ISAC | Customer awareness, transaction monitoring |
| Mobile banking trojans | Anubis, EventBot targeting Indian banks | CERT-In, vendor reports, K7 | Mobile app security, MDM |
| APAC APTs | APT41, Lazarus targeting Indian pharma/tech | CERT-In, CrowdStrike, Group-IB | Enhanced monitoring, supply chain security |
| Power grid attacks | APT targeting Indian critical infrastructure | CERT-In, NCIIPC | Air-gapped networks, anomaly detection |
| Ransomware on SMEs | LockBit, BlackCat targeting Indian SMEs | CERT-In, Bleeping Computer | Backup, EDR, incident response |
| DPDP Act compliance | Data breach notification requirements | CERT-In, legal counsel | Incident response planning, breach notification |
| OT/ICS attacks | Attacks on manufacturing, oil & gas | CERT-In, NCIIPC | OT security, network segmentation |
| Fake job scams | Scammers using company name for fake job offers | Social media monitoring, brand protection | Brand monitoring, legal action |
AI/ML Threat Intelligence
AI-Generated Threats
| Threat | Description | Intelligence Needed | Defense |
|---|---|---|---|
| Deepfake voice phishing | AI-generated voice calls impersonating executives | Audio deepfake detection research, vendor alerts | Out-of-band verification, voice biometrics |
| AI-generated phishing | GPT-generated phishing emails with perfect grammar | Email security feeds, AI text detection | Advanced email security, user training |
| AI-powered malware | Malware that adapts to evade detection | Malware analysis feeds, AI security research | Behavioral detection, EDR |
| Adversarial ML | Attacks on AI/ML systems (poisoning, evasion) | Academic research, vendor alerts | Adversarial training, input validation |
| AI-powered social engineering | Personalized scams at scale | Social engineering research, illustrative scenarios | Verification procedures, awareness training |
| LLM jailbreaks | Bypassing AI safety controls | LLM security research, bug bounty programs | Prompt filtering, output monitoring |
| AI-generated exploits | AI helping write exploit code | Exploit database monitoring, vulnerability research | Patch management, WAF rules |
AI-Powered Threat Intelligence (Defensive)
| Technology | Use Case | Tools/Examples |
|---|---|---|
| LLM for threat summarization | Summarize threat reports into 1-page briefings | ChatGPT, Claude, custom LLM |
| ML for anomaly detection | Detect unusual patterns in network traffic | Darktrace, Vectra, Cisco ETA |
| NLP for dark web monitoring | Automatically extract threats from dark web forums | Recorded Future, Flashpoint, custom NLP |
| AI for IOC extraction | Automatically extract IOCs from threat reports | AI-powered TIPs, custom parsers |
| Predictive analytics | Predict which vulnerabilities will be exploited | Kenna Security, Tenable.ep, custom ML |
| Automated threat hunting | Use AI to hunt for threats in logs | Microsoft Defender, CrowdStrike, Splunk UBA |
Integration with SOC & SIEM
Threat Intelligence → SOC Workflow
┌─────────────────────────────────────────────────────────────┐
│ 1. THREAT INTELLIGENCE FEED │
│ (MISP, TIP, vendor feed, government alert) │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ 2. IOC ENRICHMENT │
│ • Check reputation (VirusTotal, GreyNoise) │
│ • Check if IOC seen in our environment (SIEM query) │
│ • Check if IOC already blocked (firewall/EDR) │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ 3. PRIORITIZATION │
│ • Relevance to our environment? │
│ • Is it already blocked? │
│ • Has it been seen in our logs? │
│ • What is the threat actor's targeting? │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ 4. ACTION │
│ • Block IOC (firewall, EDR, DNS, email gateway) │
│ • Create detection rule (SIEM, EDR, IDS) │
│ • Hunt in logs (retroactive search) │
│ • Alert SOC (high-priority ticket) │
│ • Update risk register (if new threat) │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ 5. FEEDBACK │
│ • Did the detection work? │
│ • Were there false positives? │
│ • Did we find any compromised systems? │
│ • Update intelligence quality assessment │
└─────────────────────────────────────────────────────────────┘
SIEM Integration Example: Splunk
## Splunk ES: Threat Intelligence Framework
## Automatically matches IOCs against all logs
## 1. Enable Threat Intelligence Framework
Settings → Data Inputs → Threat Intelligence Downloads
## 2. Add custom threat feeds
Name: CERT-In_Malicious_IPs
Type: csv
URL: https://cert-in.org.in/advisories.csv
Interval: 3600 (1 hour)
## 3. Enable adaptive response actions
When IOC match found:
- Create notable event (high priority)
- Enrich with VirusTotal (automated)
- Create Jira ticket for SOC analyst
- Send Slack alert to #security-alerts
## 4. Dashboard: Threat Intelligence Matches
index=notable
| stats count by threat_match_type, threat_match_value, src_ip, dest_ip
| sort -count
SIEM Integration Example: Microsoft Sentinel
## Microsoft Sentinel: Threat Intelligence Connector
## Connects to MISP, TAXII, or custom feeds
## 1. Deploy Threat Intelligence solution
Content Hub → Threat Intelligence → Deploy
## 2. Add MISP connector
Data Connectors → MISP → Configure
Server: https://misp.your-org.com
API Key: [your API key]
## 3. Create analytics rule
Name: TI Match - High Priority
Query: ThreatIntelligenceIndicator
| where Active == true and ConfidenceScore > 70
| project TimeGenerated, IndicatorId, ThreatType, ConfidenceScore, SourceIP
## 4. Automated response
When alert triggered:
- Create incident (severity: High)
- Run playbook: Block IP in Azure Firewall
- Notify SOC team via Teams
Threat Intelligence-Driven Vulnerability Prioritization
The Problem: CVSS Doesn't Tell the Whole Story
CVSS scores tell you how severe a vulnerability is technically, but not whether attackers are actually exploiting it. Threat intelligence closes this gap.
Threat-Enhanced Vulnerability Scoring
| Factor | CVSS Only | CVSS + Threat Intel |
|---|---|---|
| Base score | 7.5 (High) | 7.5 (High) |
| Exploit in the wild? | Unknown | Yes, CISA KEV, threat feeds |
| Exploit code available? | Unknown | Yes, Exploit-DB, Metasploit |
| Threat actor targeting? | Unknown | Yes, APT41 actively using this |
| Affects our technology? | Unknown | Yes, we use vulnerable component |
| Prioritized score | 7.5 | 9.5 (Critical) |
| Patch priority | Week 3 | Today |
Vulnerability Prioritization Matrix
| Threat Intel Indicator | CVSS | Priority | Action |
|---|---|---|---|
| CISA KEV + exploit code + APT targeting | 8.0+ | CRITICAL, Patch within 24 hours | Emergency change, all hands |
| CISA KEV + exploit code | 7.0+ | HIGH, Patch within 72 hours | Standard change, expedited |
| Exploit code only | 7.0+ | HIGH, Patch within 7 days | Standard change |
| CISA KEV only | 6.0+ | MEDIUM, Patch within 14 days | Standard change |
| No threat intel | 7.0+ | MEDIUM, Patch within 30 days | Standard change |
| No threat intel | <7.0 | LOW, Patch within 90 days | Standard change |
Automated Prioritization: Python Script
import requests
from datetime import datetime, timedelta
## Fetch CISA KEV list
cisa_kev = requests.get("https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv").text
## Fetch your vulnerability scan results
vulnerabilities = [
{"cve": "CVE-2024-XXXX", "cvss": 8.5, "asset": "web-server-01", "exploit_available": True},
{"cve": "CVE-2024-YYYY", "cvss": 7.2, "asset": "db-server-01", "exploit_available": False},
]
def prioritize_vulnerability(cve, cvss, exploit_available):
# Check if CVE is in CISA KEV
in_kev = cve in cisa_kev
# Calculate priority score
score = cvss
if in_kev: score += 2.0
if exploit_available: score += 1.5
if score >= 9.0: return "CRITICAL", "24 hours"
if score >= 8.0: return "HIGH", "72 hours"
if score >= 7.0: return "HIGH", "7 days"
if score >= 6.0: return "MEDIUM", "14 days"
return "LOW", "30 days"
for vuln in vulnerabilities:
priority, sla = prioritize_vulnerability(vuln["cve"], vuln["cvss"], vuln["exploit_available"])
print(f"{vuln['cve']} on {vuln['asset']}: {priority} — Patch within {sla}")
Governance & Roles
Threat Intelligence Governance Structure
┌─────────────────────────────────────────────────────────────┐
│ THREAT INTELLIGENCE GOVERNANCE BOARD │
│ • Meets quarterly │
│ • Reviews program effectiveness │
│ • Approves budget and resources │
│ • Members: CISO, SOC Manager, IT Director, Legal │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ THREAT INTELLIGENCE MANAGER / LEAD │
│ • Owns the threat intelligence program │
│ • Manages sources, collection, analysis, dissemination │
│ • Reports to CISO │
│ • Skills: Threat analysis, OSINT, malware analysis, network forensics│
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ THREAT INTELLIGENCE ANALYST(S) │
│ • Collect and analyze threat data │
│ • Produce intelligence reports │
│ • Maintain IOC blocklists │
│ • Support incident response with intelligence │
│ • Skills: SIEM, EDR, malware analysis, Python, OSINT │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ SOC ANALYSTS (Consumers) │
│ • Use threat intelligence for detection and response │
│ • Provide feedback on intelligence quality │
│ • Report sightings of IOCs in environment │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ ALL STAFF (Human Sensors) │
│ • Report suspicious emails, calls, activity │
│ • Complete threat awareness training │
│ • Follow reporting procedures │
└─────────────────────────────────────────────────────────────┘
RACI Matrix for Threat Intelligence
| Activity | TI Manager | TI Analyst | SOC Manager | SOC Analyst | CISO | IT Director | All Staff |
|---|---|---|---|---|---|---|---|
| Define intelligence requirements | R | C | C | I | A | I | I |
| Select and vet sources | R | A | C | I | I | I | I |
| Collect threat data | R | A | I | I | I | I | I |
| Analyze threats | R | A | C | C | I | I | I |
| Produce intelligence reports | R | A | C | I | A | I | I |
| Disseminate intelligence | R | A | C | C | I | I | I |
| Update IOC blocklists | R | A | C | C | I | I | I |
| Update risk register | R | C | A | I | A | I | I |
| Integrate with SOC | C | C | R | A | I | C | I |
| Report suspicious activity | I | I | I | C | I | I | R |
| Review program effectiveness | R | C | C | I | A | C | I |
Training & Awareness
Threat Intelligence Training Curriculum
| Audience | Course | Duration | Frequency | Content |
|---|---|---|---|---|
| All staff | Threat Awareness Basics | 30 min | Annually | Phishing, social engineering, reporting |
| IT staff | Technical Threat Awareness | 1 hour | Annually | Vulnerability management, patching, IOCs |
| Security team | Threat Intelligence Fundamentals | 4 hours | Quarterly | Sources, analysis, STIX/TAXII, ATT&CK |
| SOC analysts | Advanced Threat Hunting | 8 hours | Quarterly | Threat hunting, IOC analysis, malware analysis |
| Security managers | Strategic Intelligence | 2 hours | Quarterly | Strategic analysis, reporting, governance |
| Executives | Board Threat Briefing | 30 min | Quarterly | Top 3 threats, business impact, budget needs |
Threat Intelligence Awareness Program
- Monthly threat briefing email, Top 3 threats to the organization, 1-minute read
- Weekly threat digest, For security team, 5-minute summary of week's threats
- Quarterly tabletop exercise, Simulate a threat-based incident (e.g., "APT41 targets us")
- Annual threat landscape review, Complete review of year's threats and lessons learned
- Security awareness posters, "Threat of the Month" with simple protection steps
Implementation Roadmap: 4 Weeks
| Week | Focus | Key Activities | Deliverable | Owner |
|---|---|---|---|---|
| 1 | Define | • Identify intelligence requirements • Select 5–10 free sources • Create threat intelligence log • Assign owner | Threat intelligence procedure + source list | CISO |
| 2 | Collect | • Subscribe to feeds and alerts • Set up MISP or simple spreadsheet • Configure SIEM to collect security events • Set up dark web monitoring | Collection system operational | TI Analyst |
| 3 | Analyze | • Conduct first weekly threat review • Map threats to MITRE ATT&CK • Assess relevance to organization • Update risk register | First analysis report + risk register updates | TI Analyst |
| 4 | Disseminate & Embed | • Create weekly threat summary email • Share IOCs with SOC • Add to meeting agendas • Document feedback loop | Communication established + metrics baseline | TI Manager |
90-Day Program Maturity Plan
| Phase | Days | Activities | Target Maturity |
|---|---|---|---|
| Phase 1: Foundation | 1-30 | Define requirements, select sources, create procedure, begin collection | Level 2 (Defined) |
| Phase 2: Operation | 31-60 | Regular analysis, weekly reports, risk register integration, SOC integration | Level 2–3 (Defined–Managed) |
| Phase 3: Enhancement | 61-90 | Metrics tracking, automation, ATT&CK mapping, training program, governance review | Level 3 (Managed) |
Common Audit Failures & How to Fix Them
| # | Finding | Severity | Why It's Wrong | How to Fix | Timeline |
|---|---|---|---|---|---|
| 1 | No threat intelligence procedure | 🔴 Major | No documented process | Create procedure in 1 day using our template | 1 day |
| 2 | No identified sources | 🔴 Major | Can't prove where intelligence comes from | List 5 sources with justification | 1 day |
| 3 | Subscribed to feed but never read it | 🔴 Major | No evidence of analysis | Schedule 30 min/week, document review | 1 week |
| 4 | SaaS-only approach | 🟡 Minor | No human analysis, just tool outputs | Add manual review step, document analysis | 1 week |
| 5 | No evidence of action | 🔴 Major | Intelligence didn't influence decisions | Log at least one action per quarter (risk update, control change, IOC block) | 1 week |
| 6 | No communication records | 🟡 Minor | Can't prove intelligence was shared | Save emails, meeting minutes, Slack logs | 1 day |
| 7 | No integration with risk management | 🟡 Minor | Threat intelligence is isolated | Cross-reference threat log with risk register quarterly | 1 week |
| 8 | Generic intelligence | 🟡 Minor | Not tailored to organization | Add "Relevance to Us" section to every analysis | 1 week |
| 9 | No metrics | 🟢 Medium | Can't measure effectiveness | Track items analyzed, actionable items, actions taken | 2 weeks |
| 10 | No review or improvement | 🟢 Medium | Program is static | Quarterly review of sources, process, and effectiveness | 1 week |
Illustrative Scenarios: Real Intelligence in Action
Illustrative scenario, a composite example for guidance, not a specific Singahi engagement or a verified outcome.
Illustrative Scenario 1: The Log4j Response (2021)
What happened: Log4j vulnerability (CVE-2021-44228) was disclosed in December 2021. Organizations with threat intelligence programs responded faster and more effectively.
Intelligence-driven response:
- Day 0 (Dec 9): Threat intelligence team identified the vulnerability within hours of disclosure via CISA alert and Twitter/X security researchers
- Day 1: Intelligence team assessed relevance: "We use Log4j in 12 applications. Exploit code is public. Mass exploitation is underway."
- Day 1: Risk register updated: Log4j added as Critical risk with 24-hour treatment deadline
- Day 2: IOCs collected from threat feeds (known exploitation IPs, domains, payloads)
- Day 2: SOC team deployed detection rules for Log4j exploitation attempts
- Day 3: All 12 applications patched or mitigated (WAF rules, Log4j upgrade)
- Week 1: Continuous monitoring for exploitation attempts via SOC and threat feeds
Lessons for A.5.7:
- Threat intelligence enabled 3-day response instead of 3-week response
- Integration with risk management and SOC was critical
- Free sources (CISA, Twitter/X, vendor blogs) were sufficient for initial response
- Having a process meant everyone knew their role and timeline
Illustrative Scenario 2: The SolarWinds Supply Chain Attack (2020)
What happened: Russian APT group compromised SolarWinds Orion software, affecting 18,000+ organizations including US government agencies.
Intelligence failures:
- SolarWinds had no threat intelligence program monitoring supply chain risks
- No intelligence sharing with industry peers about suspicious Orion behavior
- FireEye (a victim) had threat intelligence and detected the attack internally, but no external intelligence predicted the supply chain vector
Intelligence lessons:
- Supply chain threat intelligence is essential for software vendors
- Threat intelligence should include vendor security monitoring
- Industry sharing (ISACs) can detect patterns that individual organizations miss
- "Trust but verify", intelligence should validate vendor security claims
Post-incident intelligence improvements:
- SolarWinds implemented threat intelligence program
- Created SBOM for all products
- Joined software industry ISAC
- Implemented vendor security monitoring
- Added supply chain risk to threat intelligence priorities
Illustrative Scenario 3: The Indian Fintech Phishing Wave (2025)
What happened: A coordinated phishing campaign targeting Indian fintech companies used UPI-themed emails to steal credentials. 15+ companies affected, + in attempted fraud.
Intelligence-driven defense (successful company):
- Week 1: CloudSEK alert about UPI phishing trend targeting Indian fintech
- Week 1: Threat intelligence team assessed: "We are fintech. We use UPI. This is highly relevant."
- Week 2: CERT-In advisory confirmed the campaign
- Week 2: Email security team updated filters for UPI-themed phishing keywords
- Week 2: Security awareness team sent "UPI Phishing Alert" to all staff
- Week 3: SOC detected and blocked 47 phishing emails targeting the company
- Week 4: No successful breaches. Competitors without intelligence program had 3 breaches.
Lessons for A.5.7:
- India-specific intelligence (CloudSEK, CERT-In) is critical for Indian organizations
- Timely communication of intelligence to all staff prevented breaches
- Free + paid sources combined for complete coverage
- Intelligence-driven awareness is more effective than generic training
Multi-Framework Mapping
| ISO 27001:2022 | SOC 2 Type II | PCI DSS 4.0 | NIST 800-53 Rev 5 | DORA | COBIT 2019 |
|---|---|---|---|---|---|
| A.5.7 | CC7.2, CC7.3 | 12.10.1 | RA-3, RA-5, SI-5 | Art. 8, Art. 11 | APO12.01, APO12.02, APO12.03 |
| A.5.35 | CC7.2 | 12.10.1 | CA-2, CA-7 | Art. 8 | APO14.02 |
| A.6.3 | CC2.2 | 12.6.1 | AT-2, AT-3 | Art. 13 | BAI05.01 |
| A.8.8 | CC8.1 | 6.5.1 | RA-5, SI-5 | Art. 12 | BAI03.01 |
| A.8.16 | CC7.2 | 10.2.1, 10.3.1 | AU-6, AU-7, SI-4 | Art. 11 | DSS05.01 |
FAQ
What is the minimum requirement for A.5.7?
Documented process + evidence of analysis + evidence of action. The minimum is:
- A written procedure for collecting and analyzing threat intelligence
- A list of identified sources (internal and external)
- Evidence that someone regularly reviews the intelligence (logged entries, meeting minutes)
- Evidence that the intelligence influenced a decision (risk register update, control change, IOC block, etc.)
Can we just use a paid threat intelligence platform and pass the audit?
No, auditors specifically look for human analysis. A SaaS platform alone is not enough. You need evidence that:
- Someone reviewed the intelligence
- Someone assessed relevance to your organization
- Someone took action based on the intelligence
- The process is documented, not just the tool output
How much time does threat intelligence require?
| Maturity Level | Time per Week | Who |
|---|---|---|
| Ad-hoc | 30 min | CISO or security lead |
| Defined | 1–2 hours | Security analyst |
| Managed | 4–8 hours | Dedicated TI analyst |
| Measured | 16–24 hours | TI team (2+ analysts) |
| Optimized | 40+ hours | TI team + automation + ML |
Do we need a dedicated threat intelligence analyst?
Not for small organizations. A small company (1-50 employees) can have the CISO or IT manager spend 30 minutes per week on threat intelligence. Medium companies (50-500) should have a security analyst dedicate 1-2 hours per week. Large companies (500+) should have a dedicated threat intelligence analyst or team.
What if we can't afford a threat intelligence platform?
Free tools are sufficient for A.5.7 compliance. MISP (free, open-source), AlienVault OTX (free), VirusTotal (free tier), CISA KEV (free), CERT-In (free), and 30 minutes per week of analyst time are enough to pass an ISO 27001 audit. The platform helps with efficiency and scale, but it's not required for compliance.
How do we integrate threat intelligence with our risk register?
Quarterly cross-reference: Review your threat intelligence log and ask:
- "Which threats from the past quarter affect our risk register?"
- "Do any risks need their likelihood or impact updated?"
- "Do we need new risks based on emerging threats?"
- "Did any intelligence validate or invalidate our current risk assessments?"
Document these updates in the risk register with the threat intelligence source cited.
What is STIX/TAXII and do we need it?
STIX/TAXII are standards for automated threat intelligence sharing. You need them if:
- You want to automate IOC sharing between tools (SIEM, firewall, EDR)
- You want to join threat sharing communities (ISACs, sector groups)
- You have a mature program with multiple tools
For basic A.5.7 compliance, STIX/TAXII are not required. Manual processes (spreadsheet, email, wiki) are sufficient.
Advanced Threat Intelligence Concepts
Threat Intelligence Lifecycle Maturity
Organizations should evolve their threat intelligence program through five maturity levels:
| Level | Name | Characteristics | Tools | Staffing |
|---|---|---|---|---|
| 1 | Ad Hoc | Reactive, occasional news monitoring | Free feeds, Google Alerts | 0.1 FTE (shared role) |
| 2 | Defined | Regular monitoring, basic IOC collection | MISP, CERT-In, RSS feeds | 0.25 FTE |
| 3 | Managed | Structured collection, analysis, and distribution | SIEM integration, TIPs, STIX/TAXII | 0.5 FTE |
| 4 | Integrated | Automated IOC ingestion, threat hunting, predictive analysis | SOAR, EDR, XDR, custom playbooks | 1-2 FTE |
| 5 | Optimized | Intelligence-led security, proactive disruption, community contribution | Full TIP ecosystem, AI/ML analysis, ISAC membership | 2-5 FTE + external partnerships |
Indian Organizations, Typical Starting Point: Most Indian SMEs start at Level 1-2. The goal for ISO 27001 compliance is Level 2-3. Organizations in critical infrastructure (BFSI, telecom, power) should aim for Level 4-5.
Sector-Specific Threat Intelligence Sources
Banking and Financial Services:
- FS-ISAC (Financial Services Information Sharing and Analysis Center): Global financial threat intelligence
- CERT-Fin (CERT-In Financial Sector): India-specific financial sector alerts
- RBI Cyber Security Alerts: Circulars and advisories on emerging threats
- NPCI Security Bulletins: UPI, IMPS, RuPay-specific threat intelligence
- SWIFT CSP Intelligence: For organizations using SWIFT messaging
Healthcare:
- H-ISAC (Health ISAC): Global healthcare threat intelligence
- CERT-Health (via CERT-In): Healthcare sector advisories
- MoHFW Cybersecurity Alerts: Ministry of Health advisories
- Medical Device Security Alerts: FDA, CDSCO alerts on device vulnerabilities
Government and Critical Infrastructure:
- NCIIPC (National Critical Information Infrastructure Protection Centre): Critical infrastructure threat alerts
- CERT-In Advisories: Mandatory for government organizations
- MeitY Security Guidelines: Sector-specific security directives
- National Cyber Coordination Centre (NCCC): Macro-level threat situational awareness
IT/ITeS and SaaS:
- Cloud Security Alliance (CSA): Cloud-specific threat intelligence
- Vendor Security Advisories: AWS, Azure, GCP security bulletins
- SaaS Security Alliance: Multi-tenant SaaS threat intelligence
- Bug Bounty Intelligence: HackerOne, Bugcrowd reports on common vulnerabilities
Threat Intelligence Metrics and KPIs
| Metric | Formula | Target | Frequency |
|---|---|---|---|
| Time to Intelligence | Time from threat emergence to internal alert | < 24 hours | Weekly |
| IOC Consumption Rate | (IOCs ingested / IOCs received) × 100 | > 80% | Monthly |
| False Positive Rate | (False positives / Total alerts) × 100 | < 5% | Monthly |
| Mean Time to Detect (MTTD) | Average time from compromise to detection | < 4 hours | Monthly |
| Threat Intelligence Coverage | (Threat categories covered / Total relevant categories) × 100 | > 90% | Quarterly |
| Intelligence-to-Action Ratio | (Actions taken based on intel / Intel items received) × 100 | > 30% | Quarterly |
| Attack Surface Reduction | (Critical exposures closed due to intel / Total exposures) × 100 | > 20% | Quarterly |
| Threat Hunting Findings | Number of threats found proactively per quarter | > 2 | Quarterly |
| Intel Source Diversity | Number of independent threat intelligence sources | > 5 | Quarterly |
| overhead per Incident Prevented | Threat intelligence program overhead / Incidents prevented | Decreasing trend | Annual |
Threat Intelligence Automation
Automation Tier 1, Basic (Free Tools):
- CERT-In RSS feed → Email alert
- CISA KEV JSON → Weekly spreadsheet update
- MISP → Manual CSV export to SIEM
Automation Tier 2, Integrated (Commercial/Open Source):
- TIP platform → STIX/TAXII → SIEM/EDR
- SOAR playbook: New IOC → Auto-block firewall → Alert SOC → Create ticket
- Threat feed → Auto-enrich alert with threat context
Automation Tier 3, Advanced (Enterprise):
- AI/ML-based threat prediction
- Automated threat hunting queries
- Self-healing security controls (auto-patch, auto-isolate)
- Predictive risk scoring based on threat landscape
Threat Intelligence and Incident Response Integration
Pre-Incident Phase:
- Threat intelligence feeds populate watchlists and detection rules
- Threat actor TTPs map to MITRE ATT&CK for detection engineering
- Vulnerability intelligence prioritizes patching
During Incident:
- IOCs from threat intelligence accelerate containment (known bad IPs, file hashes)
- Threat actor profiles inform response strategy (ransomware groups vs. nation-state APTs)
- External intelligence confirms scope ("This threat actor typically targets X, Y, Z")
Post-Incident:
- Incident data enriches internal threat intelligence
- New IOCs extracted and distributed to security controls
- Lessons learned update threat models and detection rules
- Intelligence shared with industry peers (via ISACs) if appropriate
Building an Internal Threat Intelligence Team (India Context)
Team Structure for Indian Organizations:
| Role | Responsibilities | Experience | Salary Range (India) |
|---|---|---|---|
| Threat Intelligence Analyst | Monitor feeds, analyze threats, produce reports | 2-4 years | -12 LPA |
| Threat Hunter | Proactive hunting, hypothesis-driven investigation | 4-6 years | -20 LPA |
| Intelligence Engineer | Tool integration, automation, STIX/TAXII | 3-5 years | -18 LPA |
| Intelligence Manager | Strategy, external partnerships, reporting to leadership | 6+ years | -35 LPA |
Outsourcing vs. In-House:
- Micro organizations (< 50 employees): Fully outsource to MSSP or use Singahi's managed threat intelligence service
- Small organizations (50-200): Hybrid, in-house analyst + external TIP feed
- Medium organizations (200-1000): In-house team (2-3 analysts) + external ISAC membership
- Large organizations (1000+): Full in-house team + external intelligence partnerships
Legal and Ethical Considerations in Threat Intelligence
Legal Boundaries:
- Do not hack back or actively disrupt threat actors (illegal under IT Act 2000)
- Do not share personal data of suspected threat actors without legal authorization
- Do not use deceptive practices (fake personas, honeypots) that violate privacy laws
- Do obtain proper authorization for internal monitoring and data collection
- Do comply with DPDP Act 2023 when processing personal data for threat intelligence
Ethical Guidelines:
- Share intelligence responsibly, anonymize where appropriate
- Do not share intelligence with malicious intent or for competitive advantage in unethical ways
- Respect vendor confidentiality when sharing vulnerability information
- Give credit to original intelligence sources
- Maintain objectivity, do not exaggerate threats for budget or attention
Indian Legal Context:
- Section 43A of IT Act 2000: Compensation for failure to protect data, applies to threat intelligence data too
- Section 69: Government power to intercept, organizations must have legal basis for monitoring
- DPDP Act 2023: Consent and purpose limitation for data processing
- CERT-In Directions 2022: Mandatory reporting of incidents, threat intelligence may trigger reporting obligations
Additional FAQ
Q11: How do we measure the ROI of threat intelligence? A: Measure incidents prevented (estimated efficiency gains), mean time to detect reduction, vulnerability remediation speed, and audit compliance. A typical Indian organization preventing 2-3 incidents per year saves -50 lakhs, justifying the threat intelligence program overhead.
Q12: Can we use AI for threat intelligence analysis? A: Yes, AI/ML tools can process vast amounts of threat data, identify patterns, and predict emerging threats. However, human analysts are still essential for context, judgment, and decision-making. Use AI as a force multiplier, not a replacement.
Q13: How do we handle threat intelligence in a multi-cloud environment? A: Use cloud-native threat intelligence services (AWS GuardDuty, Azure Sentinel, GCP Security Command Center) and aggregate them into a central TIP or SIEM. Ensure cloud provider threat feeds are integrated with on-premise security controls.
Q14: What is the role of threat intelligence in board reporting? A: Summarize threat landscape in business terms: "We identified X active threats targeting our sector, Y vulnerabilities exploited in the wild, and Z incidents prevented this quarter. Recommended investment: [specific control]." Use metrics, not technical jargon.
Q15: How do we integrate threat intelligence with vendor risk management? A: Monitor threat intelligence for vendor-specific vulnerabilities (e.g., CVEs in your vendors' products). Subscribe to vendor security advisories. Include threat intelligence requirements in vendor contracts ("Vendor must share threat intelligence relevant to their products within 24 hours").
Q16: Should we participate in threat intelligence sharing communities? A: Yes, ISACs and sector-specific sharing groups provide invaluable peer intelligence. In India, consider FS-ISAC (finance), H-ISAC (healthcare), and CERT-In sectoral programs. Start as a consumer of intelligence; contribute as your maturity grows.
Q17: How do we handle false positives in threat intelligence? A: Implement a feedback loop: analyst reviews alerted IOCs, validates true/false positive, updates whitelist/blacklist. Track false positive rate monthly. Tune detection rules based on intelligence context. Use reputation scoring (not all IOCs are equally reliable).
Q18: What is the difference between tactical, operational, and strategic threat intelligence? A: Tactical intelligence is immediate IOCs (IPs, hashes, domains) for blocking. Operational intelligence is TTPs (how attackers operate) for detection and hunting. Strategic intelligence is high-level trends (threat actor motivations, industry targeting) for executive decision-making. All three are needed for a complete program.
Q19: How do we handle threat intelligence during a merger or acquisition? A: Conduct threat intelligence assessment of the target company's exposure before acquisition. Check if their IP ranges, domains, or executives appear in threat actor targeting. Post-acquisition, integrate their threat intelligence into your program and apply your standards to their environment.
Q20: Can threat intelligence help with compliance beyond ISO 27001? A: Absolutely. Threat intelligence supports DPDP Act 2023 (security safeguards), RBI Cyber Security Framework (threat monitoring), SEBI guidelines (cyber resilience), and PCI DSS (threat awareness). A single threat intelligence program serves multiple compliance requirements.
Indian Threat Landscape, 2026 Overview
Active Threat Actors Targeting India
| Threat Actor | Motivation | Primary Targets | Known TTPs |
|---|---|---|---|
| APT36 (Transparent Tribe) | Nation-state (Pakistan) | Government, defense, education | Spear phishing, malicious documents, USB worms |
| APT32 (OceanLotus) | Nation-state (Vietnam) | Automotive, manufacturing | Watering hole attacks, supply chain compromise |
| SideWinder | Nation-state | Government, nuclear, maritime | Exploit docs, LOJBAN, C2 infrastructure |
| CryptoCore | Financial | Cryptocurrency exchanges | Credential harvesting, SIM swapping |
| FIN7 / Carbanak | Financial | Banking, hospitality | Malware, POS compromise, supply chain |
| Indian Ransomware Groups | Financial | SMEs, healthcare, education | Phishing → RDP → Encryption |
Top 10 Threat Vectors in India (2026)
- Phishing and Social Engineering, 78% of incidents start with phishing
- Ransomware, 40% YoY growth, average demand s
- Supply Chain Attacks, Third-party software compromise increasing
- Credential Stuffing, Reuse of breached credentials from Indian breaches
- Insider Threats, Data theft by departing employees, contractor misuse
- Cloud Misconfiguration, Exposed S3 buckets, open databases
- IoT and OT Vulnerabilities, Smart city devices, industrial control systems
- Mobile Banking Trojans, Android malware targeting UPI apps
- Business Email Compromise (BEC), Invoice fraud, CEO fraud targeting Indian exporters
- DDoS, Extortion-driven attacks on e-commerce during festivals
CERT-In Statistics (2025-2026)
- Total Incidents Reported: 1.4 million (up 35% from previous year)
- Ransomware Incidents: 312 reported (actual numbers much higher due to underreporting)
- Financial Fraud: s lost to cyber fraud
- Critical Infrastructure Attacks: 89 reported to NCIIPC
- Data Breaches: 450+ major breaches affecting Indian citizens
Indian Regulatory Context for Threat Intelligence
Indian organizations should integrate CERT-In, NCIIPC and sector-specific advisories into their threat intelligence program. CERT-In publishes periodic alerts on malware campaigns, vulnerabilities and attack trends affecting Indian entities, while NCIIPC shares threat intelligence for critical information infrastructure. RBI and SEBI circulars expect regulated entities to monitor threat intelligence and incorporate relevant indicators into security monitoring. The DPDP Act 2023 adds a data-protection lens: threat intelligence must not inadvertently process personal data without a lawful basis, and breach indicators that reveal a personal data breach must trigger Section 8(6) intimation. Singahi recommends that Indian companies subscribe to at least one India-focused threat feed, participate in industry forums such as DSCI and relevant ISACs, and document how external intelligence is actioned within 24 hours.