Threat Intelligence: Sources, Tools, and US Applications
Threat intelligence encompasses the structured collection, analysis, and application of data about adversaries, their tactics, and their targets — enabling organizations to anticipate and counter cyber threats before they materialize as incidents. This page maps the source categories, tool classes, analytical frameworks, and regulatory contexts that define threat intelligence as a professional practice in the United States. The sector spans federal agencies, information sharing bodies, commercial platforms, and internal security operations functions, each operating with distinct data access and mission scope.
Definition and scope
Threat intelligence is formally defined by the NIST Glossary of Key Information Security Terms (NISTIR 7298, Rev. 3) as "threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes." This definition distinguishes raw threat data — IP addresses, file hashes, domain names — from processed intelligence that carries actionable meaning for a specific organization or sector.
The scope of threat intelligence divides into four recognized tiers, each serving a different organizational function:
- Strategic intelligence — High-level analysis of threat actor motivations, geopolitical drivers, and industry-wide targeting trends; consumed by executive leadership and board-level risk committees.
- Operational intelligence — Information about specific planned or ongoing campaigns; used by security operations and incident response teams.
- Tactical intelligence — Adversary techniques, tactics, and procedures (TTPs) mapped to frameworks such as the MITRE ATT&CK® Enterprise Matrix; consumed by security engineers and detection teams.
- Technical intelligence — Machine-readable indicators of compromise (IOCs) such as malicious IP addresses, file hashes, and domain registrations; ingested directly by security platforms.
The Cybersecurity and Infrastructure Security Agency (CISA) operates as the federal government's primary civilian threat intelligence authority, publishing advisories, the Known Exploited Vulnerabilities (KEV) Catalog, and joint advisories with the NSA and FBI. For critical infrastructure protection, CISA coordinates 16 designated critical infrastructure sectors under Presidential Policy Directive 21.
How it works
The threat intelligence lifecycle follows a structured process codified in frameworks including NIST SP 800-150, Guide to Cyber Threat Information Sharing:
- Direction — Stakeholders define intelligence requirements: which threat actors, which asset classes, which geographic or sector exposures are in scope.
- Collection — Data is gathered from open-source intelligence (OSINT), commercial feeds, government sharing programs (e.g., CISA Automated Indicator Sharing / AIS), dark web sources, honeypots, and internal telemetry.
- Processing — Raw data is normalized, deduplicated, and enriched with context — linking an IP address to a known threat actor group, for instance.
- Analysis — Analysts assess relevance, reliability, and urgency. The Diamond Model and MITRE ATT&CK are two frameworks applied at this stage to map adversary behavior.
- Dissemination — Finished intelligence is distributed in formats appropriate to the consumer tier: PDF reports for executives, STIX/TAXII feeds for technical platforms.
- Feedback — Consumers evaluate intelligence quality, closing the cycle and refining future collection requirements.
Information sharing structures formalize collection and dissemination at sector scale. Information Sharing and Analysis Centers (ISACs) exist for 25 critical infrastructure sectors, including the Financial Services ISAC (FS-ISAC) and the Health ISAC (H-ISAC). These organizations exchange threat data under Traffic Light Protocol (TLP) classification, a standard maintained by FIRST (Forum of Incident Response and Security Teams).
Technical intelligence feeds are typically expressed in STIX (Structured Threat Information eXpression) format and exchanged via TAXII (Trusted Automated eXchange of Intelligence Information) — both specifications managed by OASIS Open. Integration with SIEM and log management platforms, and with threat intelligence platforms (TIPs), automates IOC ingestion at machine speed.
Common scenarios
Federal and defense sector: The Department of Defense operates the Defense Cyber Crime Center (DC3) and participates in the Cyber Threat Intelligence Integration Center (CTIIC), which coordinates intelligence across 17 agencies. Defense Industrial Base (DIB) contractors receive threat intelligence through the DIBNet portal under the DoD's Cybersecurity Maturity Model Certification (CMMC) framework.
Financial services: Banks and payment processors subject to FFIEC examination standards are expected to maintain threat intelligence programs that feed directly into their cyber risk management and incident response functions. FS-ISAC's real-time alert network connects over 70 countries, though member density is highest among US-headquartered institutions in North America.
Healthcare: Under HHS guidance, healthcare organizations face persistent targeting from ransomware actors. The HHS 405(d) Health Industry Cybersecurity Practices (HICP) publication explicitly references threat intelligence integration as a mitigating control for the top five healthcare cyber threats identified by the task group. Ransomware defense programs in this sector rely heavily on H-ISAC feeds and CISA advisories.
Security operations centers: SOC teams use threat intelligence to enrich alerts, reduce false positives, and prioritize analyst workflows. A SOC operating without threat context treats every alert with equal weight; with tactical and technical intelligence integrated, analysts can deprioritize known-benign activity and escalate confirmed TTPs matching active threat actor profiles.
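The STIX ingestion and alert-enrichment steps described above (STIX/TAXII feeds and SOC enrichment), as an added Python example that is not from the page: it parses a constructed STIX 2.1 bundle, resolves each indicator's TLP level from the bundle's own marking-definition object, and flags constructed firewall and DNS log lines whose fields match an indicator value. The object ids, the 192.0.2.x address and the example.net domain are placeholders, and only single-comparison STIX patterns are understood.

```python
import json
import re

TS = "2024-01-01T00:00:00.000Z"
TLP_AMBER_ID = "marking-definition--00000000-0000-4000-8000-0000000000aa"  # placeholder id

def _indicator(suffix, name, pattern):
    """Build a minimal STIX 2.1 Indicator object for the constructed bundle below."""
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--00000000-0000-4000-8000-0000000000{suffix}",
            "created": TS, "modified": TS, "valid_from": TS, "name": name, "pattern_type": "stix",
            "pattern": pattern, "object_marking_refs": [TLP_AMBER_ID]}

# Constructed STIX 2.1 bundle (placeholder ids, an RFC 5737 address and an example.net domain; not real IOCs).
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "marking-definition", "spec_version": "2.1", "id": TLP_AMBER_ID, "created": TS,
     "definition_type": "tlp", "name": "TLP:AMBER", "definition": {"tlp": "amber"}},
    _indicator("b1", "placeholder C2 address", "[ipv4-addr:value = '192.0.2.44']"),
    _indicator("b2", "placeholder C2 domain", "[domain-name:value = 'c2.example.net']"),
]})

# Constructed firewall and DNS log lines; only the first and third touch an indicator value.
LOG_LINES = [
    "2024-05-01T10:00:00Z fw action=deny src=10.0.0.5 dst=192.0.2.44 dport=443",
    "2024-05-01T10:00:01Z fw action=allow src=10.0.0.5 dst=192.0.2.45 dport=443",
    "2024-05-01T10:00:02Z dns client=10.0.0.7 query=c2.example.net rcode=NOERROR",
]

# Only single-comparison patterns are parsed here; compound STIX patterns need a real pattern parser.
SIMPLE_PATTERN = re.compile(r"^\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]$")

def load_indicators(bundle_json):
    """Map each indicator value to its type, TLP level and indicator id, resolving TLP via marking-definition objects."""
    objects = json.loads(bundle_json)["objects"]
    tlp_by_id = {o["id"]: o["definition"]["tlp"] for o in objects
                 if o["type"] == "marking-definition" and o.get("definition_type") == "tlp"}
    indicators = {}
    for o in objects:
        m = SIMPLE_PATTERN.match(o["pattern"]) if o["type"] == "indicator" else None
        if not m:
            continue  # not an indicator, or a pattern shape this minimal parser does not handle
        # An object with no TLP marking is treated as TLP:CLEAR; AMBER/RED governs who may see the enriched alert.
        tlp = next((tlp_by_id[r] for r in o.get("object_marking_refs", []) if r in tlp_by_id), "clear")
        indicators[m.group(2)] = {"type": m.group(1), "tlp": tlp, "indicator_id": o["id"]}
    return indicators

def enrich_logs(lines, indicators):
    """Return (log line, matched value, indicator context) for each line whose fields contain an indicator value."""
    return [(line, tok, indicators[tok]) for line in lines
            for tok in re.split(r"[\s=,]+", line) if tok in indicators]
```

The TLP level carried on each hit is what the dissemination step uses to decide which downstream tools and people may receive the enriched alert.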
Dark web monitoring services function as a specialized collection layer, surfacing credential dumps, data broker listings, and threat actor communications that are not indexed by conventional OSINT tools.
Decision boundaries
Threat intelligence is not equivalent to vulnerability management, though the two disciplines intersect. Vulnerability management identifies and remediates weaknesses in an organization's own environment; threat intelligence contextualizes which of those weaknesses are being actively exploited by which actors. CISA's KEV Catalog operationalizes this intersection by identifying the subset of CVEs under active exploitation, and Binding Operational Directive 22-01 requires federal civilian executive branch agencies to remediate KEV entries on the defined timelines attached to each catalog entry.
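The KEV intersection described above, as an added Python example that is not the page's own code: a constructed excerpt in the layout of the CISA KEV JSON feed (field names assumed to match the published feed; the CVE ids are placeholders, not real catalog entries) is joined against constructed scanner findings so that only findings under active exploitation are returned, ordered by their BOD 22-01 due date.

```python
import json
from datetime import date

# Constructed excerpt in the layout of the CISA KEV JSON feed; CVE ids are placeholders, not real catalog entries.
KEV_JSON = json.dumps({"title": "constructed KEV excerpt", "count": 2, "vulnerabilities": [
    {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "placeholder RCE", "dateAdded": "2024-03-01", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2024-03-22",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "OtherProduct",
     "vulnerabilityName": "placeholder auth bypass", "dateAdded": "2024-05-20", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2024-06-10",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner findings: host, CVE id and the CVSS base score the scanner reported.
SCAN_FINDINGS = [
    {"host": "web-01", "cve": "CVE-1900-0001", "cvss": 7.5},
    {"host": "db-02", "cve": "CVE-1900-0002", "cvss": 9.1},
    {"host": "web-01", "cve": "CVE-1900-0003", "cvss": 9.8},  # highest CVSS, but not on KEV
]

def load_kev(kev_json):
    """Index the KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def prioritize(findings, kev, today_iso):
    """Keep only findings whose CVE is on KEV and order them by due date: overdue first, then soonest due,
    with known-ransomware entries ahead on ties. days_remaining is negative once the due date has passed."""
    today = date.fromisoformat(today_iso)
    out = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # not on KEV: leave it to ordinary CVSS-driven triage rather than the KEV deadline
        due = date.fromisoformat(entry["dueDate"])
        out.append({"host": f["host"], "cve": f["cve"], "cvss": f["cvss"], "due_date": entry["dueDate"],
                    "days_remaining": (due - today).days,
                    "ransomware_use": entry.get("knownRansomwareCampaignUse") == "Known",
                    "required_action": entry["requiredAction"]})
    out.sort(key=lambda r: (r["days_remaining"], not r["ransomware_use"]))
    return out

if __name__ == "__main__":
    for row in prioritize(SCAN_FINDINGS, load_kev(KEV_JSON), "2024-06-01"):
        print(row)
```

Note that the finding with the highest CVSS score drops out of the KEV-driven queue entirely, which is the point of the intersection: exploitation evidence, not severity alone, sets the deadline.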
The boundary between threat intelligence and counterintelligence is legally significant. Active measures — accessing adversary infrastructure, attributing attacks for retaliatory purposes, or conducting offensive cyber operations — are reserved for authorized government actors under Title 10 and Title 50 of the US Code. Private-sector organizations are legally constrained to defensive intelligence collection under the Computer Fraud and Abuse Act (18 U.S.C. § 1030).
Organizations selecting threat intelligence capabilities face a build-versus-subscribe decision. An internal threat intelligence team requires analysts with certifications such as GIAC Cyber Threat Intelligence (GCTI) or the Certified Threat Intelligence Analyst (CTIA) credential from EC-Council. Commercial subscription feeds offer coverage breadth but require integration with internal information security frameworks to produce actionable output. The two approaches are not mutually exclusive; hybrid models are common across large enterprise and government environments, where internal teams curate and contextualize externally sourced data.
Supply chain security has elevated the role of third-party threat intelligence. The 2020 SolarWinds supply chain compromise, documented in CISA Emergency Directive 21-01, demonstrated that adversary access through trusted vendor channels evades perimeter-based detection entirely — making external intelligence on supplier compromise the primary detection path for that class of attack.
References
- NIST NISTIR 7298 Rev. 3 — Glossary of Key Information Security Terms
- NIST SP 800-150 — Guide to Cyber Threat Information Sharing
- CISA Known Exploited Vulnerabilities Catalog
- CISA Binding Operational Directive 22-01
- MITRE ATT&CK Enterprise Matrix
- FIRST — Traffic Light Protocol (TLP) Standard
- National Council of ISACs (NCI)
- HHS 405(d) Health Industry Cybersecurity Practices (HICP)
- OASIS Open — STIX/TAXII Specifications
- DoD CMMC Program