Threat Intelligence Programme: How to Build One That Actually Prevents Attacks

Threat intelligence is one of the most misunderstood capabilities in enterprise security. Most organisations either treat it as a checkbox — subscribing to a commercial feed and calling it done — or invest heavily in it without a clear path from raw intelligence to operational action.

The result: security teams receive thousands of indicators of compromise (IOCs) per day, none of which are contextualised for their specific environment, and most of which are stale before anyone acts on them.

This guide covers how to build a threat intelligence programme that closes the loop — from collection and processing to detection, hunting, and incident response.

What Threat Intelligence Actually Is

Threat intelligence is processed information about adversaries — their capabilities, infrastructure, motivations, and tactics — that informs decisions.

The key word is processed. Raw data is not intelligence. An IP address flagged as malicious is not intelligence. Intelligence is the answer to a specific question: Who is likely to target us, how, and what can we do about it?

The Four Types

Strategic intelligence — high-level analysis for executives and board: which threat actors target your industry, what their objectives are, and how your risk posture compares to peers. Drives security investment decisions.

Operational intelligence — campaign-level information about ongoing attacks: specific threat actors, their current infrastructure, active phishing campaigns, or coordinated attack waves. Useful for SOC leadership and incident response.

Tactical intelligence — TTPs (tactics, techniques, and procedures) used by specific threat actors. Maps to MITRE ATT&CK. Used by red teams, detection engineers, and threat hunters to build or validate controls.

Technical intelligence — atomic indicators: IP addresses, domains, file hashes, URLs. Highest volume, shortest shelf life. Directly consumable by security tools (SIEM, firewall, EDR).

Most organisations over-index on technical intelligence (IOC feeds) and under-invest in tactical and operational intelligence where the real detection value lies.

The Intelligence Cycle

A functional threat intelligence programme follows a structured cycle:

1. Direction — Define what questions the programme needs to answer. These come from business priorities and security requirements:

• Which threat actors target financial services SaaS companies in India?
• What techniques are ransomware groups using to bypass our EDR?
• Are any threat actors actively targeting our industry with supply chain attacks?

Without clear requirements, intelligence programmes collect everything and deliver nothing.

2. Collection — Gather raw data from sources relevant to your requirements.

3. Processing — Normalise, deduplicate, and enrich raw data into a usable format.

4. Analysis — Apply analyst expertise to transform processed data into intelligence — answers to the questions defined in Direction.

5. Dissemination — Deliver finished intelligence to the right consumers in a format they can use. A TTP briefing for detection engineers looks completely different from a board-level threat landscape report.

6. Feedback — Consumers evaluate whether intelligence was actionable and accurate. Closes the loop and refines future collection requirements.

Intelligence Sources

Open Source Intelligence (OSINT)

Free and publicly available sources provide the foundation of most threat intelligence programmes:

Threat feeds:

• AlienVault OTX — large community-driven IOC sharing platform with API access
• Abuse.ch — MalwareBazaar, URLhaus, ThreatFox, Feodo Tracker (C2 infrastructure)
• VirusTotal — file and URL reputation; Enterprise API provides richer data
• Shodan — internet-exposed infrastructure; useful for monitoring your own attack surface and tracking threat actor infrastructure
• CIRCL MISP feeds — structured IOC feeds in MISP format
• CISA Known Exploited Vulnerabilities (KEV) — definitive list of vulnerabilities being actively exploited in the wild

Threat actor tracking:

• MITRE ATT&CK — the standard framework for adversary TTPs. Every threat actor’s known techniques are mapped here.
• Malpedia — malware family database with actor attribution
• APT Groups and Operations — community-maintained spreadsheet tracking known APT groups
• DomainTools Iris — domain attribution and infrastructure pivoting

Community and sharing:

• FIRST.org — Forum of Incident Response and Security Teams
• Information Sharing and Analysis Centers (ISACs) for your sector — FS-ISAC for financial services, H-ISAC for healthcare, Auto-ISAC for automotive

Commercial Feeds

Commercial threat intelligence platforms provide curated, high-fidelity feeds with analyst context that OSINT alone cannot match:

• Recorded Future — real-time intelligence across dark web, technical sources, and geopolitical signals. Strong for strategic and operational intelligence.
• Mandiant Advantage — deep threat actor profiles and campaign tracking, especially APT groups. Strong analyst context.
• CrowdStrike Falcon Intelligence — tight integration with EDR; actor profiles linked directly to detections.
• Flashpoint — dark web and deep web intelligence; strong for ransomware group tracking and credential exposure monitoring.
• Digital Shadows (now ReliaQuest) — attack surface monitoring combined with threat intelligence.

Cost ranges from $20,000–$200,000+ per year depending on platform and tier. Start with OSINT before committing commercial budget.

Internal Sources

Your own environment generates intelligence that no external source can provide:

• SIEM logs — patterns in authentication failures, lateral movement, unusual outbound connections
• EDR telemetry — process execution chains, file system changes, network connections
• Email security gateway — phishing attempts, sender infrastructure, malicious attachments
• DNS logs — communication with suspicious domains, DGA (domain generation algorithm) traffic
• Incident history — your past incidents are the most relevant intelligence for future defence

Internal intelligence is often underutilised. A structured hunting programme mines this data systematically.

Threat Intelligence Platforms (TIPs)

A Threat Intelligence Platform aggregates, normalises, and operationalises intelligence from multiple sources. Without a TIP, your team is manually correlating IOCs across spreadsheets — which doesn’t scale.

Open Source TIPs

MISP (Malware Information Sharing Platform) The de facto standard for open source TIP. Originally built for sharing between organisations, now widely used internally.

Key capabilities:

• Ingest structured feeds (STIX/TAXII, CSV, JSON)
• Tag and classify indicators by confidence, threat actor, campaign
• Correlation — automatically links related IOCs
• Export in formats your tools consume (STIX, OpenIOC, CSV, Bro/Zeek rules, Suricata rules)
• Sharing communities — connect to MISP instances at other organisations to share intelligence

Installation: Docker-based deployment, runs on a single VM. MISP Project documentation covers setup.

OpenCTI More modern platform with a graph-based data model. Better UI and visualisation than MISP, especially for tracking relationships between threat actors, malware, and infrastructure.

• Native STIX 2.1 data model
• Strong integration with MITRE ATT&CK
• Connectors for common sources (AlienVault, MISP, VirusTotal, Shodan)
• Playbook automation for enrichment

Both MISP and OpenCTI are production-grade. MISP has a larger community and more sharing integrations; OpenCTI has a better analyst experience.

Commercial TIPs

For larger organisations, commercial platforms include ThreatConnect, Anomali, and ThreatQ. These add workflow automation, analyst collaboration features, and support — at significantly higher cost.

Operationalising Intelligence

The highest-value activity in threat intelligence is not collection — it’s operationalisation: turning intelligence into detections, hunting queries, and configuration changes that stop attacks.

IOC-Based Detections (Tactical)

The most direct path from intelligence to action is blocking or detecting known-bad infrastructure:

Firewall/proxy blocklists: Export high-confidence malicious IP and domain IOCs from your TIP into your firewall or web proxy. Automate the export on a schedule — stale IOCs are worse than none.

# Example: Export IOCs from MISP and push to firewall blocklist
import pymisp

misp = pymisp.ExpandedPyMISP(misp_url, misp_key)
events = misp.search(tags=['tlp:white'], type_attribute='ip-dst', to_ids=True)

malicious_ips = []
for event in events:
    for attr in event.attributes:
        if attr.type == 'ip-dst' and attr.to_ids:
            malicious_ips.append(attr.value)

# Push to firewall API or write to blocklist file

SIEM detection rules: IOCs enriched with TTP context become more valuable. Instead of just alerting on a known-bad IP, correlate it with the associated ATT&CK technique:

# Splunk query: Detect outbound traffic to known C2 infrastructure
# tagged as TA0011 (Command and Control) in your TIP
index=proxy_logs dest_ip IN [| inputlookup c2_iocs.csv | fields ip | rename ip as dest_ip]
| eval technique="T1071 - Application Layer Protocol"
| stats count by src_ip, dest_ip, technique

EDR exclusions and detections: When you know a threat actor uses a specific technique (e.g., reflective DLL injection, process hollowing), validate that your EDR detects it. Use threat intelligence to drive your EDR rule testing.

TTP-Based Detections (Strategic)

IOC-based detections are necessary but not sufficient — IOCs rotate constantly, often within hours. TTP-based detections are more durable because adversary behaviour changes more slowly than infrastructure.

The workflow:

1. Identify threat actors likely to target your organisation (based on industry, geography, technology stack)
2. Pull their known TTPs from MITRE ATT&CK
3. Map TTPs to your detection stack — what do you detect, what are you blind to?
4. Build detections for the gaps

Example: If intelligence indicates that a ransomware group targeting your sector uses T1003.001 (LSASS Memory Dump) for credential access, check whether your EDR detects:

• Access to lsass.exe from non-system processes
• Execution of Mimikatz or similar tools
• Use of procdump.exe -ma lsass.exe

If you’re blind to any of these, build the detection before the threat arrives.

Threat Hunting

Threat intelligence enables proactive hunting — searching your environment for evidence of compromise or attacker activity that your automated detections missed.

A structured hunting programme:

1. Intelligence-led hypothesis: “Threat actor X, which targets Indian fintech companies, uses spearphishing with malicious LNK files (T1566.001 + T1204.002). Have any LNK files been executed recently from user download directories?”
2. Query development: Translate the hypothesis into a search across SIEM/EDR telemetry
3. Investigation: Analyse results, distinguish true positives from false positives
4. Detection creation: Convert confirmed hunts into automated detections
5. Documentation: Record findings to inform future hunts and improve coverage

# Hunt: LNK file execution from user Downloads
index=endpoint_logs process_name="cmd.exe" OR process_name="powershell.exe"
| join pid [search index=endpoint_logs file_extension=".lnk" file_path="*\\Downloads\\*"]
| table _time, hostname, user, process_name, command_line, file_path
| sort _time desc

Measuring Programme Effectiveness

A threat intelligence programme that doesn’t measure outcomes cannot improve. Key metrics:

Coverage metrics:

• % of ATT&CK techniques for relevant threat actors with active detections
• Number of unique threat actors profiled and tracked
• IOC ingestion rate (volume is a vanity metric — coverage by source quality matters more)

Operational metrics:

• Mean time from intelligence ingestion to detection rule deployment
• Number of hunts completed per quarter with positive findings
• False positive rate on IOC-based detections (high FPR = low-quality feeds)

Business impact metrics:

• Incidents detected via intelligence-led hunting vs. automated detection vs. external notification
• Time saved in incident response when IOCs were pre-staged
• Threat actors tracked before they targeted your organisation vs. after

The last metric is the most meaningful. If you’re regularly finding threat actor infrastructure in your blocklists before an incident, your intelligence programme is working.

Getting Started: A Phased Approach

Phase 1 (Weeks 1–4) — Foundation

1. Define your threat profile: Which threat actors are most relevant to your organisation? Use MITRE ATT&CK Groups filtered by your industry.
2. Deploy MISP or OpenCTI on a VM. Connect AlienVault OTX and Abuse.ch feeds.
3. Export IOCs into your SIEM as a lookup table. Build one detection rule per ATT&CK technique for the most relevant threat actors.
4. Subscribe to CISA KEV and prioritise patching for vulnerabilities actively exploited against your sector.

Phase 2 (Months 2–3) — Operationalisation

1. Build a hunting cadence: one structured hunt per week based on recent threat intelligence.
2. Integrate TIP with SIEM, EDR, and firewall. Automate IOC export and blocklist updates.
3. Produce a monthly threat landscape briefing for security leadership covering active campaigns, relevant TTPs, and detection gaps.

Phase 3 (Months 4–6) — Maturity

1. Evaluate commercial intelligence for gaps not covered by OSINT. Prioritise based on hunting findings.
2. Establish sharing relationships — either via an ISAC or bilateral agreements with peers.
3. Build playbooks: for each tracked threat actor, a documented response playbook covering detection, containment, and eradication.
4. Measure programme effectiveness quarterly and adjust collection priorities based on what’s actually proving useful.

Common Mistakes to Avoid

Treating IOC volume as a success metric. A team ingesting 500,000 IOCs per day is not more secure than one ingesting 5,000 high-quality, contextualised indicators. Quality beats quantity every time.

No feedback loop. If analysts never tell the intelligence team whether IOCs triggered real incidents or generated nothing but noise, the programme can’t improve.

Ignoring internal intelligence. Your SIEM and EDR contain the most relevant intelligence for your environment. External feeds are supplementary.

Collecting intelligence without acting on it. Intelligence that doesn’t drive a detection, a patch, a blocklist update, or a hunting hypothesis is wasted.

Skipping the strategy. A threat intelligence programme without defined requirements — what questions does it need to answer? — will drift into collecting everything and answering nothing.

Threat intelligence is one of the highest-leverage capabilities in an enterprise security programme. Done well, it converts reactive incident response into proactive defence — identifying adversary infrastructure before it’s used, detecting techniques before tools trigger, and hunting for evidence of compromise before breaches escalate.

The barrier to entry is lower than most organisations expect. An OSINT-based programme running MISP, hunting weekly, and maintaining ATT&CK-based detection coverage for three or four relevant threat actors delivers significant value at near-zero cost.

CyberneticsPlus delivers threat intelligence integration and threat hunting services for enterprise security teams. Our analysts hold MITRE ATT&CK Defender certifications and work across financial services, SaaS, and critical infrastructure. If your team needs a structured threat hunting engagement or help building an intelligence-led detection programme, contact us.