Threat Intelligence Sharing Flashcards
(23 cards)
Processed and analyzed threat data that helps guide security decisions, distinguish false positives, and detect emerging patterns.
Threat intelligence
High-level threat trends and geopolitical context used by executive leadership and CISOs.
Strategic intelligence
Real-time, actionable indicators (like IPs, domains, file hashes) used by SOC analysts for immediate defense.
Tactical intelligence
Intelligence describing attacker motivations, timing, and tools used in specific campaigns.
Operational intelligence
Low-level, machine-consumable data such as malware binaries, registry keys, and file names.
Technical intelligence
Observable evidence like domains, IPs, or filenames that suggest a system has been breached.
Indicator of Compromise (IoC)
A platform that aggregates and normalizes threat data from many sources, helping teams collaborate.
Threat Intelligence Platform (TIP)
The structured format developed to standardize how cyber threat intel is described and shared.
STIX (Structured Threat Information eXpression)
The protocol used to transmit cyber threat data (often in STIX format) between systems securely.
TAXII (Trusted Automated eXchange of Indicator Information)
A sector-specific organization that facilitates sharing cyber threat information among related businesses.
ISAC (Information Sharing and Analysis Center)
A more flexible alternative to ISACs that allows regional or industry-customized threat sharing.
ISAO (Information Sharing and Analysis Organization)
The cybersecurity framework that maps threat actor behavior (TTPs) into a matrix of techniques and tactics.
MITRE ATT&CK
A method for modeling attacks using four components: adversary, capability, infrastructure, and victim.
Diamond Model of Intrusion Analysis
The concept explaining how hard it is for adversaries to modify various indicators (e.g., TTPs vs. file hashes).
Pyramid of Pain
Tools like abuse.ch, AlienVault OTX, and paid threat feeds that supply known-bad IPs, hashes, and URLs.
Threat intelligence feeds
A measure of how trustworthy or useful a threat intel item is, often scored by the reliability of its source.
Confidence rating
Describe how attackers operate; more valuable to defenders than static IoCs because they are harder for adversaries to change.
TTPs
The requirement that intel must be current and relevant — outdated info can cause false positives or missed threats.
Timeliness
The ability of systems to automatically ingest, enrich, and act on threat intel in real time.
Automated threat sharing
Considerations ensuring that shared intel respects privacy, contractual obligations, and regulatory compliance.
Legal and ethical considerations
The added value of understanding threat actor motivation, intent, or industry targeting behind raw indicators.
Context
A pre-planned offensive simulation using real-world threat data to test how well defenses hold up.
Adversary emulation plan
Sharing frameworks that help organizations understand their maturity and capabilities in exchanging threat intel.
Intelligence sharing models (e.g., MISP, NIST, DHS guidelines)