Advanced Security #threat-intelligence #STIX-TAXII #attribution #indicator-lifecycle

Threat Intelligence

5 exercises — master threat intelligence vocabulary: OSINT vs commercial feed evaluation (FP rate, relevance, staleness), threat actor profiling and attribution caveats ("attribution is hard"), STIX/TAXII standards for automated intel sharing, indicator lifecycle management in a TIP, and actionable vs aspirational intelligence with intel tasking.

0 / 5 completed

Threat intelligence quick reference

Feed quality criteria: false positive rate (high FP = alert fatigue), staleness (how fast expired indicators are removed), relevance (your industry/geography/tech), format (STIX/TAXII vs flat list).
Threat actor profiling components: motivation, capabilities, TTPs (the fingerprint), infrastructure preferences, victimology. "Attribution is hard" — TTP overlap ≠ identity proof; always state confidence level, not certainty.
STIX = data format (JSON schema for threat intel objects). TAXII = transport protocol (REST API for sharing those objects). ISAC = sector-level sharing community using both.
Indicator lifecycle: Fresh → Maturing → Expired → Revoked. IP addresses expire in days–weeks; domains in weeks–months; file hashes persist longer. Remove stale indicators to prevent FPs.
Actionable intelligence: relevant + timely + concrete next action (hunt/block/patch). Aspirational: interesting but no immediate action possible.
Intel tasking: formal directive to hunt, block, or detect based on a specific intel report. High-fidelity indicator: specific, current, low-FP. Threat briefing: structured presentation of findings with actionable guidance.

1 / 5

A threat intel analyst is onboarding new external threat feeds. During a team discussion, a colleague asks: "What's the difference between OSINT and commercial feeds, and why do we care about the false positive rate and feed relevance when selecting a threat feed?"

Explain the key distinctions and selection criteria for threat feeds.

Feed selection is a risk management exercise. Ingesting every available feed without quality control creates alert fatigue and operational overhead that outweighs the security benefit.

Threat feed evaluation dimensions:

Criterion	What to assess	Impact if poor
False positive rate	% of feed indicators that are benign; test against your environment's known-good traffic	High FP rate → alert fatigue; may block legitimate services
Staleness / freshness	How quickly expired indicators are removed from the feed	Stale indicators block legitimate re-used IPs; reduce detection accuracy
Relevance	Alignment with your industry, geography, and technology stack	Low-relevance feed generates noise from threats that will never target you
Format	Structured (STIX/TAXII) vs flat list (CSV, TXT); integration effort	Unstructured feeds require manual processing; automation difficult
Attribution depth	Does it identify actor, campaign, and TTPs, or just raw IOCs?	IOC-only feeds don't enable strategic prioritisation

Practical phrases:
• "We evaluated three commercial feeds. Feed A has a 2% FP rate and strong financial sector coverage — we selected it."
• "The OSINT feed from AlienVault OTX is useful for broadening coverage but we run all indicators through an FP filter before ingesting into the SIEM."

Key vocabulary:
• OSINT (Open Source Intelligence) — threat intelligence gathered from publicly available sources; free; broad coverage; variable quality
• Commercial threat feed — curated threat intelligence from a vendor subscription; active analyst curation; typically higher quality, higher cost
• False positive rate (feed) — the proportion of a feed's indicators that are benign in practice; high FP rate → alert fatigue and blocking of legitimate traffic
• Feed relevance scoring — a method for evaluating how closely a threat feed's coverage matches an organisation's specific industry, geography, and technology threats

2 / 5

A threat intel analyst presents to leadership: "We've been tracking threat actor group TA4122. They match the TTPs of a nation-state group. But I want to be clear about the limits of attribution — attribution is hard, and overconfident attribution can mislead our response strategy."

What does threat actor profiling involve, what is attribution, and why is "attribution is hard" a critical caveat?

"Attribution is hard" is one of the most important epistemic practices in threat intelligence. Overconfident attribution leads to wrong defences, diplomatic incidents, and missed threats from the real actor.

Threat actor profiling elements:

Element	Example
Motivation	Financial (ransomware gangs), espionage (APT groups), hacktivism (ideological)
Capabilities	Custom malware, zero-day exploitation, sophisticated OPSEC — vs. commodity tooling
TTPs	Consistent attack patterns across campaigns; MITRE ATT&CK profile
Infrastructure	Preferred hosting, bulletproof hosting, fast-flux DNS, C2 protocols
Victimology	Who they target: financial sector in Eastern Europe; government agencies; critical infrastructure

Attribution confidence levels in practice:
• "We assess with HIGH CONFIDENCE that this campaign is consistent with Lazarus Group's TTPs, based on custom malware MAgicLine4NX and domain registration patterns — but we cannot rule out a copycat."
• "Attribution is uncertain. The indicators overlap with known Chinese APT groups, but this could be intentional mimicry."

Key vocabulary:
• Threat actor profiling — building a comprehensive picture of an adversary from observable evidence: motivation, capabilities, TTPs, infrastructure preferences, and historical targeting
• Attribution — the act of assigning responsibility for an attack to a specific adversary; inherently uncertain; should include explicit confidence levels
• False flag — deliberate use of another group's TTPs or tools to mislead attribution; a sophisticated attacker tactic
• "Attribution is hard" — the professional acknowledgment that TTP overlap does not prove identity; responsible threat intelligence states confidence levels, not certainties

3 / 5

A security architect says: "We need to implement a STIX/TAXII integration to share threat intelligence with our sector ISAC and automate indicator ingestion into our SIEM. Can you explain the difference between STIX and TAXII and what they each do?"

What is STIX, what is TAXII, and how do they work together?

STIX + TAXII together form the backbone of automated, standardised threat intelligence sharing. Understanding them is essential for any analyst or architect involved in threat intel program design.

STIX/TAXII quick reference:

	STIX	TAXII
Full name	Structured Threat Information eXpression	Trusted Automated eXchange of Intelligence Information
Role	Data format — defines the schema and structure of threat intel objects	Transport protocol — defines how STIX data is shared between systems
Format	JSON (STIX 2.1); defines 18 STIX Domain Objects (threat actor, malware, indicator, campaign, etc.)	REST API over HTTPS; collection-based push/pull model
Analogy	STIX = the language (what threat intelligence looks like)	TAXII = the postal service (how threat intelligence is delivered)

ISAC context:
• ISAC (Information Sharing and Analysis Center) — sector-specific organizations that facilitate threat intelligence sharing among member companies; e.g., FS-ISAC (financial services), H-ISAC (health), E-ISAC (energy)
• "We joined the FS-ISAC and integrated their TAXII server into our TIP. All STIX indicators published by member banks are automatically ingested into our SIEM detection rules within minutes."

Key vocabulary:
• STIX (Structured Threat Information eXpression) — the open standard JSON format for representing threat intelligence as structured, machine-readable objects (indicators, actors, campaigns, malware, relationships)
• TAXII (Trusted Automated eXchange of Intelligence Information) — the open standard transport protocol for sharing STIX data between organizations; REST-based API with collection-based push/pull
• TIP (Threat Intelligence Platform) — a system that aggregates, normalises, and distributes threat intelligence from multiple feeds; integrates with SIEM, SOAR, and firewalls
• ISAC — sector-specific threat-sharing community; uses STIX/TAXII for automated, near-real-time indicator sharing among member organisations

4 / 5

During a TIP (Threat Intelligence Platform) review meeting, an analyst asks: "Why do we have 120,000 indicators in our TIP but our detection team says most of them are expired or stale? What does an indicator's lifecycle look like, and when should we de-prioritise or remove indicators?"

Describe the threat indicator lifecycle and how to manage it in practice.

Indicator lifecycle management is the discipline that keeps threat intelligence operational — preventing a TIP from becoming a legacy blocker database full of expired, FP-generating data.

Indicator lifecycle by type:

Indicator type	Typical lifetime	Reason for variation
IP address	Days to weeks	IPs are frequently recycled; attackers rotate infrastructure rapidly
Domain	Weeks to months	Domain may be sinkholed or expired; or actor may re-use registered domain
File hash (MD5/SHA)	Months to years	A specific malware binary doesn't change unless recompiled; historical value
CVE / vulnerability	Until patched in environment	Relevant as long as the vulnerability exists in the organisation's systems
URL	Days	Phishing URLs/malware drop sites are typically short-lived campaigns

TIP hygiene vocabulary:
• "We have 85,000 indicators in the TIP but 40% are older than 90 days — we're going to run a de-prioritisation review."
• "That IP was flagged 8 months ago but Shodan now shows a legitimate e-commerce site hosting on it. Revoking and removing from active blocking."

Key vocabulary:
• Indicator lifecycle — the progression of a threat indicator from fresh/active → maturing → expired/stale → revoked; determines whether it should remain in active detections
• Stale indicator — an indicator that has aged past its reliable maliciousness window; may generate FPs if kept in active blocking or SIEM detection
• Revoked indicator — a formerly published indicator explicitly withdrawn because it was confirmed as incorrect (FP) or benign
• TIP hygiene — the process of regularly reviewing, de-prioritising, and removing expired or revoked indicators from the Threat Intelligence Platform

5 / 5

A threat intel analyst is presenting findings to the SOC operations team. She says: "The purpose of this threat briefing is to turn raw intelligence into actionable guidance. Not every piece of intel is actionable — some is interesting but you can't do anything with it right now."

What makes threat intelligence "actionable," what is an "intel tasking," and how do you distinguish actionable from aspirational intelligence?

The actionable/aspirational distinction prevents intelligence overload. Not every report needs to generate SIEM rules or hunt campaigns. The analyst's job is to filter: what can we act on NOW, and what do we file for context?

Actionable vs aspirational intelligence:

	Actionable intelligence	Aspirational intelligence
Relevance	Your industry, geography, tech stack	Interesting but not specific to your environment
Timeliness	Active campaign, current IOCs, unpatched CVE	Historical analysis; no current campaign activity
Next action	Hunt campaign, block IOC, patch vulnerability, create detection rule	"Interesting context" — file for awareness; no immediate action
Indicator quality	High-fidelity indicator: specific, current, low FP rate	Low-fidelity: generic, aged, or high-FP-rate indicators

Intel tasking in practice:
INTEL TASKING — TI-2024-094
Source: CISA Advisory AA24-290A — Volt Typhoon pre-positioning in critical infrastructure
Relevance: Advisory applies to energy-sector organisations using LOTL (Living-Off-the-Land) techniques
Tasking: (1) Hunt for T1070.004 (File Deletion via WMIC), T1059.001 (PowerShell), T1083 (File and Directory Discovery) in endpoint logs for 60-day window; (2) Add published domain IOCs to SIEM block list; (3) Verify EDR coverage on OT-adjacent jump hosts
Deadline: 5 business days
Report to: SOC Lead
Key vocabulary:
• Actionable intelligence — threat information that is current, relevant, and specific enough to generate a concrete next action: hunt, block, patch, or detect
• Aspirational intelligence — interesting threat information that cannot yet be directly acted upon; filed for strategic context rather than immediate operational use
• Intel tasking — a formal directive to a security team to perform a specific detection or investigation action based on threat intelligence findings
• High-fidelity indicator — a threat indicator with high specificity, low FP rate, and current relevance; the gold standard of actionable threat intelligence
• Threat briefing — a structured presentation of threat intelligence findings to an operations or leadership audience, with clear actionable guidance