Threat Intelligence Collection and Sharing
Not sure you’re ready?
Take the ~3-minute readiness diagnostic and see where you stand.
An isolated security operations center operates much like a lone astronomer scanning the night sky with a single telescope. They might spot a fleeting anomaly—a new comet or a passing satellite—but without consulting other observatories, they cannot determine its trajectory, its origin, or whether it poses an imminent threat. In modern cybersecurity, relying solely on internal telemetry is similarly myopic. Threat intelligence transforms defense from a fragmented, reactive scramble into a unified, proactive front. By gathering, refining, and securely broadcasting the digital footprints of adversaries, defenders map the entire threat landscape before the adversary strikes.

To master threat intelligence, we must examine the entire pipeline: how we source the data, how we format it for machines, how we share it legally and securely, and ultimately, how it changes the daily reality of incident response.
Before we collect intelligence, we must understand who we are collecting it for. Threat intelligence is not a monolithic feed of malicious IP addresses; it scales across three distinct levels of abstraction, serving different audiences within an organization.
-
Tactical threat intelligence consists of highly technical machine-readable indicators of compromise. This is the domain of the SOC analyst. It includes malicious IP addresses, file hashes, and domain names. Its primary utility is immediate detection and automated blocking.

Tactical intelligence relies heavily on specific, machine-readable indicators of compromise, such as cryptographic hashes of known malicious files. -
Operational threat intelligence focuses on adversary tactics, techniques, and procedures. This intelligence answers how the adversary operates. Incident responders and threat hunters use operational intelligence to understand an attacker's methodology (e.g., their preferred privilege escalation exploits) allowing defenders to build behavioral rules rather than just chasing easily altered file hashes.

Operational intelligence goes beyond static indicators to describe an attacker's behavior, such as the specific techniques they use to achieve privilege escalation. -
Strategic threat intelligence informs executive decision-making regarding long-term cyber risks. This is non-technical analysis directed at the C-suite and Board of Directors. It maps geopolitical trends, financial motivations, and broad shifts in the threat landscape to guide budgetary and architectural investments.
An analyst must feed their security tools with high-quality data. Broadly, we divide intelligence gathering into two methodological camps: open-source and closed-source. Each plays a distinct, necessary role in a mature security posture.
Open-Source Intelligence (OSINT)
By definition, open-source intelligence relies on publicly available information. Analysts monitor the broader internet to catch early whispers of new campaigns or zero-day vulnerabilities. Common open-source intelligence sources include public security blogs, code repositories, and social media platforms.
However, OSINT comes with a steep operational cost: noise. Because anyone can publish it, open-source threat intelligence requires significant filtering to remove irrelevant data. If a SOC ingests raw OSINT feeds directly into an alerting pipeline, analysts will rapidly drown in false positives triggered by benign research tools or misidentified IP addresses.
Closed-Source Intelligence
In contrast, closed-source threat intelligence involves proprietary data obtained through paid subscriptions. Cybersecurity vendors maintain massive global sensor networks, honeypots, and dedicated research teams to cultivate this data.

Because vendors have the resources to verify and curate their data, closed-source intelligence feeds typically provide higher fidelity indicators than open-source feeds. You are paying for accuracy, context, and immediate integration readiness.
| Feature | Open-Source Intelligence (OSINT) | Closed-Source Intelligence |
|---|---|---|
| Data Source | Public blogs, social media, code repositories | Proprietary sensor networks, vendor research |
| Cost | Free to acquire (but high operational cost to filter) | Paid subscription models |
| Fidelity | Highly variable; high false-positive rate | High fidelity; curated and verified |
| Primary Use | Early warning, broad context, independent research | Automated ingestion, reliable alerting |
Intelligence is only useful if it can be actioned quickly. If an analyst receives a PDF report detailing a new malware variant, they must manually extract the malicious IP addresses and paste them into a firewall blocklist. By the time they finish, the adversary has already moved to a new infrastructure.
To win, we must automate. Machine-readable threat intelligence enables automated blocking of malicious IP addresses in firewalls and updates to endpoint detection systems at machine speed. To achieve this, the cybersecurity community engineered a standardized syntax and transport mechanism.
- Structured Threat Information eXpression (STIX) is a standardized language for representing cyber threat information. It provides a common JSON-based structure so that a firewall produced by Vendor A can perfectly understand a threat report generated by Vendor B.
- Embedded within this ecosystem is Cyber Observable eXpression (CybOX). Where STIX outlines the broad threat campaign, Cyber Observable eXpression provides a standardized schema for specifying and capturing cyber observables—the precise, measurable events or stateful properties (like a specific registry key modification or a network connection).
- To move this structured data across the wire, we use Trusted Automated eXchange of Intelligence Information (TAXII). TAXII is an application layer protocol used to transmit Structured Threat Information eXpression data.
The Analogy: Think of STIX as the grammar and vocabulary of a language. CybOX provides the specific nouns and verbs. TAXII is the telephone line that carries the conversation between two machines.
Managing these streams of machine-readable data requires specialized infrastructure. Threat intelligence platforms (TIPs) aggregate, normalize, and distribute threat data from multiple external sources. A TIP acts as the grand junction box of a SOC. It pulls in STIX/TAXII feeds, strips out the duplicates, and pushes the refined data to the defensive tools. Consequently, ingesting shared threat intelligence feeds directly into a Security Information and Event Management (SIEM) system automates indicator matching. The moment a known-bad indicator touches the network, the SIEM triggers an alert without human intervention.

When organizations operate in silos, an adversary can use the exact same attack infrastructure against fifty different companies in sequence. But when the first victim shares the intelligence, the other forty-nine can block the attack before it reaches them. Threat intelligence sharing reduces the time required for security teams to detect new adversary campaigns.
To facilitate this, both government and private sectors have established formal sharing structures:
-
Automated Indicator Sharing (AIS): The Cybersecurity and Infrastructure Security Agency (CISA) manages the Automated Indicator Sharing initiative. Recognizing the need for speed, the Automated Indicator Sharing initiative enables the real-time exchange of machine-readable cyber threat indicators between the US federal government and the private sector. Unsurprisingly, the Automated Indicator Sharing initiative utilizes STIX and TAXII protocols to achieve this real-time pipeline.
-
ISACs: Because different industries face distinct threat actors (e.g., a financial group faces different malware than a power grid), Information Sharing and Analysis Centers facilitate threat intelligence sharing within specific critical infrastructure sectors. Examples include the FS-ISAC (Financial Services) and the E-ISAC (Electricity).

Information Sharing and Analysis Centers (ISACs) tailor threat intelligence sharing to the unique risks of specific critical infrastructure sectors, such as the electrical power grid. -
ISAOs: What if an organization does not fit neatly into a critical infrastructure sector, like a regional chamber of commerce or a group of specialized legal firms? Information Sharing and Analysis Organizations facilitate threat intelligence sharing across non-sector-specific communities.
By participating in these ecosystems, sharing threat intelligence helps organizations shift from reactive incident response to proactive risk management. Instead of waiting for an alarm to go off, defenders actively patch vulnerabilities and block adversary infrastructure preemptively based on community warnings.
Sharing intelligence is fraught with legal and reputational peril. If a hospital shares an indicator of compromise that accidentally includes a patient's personally identifiable information (PII), or admits to a breach prematurely, the consequences are severe.
To safely engage in community defense, organizations must adhere to strict governance frameworks. The National Institute of Standards and Technology (NIST) Special Publication 800-150 provides guidelines for establishing cyber threat information sharing relationships. These guidelines emphasize that threat intelligence sharing agreements must define legal boundaries regarding data privacy. Before a single IP address is transmitted, legal teams must agree on liability, data retention, and regulatory compliance.
Furthermore, anonymizing shared threat intelligence protects the identity of the reporting organization. If an ISAC broadcasts a new ransomware IoC, the feed strips away the victim's identity. The community gets the defensive value of the indicator without exposing the victim to public relations damage or regulatory scrutiny.

The Traffic Light Protocol (TLP)
To maintain trust, the community relies on the Traffic Light Protocol (TLP), which provides a standardized classification system for sharing sensitive threat intelligence. It uses color codes to explicitly dictate how far a piece of intelligence can be disseminated. A SOC analyst must memorize and strictly obey these boundaries.
- Traffic Light Protocol RED indicates information restricted strictly to the individuals present during the disclosure. You cannot forward this email. You cannot paste it into a collaborative chat. It is strictly for the eyes of the specific meeting attendees or direct recipients.
- Traffic Light Protocol AMBER allows information sharing only within the recipient organization or direct clients. Analysts can share this with their internal IR team or SIEM engineers to build defenses, but it cannot leave the company.
- Traffic Light Protocol GREEN permits information sharing within a specific community or industry sector. You may share this with your ISAC peers or partner organizations, but it is not for the general public.
- Traffic Light Protocol CLEAR allows intelligence to be distributed publicly without restrictions. (Note: In older versions of the standard, this was referred to as TLP:WHITE).
By blending rigorous automation (STIX/TAXII) with strict governance (TLP/NIST 800-150) and robust sharing communities (AIS/ISACs), security operations centers cease to be lone telescopes. They become an interconnected array, capable of illuminating the adversary's every move.