___
# Tags
#threat-intel #training #cybersecurity #certifications

So how does Threat Intelligence help you? In short: it doesn't. Not on its own, anyway. So what's the point? Sounds like a pretty big problem to solve, right?

If you've been in the field for even a little bit, you have probably seen a cybersecurity vendor talk about threat intelligence. Oftentimes this takes the form of a "feed" they want to sell you. This is a misconception: intel is not just a list of things a vendor says is bad. If you think about it, what good is a giant list of domains, IPs, emails, etc.? These things require context. What does this list of indicators mean to you? What do they mean to your organization? Why should you even care? Bad stuff happens on the internet all of the time, and 99% of it is not professionally relevant to you.

Threat Intelligence is built on a set of requirements called **PIRs (Priority Intelligence Requirements)**. Think of it like a list of things you are trying to prove to demonstrate the value of the data you are aiming to collect. You also have things called **stakeholders**; these are the people for whom the data matters most. Cybersecurity isn't a revenue stream, so you have to justify the cost of what you are doing by generating value in other ways. The PIRs are the context that matters to your organization. The stakeholders are the people who provide the PIRs for what you are trying to prove.

The next step is to **operationalize** this information. This can be done through metrics and visuals, which allow the stakeholders to make informed decisions as a result of the data.

Good threat intelligence should feed directly into your SOC/CSIRT/CSOC, or whatever acronym your organization uses for its internal cybersecurity operations group that manages incident response.
It should also be something that is used to develop intel products that inform the key stakeholders within your organization to drive cybersecurity within those internal teams.