This curriculum spans the design and operation of a mature threat intelligence function, comparable in scope to a multi-phase advisory engagement supporting enterprise-wide integration of intelligence across risk management, detection, and response workflows.
Module 1: Defining Threat Intelligence Requirements in Enterprise Risk Context
- Selecting intelligence sources based on industry-specific threat landscapes, such as APT groups targeting financial services versus healthcare
- Determining whether to prioritize strategic, tactical, or operational intelligence based on stakeholder needs (e.g., CISO vs. SOC)
- Aligning intelligence collection objectives with existing risk assessment frameworks like NIST CSF or ISO 27001
- Establishing criteria for evaluating third-party intelligence feeds, including timeliness, accuracy, and relevance to the organization’s attack surface
- Deciding on internal versus external intelligence sourcing, considering cost, sensitivity, and control over data
- Integrating threat intelligence requirements into enterprise risk appetite statements and board-level reporting cycles
- Mapping intelligence use cases to MITRE ATT&CK techniques relevant to the organization’s infrastructure and applications
- Documenting intelligence requirements in a formal charter that defines ownership, review cycles, and escalation paths
Module 2: Building and Governing a Threat Intelligence Program Structure
- Assigning ownership of the threat intelligence function—centralized SOC, dedicated team, or distributed model across business units
- Defining roles and responsibilities for intelligence analysts, coordinators, and consumers across security and business functions
- Establishing governance committees to review intelligence priorities, resource allocation, and cross-functional dependencies
- Creating service-level agreements (SLAs) for intelligence delivery to incident response, vulnerability management, and fraud teams
- Implementing version control and change management for intelligence playbooks and taxonomy definitions
- Designing escalation workflows for high-confidence, high-impact threat indicators requiring immediate action
- Integrating threat intelligence governance with enterprise risk and compliance oversight bodies
- Developing audit trails for intelligence decisions to support regulatory and internal audit requirements
Module 3: Sourcing and Validating Threat Intelligence Feeds
- Conducting due diligence on commercial intelligence vendors, including sample data analysis and false positive rate evaluation
- Assessing the reliability of open-source intelligence (OSINT) by cross-referencing multiple independent sources
- Onboarding government or ISAC-sourced intelligence while managing classification and dissemination restrictions
- Validating IOCs (Indicators of Compromise) through sandboxing, passive DNS, and historical log correlation
- Filtering out irrelevant or redundant data from aggregated feeds to reduce analyst fatigue
- Implementing automated reputation scoring for intelligence sources based on historical accuracy and timeliness
- Managing legal and privacy constraints when ingesting intelligence containing PII or jurisdiction-specific data
- Establishing feedback loops with vendors to report false positives and improve future data quality
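The validation, filtering and reputation-scoring bullets above describe one pipeline: record what each feed delivered, what analysts later decided about it, and when the indicator actually showed up in your own telemetry, then score feeds on that history. The Python below is an added worked example, not part of this curriculum or of any vendor's product; the feed names, indicators, dispositions and the 0.5/0.3/0.2 weighting are constructed assumptions. It scores each source on precision (confirmed-malicious share of adjudicated indicators, which is the complement of its false-positive rate), timeliness (delivered before the first internal sighting) and uniqueness (not already delivered earlier by another feed), and the same earliest-publisher table doubles as the dedup key for aggregated feeds.

```python
"""Reputation scoring for threat intelligence sources from historical outcomes.

Added example with constructed data. Each FeedRecord is one indicator a feed
delivered, the disposition analysts later gave it, and the first time it was
seen in internal telemetry (if ever). Scoring weights are an assumption to tune.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class FeedRecord:
    source: str
    indicator: str                          # normalised indicator value (constructed)
    published: datetime                     # when the feed delivered it
    disposition: str                        # "tp", "fp" or "unknown" after analyst review
    first_seen: Optional[datetime] = None   # first internal sighting, if any


T0 = datetime(2024, 3, 1)
H, D = timedelta(hours=1), timedelta(days=1)

# Constructed history: two commercial feeds and one OSINT list.
SAMPLE_RECORDS = [
    FeedRecord("vendor-a", "bad-example-1.test", T0, "tp", T0 + 6 * H),
    FeedRecord("vendor-a", "bad-example-2.test", T0, "tp", T0 + D),
    FeedRecord("vendor-a", "cdn-shared.example", T0, "fp"),
    FeedRecord("vendor-a", "bad-example-3.test", T0, "unknown"),
    FeedRecord("vendor-b", "bad-example-1.test", T0 + 12 * H, "tp", T0 + 6 * H),
    FeedRecord("vendor-b", "bad-example-4.test", T0, "tp", T0 + 2 * H),
    FeedRecord("vendor-b", "parking-lot.example", T0, "fp"),
    FeedRecord("vendor-b", "update-mirror.example", T0, "fp"),
    FeedRecord("osint-list", "bad-example-2.test", T0 + 2 * D, "tp", T0 + D),
    FeedRecord("osint-list", "bad-example-1.test", T0 + D, "tp", T0 + 6 * H),
]


def first_publisher(records):
    """Map each indicator to the feed that delivered it first. This is the dedup
    key when merging aggregated feeds and the basis for uniqueness credit."""
    first = {}
    for r in records:
        cur = first.get(r.indicator)
        if cur is None or r.published < cur.published:
            first[r.indicator] = r
    return {ind: rec.source for ind, rec in first.items()}


def precision_by_source(records):
    """Confirmed-malicious share of adjudicated indicators (1 - false-positive rate).
    'unknown' dispositions are excluded so an unreviewed backlog is neutral."""
    tp, fp = defaultdict(int), defaultdict(int)
    for r in records:
        if r.disposition == "tp":
            tp[r.source] += 1
        elif r.disposition == "fp":
            fp[r.source] += 1
    return {s: tp[s] / (tp[s] + fp[s]) for s in set(tp) | set(fp)}


def timeliness_by_source(records):
    """Share of confirmed indicators delivered before the first internal sighting.
    A late indicator still helps scoping an incident, but not preventing one."""
    early, total = defaultdict(int), defaultdict(int)
    for r in records:
        if r.disposition == "tp" and r.first_seen is not None:
            total[r.source] += 1
            early[r.source] += r.published < r.first_seen
    return {s: early[s] / total[s] for s in total}


def uniqueness_by_source(records):
    """Share of a feed's indicators that no other feed had already delivered."""
    owner = first_publisher(records)
    total, firsts = defaultdict(int), defaultdict(int)
    for r in records:
        total[r.source] += 1
        firsts[r.source] += owner[r.indicator] == r.source
    return {s: firsts[s] / total[s] for s in total}


def rank_sources(records, weights=(0.5, 0.3, 0.2)):
    """Weighted score per source, highest first. The weights (precision,
    timeliness, uniqueness) are an assumption; a source missing from a metric
    scores 0 on it."""
    p, t, u = (precision_by_source(records), timeliness_by_source(records),
               uniqueness_by_source(records))
    wp, wt, wu = weights
    scores = {s: wp * p.get(s, 0.0) + wt * t.get(s, 0.0) + wu * u.get(s, 0.0)
              for s in {r.source for r in records}}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for source, score in rank_sources(SAMPLE_RECORDS):
        print(f"{source:<12} {score:.2f}")
```

On the constructed data the OSINT list has perfect precision yet ranks last: everything it delivers arrived a day or more after another feed and after the first internal sighting, so it adds no prevention value and only re-delivers indicators the aggregation already holds. That is the kind of result the vendor feedback loop and annual source review should surface.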
Module 4: Integrating Threat Intelligence into Security Tools and Workflows
- Configuring SIEM correlation rules to trigger on high-fidelity IOCs from trusted intelligence sources
- Populating firewall and EDR blocklists with actionable threat indicators using automated STIX/TAXII pipelines
- Mapping intelligence to vulnerability management by prioritizing patching based on active exploitation data
- Enabling SOAR platforms to auto-enrich incidents with threat actor context and campaign history
- Adjusting email gateway rules based on intelligence about phishing infrastructure and sender patterns
- Synchronizing threat intelligence with cloud security posture management (CSPM) tools to detect exposed assets targeted by threat actors
- Ensuring API rate limits and authentication mechanisms do not disrupt intelligence ingestion into security systems
- Validating integration reliability through red team exercises that test detection and response based on intelligence triggers
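The first two bullets of this module, high-fidelity SIEM correlation and STIX/TAXII-fed blocklists, share one ingestion step: pull indicator objects out of a STIX 2.1 bundle, keep only those above a confidence threshold, turn their patterns into plain blocklist values, and correlate those values against normalised log events. The Python below is an added example, not code from this curriculum or from any TIP or SIEM vendor; the bundle, its UUIDs, the hostnames, the hash value and the log lines are all constructed. It handles only single-comparison STIX patterns and reports anything more complex (boolean operators, qualifiers) as unsupported, because silently dropping an indicator with confidence 95 is exactly the failure an integration test should catch.

```python
"""Ingest a STIX 2.1 indicator bundle, keep high-confidence indicators, and
correlate them against sample log lines the way a SIEM rule would.

Added example: bundle, ids, hostnames, hash and log lines are constructed.
"""
import json
import re
from collections import defaultdict


def _indicator(n, name, confidence, pattern):
    """Build one constructed STIX 2.1 indicator object for the sample bundle."""
    ts = "2024-03-01T00:00:00.000Z"
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--6f1d2a3b-0000-4000-8000-00000000000{n}",
            "created": ts, "modified": ts, "name": name, "confidence": confidence,
            "pattern_type": "stix", "pattern": pattern, "valid_from": ts}


SAMPLE_HASH = "0123456789abcdef" * 4  # constructed 64-hex SHA-256 placeholder

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--6f1d2a3b-0000-4000-8000-000000000001",
    "objects": [
        _indicator(2, "C2 domain", 85, "[domain-name:value = 'c2-example.test']"),
        _indicator(3, "Scanner IP", 30, "[ipv4-addr:value = '192.0.2.10']"),
        _indicator(4, "Loader hash", 90, f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}']"),
        _indicator(5, "Compound", 95,
                   "[domain-name:value = 'a.test'] AND [ipv4-addr:value = '192.0.2.11']"),
        # A non-indicator SDO: the ingester must skip it rather than choke on it.
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--6f1d2a3b-0000-4000-8000-000000000006",
         "created": "2024-03-01T00:00:00.000Z", "modified": "2024-03-01T00:00:00.000Z",
         "name": "Loader", "is_family": False},
    ],
})

# Only single-comparison patterns are translated; anything else is returned as
# unsupported so an analyst reviews it instead of it being silently lost.
SIMPLE_PATTERN = re.compile(r"^\[(?P<path>[\w-]+:[\w.'-]+)\s*=\s*'(?P<value>[^']+)'\]$")
OBSERVABLE_TYPES = {
    "domain-name:value": "domain",
    "ipv4-addr:value": "ip",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
}


def extract_indicators(bundle_json, min_confidence=70):
    """Return ({category: set(values)}, [unsupported indicator ids]) for indicators
    at or above min_confidence. STIX 'confidence' is optional; a missing value is
    treated as 0 so unscored indicators never reach a blocklist by default."""
    entries = defaultdict(set)
    unsupported = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("confidence", 0) < min_confidence:
            continue
        m = SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not m or m["path"] not in OBSERVABLE_TYPES:
            unsupported.append(obj["id"])
            continue
        entries[OBSERVABLE_TYPES[m["path"]]].add(m["value"].lower())
    return dict(entries), unsupported


# Constructed key=value events, as a SIEM would normalise DNS, proxy and EDR logs.
SAMPLE_LOGS = [
    "2024-03-02T10:15:00Z dns client=10.0.0.5 query=c2-example.test",
    "2024-03-02T10:16:30Z proxy client=10.0.0.7 dst=192.0.2.10 url=http://192.0.2.10/update",
    f"2024-03-02T10:17:05Z edr host=ws-12 sha256={SAMPLE_HASH} action=execute",
    "2024-03-02T10:18:00Z dns client=10.0.0.9 query=intranet.example",
]

TOKEN = re.compile(r"[\w.:-]+")


def match_logs(entries, log_lines):
    """Correlate blocklist values against log lines by exact token match (no
    substring matching, so 'c2-example.test' cannot fire on 'notc2-example.test').
    Returns [(line_index, category, value)], one hit per matched value per line."""
    hits = []
    for i, line in enumerate(log_lines):
        tokens = {t.lower() for t in TOKEN.findall(line)}
        for category, values in entries.items():
            for v in sorted(values & tokens):
                hits.append((i, category, v))
    return hits


if __name__ == "__main__":
    found, skipped = extract_indicators(SAMPLE_BUNDLE, min_confidence=70)
    print("blocklist:", {k: sorted(v) for k, v in found.items()})
    print("needs review:", skipped)
    for idx, cat, val in match_logs(found, SAMPLE_LOGS):
        print(f"ALERT line {idx}: {cat} {val} matched trusted indicator")
```

At the default threshold of 70 the scanner IP (confidence 30) is never pushed to the blocklist and the proxy event stays quiet, while the compound pattern lands in the review queue; lowering the threshold to 0 admits the IP and produces a third alert. Running the same bundle through both settings is a cheap way to confirm the threshold is doing what the SIEM rule documentation claims.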
Module 5: Operationalizing Threat Intelligence in Incident Response
- Using threat actor TTPs to scope incident investigations and identify lateral movement patterns
- Adjusting containment strategies based on adversary objectives, such as data exfiltration versus system destruction
- Leveraging historical campaign data to predict attacker next steps during active incidents
- Sharing internal incident findings with trusted ISACs or peer organizations under legal and confidentiality agreements
- Updating IR playbooks with intelligence-derived detection logic and adversary-specific mitigation steps
- Conducting post-incident threat assessments to determine if the attack was targeted or opportunistic
- Coordinating with external incident response firms using shared intelligence formats to accelerate handover
- Archiving incident-related intelligence for future threat hunting and adversary profiling
Module 6: Conducting Threat Actor Attribution and Campaign Analysis
- Assessing the evidentiary threshold required for internal attribution versus public disclosure
- Correlating malware artifacts, infrastructure, and TTPs to known threat actors using MITRE ATT&CK and proprietary databases
- Weighing the risks of misattribution and its potential impact on legal, diplomatic, or business relationships
- Documenting confidence levels for attribution claims using structured analytic techniques (SATs)
- Using geolocation, language, and timing data to infer adversary origin while accounting for spoofing
- Integrating attribution findings into executive risk briefings without disclosing sensitive sources or methods
- Managing access to attribution data based on clearance and operational need-to-know
- Updating threat models when new actor capabilities or motivations are observed in the wild
Module 7: Measuring the Impact and ROI of Threat Intelligence
- Tracking the number of incidents detected or prevented due to intelligence-driven alerts
- Calculating mean time to detect (MTTD) reductions attributable to proactive threat hunting based on intelligence
- Quantifying the number of high-risk vulnerabilities remediated ahead of exploitation due to intelligence alerts
- Measuring false positive rates across intelligence sources to optimize feed selection and filtering
- Assessing analyst efficiency gains through automation of intelligence ingestion and enrichment tasks
- Conducting tabletop exercises to validate intelligence utility in simulated breach scenarios
- Comparing intelligence program costs against incident response savings and avoided breach impacts
- Reporting intelligence effectiveness metrics to executive leadership using risk-based KPIs
Module 8: Governing Threat Intelligence Sharing and Collaboration
- Establishing data anonymization protocols for sharing IOCs and attack patterns with industry peers
- Defining membership criteria and data contribution expectations for participation in ISACs or information-sharing communities
- Implementing secure sharing platforms (e.g., TIPs with sharing groups) with role-based access controls
- Negotiating legal agreements (e.g., DCLAs) to govern liability and permitted use of shared intelligence
- Classifying intelligence by sensitivity and determining appropriate dissemination levels within the organization
- Monitoring downstream use of shared intelligence to prevent misuse or unauthorized redistribution
- Coordinating with law enforcement on intelligence sharing while preserving investigative integrity
- Conducting periodic reviews of sharing partners to assess data quality and trustworthiness
Module 9: Scaling Threat Intelligence Across Global and Regulated Environments
- Adapting intelligence collection and dissemination practices to comply with GDPR, CCPA, and other privacy regulations
- Managing cross-border data flows of threat intelligence in multinational organizations with local data residency laws
- Customizing threat intelligence priorities by region based on localized threat actor activity and regulatory requirements
- Ensuring language and cultural factors do not hinder intelligence interpretation in global security operations centers
- Implementing centralized governance with decentralized execution to balance control and responsiveness
- Integrating threat intelligence into third-party risk management for vendors with access to critical systems
- Scaling automation to handle increased volume of intelligence in large, complex environments
- Conducting regional threat briefings that contextualize global campaigns for local security teams
Module 10: Evolving Threat Intelligence in Response to Emerging Threats
- Updating intelligence collection priorities in response to zero-day vulnerabilities with active exploitation
- Monitoring dark web forums and underground markets for early signals of attacks targeting the organization’s sector
- Adjusting detection logic for AI-driven attacks, such as deepfake social engineering or LLM-powered phishing
- Integrating supply chain compromise intelligence into software bill of materials (SBOM) analysis
- Assessing the threat landscape implications of geopolitical events on cyber adversary behavior
- Revising intelligence taxonomy to include new attack vectors like cloud misconfigurations or API abuse
- Conducting red team/blue team exercises based on emerging TTPs to validate detection coverage
- Re-evaluating intelligence sources and tools annually to ensure alignment with evolving threat landscapes