惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
Netflix TechBlog - Medium
罗磊的独立博客
H
Help Net Security
I
Intezer
G
Google Developers Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
T
Troy Hunt's Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
U
Unit 42
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
N
News and Events Feed by Topic
J
Java Code Geeks
S
Security Affairs
T
The Blog of Author Tim Ferriss
Recent Commits to openclaw:main
Recent Commits to openclaw:main
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
D
Docker
The GitHub Blog
The GitHub Blog
F
Full Disclosure
N
News and Events Feed by Topic
Webroot Blog
Webroot Blog
S
Security @ Cisco Blogs
腾讯CDC
人人都是产品经理
人人都是产品经理
M
MIT News - Artificial intelligence
Blog — PlanetScale
Blog — PlanetScale
T
Threatpost
D
DataBreaches.Net
Recent Announcements
Recent Announcements
博客园 - 三生石上(FineUI控件)
MongoDB | Blog
MongoDB | Blog
博客园 - 【当耐特】
L
LINUX DO - 最新话题
Google Online Security Blog
Google Online Security Blog
S
Schneier on Security
S
Securelist
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Help Net Security
Help Net Security
P
Proofpoint News Feed
Project Zero
Project Zero
S
SegmentFault 最新的问题
H
Hackread – Cybersecurity News, Data Breaches, AI and More
MyScale Blog
MyScale Blog
Google DeepMind News
Google DeepMind News
宝玉的分享
宝玉的分享
Y
Y Combinator Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 叶小钗

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
Cyber threat intelligence requirements: What are they, what are they for and how do they fit in the…
2016-05-19 · via Intel 471 Blog

By Mark Arena, CEO of Intel 471.

There are many definitions of what is an intelligence requirement but the definition to me that is most accurate is:

“Any subject, general or specific, upon which there is a need for the collection of information, or the production of intelligence.”

Ref:http://www.thefreedictionary.com/intelligence+requirement

With the above definition I want to highlight that an intelligence requirement could be one of two things: something where there is a need for the collection of information or the production of intelligence. Based on this, breaking out these two differing types of intelligence requirements into separate lists is the best approach.

Let’s take an example:
The CISO/CSO (Chief Information Security Officer) of your organization wants to know of any vulnerabilities that are being exploited in the wild that your organization can’t defend against or detect.

As you can see in the above example, breaking out what is needed for the production of intelligence and renaming it production requirements makes it clear that this is what is required for the production of intelligence therefore:

  • Production requirements (what the intelligence consumer needs)

-> Intelligence requirements (what questions do we need our intelligence collection to answer to meet our production requirements)

Now we have two separate tables of what our intelligence consumers need versus what we need to collect. Next we need to identify what observables or data inputs we would need to answer our intelligence requirements, which we’ll call our collection requirements. Lets take another example:

In the above example what we have is:

  • Intelligence requirements (what questions do we need our intelligence collection to answer to meet our production requirements)

-> Collection requirements (what observables/data inputs do we need to answer our intelligence requirements)

By breaking out your organization’s collection requirements this way, it will allow you to better assign the responsibility to collect for a specific collection requirement to a team, capability or external provider which can be regularly assessed to see how it fits into helping meet your organization’s intelligence requirements. When it comes to external providers of intelligence, there’s a number that sit in the intelligence cycle between collection and dissemination. Intel 471 sits primarily in the collection part of the intelligence cycle and works with organizations to more effectively collect against their externally focused collection requirements. When we refer to “externally focused” collection requirements, what we mean is that collection requirements can either be internally focused or externally focused where internally focused collection requirements require visibility on the subject organization’s attack surface. Externally focused collection requirements involves requirements that are adversary/cyber threat actor focused.

The holy grail of cyber threat intelligence prioritization?

The holy grail of cyber threat intelligence prioritization is to have a single long-term prioritized list of production requirements that is updated twice a year. The production requirements should be broad enough to encompass short-term requirements that immediately head to the top of the priority list but are very narrowly focused and only last at maximum 30 days, for example a requirement to assist with incident response to a security breach. In the absence of a single prioritized list, breaking down intelligence priorities by high, medium and low priorities is acceptable and is common practice with most resources going into satisfying high priority items.

Intelligence requirements: Attack surface or adversary focused?

A common question cyber threat intelligence professionals encounter is whether their organization’s intelligence requirements should be attack surface or adversary focused. A single intelligence requirement could be either but not both. An intelligence requirement in the context described above needs to relate to a specific observable that is eventually tasked to a team, capability or external provider so will need to be attack surface or adversary focused.

As you can see in the above example, breaking out what is needed for the production of intelligence and renaming it production requirements makes it clear that this is what is required for the production of intelligence therefore:

  • Production requirements (what the intelligence consumer needs)

-> Intelligence requirements (what questions do we need our intelligence collection to answer to meet our production requirements)

Now we have two separate tables of what our intelligence consumers need versus what we need to collect. Next we need to identify what observables or data inputs we would need to answer our intelligence requirements, which we’ll call our collection requirements. Lets take another example:

In the above example what we have is:

  • Intelligence requirements (what questions do we need our intelligence collection to answer to meet our production requirements)

-> Collection requirements (what observables/data inputs do we need to answer our intelligence requirements)

By breaking out your organization’s collection requirements this way, it will allow you to better assign the responsibility to collect for a specific collection requirement to a team, capability or external provider which can be regularly assessed to see how it fits into helping meet your organization’s intelligence requirements. When it comes to external providers of intelligence, there’s a number that sit in the intelligence cycle between collection and dissemination. Intel 471 sits primarily in the collection part of the intelligence cycle and works with organizations to more effectively collect against their externally focused collection requirements. When we refer to “externally focused” collection requirements, what we mean is that collection requirements can either be internally focused or externally focused where internally focused collection requirements require visibility on the subject organization’s attack surface. Externally focused collection requirements involves requirements that are adversary/cyber threat actor focused.

The holy grail of cyber threat intelligence prioritization?

The holy grail of cyber threat intelligence prioritization is to have a single long-term prioritized list of production requirements that is updated twice a year. The production requirements should be broad enough to encompass short-term requirements that immediately head to the top of the priority list but are very narrowly focused and only last at maximum 30 days, for example a requirement to assist with incident response to a security breach. In the absence of a single prioritized list, breaking down intelligence priorities by high, medium and low priorities is acceptable and is common practice with most resources going into satisfying high priority items.

Intelligence requirements: Attack surface or adversary focused?

A common question cyber threat intelligence professionals encounter is whether their organization’s intelligence requirements should be attack surface or adversary focused. A single intelligence requirement could be either but not both. An intelligence requirement in the context described above needs to relate to a specific observable that is eventually tasked to a team, capability or external provider so will need to be attack surface or adversary focused.