Threat intelligence
Threat intelligence is the systematic collection, processing and analysis of information about current cyber threats, attack methods and threat actors in order to derive actionable knowledge for defence and risk management.
Threat intelligence is the process by which an organisation collects, enriches, analyses and turns information about existing and emerging cyber threats into actionable knowledge. The material evaluated includes technical indicators such as malware signatures, malicious IP addresses, domains and file hashes (Indicators of Compromise), as well as the methods, tools and motives of attackers (Tactics, Techniques and Procedures). The goal is to move from a purely reactive defence to an informed, forward-looking security strategy that detects threats before they take effect.
Several levels are usually distinguished. Strategic threat intelligence is aimed at management and provides a high-level view of threat landscapes, trends and geopolitical risks. Tactical intelligence describes the methods of attackers and supports the derivation of protective measures. Operational intelligence delivers information on specific, ongoing campaigns, while technical intelligence provides machine-readable indicators for detection systems such as SIEM, intrusion detection systems or endpoint detection and response. Sources range from commercial services and industry sharing communities (ISACs) through open sources (OSINT) to governmental bodies such as the German BSI and CERT-Bund.
In the regulatory context, threat intelligence is gaining considerable importance. The NIS2 Directive requires essential and important entities to maintain risk-based security management that reflects the current threat situation, and it expressly encourages the voluntary sharing of threat information. In the financial sector, the DORA Regulation obliges institutions to exchange cyber threat information and incorporate it into their ICT risk management. ISO/IEC 27001:2022 also explicitly requires the gathering and analysis of threat intelligence in control A.5.7. At the same time, data protection requirements under the GDPR must be observed when obtaining and processing the data, because indicators such as IP addresses can be capable of identifying individuals.
Legal Basis
NIS2 Directive (EU) 2022/2555 (in particular Art. 21 on risk management and Art. 29 on information sharing); ISO/IEC 27001:2022 (control A.5.7 Threat intelligence); Regulation (EU) 2022/2554 (DORA), Art. 45 on cyber threat information sharing; BSI IT-Grundschutz (DER.1 Detection of security-relevant events)
Practical Example
An industrial supplier classified as an important entity subscribes to structured threat intelligence feeds through an industry ISAC. The information security officer receives a warning that a ransomware group is specifically exploiting a vulnerability in the VPN solution in use, together with the associated Indicators of Compromise. He feeds the indicators into the SIEM and the firewalls, prioritises patching of the affected systems and alerts the incident response team. When the first suspicious connection attempts appear shortly afterwards, they are detected and blocked immediately, preventing an attack before it can cause any damage.
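The detection step of this example, and the machine-readable indicators mentioned above under technical intelligence, can be illustrated in a few lines. The following is an added example, not part of the original entry or of any named product: the indicator feed, the firewall log format and every address and domain are constructed for illustration, and the expiry handling and the ISAC sighting report are assumptions about how a practitioner would organise this.

```python
# Match technical threat-intelligence indicators (IoCs) against firewall logs.
from collections import Counter, namedtuple
from datetime import datetime, timezone

# kind is "ipv4" or "domain"; valid_until lets stale indicators age out of detection
Indicator = namedtuple("Indicator", "kind value valid_until source")

UTC = timezone.utc
FEED = [  # constructed feed, as an ISAC might deliver it
    Indicator("ipv4", "203.0.113.45", datetime(2030, 1, 1, tzinfo=UTC), "ISAC-example"),
    Indicator("domain", "update.example-bad.test", datetime(2030, 1, 1, tzinfo=UTC), "ISAC-example"),
    Indicator("ipv4", "198.51.100.7", datetime(2020, 1, 1, tzinfo=UTC), "ISAC-example"),  # expired
]
NOW = datetime(2024, 5, 2, 9, 0, tzinfo=UTC)  # constructed evaluation time

# Constructed firewall lines: "<timestamp> <action> <src> <dst> <dst_host_or_->"
LOGS = [
    "2024-05-02T09:14:03Z allow 10.0.5.21 203.0.113.45 -",
    "2024-05-02T09:14:09Z allow 10.0.5.21 192.0.2.10 update.example-bad.test",
    "2024-05-02T09:15:00Z allow 10.0.7.3 198.51.100.7 -",
    "2024-05-02T09:15:30Z allow 10.0.7.3 192.0.2.80 www.example.test",
    "2024-05-02T09:16:11Z deny 10.0.9.2 203.0.113.45 -",
]

def active_indicators(feed, now):
    """Index non-expired indicators by (kind, value) for O(1) lookups per log field."""
    return {(i.kind, i.value.lower()): i for i in feed if i.valid_until > now}

def parse_line(line):
    ts, action, src, dst, host = line.split()
    return {"ts": ts, "action": action, "src": src, "dst": dst,
            "host": None if host == "-" else host.lower()}

def match_logs(lines, feed, now):
    """One hit per (log line, indicator) pair, keeping the internal source for IR."""
    active = active_indicators(feed, now)
    hits = []
    for rec in map(parse_line, lines):
        for kind, val in (("ipv4", rec["dst"]), ("domain", rec["host"])):
            ind = active.get((kind, val))
            if ind:
                hits.append({"ts": rec["ts"], "src": rec["src"], "kind": kind,
                             "value": val, "source": ind.source})
    return hits

def sighting_report(hits):
    """Aggregate for sharing back to the ISAC: indicator counts only, without the
    internal source addresses, which can be personal data under the GDPR."""
    return dict(Counter((h["kind"], h["value"]) for h in hits))
```

The expired indicator produces no hit, so a feed that is not refreshed and pruned degrades into noise rather than detection.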