How to Build an Effective Threat Intelligence Team

January 7, 2019  |  Irfan Shakeel

Cyber threats are rapidly evolving due to broadening motivations behind attacks, and the increased sophistication of attacks themselves. Protecting organizations from cyber threats often requires expertise available outside the organization.

For security professionals and executives, threat intelligence is the information that expands your visibility into cyber threats beyond the physical edge of your network. Conducting threat intelligence that is significant and actionable requires specialized proficiency, knowledge and tools. Experts must know where to dig for information that may be hiding in the most unexpected areas of the Internet, including hacker communities, to create the “big picture” from thousands of different pieces of data.

Threat intelligence is evidence-based facts, including framework, mechanisms, implications and actionable suggestions, about an existing or emerging threats and risks to organization’s assets that can be used to make decisions regarding the response to that threat and risk.

Why Threat Intelligence?

Organizations are under terrific pressure to handle threats. However, there is a vast variety of information available, but it’s hard and time-consuming to get meaningful information from it. This caused many users and organizations to look towards threat intelligence, as it can help prioritize threats and alerts and provide actionable information. Threat intelligence can:

Prevent Financial Loss

Whenever informed decisions are made in a timely manner, it prevents system downtime. Moreover, it also prevents the theft of confidential data, protects your intellectual property, and saves your organization’s reputation and customers. Not only would a breach cost your organization upfront, but the post-incident remediation and restoration costs can run in the millions of dollars.

Encourage Efficient Utilization of IT Resources

Conducting threat intelligence is a time- and resource-consuming process. Most organizations do not have enough specialized staff to generate relevant information fast enough. Instead of engaging internal resources to organically generate this intelligence, leveraging platforms that are designed to automatically generate and integrate this intelligence in an organization’s infrastructure can free up staffing resources for other work. This can save organizations hundreds of thousands of dollars.

Let You Invest Wisely in Your Infrastructure

Threat intelligence helps you make informed decisions about investing in your infrastructure and business. For example, when you notice an increase in connections from a specific geographic location that are suspicious to your company, you can consider investing in a tool to counter the issue.

In order to prevent risks and threats to your organization’s processes, a threat intelligence team should be prepared to deliberately look for potential threats to the organization’s intellectual information. There are many factors that should be considered before creating a team to effectively use intelligence to drive enterprise security, some of which include:

1. Establish an intelligence priorities framework

To effectively use intelligence, organizations must first set up and prioritize the information they will need. This can be done by identifying intelligence gaps that exist, formulating requirements, and then classifying requirements into categories that are suitable to the organization’s framework.

2. Incorporate and consolidate intelligence sources

There are various sources that can be used to collect intelligence for enterprise security:

  • Technical sources: This includes the IDS, firewall, next-generation endpoint security, and log files from number of devices.
  • Open / Free Sources: Sources such as published vendor reports, white papers, vendor vulnerability lists (Microsoft, Apple, Adobe, etc.), and tools like AlienVault OTX as well as other media sources.
  • Closed Sources: This may include community mailing lists, or organizations such as ISACs
  • Paid Intelligence Feeds

3. Mapping Intelligence Collection

You need to store intelligence collected intelligence in a searchable repository. Moreover, you need to use information from your organization’s operations. This info needs to be analyzed to make decisions and take actions, such as creating a firewall block or logging event, creating an IDS rule, or blocking the hash in the endpoint intrusion prevention system.

4. Specialized Threat Intelligence Experts

Employing intelligence analysts who can review inbound intelligence and produce analysis for the organization can be key for large organizations. As new intelligence is collected, an expert can assess if it is significant to the organization, explain how it is significant, decide who it is significant for, and produce cogent analysis around scenarios in which it might be significant. Smaller organizations with small IT budgets may need to rely on some of the free and open source threat intelligence options described above.

5. Adapting Finished Products To The Audience:

Lastly, distributing intelligence in an effective and acceptable way is a critical task for the intelligence team. Weekly or even daily propagation of intelligence that is analyzed and collected over a specific period of time allows the intelligence team to keep track of performance. Moreover, intelligence products should be tailored to the audience and contain information to help them be more effective.


The threat intelligence team can help large organizations in providing current information related to potential attack sources relevant to their businesses. So it is essential for a large organization to have a dedicated team for performing threat intelligence and stay ahead from different attacks and risks. Smaller organizations need to be creative in looking for open source and free threat intelligence sources. Alternatively, smaller organizations can use a tool that incorporates threat intelligence into their security solution for a unified approach to threat detection and response.

Share this with others

Featured resources



2024 Futures Report

Get price Free trial