Threat intelligence and threat monitoring
Threat intelligence sounds like something only large security teams do. It's not. At its core, threat intelligence is answering a simple question: "What attacks are happening to companies like us, and are we vulnerable?"
You don't need a dedicated threat analyst. You need the right sources, a process to review them, and a way to turn information into action.
What is threat intelligence?
Threat intelligence is information about threats—who's attacking, how they're doing it, and what they're targeting. It comes in several forms:
| Type | What it tells you | Example | Actionability |
|---|---|---|---|
| Strategic | Long-term trends, threat actor motivations | "Ransomware groups are targeting healthcare" | Informs planning |
| Tactical | TTPs (tactics, techniques, procedures) | "Attackers use spear-phishing with PDF attachments" | Informs defenses |
| Operational | Specific campaigns, timing | "Campaign X is active this week targeting our industry" | Informs response |
| Technical | IOCs (indicators of compromise) | IP addresses, malware hashes, domains | Direct blocking |
For small companies, focus on tactical and operational intelligence. Strategic is nice-to-know. Technical IOCs are useful only if you have the infrastructure to use them.
Why threat intelligence matters
Know your enemy
Without intelligence, security is generic. With it, you can focus on what matters.
Without intelligence: "We should probably worry about... everything?"
With intelligence: "Ransomware groups are actively targeting companies using [software we use]. We should verify our patches and backup strategy."
Proactive vs. reactive
Intelligence lets you prepare before attacks hit. When a new vulnerability drops, you'll know if your industry is being targeted before you're targeted.
Prioritization
Limited resources mean choosing what to work on. Intelligence tells you which vulnerabilities are being actively exploited, not just theoretically exploitable.
Free threat intelligence sources
You don't need to pay for threat intelligence. Many high-quality sources are free.
CISA (Cybersecurity and Infrastructure Security Agency)
Known Exploited Vulnerabilities (KEV) Catalog
The KEV catalog lists vulnerabilities that are actively being exploited in the wild. If it's on this list, patch it immediately.
Link: cisa.gov/known-exploited-vulnerabilities-catalog
How to use:
- Subscribe to updates via email or RSS
- Cross-reference with your vulnerability scans
- KEV vulnerabilities should be highest priority
Other CISA resources:
- CISA Alerts — Advisories on current threats
- Shields Up — Heightened threat guidance
- StopRansomware.gov — Ransomware-specific guidance
MITRE ATT&CK
ATT&CK is a knowledge base of adversary tactics and techniques. It tells you HOW attackers operate.
Link: attack.mitre.org
How to use:
- Understand attack patterns
- Map your defenses to techniques
- Use for threat modeling and detection rules
Key sections:
- Enterprise Matrix — Tactics/techniques for enterprise environments
- Groups — Known threat actor profiles
- Software — Malware and tools used by attackers
Have I Been Pwned (HIBP)
Troy Hunt's service tracks data breaches. If your company domain appears in breaches, attackers have employee credentials.
Link: haveibeenpwned.com
How to use:
- Register your domain for notifications: haveibeenpwned.com/DomainSearch
- Receive alerts when employee emails appear in breaches
- Force password resets for affected accounts
- API available for automation
Domain search setup:
- Prove domain ownership (DNS TXT record or email verification)
- Subscribe to notifications
- Receive alerts when new breaches include your domain
- Act on notifications within 24 hours
Industry ISACs
Information Sharing and Analysis Centers (ISACs) share threat intelligence specific to industries.
| Industry | ISAC | Link |
|---|---|---|
| Financial Services | FS-ISAC | fsisac.com |
| Healthcare | Health-ISAC | h-isac.org |
| Retail | Retail & Hospitality ISAC | rhisac.org |
| Technology | IT-ISAC | it-isac.org |
| Multi-State | MS-ISAC | cisecurity.org/ms-isac |
Most offer free membership tiers or are free for small organizations.
Vendor security bulletins
Your technology vendors publish security advisories. Subscribe to them.
| Vendor | Security bulletin link |
|---|---|
| Microsoft | msrc.microsoft.com |
| Apple | support.apple.com/security-updates |
| Google (Cloud) | cloud.google.com/security/bulletins |
| AWS | aws.amazon.com/security/security-bulletins |
| GitHub | github.blog/changelog (security tagged) |
| Atlassian | confluence.atlassian.com/security |
Other free sources
| Source | What it provides | Link |
|---|---|---|
| NIST NVD | Vulnerability database | nvd.nist.gov |
| Exploit-DB | Public exploits | exploit-db.com |
| AlienVault OTX | Community threat indicators | otx.alienvault.com |
| SANS Internet Storm Center | Current internet threats | isc.sans.edu |
| The Hacker News | Security news | thehackernews.com |
| Krebs on Security | In-depth breach coverage | krebsonsecurity.com |
| BleepingComputer | Ransomware and malware news | bleepingcomputer.com |
Setting up breach monitoring
Domain monitoring with HIBP
Step-by-step setup:
1. Enter your domain and choose a verification method:
   - DNS TXT record (add `have-i-been-pwned-verification=...` to DNS)
   - Email verification (email to security@, admin@, etc.)
2. Once verified, you'll see any existing breaches containing your domain
3. Configure notifications:
   - Immediate notification for new breaches
   - Specify recipient email addresses
4. Set up a response process (see below)
Breach notification response process
When you receive a breach notification:
## Breach Alert Response Procedure
### Within 1 hour
1. Identify affected accounts
- Which email addresses are in the breach?
- What systems do those users have access to?
2. Assess breach contents
- Passwords? (force reset immediately)
- Personal data? (notify affected users)
- Other credentials? (rotate)
3. Immediate actions
- Force password reset for affected users
- Invalidate active sessions
- Enable MFA if not already (force re-enrollment if already enabled)
### Within 24 hours
4. Investigate potential access
- Check login logs for suspicious activity
- Review access to sensitive systems
- Look for signs of compromise
5. User notification
- Inform affected users about the breach
- Explain what data was exposed
- Guide on password changes and vigilance
### Within 1 week
6. Remediation
- Address any vulnerabilities the breach reveals
- Strengthen controls if needed
7. Documentation
- Document incident in security log
- Note lessons learned
Credential monitoring services
Beyond HIBP, consider these services for credential monitoring:
| Service | Features | Cost |
|---|---|---|
| SpyCloud | Enterprise credential monitoring | Paid |
| Recorded Future | Dark web monitoring | Paid |
| Flare | Dark web intelligence | Paid |
| HIBP Enterprise | API for credential checks | Moderate |
| Dehashed | Breach search | Low-cost |
For small companies, HIBP domain monitoring covers the essentials. Upgrade when scale demands it.
Turning intelligence into action
Intelligence is useless if you don't act on it.
Intelligence consumption workflow
- Collect sources — CISA, HIBP, vendor bulletins, news
- Filter & triage — relevant to our stack? actively exploited?
- Assess impact — are we vulnerable? what's at risk?
- Take action — patch, block, alert, investigate
- Document & learn — update runbooks, improve detection
Weekly threat review process
Block 30-60 minutes weekly for threat intelligence review:
## Weekly Threat Intelligence Review
Date: [Date]
Reviewer: [Name]
### Sources reviewed
- [ ] CISA KEV updates
- [ ] Vendor security bulletins (list relevant ones)
- [ ] HIBP notifications
- [ ] Security news (major stories)
- [ ] Industry ISAC alerts
### Relevant items this week
| Source | Threat/Vulnerability | Relevant to us? | Action needed |
|--------|---------------------|-----------------|---------------|
| CISA KEV | CVE-2024-XXXX (Name) | Yes (we use X) | Patch by [date] |
| AWS bulletin | S3 policy update | Yes | Review policies |
| News | Industry ransomware campaign | Awareness | Share with team |
### Actions taken
1. [Action taken with details]
2. [Action taken with details]
### Shared with team
- [ ] Critical items shared in #security channel
- [ ] Relevant items added to next team meeting
### Notes for next week
[Any follow-up items or things to watch]
Integrating intelligence with vulnerability management
Connect threat intel to your patching priorities:
| Intelligence source | Integration with vuln management |
|---|---|
| CISA KEV | Auto-escalate any vuln on KEV list to Critical |
| Vendor bulletins | Check scanner results against bulletins |
| Exploit-DB | If exploit exists, increase priority |
| Industry alerts | Focus on systems mentioned in alerts |
Example: CISA KEV integration
```python
# Example: Check vulnerabilities against KEV
import requests

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"


def check_against_kev(cve_ids: list) -> list:
    """Return the subset of cve_ids that appear in the CISA KEV catalog."""
    response = requests.get(KEV_URL, timeout=30)
    response.raise_for_status()  # fail loudly rather than parsing an error page as JSON
    kev_data = response.json()
    kev_cves = {vuln['cveID'] for vuln in kev_data['vulnerabilities']}
    return [cve for cve in cve_ids if cve in kev_cves]


# Usage: Check your vulnerability scan results
scan_results = ['CVE-2024-1234', 'CVE-2023-5678', 'CVE-2022-9999']
critical_vulns = check_against_kev(scan_results)
print(f"CVEs in KEV (patch immediately): {critical_vulns}")
```
Industry-specific threat landscape
Different industries face different threats. Focus your intelligence accordingly.
Technology/SaaS
Primary threats:
- Supply chain attacks (dependencies, CI/CD)
- Credential stuffing against user accounts
- API abuse
- Source code theft
Focus areas:
- Dependency vulnerability alerts
- GitHub security advisories
- Cloud provider bulletins
Financial services
Primary threats:
- Business email compromise
- Credential theft
- Wire fraud
- ATM/payment card fraud
Focus areas:
- FS-ISAC alerts
- Fraud trend reports
- Regulatory guidance
Healthcare
Primary threats:
- Ransomware (healthcare is a very highly targeted sector)
- Medical device vulnerabilities
- PHI theft
Focus areas:
- Health-ISAC
- FDA medical device alerts
- HHS cybersecurity guidance
E-commerce/Retail
Primary threats:
- Payment skimming (Magecart)
- Account takeover
- Inventory/pricing manipulation
- DDoS during peak seasons
Focus areas:
- PCI Security Council alerts
- Retail-ISAC
- Holiday threat advisories
Threat intelligence without overload
A common failure mode: subscribing to everything and drowning in alerts.
Managing volume
Tier your sources:
- Tier 1 (daily check): CISA KEV, HIBP, critical vendor bulletins
- Tier 2 (weekly review): Industry ISAC, security news, other bulletins
- Tier 3 (monthly scan): Research reports, strategic analysis
Filter ruthlessly:
- Is this relevant to our tech stack?
- Is it actively exploited?
- Do we have the affected component?
Automate where possible:
- RSS feeds to one aggregator
- Email rules to categorize by urgency
- Scripts to check KEV against your inventory
Signal vs. noise
| High signal (act on) | Low signal (awareness only) |
|---|---|
| CVE in component you use | CVE in component you don't use |
| Actively exploited (KEV) | Theoretical vulnerability |
| Breach containing your domain | Breach at unrelated company |
| Attack targeting your industry | General threat landscape |
| Your vendor's security bulletin | Random vendor's bulletin |
Building detection from intelligence
Threat intelligence informs what to look for in your logs.
Example: Converting intelligence to detection
Intelligence: "Attackers are targeting VPN appliances with credential stuffing using credentials from breach X."
Detection response:
- Check if any employees were in breach X (HIBP)
- Review VPN login failures (look for spikes)
- Create alert: "Failed VPN logins from new IP ranges"
- Force password reset for potentially compromised accounts
Pseudo-alert rule:
```yaml
# Alert: Potential VPN credential stuffing
name: VPN Credential Stuffing Detection
trigger:
  condition: count > 10
  window: 5m
filter:
  event_type: vpn_login_failed
group_by: source_ip
action:
  - alert: security-team
  - severity: high
```
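The pseudo-alert rule above as working detection logic, run over constructed VPN log lines. This is an added example, not code from the original page; the log line format (ISO timestamp, event type, source IP, user) is an assumption, and the threshold and window follow the rule.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds mirror the pseudo-alert rule: more than 10 failures from one source IP in 5 minutes.
THRESHOLD = 10
WINDOW = timedelta(minutes=5)


def parse_event(line: str) -> dict:
    """Parse one constructed log line: '<ISO timestamp> <event_type> <source_ip> <user>'."""
    ts, event_type, source_ip, user = line.split()
    return {"ts": datetime.fromisoformat(ts), "event_type": event_type,
            "source_ip": source_ip, "user": user}


def detect_credential_stuffing(lines) -> list:
    """Return [(source_ip, time_of_first_alert)] for IPs whose failed logins exceed
    THRESHOLD inside a sliding WINDOW. Lines must be in time order per source IP.
    Each IP alerts once, so a sustained attack does not page the team per event."""
    recent = defaultdict(deque)  # source_ip -> timestamps of failures still inside the window
    alerted = {}
    for line in lines:
        ev = parse_event(line)
        if ev["event_type"] != "vpn_login_failed":
            continue  # successes and other events never count toward the threshold
        q = recent[ev["source_ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:  # expire failures older than the window
            q.popleft()
        if len(q) > THRESHOLD and ev["source_ip"] not in alerted:
            alerted[ev["source_ip"]] = ev["ts"]
    return sorted(alerted.items())


# Constructed sample log: 203.0.113.7 sprays twelve different usernames in three minutes,
# while 198.51.100.2 is a real user who mistypes twice and then succeeds.
_BASE = datetime(2024, 3, 4, 9, 0, 0)
SAMPLE_LOG = [
    f"{(_BASE + timedelta(seconds=15 * i)).isoformat()} vpn_login_failed 203.0.113.7 user{i}"
    for i in range(12)
] + [
    "2024-03-04T09:03:00 vpn_login_failed 198.51.100.2 alice",
    "2024-03-04T09:04:00 vpn_login_failed 198.51.100.2 alice",
    "2024-03-04T09:04:30 vpn_login_success 198.51.100.2 alice",
]

if __name__ == "__main__":
    for ip, first_seen in detect_credential_stuffing(SAMPLE_LOG):
        print(f"ALERT high: possible VPN credential stuffing from {ip}, threshold crossed at {first_seen}")
```

The sliding window matters: eleven failures spread evenly over seven minutes never cross the threshold, while the same count inside five minutes does.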
MITRE ATT&CK-based detection
Map your detection capabilities to ATT&CK techniques:
| ATT&CK Technique | Detection method | Log source |
|---|---|---|
| T1078 (Valid Accounts) | Impossible travel, unusual hours | IdP logs |
| T1566 (Phishing) | Suspicious email patterns | Email gateway |
| T1110 (Brute Force) | Multiple failed logins | Auth logs |
| T1486 (Data Encrypted for Impact) | Mass file encryption | Endpoint/file logs |
| T1071 (Application Layer Protocol) | Unusual outbound traffic | Network logs |
Resource: MITRE ATT&CK Navigator — Visualize your coverage
Real stories: threat intelligence in action
Story 1: The breach notification that saved accounts
A 50-person SaaS company had HIBP domain monitoring set up. On Tuesday morning, they received an alert: 12 employee email addresses appeared in a breach of a third-party service.
Within 1 hour:
- Security Champion identified the 12 affected accounts
- Checked which accounts had MFA enabled (9 did, 3 didn't)
- Forced password reset for all 12
- Pushed MFA enrollment for the 3 without it
Within 24 hours:
- Reviewed login logs for suspicious activity
- Found one account had login attempts from an unusual location (failed due to MFA)
- Notified affected employees about the source breach
Outcome: No compromise. The attackers tried the credentials within hours of the breach becoming public, but MFA blocked them. Without HIBP monitoring, they wouldn't have known about the exposure.
Story 2: The CVE that got patched before exploitation
A startup's Security Champion included CISA KEV in their weekly review. One Monday, a new CVE for their web framework appeared in KEV.
Actions:
- Checked production systems — vulnerable version confirmed
- Escalated to dev team immediately
- Emergency patch deployed within 6 hours
- Verified no exploitation in logs
Three days later: Security news reported mass exploitation of that CVE. Companies that hadn't patched were compromised. This startup wasn't.
Story 3: Industry ISAC warning
A fintech company participated in FS-ISAC. They received an alert: a threat actor was targeting companies with their specific payment processor integration.
Actions:
- Reviewed the TTPs shared in the alert
- Added specific detection rules for described behavior
- Conducted focused access review on payment systems
- Briefed the team on what to watch for
Two weeks later: They detected and blocked an attack matching the exact pattern. The ISAC alert had described the initial reconnaissance phase, which they spotted in their logs.
Automation for threat intelligence
Don't rely on manual checking. Automate where possible.
RSS feed aggregation
Collect all your sources in one place:
Free RSS readers:
- Feedly — Free tier available, good for security feeds
- Inoreader — Free tier with filters
- Miniflux — Self-hosted, open source
Security-specific RSS feeds:
```text
# Essential feeds to add
https://www.cisa.gov/cybersecurity-advisories/all.xml
https://krebsonsecurity.com/feed/
https://www.bleepingcomputer.com/feed/
https://feeds.feedburner.com/TheHackersNews
https://isc.sans.edu/rssfeed_full.xml

# Vendor-specific (add your vendors)
https://github.blog/feed/
https://aws.amazon.com/security/security-bulletins/feed/
```
HIBP API automation
Automate credential checks for employee emails:
```bash
#!/bin/bash
# Weekly employee email breach check
# Requires an HIBP API key and a domain already verified for domain search
HIBP_API_KEY="your-api-key"
DOMAIN="yourcompany.com"
SLACK_WEBHOOK="your-slack-webhook"

# Get breached accounts. HIBP requires a user-agent header on API calls.
# -f turns HTTP errors into an empty body instead of an error message that
# would otherwise be treated as "breaches found".
BREACHES=$(curl -sf -H "hibp-api-key: $HIBP_API_KEY" \
  -H "user-agent: weekly-breach-check" \
  "https://haveibeenpwned.com/api/v3/breacheddomain/$DOMAIN")

# The endpoint returns every breached address on record, not only new ones;
# compare against last week's output if you want to alert only on new entries.
if [ -n "$BREACHES" ] && [ "$BREACHES" != "{}" ]; then
  curl -s -X POST "$SLACK_WEBHOOK" \
    -H 'Content-type: application/json' \
    -d "{\"text\":\"HIBP Alert: breached addresses on record for $DOMAIN. Review immediately.\"}"
fi
```
GitHub Actions for weekly review
```yaml
# .github/workflows/threat-intel.yml
name: Weekly Threat Intelligence Check
on:
  schedule:
    - cron: '0 9 * * 1'  # Monday 9 AM UTC
  workflow_dispatch:
jobs:
  check-kev:
    runs-on: ubuntu-latest
    steps:
      - name: Download CISA KEV
        run: |
          curl -fsSL -o kev.json https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
      - name: Check for new entries
        run: |
          # Compare with last week's snapshot
          # Alert on new entries
      - name: Send summary
        run: |
          # Post to Slack/email with any new relevant CVEs
```
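An added example (not the page's code) that fills in the workflow's "Compare with last week's snapshot" step and the earlier "scripts to check KEV against your inventory" item: it diffs two KEV snapshots and matches the new entries against an inventory keyword list. The snapshots, CVE numbers and inventory are constructed; only the field names (cveID, vendorProject, product, dueDate) follow the real KEV feed.

```python
import json
from pathlib import Path

# Constructed KEV-style snapshots. The field names are the real feed's; the CVE numbers,
# vendors and products are made-up samples.
LAST_WEEK = {"vulnerabilities": [
    {"cveID": "CVE-2024-0001", "vendorProject": "ExampleVPN", "product": "Gateway", "dueDate": "2024-02-01"},
]}
THIS_WEEK = {"vulnerabilities": [
    {"cveID": "CVE-2024-0001", "vendorProject": "ExampleVPN", "product": "Gateway", "dueDate": "2024-02-01"},
    {"cveID": "CVE-2024-0002", "vendorProject": "ExampleWeb", "product": "Framework", "dueDate": "2024-03-15"},
    {"cveID": "CVE-2024-0003", "vendorProject": "OtherCo", "product": "Printer", "dueDate": "2024-03-10"},
]}

# Constructed inventory: lowercase keywords for vendors/products we actually run. KEV names are
# free text, so keyword matching beats exact comparison; keep keywords specific to limit false hits.
INVENTORY = ["examplevpn", "exampleweb framework"]


def load_snapshot(path: str) -> dict:
    """Load a saved KEV JSON file; a missing file (first run) counts as an empty catalog."""
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {"vulnerabilities": []}


def new_entries(previous: dict, current: dict) -> list:
    """Entries whose cveID is in `current` but was not in `previous`."""
    seen = {v["cveID"] for v in previous["vulnerabilities"]}
    return [v for v in current["vulnerabilities"] if v["cveID"] not in seen]


def in_inventory(entry: dict, inventory) -> bool:
    name = f"{entry['vendorProject']} {entry['product']}".lower()
    return any(keyword in name for keyword in inventory)


def triage(previous: dict, current: dict, inventory=INVENTORY) -> dict:
    """Split new KEV entries into 'act' (we run it: patch by dueDate) and 'awareness' (we don't)."""
    fresh = sorted(new_entries(previous, current), key=lambda v: v["dueDate"])
    return {
        "act": [(v["cveID"], v["dueDate"]) for v in fresh if in_inventory(v, inventory)],
        "awareness": [v["cveID"] for v in fresh if not in_inventory(v, inventory)],
    }


if __name__ == "__main__":
    # In the workflow: previous = load_snapshot("kev-last-week.json"), current = json.load(open("kev.json"))
    result = triage(LAST_WEEK, THIS_WEEK)
    for cve, due in result["act"]:
        print(f"ACT: {cve} is in KEV and in our inventory; CISA due date {due}")
    for cve in result["awareness"]:
        print(f"FYI: {cve} added to KEV (not in our inventory)")
```

Commit the new snapshot as `kev-last-week.json` at the end of the job so the next run diffs against it; on the first run everything in the catalog is "new", which is the right outcome for an initial backlog review.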
Common mistakes
1. Information overload — Subscribing to everything, reading nothing. Prioritize ruthlessly.
2. No action process — Collecting intelligence without a workflow to act on it.
3. Generic focus — Following threats to industries you're not in. Focus on YOUR threat landscape.
4. Ignoring context — A CVE isn't critical just because it's 9.8 CVSS. Is it in your environment? Is it exploited?
5. One-person dependency — If only one person reads threat intel, it's a single point of failure.
6. Delayed response — HIBP notification sitting in inbox for a week. Act fast.
7. No documentation — "We saw something about this" isn't useful. Track what you reviewed and decided.
8. Forgetting vendors — Your vendors' vulnerabilities are your vulnerabilities.
Expert tips
The 15-minute daily scan
Can't do an hour weekly? Do 15 minutes daily:
- CISA KEV RSS (2 min) — Any new entries?
- HIBP dashboard (1 min) — Any notifications?
- Security news headline scan (5 min) — Any major stories?
- Vendor bulletins (5 min) — Any critical patches?
- Action item update (2 min) — Update tracking
Building institutional knowledge
Don't just react—build a knowledge base:
## Threat Intel Log — 2024
### Active threats affecting us
| Threat | First seen | Status | Our exposure | Actions taken |
|--------|-----------|--------|--------------|---------------|
| CVE-2024-XXXX | 2024-01-15 | Patched | 3 servers | Patched 01/17 |
| Phishing campaign Y | 2024-02-01 | Ongoing | Awareness | Training sent |
| Ransomware group Z | 2024-02-20 | Active | Monitoring | Extra backups |
### Intelligence sources evaluation
| Source | Signal quality | Relevance | Keep/Drop |
|--------|---------------|-----------|-----------|
| CISA KEV | High | High | Keep |
| Random vendor X | Low | Low | Drop |
Sharing intelligence with your team
Not everyone needs all intelligence. Tier your sharing:
| Audience | What to share | How often | Format |
|---|---|---|---|
| Security team | All relevant intel | Real-time | Slack channel |
| Dev team | Dependency vulns, coding guidance | Weekly | Email digest |
| All employees | Phishing campaigns, awareness | When relevant | Slack/email |
| Leadership | Major threats, industry trends | Monthly | Brief summary |
Workshop: threat intelligence program
Part 1: Set up sources (1 hour)
1. CISA KEV:
   - Subscribe to RSS/email updates
   - Bookmark the catalog
2. Have I Been Pwned:
   - Register your company domain
   - Configure notification emails
   - Document response process
3. Vendor bulletins:
   - List your critical vendors
   - Subscribe to each security bulletin
   - Set up email folder for triage
4. Industry sources:
   - Identify relevant ISAC
   - Subscribe to free tier/newsletter
   - Add to weekly review list
Deliverable: List of subscribed sources with links
Part 2: Create review process (1 hour)
- Document weekly review procedure
- Create review template
- Set up tracking spreadsheet or system
- Schedule recurring calendar time
Deliverable: Documented threat intel review process
Part 3: Build response workflows (1 hour)
- HIBP breach notification response procedure
- Critical vulnerability response procedure
- Escalation criteria
Deliverable: Response procedures for common scenarios
Part 4: First review (30 minutes)
- Complete your first threat intel review using the new process
- Document any findings
- Take action on anything relevant
Deliverable: Completed first review with any actions noted
How to explain this to leadership
The pitch:
"I want to set up a simple process to track threats relevant to our company. This means monitoring for breached credentials, tracking vulnerabilities that are actively being exploited, and staying aware of attacks targeting our industry. 30 minutes per week keeps us ahead of threats instead of reacting to them."
The value:
- Proactive instead of reactive
- Prioritized patching based on actual exploitation
- Early warning of credential exposure
- Industry-specific threat awareness
The ask:
"I need 30-60 minutes weekly protected time for threat intelligence review, plus permission to set up breach monitoring for our domains."
The metric:
"I'll track: (1) how many vulnerabilities we patched before exploitation, (2) credential breaches detected and remediated, (3) relevant threats identified and addressed."
Conclusion
Threat intelligence is only useful if it changes what you do. A feed of CVEs you never act on is noise. Thirty minutes a week reviewing what's being actively exploited and checking if you're vulnerable — that's a program.
What's next
Next: attack surface management — understanding what attackers can see from the outside before they find it themselves.