SOC Analyst Hands-on Module 06: Threat Intelligence

By Pooja Rawat
Apr 3, 2026

They say knowledge is power, and nowhere is that truer than in cybersecurity. In fact, according to IBM, the average global cost of a data breach hit a staggering $4.88 million in 2024. Even more alarming, the year 2024 saw an unprecedented surge in cyberattacks as nation-state hackers from China, Russia, and Iran launched highly sophisticated global campaigns targeting critical infrastructure. Scary, right? This is exactly why Threat Intelligence has become a cornerstone of modern security operations. It is like having a cyber radar that alerts you to incoming threats so you can act before the damage is done. In this hands-on module, we will break down what threat intelligence really means, why it is essential, and how SOC Analysts can leverage it.

What is Threat Intelligence?

Threat Intelligence (TI), also called cyber threat intel or simply threat intel, is detailed, actionable information about cybersecurity threats and adversaries. Think of it as the “who, what, when, where, and how” of cyber threats. Threat intelligence is categorized into Strategic, Tactical, Operational, and Technical intelligence, each serving different levels of security decision-making. True threat intelligence has been correlated and analyzed to give security professionals an in-depth understanding of potential attacks and how to stop them.

Threat intelligence answers questions like: Which threat actors might target us and why? What tactics and malware are they using lately? What indicators (like suspicious domains or file hashes) should we look out for? By focusing on context (the motivations, techniques, and patterns behind threats), TI helps organizations move from reactive firefighting to proactive defense. Instead of just responding to incidents, you are anticipating them.

Why Do We Need Intelligence?

You might be thinking: “Our SOC already has alerts and logs flying in 24/7; why add threat intelligence to the mix?” The answer is focus and foresight. In a world of constant cyber bombardment, TI helps you separate the signal from the noise. It provides clarity on which threats truly matter to your organization and how to prioritize them. Consider that detection and escalation costs make up the largest chunk of breach expenses, averaging about $1.47 million in recent incidents. The faster you can detect and mitigate an attack (or even thwart it before it starts), thanks to good intel, the more you can limit damage and costs.

In SOC environments, this intelligence is integrated into SIEM tools like Splunk for real-time alerting, correlation, and threat detection.

Threats, Threat Actors, APTs, and Global Campaigns

In threat intelligence, it is crucial to distinguish between threats and threat actors. A threat is typically a potential danger or method of attack, such as malware, phishing, or an exploitable vulnerability. A threat actor, on the other hand, is the entity behind the threat: the person or group carrying out malicious activities. Threat actors come in many flavors, often categorized by their motives and sophistication.

  • Cybercriminals: Motivated by financial gain (think ransomware crews and credit card thieves).
  • Nation-State Actors: Government-funded hackers conducting espionage or sabotage. These are the folks behind many Advanced Persistent Threats (APTs).
  • Hacktivists: Ideologically driven attackers, like those defacing websites or leaking data to make a political point.
  • Insiders: Rogue or careless employees with inside access.

(And others like thrill-seekers, cyber terrorists, etc.; but the above are the major ones.)

Now, about those APTs (Advanced Persistent Threats): the name says a lot. They are advanced (skilled, well-funded, often using zero-days), persistent (they sneak in and stay hidden for long periods), and a serious threat (usually targeting high-value organizations or infrastructure). APTs are typically associated with nation-states or highly organized groups. Unlike a smash-and-grab malware hit, an APT might silently spy and siphon data for months.

Types of Threats

1. Network-Level Threats

Network-level threats are attacks targeting your networks and infrastructure; think of the highways and tunnels through which data travels. These threats often aim to eavesdrop on, disrupt, or impersonate network communications. Common examples include sniffing (packet eavesdropping to steal data in transit), spoofing (forging fake IP or MAC addresses to trick systems), session hijacking (taking over an established user session, often from a man-in-the-middle position), and the ever-notorious DDoS (Distributed Denial of Service) attacks. In a DDoS, attackers flood your network or servers with fake traffic to overwhelm them.

2. Web Application-Level Threats

Web and application-level threats target the software that users interact with: websites, web apps, databases, etc. These threats exploit vulnerabilities in the application’s code or design. The infamous OWASP Top 10 list of web vulnerabilities highlights the usual suspects here: SQL Injection (inserting malicious queries to manipulate back-end databases), Cross-Site Scripting (XSS) (injecting malicious scripts into webpages seen by other users), Cross-Site Request Forgery (CSRF), and more. Attackers might also go after authentication flows (stealing session tokens, breaking weak passwords) or abuse business logic. Another big web-level threat is phishing, tricking users via fraudulent websites or emails, which often serves as the entry point for further attacks, like installing malware.

3. Host-Level Threats

Host-level threats are those aimed at individual systems: your servers, workstations, or endpoints. If network threats are like burglars trying the doors and windows, host-level threats are when they’re trying to mess with the valuables inside the house. These include the classic malware categories: viruses, worms, and Trojan horses (all malicious software with various propagation methods). Other host threats involve privilege escalation (exploiting a flaw to gain admin control on a machine), credential theft (keyloggers or dumping password hashes), and unauthorized access by abusing weak passwords or unpatched vulnerabilities. Host threats often manifest as Indicators of Compromise (IoCs) on the machine: strange processes, new startup registry keys, suspicious outbound connections, files suddenly encrypted (hello, ransomware!), etc.

Indicators of Compromise (IoCs) vs. Indicators of Attack (IoAs) vs. Precursors

These terms are the bread and butter of threat detection, and while they sound similar, there are subtle differences:

  • Indicators of Compromise (IoCs): These are the forensic clues that a breach has already happened. Think of IoCs as the breadcrumbs attackers leave behind. For example, a suspicious file hash matching known malware, an unusual outbound IP address your server connected to, or admin logins at odd hours from an unfamiliar location, all can be IoCs signaling “we’ve been compromised”. IoCs are usually identified after or during an incident, and they help you investigate and understand the scope of an attack. They are essentially evidence.
  • Indicators of Attack (IoAs): These are the signs that an attack is in progress or about to happen. IoAs are often mapped to attacker behaviors using frameworks like MITRE ATT&CK. For example, a user account suddenly trying to access lots of files it never touched before, or system processes spawning in a sequence that resembles known malicious activity – those could be IoAs. The key distinction is timing: IoAs are real-time clues of an ongoing attack, whereas IoCs are often historical clues after the fact. A way to remember it: IoAs = active attack signals, IoCs = compromise aftermath evidence.
  • Precursors: Precursors are like the storm clouds on the horizon, signs that an incident may occur in the near future. NIST defines a precursor in just those terms: a sign that an incident may occur in the future. In other words, a precursor is an observed event that strongly suggests an attacker is prepping for a hit. Examples: an uptick in scans/probes against your network (could mean someone is reconning your systems), threat intel of a new exploit being discussed in forums (indicating attacks might soon follow), or your SOC receiving a specific threat alert from law enforcement about your industry. Not every attack has clear precursors, but when you do see one, it is an opportunity to fortify defenses before the storm strikes.
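To make the IoC/IoA distinction concrete, here is an added example (not code from the InfosecTrain module) that runs one pass over a handful of constructed log lines: IoC matching is an exact lookup of a hash or destination IP against a threat-intel feed, while the IoA rule needs no feed value at all and instead flags the behaviour of one account reading an unusual number of distinct files inside a short window. The feed values, log format and the threshold of five files per sixty seconds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed threat-intel feed (hypothetical values): the sha256 is simply
# sha256("test"), the IP is from the RFC 5737 documentation range.
IOC_FEED = {
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    "ip": {"203.0.113.45"},
}

# Constructed log lines in the shape: timestamp|event|field=value|...
SAMPLE_LOGS = """\
2026-04-03T09:00:01|process_start|user=alice|sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08|path=/home/alice/update
2026-04-03T09:00:05|net_connect|user=alice|dst_ip=203.0.113.45|dst_port=443
2026-04-03T09:01:00|file_read|user=bob|path=/srv/finance/q1.xlsx
2026-04-03T09:01:01|file_read|user=bob|path=/srv/finance/q2.xlsx
2026-04-03T09:01:02|file_read|user=bob|path=/srv/finance/q3.xlsx
2026-04-03T09:01:03|file_read|user=bob|path=/srv/hr/salaries.xlsx
2026-04-03T09:01:04|file_read|user=bob|path=/srv/hr/reviews.docx
2026-04-03T09:01:05|file_read|user=bob|path=/srv/legal/contract.pdf
2026-04-03T09:30:00|file_read|user=carol|path=/srv/finance/q1.xlsx
2026-04-03T10:15:00|file_read|user=carol|path=/srv/finance/q2.xlsx
2026-04-03T10:16:00|net_connect|user=carol|dst_ip=198.51.100.7|dst_port=443
"""


def parse_line(line):
    """Turn one pipe-delimited log line into a dict of its fields."""
    ts, event, *fields = line.split("|")
    record = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def match_iocs(records, feed):
    """IoC matching: exact hits on values the feed already knows are bad."""
    hits = []
    for r in records:
        if r.get("sha256") in feed["sha256"]:
            hits.append((r["ts"].isoformat(), "sha256", r["sha256"], r["user"]))
        if r.get("dst_ip") in feed["ip"]:
            hits.append((r["ts"].isoformat(), "ip", r["dst_ip"], r["user"]))
    return hits


def detect_mass_file_access(records, threshold=5, window=timedelta(seconds=60)):
    """IoA rule: flag a user who reads >= threshold distinct files inside one
    sliding window. The behaviour itself is the signal; no feed value is needed."""
    per_user = defaultdict(list)
    for r in records:
        if r["event"] == "file_read":
            per_user[r["user"]].append((r["ts"], r["path"]))
    alerts = {}
    for user, reads in per_user.items():
        reads.sort()
        recent = deque()
        for ts, path in reads:
            recent.append((ts, path))
            while ts - recent[0][0] > window:  # drop reads older than the window
                recent.popleft()
            distinct = len({p for _, p in recent})
            if distinct >= threshold:
                alerts[user] = max(alerts.get(user, 0), distinct)
    return alerts


def analyze(log_text, feed=IOC_FEED):
    """Run both detections over raw log text and return their findings."""
    records = [parse_line(line) for line in log_text.strip().splitlines()]
    return {"iocs": match_iocs(records, feed), "ioas": detect_mass_file_access(records)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for hit in result["iocs"]:
        print("IoC hit:", hit)
    for user, count in result["ioas"].items():
        print(f"IoA: {user} read {count} distinct files inside one window")
```

Run against the sample, alice produces two IoC hits (a known-bad hash and a known-bad destination IP) while bob produces the only IoA alert; carol reads the same finance files as bob but spread over an hour, so the behavioural rule stays quiet. In a SIEM the feed lookup would be a lookup table and the IoA rule a scheduled correlation search, but the split is the same: IoCs are evidence you already have a name for, IoAs are patterns you detect before any name exists.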

Traffic Light Protocol (TLP)

Sharing threat intelligence is a team sport, often involving multiple organizations or partners. But not all information is meant for everyone. That’s where the Traffic Light Protocol (TLP) comes in, a simple, color-coded system that sets ground rules for how intel can be disseminated. The protocol uses four colors (think of a stoplight plus one) to label sensitive info: TLP:RED, TLP:AMBER, TLP:GREEN, and TLP:CLEAR (formerly WHITE). Here’s what each means in plain language:

  • TLP:RED – For your eyes only. This is the most sensitive level. Intel marked Red is highly restricted; it is usually shared in a closed meeting or one-to-one, and recipients cannot further share it. It might be something like detailed exploit code or a victim’s identity that could cause serious harm if leaked. As FIRST puts it, Red is “for the eyes and ears of individual recipients only – no further disclosure”.
  • TLP:AMBER – Limited disclosure. Amber means “share on a need-to-know basis within your organization (and possibly with clients who need to know).” It is sensitive info that should not go wide, but you can circulate it among your team or department if necessary to mitigate threats. There’s even an Amber+Strict variant to restrict sharing to just within your org. Example: an ISP might share an Amber alert with its abuse team about a malware campaign affecting customers, but it should not be posted publicly.
  • TLP:GREEN – Community-wide. Green-labeled intel can be shared more freely within the broader community or industry, but not published publicly. The idea is to spread awareness to peers and trusted networks, just not to the whole internet. For example, indicators of a phishing campaign might be shared as TLP:GREEN at a security conference; attendees can take them back to their companies and partners, but should not post them on a public website. Green is about helping as many as possible who have a legitimate interest, while still keeping it somewhat controlled.
  • TLP:CLEAR – Open season (introduced in TLP 2.0 by FIRST, replacing TLP:WHITE). TLP:CLEAR means the information is fully open and can be shared with anyone, even posted on social media or a blog. It carries minimal or no risk if spread. For example, after an investigation is complete, a CERT might release a report with Clear indicators so that the public and other defenders can benefit. TLP:CLEAR basically says “this intel can go out to the world”.
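The four labels above become a sharing decision the moment an analyst wants to push indicators to a partner, a client list or a public feed. The following is an added example (not code from the InfosecTrain module or from FIRST) that normalises TLP 2.0 markings, including the legacy TLP:WHITE spelling and the AMBER+STRICT variant, and filters a set of constructed indicator records down to the ones a given audience may receive. The ordering of audiences and the choice to treat an unmarked record as TLP:RED are this example's own assumptions, made so that the check fails closed.

```python
# Audiences ordered from narrowest to widest (assumed ordering for this example).
# A marking permits sharing with every audience at or below its own widest audience.
AUDIENCES = ("recipient", "organization", "clients", "community", "public")

# Widest audience each TLP 2.0 label allows, following FIRST's definitions.
TLP_MAX_AUDIENCE = {
    "TLP:RED": "recipient",           # individual recipients only
    "TLP:AMBER+STRICT": "organization",  # your organisation only
    "TLP:AMBER": "clients",           # your organisation and its clients
    "TLP:GREEN": "community",         # peers and partner organisations
    "TLP:CLEAR": "public",            # anyone
}

# Constructed indicator records; values are documentation/reserved names, not real IoCs.
SAMPLE_INDICATORS = [
    {"id": "ind-1", "type": "ipv4", "value": "203.0.113.45", "tlp": "TLP:RED"},
    {"id": "ind-2", "type": "domain", "value": "login-portal.invalid", "tlp": "tlp:amber+strict"},
    {"id": "ind-3", "type": "sha256", "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", "tlp": "TLP:WHITE"},
    {"id": "ind-4", "type": "url", "value": "http://phish.example/login", "tlp": "TLP:GREEN"},
    {"id": "ind-5", "type": "email", "value": "billing@example.net"},  # no marking at all
]


def normalize_marking(marking):
    """Canonicalise a TLP string; map the retired TLP:WHITE to TLP:CLEAR.
    An unknown marking is an error rather than a silent downgrade."""
    m = marking.strip().upper().replace(" ", "")
    if m == "TLP:WHITE":  # TLP 1.0 label, replaced by CLEAR in TLP 2.0
        m = "TLP:CLEAR"
    if m not in TLP_MAX_AUDIENCE:
        raise ValueError(f"unknown TLP marking: {marking!r}")
    return m


def may_share(marking, audience):
    """True if information under `marking` may be passed to `audience`."""
    if audience not in AUDIENCES:
        raise ValueError(f"unknown audience: {audience!r}")
    widest = TLP_MAX_AUDIENCE[normalize_marking(marking)]
    return AUDIENCES.index(audience) <= AUDIENCES.index(widest)


def filter_for_audience(indicators, audience):
    """Return only the records that may be shared with `audience`.
    A record with no marking is treated as TLP:RED (assumption: fail closed)."""
    return [ind for ind in indicators if may_share(ind.get("tlp", "TLP:RED"), audience)]


if __name__ == "__main__":
    for audience in AUDIENCES:
        ids = [ind["id"] for ind in filter_for_audience(SAMPLE_INDICATORS, audience)]
        print(f"{audience:12s} -> {ids}")
```

The two details worth copying into any real sharing pipeline are the normalisation step (markings arrive in mixed case and with the old WHITE label) and the fail-closed defaults: an unknown marking raises, and a missing marking is handled as the most restrictive colour rather than the most permissive one.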

SOC Analyst Hands-on Training with InfosecTrain

Threat intelligence gives you the strategic edge in cybersecurity; it is like reading the attacker’s playbook before they even move. With the right intel, you can patch vulnerabilities early, spot phishing attempts faster, and shut down backdoors before they become breaches. As you advance through this module, remember: knowledge is power, and sharpening your threat intel skills keeps you one step ahead, right where every SOC Analyst needs to be.

Join InfosecTrain’s SOC Analyst Online Training Course and master the tools, labs, and techniques that top SOC teams rely on.

Learn it. Practice it. Defend with confidence.

TRAINING CALENDAR of Upcoming Batches For SOC Analyst Training Course

Start Date  | End Date    | Start - End Time  | Batch Type | Training Mode | Batch Status
02-May-2026 | 14-Jun-2026 | 09:00 - 13:00 IST | Weekend    | Online        | Open
11-Jul-2026 | 05-Sep-2026 | 19:00 - 23:00 IST | Weekend    | Online        | Open
05-Sep-2026 | 25-Oct-2026 | 09:00 - 13:00 IST | Weekend    | Online        | Open