1.4 Compare and contrast threat-intelligence and threat-hunting concepts.
📘CompTIA CySA+ (CS0-003)
1. Introduction to Threat Intelligence Collection
Before security teams can detect or hunt threats, they must first collect information. This process is called threat intelligence collection.
Threat intelligence collection means:
Gathering information about threats, attackers, vulnerabilities, and attack techniques from different sources so an organization can defend itself.
For the CySA+ exam, you must understand:
- The difference between open-source and closed-source intelligence
- The types of sources in each category
- How they are used in an IT environment
- Their advantages and limitations
2. Open-Source Intelligence (OSINT)
What is Open-Source Intelligence?
Open-source intelligence (OSINT) is:
Information that is publicly available and can be accessed without special permission or payment.
Anyone can access this information. Security teams use OSINT to identify new threats, malware campaigns, and vulnerabilities.
Open-Source Collection Methods and Sources
1. Social Media
Security teams monitor platforms such as:
- Security researchers posting threat findings
- Attackers leaking stolen data
- Discussions about new vulnerabilities
How it is used in IT:
- A security analyst monitors social media for posts about a new ransomware campaign.
- If indicators of compromise (IOCs) are shared (such as malicious IP addresses or file hashes), the analyst adds them to the company’s firewall or SIEM.
Exam Tip:
Social media can provide early warning, but the information must be validated because it may not always be accurate.
2. Blogs and Forums
Security researchers and ethical hackers often publish:
- Malware analysis reports
- Exploit techniques
- Vulnerability research
Attackers also communicate in underground forums.
How it is used in IT:
- Analysts read a blog describing a new phishing technique.
- They update email filtering rules.
- They adjust detection rules in the SIEM.
Risk:
Information may be incomplete or unverified.
3. Government Bulletins
Governments publish cybersecurity alerts and advisories.
Examples include:
- Cybersecurity and Infrastructure Security Agency (CISA)
- National Institute of Standards and Technology (NIST)
These bulletins include:
- Vulnerability alerts
- Patch guidance
- Active threat campaigns
- Mitigation recommendations
How it is used in IT:
- A government alert warns about a critical vulnerability in web servers.
- The IT team checks whether their systems are affected.
- They apply patches and monitor logs.
Exam Tip:
Government sources are usually highly reliable and validated.
4. Computer Emergency Response Team (CERT)
A CERT is a team that responds to cybersecurity incidents.
Example:
- CERT Coordination Center
CERT organizations:
- Publish security advisories
- Provide vulnerability alerts
- Share mitigation strategies
How it is used in IT:
- Analysts subscribe to CERT alerts.
- If a new exploit is announced, detection rules are updated immediately.
5. Cybersecurity Incident Response Team (CSIRT)
A CSIRT is similar to a CERT but may exist within:
- A country
- A government
- A large enterprise
CSIRTs:
- Share threat intelligence
- Provide incident response support
- Coordinate responses between organizations
How it is used in IT:
- A company receives a CSIRT alert about targeted attacks against its industry.
- The SOC increases monitoring on related attack techniques.
6. Deep Web and Dark Web
Deep web:
- Not indexed by search engines
- Includes private databases and internal systems
Dark web:
- Hidden networks
- Often used for illegal activity
Security teams monitor:
- Stolen credentials
- Data leaks
- Malware marketplaces
How it is used in IT:
- Analysts find leaked company credentials on a dark web forum.
- Password resets are forced.
- MFA enforcement is increased.
Exam Tip:
Dark web monitoring is useful for detecting data breaches and insider leaks.
3. Closed-Source Intelligence
What is Closed-Source Intelligence?
Closed-source intelligence includes:
Information that requires payment, membership, or special access.
It is often more structured, curated, and validated.
Closed-Source Collection Methods and Sources
1. Paid Feeds
These are commercial threat intelligence services.
They provide:
- Real-time IOCs
- Malware signatures
- Reputation scores
- Threat actor profiles
Examples of providers include:
- CrowdStrike
- Recorded Future
How it is used in IT:
- The SIEM automatically imports threat feed data.
- Firewalls block malicious IP addresses.
- EDR tools detect known malware hashes.
Exam Tip:
Paid feeds provide automated, machine-readable intelligence.
2. Information Sharing Organizations
Organizations share intelligence within trusted communities.
Examples include:
- Information Sharing and Analysis Center (ISAC)
- Information Sharing and Analysis Organization (ISAO)
ISACs are usually industry-specific (finance, healthcare, energy, etc.).
They share:
- Threat trends
- Targeted attack data
- Sector-specific risks
How it is used in IT:
- A financial institution receives alerts from its ISAC.
- It adjusts fraud detection rules.
- It strengthens authentication controls.
Exam Tip:
ISACs improve collaboration and collective defense.
3. Internal Sources
Internal intelligence is often the most valuable.
It includes:
- SIEM logs
- Firewall logs
- IDS/IPS alerts
- EDR alerts
- Incident response reports
- Vulnerability scan results
Why Internal Intelligence is Important
It shows:
- What attacks are actually targeting your environment
- What vulnerabilities exist internally
- Which systems are most at risk
How it is used in IT:
- Analysts review authentication logs and detect repeated failed login attempts.
- They identify brute-force activity.
- They block the attacking IP.
Exam Tip:
Internal sources are highly relevant because they are environment-specific.
4. Open Source vs Closed Source (Exam Comparison)
| Feature | Open Source | Closed Source |
|---|---|---|
| Cost | Free | Paid or membership-based |
| Access | Public | Restricted |
| Validation | May require verification | Usually curated and validated |
| Speed | Often early reporting | Structured delivery |
| Automation | Sometimes manual | Often machine-readable |
| Reliability | Varies | Generally higher |
5. How Collection Supports Threat Hunting
Threat hunting is:
Proactively searching for threats inside the environment.
Collected intelligence supports hunting by providing:
- Indicators of compromise (IOCs)
- Tactics, techniques, and procedures (TTPs)
- Threat actor behavior patterns
Example in an IT environment:
- A paid feed reports a new malicious domain.
- The analyst searches DNS logs for connections to that domain.
- If found, they investigate endpoints.
This is intelligence-driven threat hunting.
6. Key Exam Concepts to Remember
For the CySA+ CS0-003 exam, remember:
1. Open Source (OSINT)
- Social media
- Blogs/forums
- Government bulletins
- CERT
- CSIRT
- Deep/dark web
2. Closed Source
- Paid feeds
- Information sharing organizations (ISAC/ISAO)
- Internal sources
3. Important Differences
- Open = public
- Closed = restricted
- Internal data = environment-specific
- Paid feeds = automated and structured
4. Validation is Critical
Not all intelligence is accurate. Analysts must:
- Verify sources
- Correlate multiple sources
- Avoid false positives
7. Final Summary
Threat intelligence collection is the foundation of cybersecurity analysis.
Security teams collect data from:
- Public sources (open-source intelligence)
- Private and commercial sources (closed-source intelligence)
- Their own internal systems
They then:
- Validate the information
- Add IOCs to security tools
- Update detection rules
- Support threat hunting activities
Understanding the sources, differences, advantages, and usage of each collection method is essential to pass the CySA+ CS0-003 exam.
