1.4 Compare and contrast threat-intelligence and threat-hunting concepts.
📘CompTIA CySA+ (CS0-003)
When working with threat intelligence, security analysts must evaluate how trustworthy and useful the information is.
Not all threat intelligence is equal. Some reports are very reliable, some are outdated, and some may not apply to your organization at all.
To measure the quality of threat intelligence, analysts evaluate:
- Timeliness
- Relevancy
- Accuracy
These factors help determine the confidence level of the intelligence.
What is a Confidence Level?
A confidence level is the degree of trust you have in threat intelligence.
It tells you:
- How reliable the information is
- Whether you should act on it immediately
- Whether further investigation is needed
Confidence levels are often described as:
- High confidence
- Medium confidence
- Low confidence
For the CySA+ exam, you must understand how timeliness, relevancy, and accuracy directly affect confidence.
2. Timeliness
What is Timeliness?
Timeliness refers to how current or up-to-date the threat intelligence is.
Cyber threats change very quickly. An indicator of compromise (IOC) from last year may no longer be useful today.
Why Timeliness Matters
Attackers:
- Change IP addresses
- Modify malware signatures
- Update command-and-control (C2) servers
- Create new phishing domains
If intelligence is outdated, it may:
- Miss active attacks
- Trigger false positives
- Waste analyst time
IT Environment Example
A threat feed reports a malicious IP address used in ransomware attacks.
- If the IP is still active → High value
- If the IP was shut down 6 months ago → Low value
An outdated IOC reduces the confidence level.
Timeliness and Threat Hunting
In threat hunting:
- Analysts search for active threats inside the environment
- Recent intelligence is much more valuable
If intelligence is old, it may not help hunters find current threats.
Exam Tip
If intelligence is:
- Old
- Not updated
- From a past campaign
→ It has lower confidence due to poor timeliness
3. Relevancy
What is Relevancy?
Relevancy means how applicable the intelligence is to your organization.
Just because a threat is real does not mean it affects your organization.
Why Relevancy Matters
Every organization is different:
- Different operating systems
- Different cloud providers
- Different industries
- Different security controls
Threat intelligence must match your environment to be useful.
IT Environment Example
Scenario 1:
Threat intelligence warns about malware targeting Linux web servers running Apache.
If your company:
- Runs Linux
- Uses Apache
→ This intelligence is highly relevant
Scenario 2:
If your company:
- Uses only Windows servers
- Does not use Apache
→ The intelligence has low relevancy
Relevancy and Threat Hunting
Threat hunters create hypotheses like:
- “Is this malware present in our cloud environment?”
- “Are we vulnerable to this specific exploit?”
If intelligence does not apply to your infrastructure, hunting for it wastes time.
Industry Relevance
Some attacks target specific industries:
- Healthcare
- Financial services
- Government
- Education
If you work in finance and receive intelligence about attacks targeting hospitals, it may have lower relevance.
Exam Tip
High relevancy increases confidence.
Low relevancy lowers confidence — even if the intelligence is accurate.
4. Accuracy
What is Accuracy?
Accuracy refers to whether the intelligence is correct and free from errors.
Inaccurate intelligence can cause:
- False positives
- Alert fatigue
- Blocking legitimate traffic
- Disruption of services
Why Accuracy Matters
Threat intelligence may contain:
- Incorrect IP addresses
- Wrong file hashes
- False attributions
- Misidentified malware
If analysts act on incorrect data, they may:
- Block legitimate business services
- Investigate non-existent threats
- Miss the real attack
IT Environment Example
A threat feed flags a file hash as malicious.
You scan your systems and find the same hash on many servers.
If it is later discovered that the hash was incorrectly classified, you may have wasted hours investigating safe systems.
Source Reliability and Accuracy
Accuracy depends on:
- The reputation of the intelligence provider
- Whether the information was verified
- Whether multiple sources confirm it
When multiple trusted sources report the same threat, confidence increases.
Accuracy in Threat Hunting
If hunters search for incorrect indicators:
- They will not find real threats
- They may ignore actual suspicious behavior
Accurate intelligence improves hunting effectiveness.
Exam Tip
If intelligence:
- Comes from a trusted vendor
- Is confirmed by multiple sources
- Has technical evidence
→ It has higher accuracy and higher confidence.
5. How Timeliness, Relevancy, and Accuracy Work Together
These three factors combine to determine the overall confidence level.
| Factor | Question to Ask | Impact on Confidence |
|---|---|---|
| Timeliness | Is it recent? | Old data lowers confidence |
| Relevancy | Does it apply to us? | Irrelevant data lowers confidence |
| Accuracy | Is it correct and verified? | Incorrect data lowers confidence |
High-Confidence Intelligence
- Recently updated
- Applies to your environment
- Verified and accurate
→ Analysts can act quickly and confidently.
Medium-Confidence Intelligence
- Somewhat recent
- Partially relevant
- Limited verification
→ Requires further validation before major action.
Low-Confidence Intelligence
- Old data
- Not relevant to infrastructure
- Unverified or questionable source
→ Should not be trusted without investigation.
6. How This Applies to Threat Intelligence vs Threat Hunting
For CySA+, you must understand how this applies to both concepts.
In Threat Intelligence
Threat intelligence focuses on:
- Collecting
- Analyzing
- Sharing
- Evaluating threat data
Confidence levels help determine:
- Whether to create detection rules
- Whether to block IP addresses
- Whether to update firewalls
- Whether to alert leadership
In Threat Hunting
Threat hunting focuses on:
- Proactively searching for hidden threats
Hunters rely on intelligence to:
- Form hypotheses
- Identify suspicious patterns
- Create search queries in the SIEM
If intelligence has low confidence:
- Hunting may be ineffective
- Time may be wasted
High-confidence intelligence improves hunting success.
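The following Python script is an added example, not part of the CySA+ material above and not code from CompTIA or any vendor. It turns the three-factor table from section 5 into a small IOC triage function and then uses the resulting confidence level to gate a threat hunt over log lines, as section 6 describes. The thresholds (30 and 90 days for timeliness, "verified plus two sources" for accuracy), the weakest-link rule for combining factors, the environment set, the feed entries and the log lines are all assumptions constructed for the demo; the IP addresses come from the RFC 5737 documentation ranges.

```python
import re
from dataclasses import dataclass
from datetime import date

LEVELS = {0: "Low", 1: "Medium", 2: "High"}
RANK = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Indicator:
    value: str          # the IOC itself (IP address, domain, hash)
    last_seen: date     # when the feed last observed the indicator in use
    targets: frozenset  # technologies the associated threat is known to hit
    sources: int        # independent sources reporting the same indicator
    verified: bool      # the provider states the indicator was validated


def timeliness_score(ioc, today):
    """2 = seen within 30 days, 1 = within 90 days, 0 = older (stale IOC)."""
    age_days = (today - ioc.last_seen).days
    if age_days <= 30:
        return 2
    if age_days <= 90:
        return 1
    return 0


def relevancy_score(ioc, environment):
    """2 = every targeted technology exists in our environment, 1 = partial overlap, 0 = none."""
    if not (ioc.targets & environment):
        return 0
    return 2 if ioc.targets <= environment else 1


def accuracy_score(ioc):
    """2 = verified and corroborated by 2+ sources, 1 = only one of the two, 0 = neither."""
    return int(ioc.verified) + int(ioc.sources >= 2)


def confidence(ioc, environment, today):
    """Weakest-link rule (assumption): the lowest factor score sets the overall level."""
    weakest = min(timeliness_score(ioc, today),
                  relevancy_score(ioc, environment),
                  accuracy_score(ioc))
    return LEVELS[weakest]


def hunt(indicators, logs, environment, today, min_level="High"):
    """Search log lines only for indicators at or above min_level; return (ioc, line) hits."""
    hits = []
    for ioc in indicators:
        if RANK[confidence(ioc, environment, today)] < RANK[min_level]:
            continue  # low-confidence IOCs are not hunted without further validation
        # Match the whole token so that 10.0.0.2 does not match inside 10.0.0.23.
        pattern = re.compile(r"(?<![\w.-])" + re.escape(ioc.value) + r"(?![\w.-])")
        hits.extend((ioc.value, line) for line in logs if pattern.search(line))
    return hits


# Constructed demo data: a fixed "today" keeps the scores deterministic.
TODAY = date(2024, 6, 1)
OUR_ENVIRONMENT = frozenset({"linux", "apache", "aws"})

FEED = [
    # recent, matches our stack, verified by three sources -> High
    Indicator("203.0.113.45", date(2024, 5, 28), frozenset({"linux", "apache"}), 3, True),
    # six weeks old, only partly relevant (we run no Windows), well verified -> Medium
    Indicator("evil-login.example", date(2024, 4, 20), frozenset({"linux", "windows"}), 2, True),
    # seven months old, single unverified source -> Low
    Indicator("198.51.100.7", date(2023, 11, 1), frozenset({"linux"}), 1, False),
]

LOGS = [  # constructed log lines; all addresses are documentation ranges
    "2024-06-01T10:02:11Z web01 sshd: Accepted password for deploy from 203.0.113.45 port 51234",
    "2024-06-01T10:05:47Z web02 apache: GET /index.html 200 from 192.0.2.10",
    "2024-06-01T10:07:02Z dns01 resolver: query evil-login.example from 10.0.0.23",
    "2024-06-01T10:09:30Z web01 apache: GET /admin 403 from 198.51.100.7",
]

if __name__ == "__main__":
    for ioc in FEED:
        print(f"{ioc.value:<22} {confidence(ioc, OUR_ENVIRONMENT, TODAY)}")
    for value, line in hunt(FEED, LOGS, OUR_ENVIRONMENT, TODAY, min_level="Medium"):
        print("HIT", value, "->", line)
```

With the default threshold only the High-confidence IP is searched for, so the stale 198.51.100.7 entry is left for validation even though it does appear in the logs; lowering `min_level` to "Medium" adds the partially relevant domain. The `min` rule is one way to express the page's point that a weak timeliness, relevancy or accuracy drags the whole confidence level down; a weighted sum would hide that.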
7. Common CySA+ Exam Scenarios
You may see questions like:
- Which intelligence should the analyst prioritize?
- Which feed provides the highest confidence?
- Why should intelligence be validated before action?
- Why is a certain IOC not useful?
The correct answer often relates to:
- Timeliness (new vs old)
- Relevancy (applies to environment or not)
- Accuracy (verified vs unverified source)
8. Quick Exam Summary
To pass this section, remember:
1. Timeliness
- Intelligence must be current
- Old IOCs reduce value
2. Relevancy
- Must match your systems, industry, or technology
- Irrelevant threats waste resources
3. Accuracy
- Must be correct and verified
- Incorrect intelligence causes false positives
Final Key Point for the Exam
High-confidence threat intelligence is:
- Recent
- Relevant to your environment
- Accurate and verified
If any of these are weak, the confidence level drops.
Understanding this helps analysts:
- Make better security decisions
- Improve threat hunting effectiveness
- Reduce false positives
- Focus on real risks
