Intermediate

IT Security Champion: Cyber Threat Intel and Emerging Threats

Security is everyone's job — not solely the responsibility of the security department. Adopting a security culture and a security mindset is the foundation of being an effective IT securi...

Table of Contents

Module 1: Cyber Threat Intelligence Fundamentals, Frameworks, and Emerging Threats

This module introduces cyber threat intelligence (CTI) from the perspective of an IT administrator who is stepping into the role of an “IT security champion” — someone who is not a full-time security analyst, but who nonetheless has direct influence over the systems, logs, and controls that make threat intelligence actionable. It covers what threat intelligence is, why it matters to the business, the different levels at which intelligence operates, how that intelligence is gathered, how incident response phases work, the structure of the cyber kill chain, the MITRE ATT&CK framework and its supporting standards (TAXII and STIX), a hands-on look at the MITRE ATT&CK Navigator tool, and a set of good cyber hygiene practices that reinforce everything else in the module.

Defining Threat Intelligence

Threat intelligence, or “threat intel,” is a collection of data that provides insight into threats and helps an organization defend, detect, and respond to attacks. It is not raw data by itself — it is data that has been processed and given context so that it becomes usable.

Threat intelligence is created and gathered as follows:

  1. Information is collected from a wide variety of sources.
  2. The raw data is correlated and analyzed to uncover trends, patterns, and relationships tied to actual or potential threats.
  3. The result is turned into actionable, organization-specific intelligence.

The benefit of this process is that it allows an organization to:

  • Be proactive rather than purely reactive.
  • Prioritize resources so that limited security budget and staff time are spent on the threats that matter most.
  • Reduce detection costs by focusing effort where it is needed.
  • Limit the impact of successful breaches.

In short, good threat intelligence keeps the company operating and keeps attackers — and unauthorized eyes — out of the organization’s data.

flowchart LR
    A[Raw data from many sources] --> B[Correlation and Analysis]
    B --> C[Identify trends, patterns, relationships]
    C --> D[Actionable, organization-specific intelligence]
    D --> E[Defend]
    D --> F[Detect]
    D --> G[Respond]

The Business Importance of Cyber Threat Intelligence

Threat intelligence is not just a technical exercise — it directly supports core business objectives. The main reasons cyber threat intelligence matters at the organizational level are:

Business ObjectiveWhy Threat Intelligence Helps
Protect against disruption to the businessReduces downtime and outages caused by successful attacks, keeping revenue-generating operations running
Retain customer and shareholder confidenceDemonstrates due diligence and reduces the likelihood of breaches that damage trust and reputation
Increase profitability and partner valueAvoids the direct and indirect costs of incidents, and strengthens the organization’s standing with business partners

Although these may sound like intangible, “big picture” goals, an IT administrator working alongside the security team has a direct and measurable impact on each of them — every patched system, hardened configuration, and monitored log contributes to these outcomes.

The Three Main Types of Cyber Intelligence: Strategic, Operational, and Tactical

Cyber threat intelligence is generally divided into three levels. Understanding where an IT administrator typically fits into this equation is important, because each level feeds into the next.

flowchart BT
    T[Tactical Intelligence] -->|Feeds into| O[Operational Intelligence]
    O -->|Feeds into| S[Strategic Intelligence]
    S -.->|Informs priorities and funding| O
    O -.->|Informs day-to-day focus| T
LevelFocusTime HorizonTypical OwnerDescription
TacticalImmediate and specific threats or incidentsReal time / day-to-dayIT administrators, IT security, security operationsReal-time monitoring, analysis, and response to cyber threats; the day-to-day detection and mitigation of threats
OperationalTrends and patterns over a period of timeMedium termSecurity teams (with occasional IT admin involvement)Deeper analysis of cyber threats and risks to understand adversary tactics, techniques, and procedures (TTPs), as well as identifying vulnerabilities and weaknesses in the organization’s defenses
StrategicLong-term planning and decision makingLong termExecutive management / C-suiteForecasting future threats and trends, understanding the broader cyber threat landscape, and providing insight to support strategic decisions and funding

As an IT administrator, you primarily operate in the tactical space — you may work closely with IT security or other security operations staff, or you may only be pulled into that space when a specific threat or breach occurs. Tactical intelligence feeds operational intelligence, which in turn feeds strategic intelligence, and — importantly — these relationships flow in both directions: strategic priorities and funding decisions shape what operational and tactical teams focus on day to day.

Intelligence Gathering Methods: OSINT, TECHINT, and HUMINT

There are three primary intelligence gathering methods that every IT security champion should be familiar with.

mindmap
  root((Intelligence Gathering Methods))
    OSINT
      Publicly available sources
      Internet, news, blogs
      Social media
      Official reports and publications
      Television and radio broadcasts
    TECHINT
      SIGINT
        Intercepting electronic communications
      GEOINT
        Mapping and analyzing geographical information
    HUMINT
      Espionage / spying
      Confidential informants
      Diplomatic contacts
      Other human sources
MethodFull NameDescriptionExample Sources
OSINTOpen-Source IntelligenceIntelligence collected from publicly available sourcesInternet sites, newspapers, blogs, social media, official reports/publications, television and radio broadcasts
TECHINTTechnical IntelligenceIntelligence gathered through the collection and analysis of technical dataIncludes SIGINT (signals intelligence — intercepting communications through electronic means) and GEOINT (geospatial intelligence — mapping and analyzing geographical information)
HUMINTHuman IntelligenceIntelligence gathered through interpersonal contactEspionage/spying, confidential informants, diplomatic contacts, and other human sources

Each of these methods has its own strengths and weaknesses, and no single method is sufficient on its own. They work collectively to build a complete cyber intelligence, or threat intelligence, picture.

Why Threat Intelligence Matters to IT Administrators

For an IT administrator, the practical question is: “What’s in it for me?” The answer starts with a mindset shift: security is everyone’s job, not solely the responsibility of the IT security department. Adopting that mindset as a security champion brings several concrete benefits:

  • Enhanced situational awareness — developing a security mindset means always watching for things that look unusual rather than assuming everything is normal, and speaking up (“if you see something, say something”) when something looks wrong.
  • Proactive defense — including faster detection and response, which alone can significantly reduce the impact of a breach or cyber incident.
  • Better-informed decision making — for example, in vendor and tool selection.

Ultimately, engaging with threat intelligence makes you a better IT administrator, makes systems more secure, and benefits the organization as a whole — because the end goal is always to secure the company’s assets and minimize disruption to the business.

The Phases of Incident Response

The phases of incident response are similar (but not identical) to the phases an organization would go through during an infrastructure failure or an application outage. This is a continuous lifecycle that is refined over time: lessons learned help identify gaps, increase preparedness, and bring additional resources into the response team’s arsenal.

flowchart LR
    A[Preparation] --> B[Detection and Analysis]
    B --> C[Containment]
    C --> D[Eradication]
    D --> E[Recovery]
    E --> F[Documentation / Lessons Learned]
    F -.->|Refines and strengthens| A
PhaseDescriptionTypical IT Admin Involvement
PreparationEstablishing the tools, processes, and readiness needed before an incident occursMaintaining hardened systems, backups, and monitoring tools ahead of time
Detection and AnalysisIdentifying that an incident has occurred and analyzing its scopeProviding event and log data from IDS, firewalls, routers, switches, directory servers, and other networked systems under the admin’s control
ContainmentIsolating affected systems to prevent further damage or unauthorized access (“stop the spread”)Isolating hosts, disabling accounts, segmenting networks
EradicationEliminating the root cause of the incident so it cannot recur — closing gaps, patching, and upgradingApplying patches/upgrades to remove the specific vulnerability that was exploited
RecoveryRestoring affected systems to normal operation while ensuring they are secureRebuilding and validating systems, working alongside security and data protection specialists
Documentation / Lessons LearnedCapturing what happened and what was learned to improve future readinessFeeding gaps and improvement ideas back into the preparation phase

As an IT administrator, you will play a role in some or all of these phases, typically working closely with IT security to make sure each phase is properly covered.

The Cyber Kill Chain

The Cyber Kill Chain describes the sequence of steps an attacker (whether deploying malware or acting as a hands-on hacker) typically follows to compromise a target, exfiltrate data, or plant malware. The key defensive insight is that, like any chain, if you can interrupt and break just one link, you break the entire chain and stop the attack from succeeding.

flowchart TD
    A[Reconnaissance] --> B[Weaponization]
    B --> C[Delivery]
    C --> D[Exploitation]
    D --> E[Command and Control - C2]
    E --> F[Actions on Objectives]

    style A fill:#ffe0e0
    style B fill:#ffe0e0
    style C fill:#ffe0e0
    style D fill:#ffe0e0
    style E fill:#ffe0e0
    style F fill:#ff8080
StageAttacker ActivityExample
ReconnaissanceProbing for weaknesses, harvesting credentials or other informationGathering details later used in a phishing attack
WeaponizationCreating a deliverable payload using an exploit or a back doorBuilding a malicious document or executable
DeliverySending the payload to the victimA malicious email or a malicious file
ExploitationExecuting code on the remote systemTriggering the exploit and installing malware on the target asset
Command and Control (C2)Establishing a channel or persistence mechanismAllowing the attacker to control the compromised system remotely
Actions on ObjectivesCarrying out the intended goalImplanting ransomware, exfiltrating data, or conducting long-term espionage

Understanding how an attacker executes each of these stages allows defenders to put systems and controls in place that block or break one of the links — disrupting the attacker’s ability to carry out their mission. As an IT administrator, you have direct influence and control over many of the systems (endpoints, network devices, directory services, email security) that can break the chain at multiple stages.

The MITRE ATT&CK Framework, TAXII, and STIX

MITRE is a not-for-profit organization that manages federally funded research and development across multiple government agencies. Most IT administrators are already indirectly familiar with MITRE’s work because MITRE maintains:

  • The CVE (Common Vulnerabilities and Exposures) database.
  • The CWE (Common Weakness Enumeration) database.

MITRE also maintains the MITRE ATT&CK framework (“Adversarial Tactics, Techniques, and Common Knowledge”), which catalogs known adversary tactics and techniques across a large number of categories, giving security teams and IT administrators a common reference for the TTPs a hacker might use to try to exploit a weakness or vulnerability, along with likely attacker goals.

Two standards work alongside the ATT&CK framework to support the sharing of this information:

StandardFull NamePurpose
TAXIITrusted Automated Exchange of Intelligence InformationA transport protocol that allows threat intelligence information to be shared over HTTPS using APIs
STIXStructured Threat Information eXpressionA standardized format for presenting/structuring threat intelligence information

MITRE ATT&CK organizes attacker behavior into a set of top-level tactic categories (the “why” — the adversary’s tactical objective), each of which contains a large number of specific techniques and sub-techniques (the “how” an adversary achieves that objective). The framework groups these techniques across categories such as reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact.

flowchart TB
    subgraph MITRE["MITRE (Non-Profit Research Organization)"]
        CVE[CVE Database]
        CWE[CWE Database]
        ATTACK[MITRE ATT&CK Framework]
    end
    ATTACK --> TACTICS[Tactic Categories\nReconnaissance, Initial Access,\nExecution, Persistence, etc.]
    TACTICS --> TECHNIQUES[Techniques and Sub-techniques\nSpecific TTPs used by threat actors/groups]
    ATTACK --> TAXII[TAXII\nTransport protocol over HTTPS/APIs]
    ATTACK --> STIX[STIX\nStandardized threat intel data format]

The value of this framework for an IT administrator is that it allows you to research a specific threat, threat actor, or threat group, understand how that group operates, and then strengthen your organization’s defenses specifically against the TTPs that group is known to use.

Demo Walkthrough: Exploring the MITRE ATT&CK Navigator

The MITRE ATT&CK Navigator is a free, publicly available web tool that lets you visualize and compare techniques used by specific threat actor groups so that defensive resources can be focused where they matter most. The following steps walk through how the tool was used in the demonstration:

  1. Open the MITRE ATT&CK Navigator in a browser.
  2. Create a new empty layer. Choose a technology domain — in this walkthrough, Enterprise was selected (other domains, such as Mobile or ICS, are also available).
  3. The Navigator displays the full matrix of tactic categories (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, and so on) as columns, with the associated techniques listed underneath each one. Hovering over a technique reveals more detail about that specific tactic or technique.
  4. Search for a known threat group. The Navigator’s search supports looking up techniques, threat groups, software, and mitigations. In the demo, the group APT29 was searched for and selected.
  5. Selecting the group highlights every technique associated with that group across Initial Access, Execution, Persistence, and all other applicable categories.
  6. Adjust scoring to make the highlighted results more legible — a score of 1 was assigned to APT29’s techniques so they stand out visually (typically shown with a distinct color).
  7. Create a second layer for another threat group — in the demo, APT32 was selected and assigned a score of 2.
  8. Combine the two layers. A new layer is created “from other layers,” using an expression such as a + b to combine the contents of the two individual layers (for example, named “MITRE ATT&CK Enterprise 14”).
  9. The combined layer is now color-coded by score:
    • Techniques used by only one group show a score of 1 or 2.
    • Techniques used by both groups combine to a score of 3 and stand out as the highest priority.
  10. This combined view lets defenders focus limited resources on the techniques shared across multiple threat groups — hardening against those specific techniques breaks the kill chain for more than one adversary at once. Color schemes can be reversed or customized (for example, red for “focus here,” green for “lower priority,” or vice versa) depending on organizational preference.
  11. Export the results for further use — as a JSON file, an Excel spreadsheet, or a graphic image suitable for a PowerPoint or other presentation.
sequenceDiagram
    participant Analyst as IT Admin / Analyst
    participant Nav as ATT&CK Navigator
    Analyst->>Nav: Create new layer (Enterprise domain)
    Analyst->>Nav: Search threat group "APT29"
    Nav-->>Analyst: Highlight all APT29 techniques (score = 1)
    Analyst->>Nav: Create second layer, search "APT32"
    Nav-->>Analyst: Highlight all APT32 techniques (score = 2)
    Analyst->>Nav: Create combined layer (expression a + b)
    Nav-->>Analyst: Techniques used by BOTH groups scored 3
    Analyst->>Analyst: Prioritize defenses on highest-scored techniques
    Analyst->>Nav: Export as JSON / Excel / graphic

This same technique-overlay approach scales to any number of threat groups an organization considers relevant to its industry or threat profile, making it a practical, repeatable way to translate raw threat intelligence into a prioritized defensive action list.

Good Cyber Hygiene Practices

Regardless of role — IT administrator, end user, IT security professional, or C-level executive — everyone should practice good cyber hygiene. As an IT security champion, part of the role is watching your environment to make sure others are following these practices as well.

#PracticeDetails
1Use strong, complex passwordsMix of uppercase, lowercase, numbers, and symbols; rotate frequently
2Update software regularlyApply patches and upgrades promptly
3Enable two-factor authentication (2FA) wherever possibleTypically a one-time code via SMS or an authenticator app
4Be cautious of phishing attacksWatch for emails/messages that appear to come from a known contact but contain malicious links
5Use secure connectionsPrefer HTTPS to ensure communications are encrypted
6Regularly back up dataEnables fast recovery from ransomware/encryption events or hardware failures
7Secure your Wi-Fi networkUse strong, unique passwords; change the default SSID; avoid WEP/WPA — use WPA2 or WPA3
8Practice safe social media usageAvoid posting sensitive personal details (full name, address, phone number, financial information); review and adjust privacy settings
9Stay educated about cyber threatsKeep learning, and pass knowledge on to peers and coworkers
10Be skeptical of unknown devices or linksNever plug in an unknown USB drive found lying around — a classic and effective malware/ransomware delivery method
mindmap
  root((Good Cyber Hygiene))
    Strong, rotated passwords
    Regular software updates/patching
    Two-factor authentication
    Phishing awareness
    HTTPS / secure connections
    Regular data backups
    Secured Wi-Fi (WPA2/WPA3)
    Safe social media habits
    Continuous security education
    Skepticism of unknown devices/links

Practicing these ten habits consistently goes a long way toward keeping information and networks secure — and as an IT security champion, it is part of the role to actively watch for these behaviors across the organization, not just practice them personally.

Summary

Security is everyone’s job — not solely the responsibility of the security department. Adopting a security culture and a security mindset is the foundation of being an effective IT security champion.

Key principles from this module:

  • Threat intelligence is a force multiplier. It transforms raw data into actionable, organization-specific insight that supports defense, detection, and response.
  • Intelligence operates at three levels — tactical (day-to-day, where most IT admins operate), operational (trends/TTPs, mostly security teams), and strategic (long-term planning, executive level) — and these levels continuously inform one another.
  • Intelligence is gathered through multiple complementary methods — human (HUMINT), technical (TECHINT, including SIGINT and GEOINT), and open-source (OSINT) — each with distinct strengths and weaknesses.
  • Incident response is a continuous lifecycle: preparation, detection and analysis, containment, eradication, recovery, and documentation/lessons learned — with lessons learned feeding back into future preparation.
  • The Cyber Kill Chain shows how attackers progress from reconnaissance through weaponization, delivery, exploitation, command and control, to actions on objectives — and breaking any single link disrupts the entire attack.
  • The MITRE ATT&CK framework, together with the TAXII transport protocol and the STIX data format, provides a common, structured way to understand and share adversary TTPs — and tools like the ATT&CK Navigator let defenders visualize and prioritize defenses against specific threat groups.
  • Good cyber hygiene practices are the baseline that every individual in the organization — technical or not — must consistently follow.

Quick-Reference Checklist for IT Security Champions

  • Understand the difference between tactical, operational, and strategic threat intelligence, and know where your role fits.
  • Know the three intelligence gathering methods (OSINT, TECHINT, HUMINT) and how they complement each other.
  • Be familiar with the six phases of incident response and your expected role in each.
  • Understand the Cyber Kill Chain and identify which links your systems/controls can help break.
  • Explore the MITRE ATT&CK Navigator and practice building layers for threat groups relevant to your industry.
  • Understand how TAXII and STIX support the sharing and structuring of threat intelligence.
  • Champion and model good cyber hygiene practices across the organization — passwords, patching, MFA, phishing awareness, secure connections, backups, secure Wi-Fi, safe social media use, ongoing education, and skepticism of unknown devices.
  • Continue building security knowledge and share it with peers and coworkers — security awareness spreads only if it is actively shared.

Search Terms

security · champion · cyber · threat · intel · emerging · threats · hot · takes · networking · systems · intelligence · att · mitre

More Security Hot Takes & Threat Intel courses

View all 21

Interested in this course?

Contact us to book it or get a custom training plan for your team.