Table of Contents
- Module 1: Cyber Threat Intelligence Fundamentals, Frameworks, and Emerging Threats
- Defining Threat Intelligence
- The Business Importance of Cyber Threat Intelligence
- The Three Main Types of Cyber Intelligence: Strategic, Operational, and Tactical
- Intelligence Gathering Methods: OSINT, TECHINT, and HUMINT
- Why Threat Intelligence Matters to IT Administrators
- The Phases of Incident Response
- The Cyber Kill Chain
- The MITRE ATT&CK Framework, TAXII, and STIX
- Demo Walkthrough: Exploring the MITRE ATT&CK Navigator
- Good Cyber Hygiene Practices
- Summary
Module 1: Cyber Threat Intelligence Fundamentals, Frameworks, and Emerging Threats
This module introduces cyber threat intelligence (CTI) from the perspective of an IT administrator who is stepping into the role of an “IT security champion” — someone who is not a full-time security analyst, but who nonetheless has direct influence over the systems, logs, and controls that make threat intelligence actionable. It covers what threat intelligence is, why it matters to the business, the different levels at which intelligence operates, how that intelligence is gathered, how incident response phases work, the structure of the cyber kill chain, the MITRE ATT&CK framework and its supporting standards (TAXII and STIX), a hands-on look at the MITRE ATT&CK Navigator tool, and a set of good cyber hygiene practices that reinforce everything else in the module.
Defining Threat Intelligence
Threat intelligence, or “threat intel,” is a collection of data that provides insight into threats and helps an organization defend, detect, and respond to attacks. It is not raw data by itself — it is data that has been processed and given context so that it becomes usable.
Threat intelligence is created and gathered as follows:
- Information is collected from a wide variety of sources.
- The raw data is correlated and analyzed to uncover trends, patterns, and relationships tied to actual or potential threats.
- The result is turned into actionable, organization-specific intelligence.
The benefit of this process is that it allows an organization to:
- Be proactive rather than purely reactive.
- Prioritize resources so that limited security budget and staff time are spent on the threats that matter most.
- Reduce detection costs by focusing effort where it is needed.
- Limit the impact of successful breaches.
In short, good threat intelligence keeps the company operating and keeps attackers — and unauthorized eyes — out of the organization’s data.
flowchart LR
A[Raw data from many sources] --> B[Correlation and Analysis]
B --> C[Identify trends, patterns, relationships]
C --> D[Actionable, organization-specific intelligence]
D --> E[Defend]
D --> F[Detect]
D --> G[Respond]
The Business Importance of Cyber Threat Intelligence
Threat intelligence is not just a technical exercise — it directly supports core business objectives. The main reasons cyber threat intelligence matters at the organizational level are:
| Business Objective | Why Threat Intelligence Helps |
|---|---|
| Protect against disruption to the business | Reduces downtime and outages caused by successful attacks, keeping revenue-generating operations running |
| Retain customer and shareholder confidence | Demonstrates due diligence and reduces the likelihood of breaches that damage trust and reputation |
| Increase profitability and partner value | Avoids the direct and indirect costs of incidents, and strengthens the organization’s standing with business partners |
Although these may sound like intangible, “big picture” goals, an IT administrator working alongside the security team has a direct and measurable impact on each of them — every patched system, hardened configuration, and monitored log contributes to these outcomes.
The Three Main Types of Cyber Intelligence: Strategic, Operational, and Tactical
Cyber threat intelligence is generally divided into three levels. Understanding where an IT administrator typically fits into this equation is important, because each level feeds into the next.
flowchart BT
T[Tactical Intelligence] -->|Feeds into| O[Operational Intelligence]
O -->|Feeds into| S[Strategic Intelligence]
S -.->|Informs priorities and funding| O
O -.->|Informs day-to-day focus| T
| Level | Focus | Time Horizon | Typical Owner | Description |
|---|---|---|---|---|
| Tactical | Immediate and specific threats or incidents | Real time / day-to-day | IT administrators, IT security, security operations | Real-time monitoring, analysis, and response to cyber threats; the day-to-day detection and mitigation of threats |
| Operational | Trends and patterns over a period of time | Medium term | Security teams (with occasional IT admin involvement) | Deeper analysis of cyber threats and risks to understand adversary tactics, techniques, and procedures (TTPs), as well as identifying vulnerabilities and weaknesses in the organization’s defenses |
| Strategic | Long-term planning and decision making | Long term | Executive management / C-suite | Forecasting future threats and trends, understanding the broader cyber threat landscape, and providing insight to support strategic decisions and funding |
As an IT administrator, you primarily operate in the tactical space — you may work closely with IT security or other security operations staff, or you may only be pulled into that space when a specific threat or breach occurs. Tactical intelligence feeds operational intelligence, which in turn feeds strategic intelligence, and — importantly — these relationships flow in both directions: strategic priorities and funding decisions shape what operational and tactical teams focus on day to day.
Intelligence Gathering Methods: OSINT, TECHINT, and HUMINT
There are three primary intelligence gathering methods that every IT security champion should be familiar with.
mindmap
root((Intelligence Gathering Methods))
OSINT
Publicly available sources
Internet, news, blogs
Social media
Official reports and publications
Television and radio broadcasts
TECHINT
SIGINT
Intercepting electronic communications
GEOINT
Mapping and analyzing geographical information
HUMINT
Espionage / spying
Confidential informants
Diplomatic contacts
Other human sources
| Method | Full Name | Description | Example Sources |
|---|---|---|---|
| OSINT | Open-Source Intelligence | Intelligence collected from publicly available sources | Internet sites, newspapers, blogs, social media, official reports/publications, television and radio broadcasts |
| TECHINT | Technical Intelligence | Intelligence gathered through the collection and analysis of technical data | Includes SIGINT (signals intelligence — intercepting communications through electronic means) and GEOINT (geospatial intelligence — mapping and analyzing geographical information) |
| HUMINT | Human Intelligence | Intelligence gathered through interpersonal contact | Espionage/spying, confidential informants, diplomatic contacts, and other human sources |
Each of these methods has its own strengths and weaknesses, and no single method is sufficient on its own. They work collectively to build a complete cyber intelligence, or threat intelligence, picture.
Why Threat Intelligence Matters to IT Administrators
For an IT administrator, the practical question is: “What’s in it for me?” The answer starts with a mindset shift: security is everyone’s job, not solely the responsibility of the IT security department. Adopting that mindset as a security champion brings several concrete benefits:
- Enhanced situational awareness — developing a security mindset means always watching for things that look unusual rather than assuming everything is normal, and speaking up (“if you see something, say something”) when something looks wrong.
- Proactive defense — including faster detection and response, which alone can significantly reduce the impact of a breach or cyber incident.
- Better-informed decision making — for example, in vendor and tool selection.
Ultimately, engaging with threat intelligence makes you a better IT administrator, makes systems more secure, and benefits the organization as a whole — because the end goal is always to secure the company’s assets and minimize disruption to the business.
The Phases of Incident Response
The phases of incident response are similar (but not identical) to the phases an organization would go through during an infrastructure failure or an application outage. This is a continuous lifecycle that is refined over time: lessons learned help identify gaps, increase preparedness, and bring additional resources into the response team’s arsenal.
flowchart LR
A[Preparation] --> B[Detection and Analysis]
B --> C[Containment]
C --> D[Eradication]
D --> E[Recovery]
E --> F[Documentation / Lessons Learned]
F -.->|Refines and strengthens| A
| Phase | Description | Typical IT Admin Involvement |
|---|---|---|
| Preparation | Establishing the tools, processes, and readiness needed before an incident occurs | Maintaining hardened systems, backups, and monitoring tools ahead of time |
| Detection and Analysis | Identifying that an incident has occurred and analyzing its scope | Providing event and log data from IDS, firewalls, routers, switches, directory servers, and other networked systems under the admin’s control |
| Containment | Isolating affected systems to prevent further damage or unauthorized access (“stop the spread”) | Isolating hosts, disabling accounts, segmenting networks |
| Eradication | Eliminating the root cause of the incident so it cannot recur — closing gaps, patching, and upgrading | Applying patches/upgrades to remove the specific vulnerability that was exploited |
| Recovery | Restoring affected systems to normal operation while ensuring they are secure | Rebuilding and validating systems, working alongside security and data protection specialists |
| Documentation / Lessons Learned | Capturing what happened and what was learned to improve future readiness | Feeding gaps and improvement ideas back into the preparation phase |
As an IT administrator, you will play a role in some or all of these phases, typically working closely with IT security to make sure each phase is properly covered.
The Cyber Kill Chain
The Cyber Kill Chain describes the sequence of steps an attacker (whether deploying malware or acting as a hands-on hacker) typically follows to compromise a target, exfiltrate data, or plant malware. The key defensive insight is that, like any chain, if you can interrupt and break just one link, you break the entire chain and stop the attack from succeeding.
flowchart TD
A[Reconnaissance] --> B[Weaponization]
B --> C[Delivery]
C --> D[Exploitation]
D --> E[Command and Control - C2]
E --> F[Actions on Objectives]
style A fill:#ffe0e0
style B fill:#ffe0e0
style C fill:#ffe0e0
style D fill:#ffe0e0
style E fill:#ffe0e0
style F fill:#ff8080
| Stage | Attacker Activity | Example |
|---|---|---|
| Reconnaissance | Probing for weaknesses, harvesting credentials or other information | Gathering details later used in a phishing attack |
| Weaponization | Creating a deliverable payload using an exploit or a back door | Building a malicious document or executable |
| Delivery | Sending the payload to the victim | A malicious email or a malicious file |
| Exploitation | Executing code on the remote system | Triggering the exploit and installing malware on the target asset |
| Command and Control (C2) | Establishing a channel or persistence mechanism | Allowing the attacker to control the compromised system remotely |
| Actions on Objectives | Carrying out the intended goal | Implanting ransomware, exfiltrating data, or conducting long-term espionage |
Understanding how an attacker executes each of these stages allows defenders to put systems and controls in place that block or break one of the links — disrupting the attacker’s ability to carry out their mission. As an IT administrator, you have direct influence and control over many of the systems (endpoints, network devices, directory services, email security) that can break the chain at multiple stages.
The MITRE ATT&CK Framework, TAXII, and STIX
MITRE is a not-for-profit organization that manages federally funded research and development across multiple government agencies. Most IT administrators are already indirectly familiar with MITRE’s work because MITRE maintains:
- The CVE (Common Vulnerabilities and Exposures) database.
- The CWE (Common Weakness Enumeration) database.
MITRE also maintains the MITRE ATT&CK framework (“Adversarial Tactics, Techniques, and Common Knowledge”), which catalogs known adversary tactics and techniques across a large number of categories, giving security teams and IT administrators a common reference for the TTPs a hacker might use to try to exploit a weakness or vulnerability, along with likely attacker goals.
Two standards work alongside the ATT&CK framework to support the sharing of this information:
| Standard | Full Name | Purpose |
|---|---|---|
| TAXII | Trusted Automated Exchange of Intelligence Information | A transport protocol that allows threat intelligence information to be shared over HTTPS using APIs |
| STIX | Structured Threat Information eXpression | A standardized format for presenting/structuring threat intelligence information |
MITRE ATT&CK organizes attacker behavior into a set of top-level tactic categories (the “why” — the adversary’s tactical objective), each of which contains a large number of specific techniques and sub-techniques (the “how” an adversary achieves that objective). The framework groups these techniques across categories such as reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact.
flowchart TB
subgraph MITRE["MITRE (Non-Profit Research Organization)"]
CVE[CVE Database]
CWE[CWE Database]
ATTACK[MITRE ATT&CK Framework]
end
ATTACK --> TACTICS[Tactic Categories\nReconnaissance, Initial Access,\nExecution, Persistence, etc.]
TACTICS --> TECHNIQUES[Techniques and Sub-techniques\nSpecific TTPs used by threat actors/groups]
ATTACK --> TAXII[TAXII\nTransport protocol over HTTPS/APIs]
ATTACK --> STIX[STIX\nStandardized threat intel data format]
The value of this framework for an IT administrator is that it allows you to research a specific threat, threat actor, or threat group, understand how that group operates, and then strengthen your organization’s defenses specifically against the TTPs that group is known to use.
Demo Walkthrough: Exploring the MITRE ATT&CK Navigator
The MITRE ATT&CK Navigator is a free, publicly available web tool that lets you visualize and compare techniques used by specific threat actor groups so that defensive resources can be focused where they matter most. The following steps walk through how the tool was used in the demonstration:
- Open the MITRE ATT&CK Navigator in a browser.
- Create a new empty layer. Choose a technology domain — in this walkthrough, Enterprise was selected (other domains, such as Mobile or ICS, are also available).
- The Navigator displays the full matrix of tactic categories (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, and so on) as columns, with the associated techniques listed underneath each one. Hovering over a technique reveals more detail about that specific tactic or technique.
- Search for a known threat group. The Navigator’s search supports looking up techniques, threat groups, software, and mitigations. In the demo, the group APT29 was searched for and selected.
- Selecting the group highlights every technique associated with that group across Initial Access, Execution, Persistence, and all other applicable categories.
- Adjust scoring to make the highlighted results more legible — a score of
1was assigned to APT29’s techniques so they stand out visually (typically shown with a distinct color). - Create a second layer for another threat group — in the demo, APT32 was selected and assigned a score of
2. - Combine the two layers. A new layer is created “from other layers,” using an expression such as
a + bto combine the contents of the two individual layers (for example, named “MITRE ATT&CK Enterprise 14”). - The combined layer is now color-coded by score:
- Techniques used by only one group show a score of
1or2. - Techniques used by both groups combine to a score of
3and stand out as the highest priority.
- Techniques used by only one group show a score of
- This combined view lets defenders focus limited resources on the techniques shared across multiple threat groups — hardening against those specific techniques breaks the kill chain for more than one adversary at once. Color schemes can be reversed or customized (for example, red for “focus here,” green for “lower priority,” or vice versa) depending on organizational preference.
- Export the results for further use — as a JSON file, an Excel spreadsheet, or a graphic image suitable for a PowerPoint or other presentation.
sequenceDiagram
participant Analyst as IT Admin / Analyst
participant Nav as ATT&CK Navigator
Analyst->>Nav: Create new layer (Enterprise domain)
Analyst->>Nav: Search threat group "APT29"
Nav-->>Analyst: Highlight all APT29 techniques (score = 1)
Analyst->>Nav: Create second layer, search "APT32"
Nav-->>Analyst: Highlight all APT32 techniques (score = 2)
Analyst->>Nav: Create combined layer (expression a + b)
Nav-->>Analyst: Techniques used by BOTH groups scored 3
Analyst->>Analyst: Prioritize defenses on highest-scored techniques
Analyst->>Nav: Export as JSON / Excel / graphic
This same technique-overlay approach scales to any number of threat groups an organization considers relevant to its industry or threat profile, making it a practical, repeatable way to translate raw threat intelligence into a prioritized defensive action list.
Good Cyber Hygiene Practices
Regardless of role — IT administrator, end user, IT security professional, or C-level executive — everyone should practice good cyber hygiene. As an IT security champion, part of the role is watching your environment to make sure others are following these practices as well.
| # | Practice | Details |
|---|---|---|
| 1 | Use strong, complex passwords | Mix of uppercase, lowercase, numbers, and symbols; rotate frequently |
| 2 | Update software regularly | Apply patches and upgrades promptly |
| 3 | Enable two-factor authentication (2FA) wherever possible | Typically a one-time code via SMS or an authenticator app |
| 4 | Be cautious of phishing attacks | Watch for emails/messages that appear to come from a known contact but contain malicious links |
| 5 | Use secure connections | Prefer HTTPS to ensure communications are encrypted |
| 6 | Regularly back up data | Enables fast recovery from ransomware/encryption events or hardware failures |
| 7 | Secure your Wi-Fi network | Use strong, unique passwords; change the default SSID; avoid WEP/WPA — use WPA2 or WPA3 |
| 8 | Practice safe social media usage | Avoid posting sensitive personal details (full name, address, phone number, financial information); review and adjust privacy settings |
| 9 | Stay educated about cyber threats | Keep learning, and pass knowledge on to peers and coworkers |
| 10 | Be skeptical of unknown devices or links | Never plug in an unknown USB drive found lying around — a classic and effective malware/ransomware delivery method |
mindmap
root((Good Cyber Hygiene))
Strong, rotated passwords
Regular software updates/patching
Two-factor authentication
Phishing awareness
HTTPS / secure connections
Regular data backups
Secured Wi-Fi (WPA2/WPA3)
Safe social media habits
Continuous security education
Skepticism of unknown devices/links
Practicing these ten habits consistently goes a long way toward keeping information and networks secure — and as an IT security champion, it is part of the role to actively watch for these behaviors across the organization, not just practice them personally.
Summary
Security is everyone’s job — not solely the responsibility of the security department. Adopting a security culture and a security mindset is the foundation of being an effective IT security champion.
Key principles from this module:
- Threat intelligence is a force multiplier. It transforms raw data into actionable, organization-specific insight that supports defense, detection, and response.
- Intelligence operates at three levels — tactical (day-to-day, where most IT admins operate), operational (trends/TTPs, mostly security teams), and strategic (long-term planning, executive level) — and these levels continuously inform one another.
- Intelligence is gathered through multiple complementary methods — human (HUMINT), technical (TECHINT, including SIGINT and GEOINT), and open-source (OSINT) — each with distinct strengths and weaknesses.
- Incident response is a continuous lifecycle: preparation, detection and analysis, containment, eradication, recovery, and documentation/lessons learned — with lessons learned feeding back into future preparation.
- The Cyber Kill Chain shows how attackers progress from reconnaissance through weaponization, delivery, exploitation, command and control, to actions on objectives — and breaking any single link disrupts the entire attack.
- The MITRE ATT&CK framework, together with the TAXII transport protocol and the STIX data format, provides a common, structured way to understand and share adversary TTPs — and tools like the ATT&CK Navigator let defenders visualize and prioritize defenses against specific threat groups.
- Good cyber hygiene practices are the baseline that every individual in the organization — technical or not — must consistently follow.
Quick-Reference Checklist for IT Security Champions
- Understand the difference between tactical, operational, and strategic threat intelligence, and know where your role fits.
- Know the three intelligence gathering methods (OSINT, TECHINT, HUMINT) and how they complement each other.
- Be familiar with the six phases of incident response and your expected role in each.
- Understand the Cyber Kill Chain and identify which links your systems/controls can help break.
- Explore the MITRE ATT&CK Navigator and practice building layers for threat groups relevant to your industry.
- Understand how TAXII and STIX support the sharing and structuring of threat intelligence.
- Champion and model good cyber hygiene practices across the organization — passwords, patching, MFA, phishing awareness, secure connections, backups, secure Wi-Fi, safe social media use, ongoing education, and skepticism of unknown devices.
- Continue building security knowledge and share it with peers and coworkers — security awareness spreads only if it is actively shared.
Search Terms
security · champion · cyber · threat · intel · emerging · threats · hot · takes · networking · systems · intelligence · att · mitre