TRUE SECURITY COMPANY


Introduction to Threat Intelligence

Security Threat Intelligence is the process of collecting, analyzing, and disseminating information about potential or ongoing threats that may impact an organization’s security [1]. This information includes data on threat actors, attack targets, as well as the tactics, techniques, and procedures (TTPs) they employ. The goal of Threat Intelligence is to provide actionable insights that help security teams make timely decisions before, during, and after incidents [1].

Threat Intelligence enables organizations to filter out noise from the vast amount of threat data available today and focus on truly relevant risks. For example, instead of being overwhelmed by millions of logs and alerts, a well-implemented threat intelligence program helps prioritize the most critical threats based on the organization’s context [1]. High-quality intelligence answers key questions such as: Who is targeting the organization? What methods are they using? Which vulnerabilities could be exploited, and how can defenses be strengthened effectively?

Why is Threat Intelligence important? In today’s digital landscape, the volume of threat data is massive and diverse – ranging from open sources (OSINT) to proprietary reports [1]. Without a systematic approach, organizations can easily become overwhelmed by information. Threat Intelligence helps transform raw data into meaningful insights, enhancing security decision-making. According to research, leading Threat Intelligence Platforms (TIPs) can turn a “haystack” of data into an actionable compass. They provide benefits such as:

  • More accurate decisions: TIP platforms aggregate and process multi-source data, enabling security teams to decide which vulnerabilities to patch, which malicious IPs to block, or how to fine-tune detection rules [1].
  • Proactive defense: By leveraging advanced analytics and artificial intelligence (AI), many modern TIPs can predict and prevent attacks before they occur [1]. By understanding adversary tactics, organizations can stay ahead of threats.
  • Enhanced incident response: When an attack occurs, Threat Intelligence provides rich context (about adversaries’ motives and methods) to help response teams handle incidents more effectively [1]. For example, Palo Alto Networks’ Cortex XDR integrates threat intel to deliver a unified threat view, enabling faster response [1].
  • Strategic planning: At the management level, Threat Intelligence provides overview reports that help executives understand the broader risk landscape. For example, CrowdStrike Falcon delivers detailed reports on critical threats, supporting leadership in shaping security strategies [1].

In summary, Threat Intelligence is an indispensable component for building a proactive and effective cybersecurity strategy in an increasingly sophisticated threat environment.

Notable Threat Intelligence Solutions

There are many Threat Intelligence solution providers in the market. Below are representative products from several leading vendors:

  • Cyble (Cyble Vision): The Cyble Vision platform is an AI-powered threat intelligence solution that provides real-time visibility into threats across the surface web, deep web, and dark web. Cyble Vision uses machine learning to gather information on data leaks, brand mentions, and hacker activities, thereby generating actionable alerts. The solution helps security teams detect, analyze, and respond quickly to risks, enabling organizations to proactively mitigate threats [1].
  • CloudSEK (XVigil, BeVigil): CloudSEK focuses on digital risk protection with its main products, XVigil and BeVigil. The XVigil platform monitors multiple attack surfaces (the organization’s digital assets) in real time, providing detailed analysis and alerts about potential threats. XVigil can integrate with existing security systems, enhancing incident response and proactive defense capabilities. Meanwhile, BeVigil focuses on scanning and monitoring vulnerabilities across the organization’s digital assets, using AI/ML to analyze data and deliver contextual information about weaknesses [2]. CloudSEK emphasizes predicting and preventing threats through contextual AI, helping organizations stay one step ahead in defense.
  • CrowdStrike (Falcon Intelligence): CrowdStrike provides integrated threat intelligence services within its cloud security ecosystem, notably through CrowdStrike Falcon Intelligence (also known as Adversary Intelligence). This solution combines automated intelligence collection and orchestration with AI-driven investigative tools. CrowdStrike Falcon continuously monitors multiple layers of the web — from the surface web to the dark web — and delivers real-time alerts on emerging threats. A key strength of CrowdStrike lies in building detailed adversary profiles and automated threat modeling, enabling organizations to quickly identify critical threats. Falcon Intelligence is also tightly integrated with other components of the CrowdStrike suite (such as EDR/XDR), forming a comprehensive defense strategy [1].
  • SOCRadar (Extended Threat Intelligence): SOCRadar offers an Extended Threat Intelligence (XTI) platform that combines multiple capabilities, including brand protection, dark web monitoring, and external attack surface management. It is an all-in-one solution featuring modules that span from strategic to operational levels. SOCRadar acts as the organization’s “eyes and ears” across the internet: monitoring hacker forums, Telegram channels, dark web marketplaces, social networks, and various other sources to detect early signs of attacks targeting the organization [3]. The platform provides contextual intelligence and actionable alerts through one of the largest threat databases in the industry [3]. In addition, SOCRadar employs autonomous AI agents (referred to as “Agentic Threat Intelligence”) — AI-driven entities that can reason, adapt, and act automatically — reducing the detection and response time from several hours to just a few minutes, according to the company’s statement.
  • Palo Alto Networks (Unit 42 & Cortex XSOAR): Palo Alto Networks delivers Threat Intelligence capabilities through its Unit 42 research team, integrated across its product ecosystem — notably via Cortex XSOAR Threat Intelligence Management and the AutoFocus service. Cortex XSOAR combines threat intelligence with automated security orchestration and response (SOAR). The platform leverages AI together with Unit 42’s expertise to manage a massive threat data repository, supporting real-time threat analysis and automated incident response workflows. A key strength of Palo Alto Networks lies in its high-confidence threat indicator repository, collected from an extensive sensor network and analyzed by Unit 42 [1]. Additionally, the AutoFocus service allows customers to quickly query Palo Alto’s shared threat intelligence database (including malware analysis results from WildFire and various other sources) to visually identify threats within their own systems [4]. Palo Alto’s solutions also emphasize integration capabilities: for example, integrating AutoFocus feeds into firewalls, SIEM systems, or SOAR platforms to achieve synchronized defense [5].
  • Mandiant (Google Cloud Threat Intelligence): Mandiant, recognized as a global leader in Threat Intelligence, is now part of Google Cloud. The Mandiant Threat Intelligence solution (also known as Google Threat Intelligence) provides deep visibility and detailed context on the most critical threats facing each organization [6]. With the advantage of observing billions of users and handling millions of incidents annually, Mandiant/Google offers unprecedented coverage of the global threat landscape [6]. Mandiant’s services help organizations “identify who is targeting them” and closely monitor their top adversaries on a daily basis [6]. Its intelligence is highly actionable, focusing on understanding threat actors and their Tactics, Techniques, and Procedures (TTPs) so that organizations can proactively build appropriate defenses, hunt threats, and respond to new attacks within minutes [6]. Notably, Mandiant customers gain direct access to the company’s elite intelligence experts — for training, threat prioritization consulting, and on-demand analytical support during active investigations [6]. The Mandiant Threat Intelligence platform also integrates Google’s vast data repositories (e.g., Google SafeBrowsing, VirusTotal) with Mandiant’s frontline expertise to deliver unified risk assessments of threat indicators, helping reduce noise and increase reliability [6].

(In addition to the vendors mentioned above, the Threat Intelligence market includes many other prominent names. For example, Cisco Talos — one of the world’s largest cyber intelligence units under Cisco; IBM X-Force — IBM’s security research team that provides intelligence through X-Force Exchange; and specialized Threat Intelligence Platforms (TIPs) such as Recorded Future, Anomali, and ThreatConnect. These solutions also play a vital role in the threat intelligence ecosystem, offering organizations rich data sources and powerful analytical tools.)

Criteria for Selecting a Threat Intelligence Solution & Evaluation KPIs

Selecting an appropriate Threat Intelligence solution requires organizations to consider multiple criteria, along with establishing a set of Key Performance Indicators (KPIs) to assess the effectiveness of the Threat Intelligence program after deployment. Below are the key criteria and related KPIs:

Criteria for Selecting a Threat Intelligence Solution

  1. Data Diversity (Data Collection): The solution should collect data from multiple sources (both internal and external) covering all layers of strategic, tactical, and technical information. A good threat intelligence platform must be capable of aggregating malware samples, attack characteristics, and Indicators of Compromise (IoCs) from internal networks, the internet, the dark web, and threat-sharing communities, without limitations on data volume [7].
  2. Immediacy & Accuracy: Real-time capability is crucial — threat information must be updated quickly and accurately so that organizations can identify and respond to threats early. When evaluating, it is important to check whether the provider commits to continuous updates, minimizes latency, and includes data verification mechanisms to eliminate false or misleading information [7]. The quality of threat intelligence is reflected in a high true-positive rate and a very low false-alert rate.
  3. Customization: The solution should allow customization according to the organization’s specific needs. This includes the ability to set alert thresholds, select relevant threat types, and flexibly configure dashboards and reports. In addition, the platform should support the creation of custom workflows for analysts, as well as built-in team collaboration mechanisms within the tool [7]. This flexibility ensures that Threat Intelligence aligns with the unique characteristics of each organization rather than following a “one-size-fits-all” approach.
  4. Integration: An ideal Threat Intelligence platform must seamlessly integrate into the organization’s existing security ecosystem. This means the TIP should be able to connect with SIEM (Security Information and Event Management) systems, EDR/XDR solutions, firewalls, vulnerability management systems, and SOAR platforms. Such integration enables cross-system threat information sharing, automated response (e.g., blocking malicious IPs on the firewall based on intelligence), and enhances overall defense effectiveness [7].
  5. Reporting & Analysis: The solution should provide visual analysis and reporting tools that help organizations understand the nature and impact of threats. This includes detailed technical reports for SOC teams (e.g., malware analysis, attack infrastructure) and executive summaries for leadership (e.g., threat trends, risk indicators). The ability to turn data into a clear narrative, accompanied by actionable recommendations, is a major advantage that helps organizations adjust their security strategies and enhance response capabilities [7].
  6. Security & Compliance: The Threat Intelligence platform itself must implement strong security measures to protect sensitive data. This includes data encryption, strict access control, and compliance with relevant standards and regulations (e.g., GDPR for personal data protection). For highly regulated industries such as finance and healthcare, compliance in sharing and storing threat intelligence is particularly important. The selected solution should demonstrate compliance with these requirements, ensuring that intelligence data is securely protected and legally aligned [7].
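The integration criterion above mentions automated response such as blocking malicious IPs on a firewall from intelligence. The following is an added example (written for this page, not code from any vendor named here) of the gate a defender puts in front of that automation: feed indicators are matched against firewall log lines, but only indicators that are both high-confidence and recently refreshed are marked for automatic blocking; everything else is routed to an analyst. The feed and log formats, the confidence scale, and the 80-confidence / 30-day thresholds are assumptions, and all addresses are RFC 5737 documentation ranges.

```python
import re
from datetime import datetime, timedelta

# Fixed "current time" so the example is reproducible.
NOW = datetime(2025, 3, 1, 12, 0)

# Constructed intel feed (hypothetical format): indicator, vendor confidence
# on a 0-100 scale, and when the indicator was last observed as malicious.
FEED = [
    {"ioc": "203.0.113.10", "confidence": 95, "last_seen": NOW - timedelta(days=1)},
    {"ioc": "198.51.100.7", "confidence": 40, "last_seen": NOW - timedelta(days=2)},    # low confidence
    {"ioc": "203.0.113.11", "confidence": 90, "last_seen": NOW - timedelta(days=120)},  # stale
]

# Constructed firewall log lines in an assumed key=value syslog style.
LOG_LINES = [
    "2025-03-01T11:58:02Z action=allow src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2025-03-01T11:58:10Z action=allow src=10.0.0.9 dst=198.51.100.7 dport=80",
    "2025-03-01T11:59:45Z action=allow src=10.0.0.5 dst=192.0.2.44 dport=443",
    "2025-03-01T12:00:01Z action=allow src=10.0.0.7 dst=203.0.113.11 dport=22",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_logs(feed, lines):
    """Return (log record, feed entry) pairs whose destination is a feed indicator."""
    by_ioc = {entry["ioc"]: entry for entry in feed}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dst"] in by_ioc:
            hits.append((rec, by_ioc[rec["dst"]]))
    return hits


def auto_block_candidates(feed, now, min_confidence=80, max_age_days=30):
    """Indicators that may be pushed to the firewall without a human in the loop:
    high confidence and refreshed recently. Thresholds are assumed values; the
    point is that stale or low-confidence intel never blocks traffic unattended."""
    return sorted(
        entry["ioc"]
        for entry in feed
        if entry["confidence"] >= min_confidence
        and (now - entry["last_seen"]).days <= max_age_days
    )


def triage(feed, lines, now):
    """Per matched connection, decide between automatic block and analyst review."""
    blockable = set(auto_block_candidates(feed, now))
    decisions = []
    for rec, entry in match_logs(feed, lines):
        decisions.append({
            "src": rec["src"],
            "dst": rec["dst"],
            "confidence": entry["confidence"],
            "decision": "block" if rec["dst"] in blockable else "review",
        })
    return decisions


if __name__ == "__main__":
    for decision in triage(FEED, LOG_LINES, NOW):
        print(decision)
```

Run as a script, the three feed hits are listed with one "block" (the fresh, high-confidence indicator) and two "review" decisions; the unlisted destination produces nothing. In a real deployment the thresholds would come from the organization's policy and the block list would be written with an expiry so that indicators age out rather than accumulate.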

KPIs for Evaluating Threat Intelligence Effectiveness

After deploying the solution, organizations need to measure the effectiveness of their Threat Intelligence program using Key Performance Indicators (KPIs). Some important KPIs include:

  • Analyst Efficiency: Measures the improvement in the security team’s performance enabled by threat intelligence. For example: the number of incidents/detections each analyst can handle per week, or the percentage of investigated threats over the total number of alerts. Improvement is reflected in the amount of time saved and the increased workload the team can manage [8]. This KPI shows how Threat Intelligence helps “do more with the same resources” – meaning automation and information filtering have effectively reduced the burden on human analysts.
  • Mean Time to Respond (MTTR): This is a key metric for measuring how quickly an organization responds to threats thanks to threat intelligence. MTTR can be calculated from the moment the intel alerts about a threat to when the security team analyzes and takes action. High-quality Threat Intelligence significantly shortens this period (as early warnings and contextualized information enable faster decisions) [8]. The lower the MTTR, the more effective the threat intelligence program is, minimizing the window of opportunity for attackers.
  • Business Impact Reduction: This group of KPIs measures the organizational-level benefits, such as minimizing service downtime through successful incident prevention or reducing financial losses from cyberattacks. A specific example: thanks to threat intelligence providing early warnings and blocking a ransomware campaign, the company avoided production system shutdowns, saving X hours of downtime (equivalent to Y USD in revenue). Another metric relates to business productivity: non-IT teams (such as operations or sales) can continue working without disruption from security incidents, thereby improving overall efficiency [8]. Although these KPIs are difficult to measure precisely, they are highly meaningful in demonstrating the ROI of Threat Intelligence investments to executives.
  • Quality and Scope of Intelligence Data: Since Threat Intelligence primarily revolves around data, it is essential to track metrics that reflect the quality of the intelligence. These include: the number of unique IoCs collected from various sources (this figure indicates information coverage — the more unique indicators, the richer the data) [9]; the average lifespan of IoCs (whether IoCs become outdated or are retained too long — reflecting the update mechanism); the false positive rate of alerts generated by threat intelligence (incorrect or irrelevant alerts must stay below a defined threshold); and the percentage of critical threats supported by threat intel (for example, among incidents that occurred in the past month, what percentage could have been detected or prevented thanks to prior intel). These metrics help assess both the data quality and the operational effectiveness of the Threat Intelligence program.
  • Effectiveness of Intelligence Sources: If the organization uses multiple threat intelligence feeds, KPIs can be established to compare the quality of each source. For example, the credibility of each provider (measured based on the number of unique IoCs it contributes, the duplication rate of its IoCs, and the false positive rate per source) [9]. This allows the organization to optimize investments by identifying which intel sources deliver the highest value and which generate the most noise, enabling informed adjustments.
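The MTTR, data-quality and source-effectiveness KPIs above are easy to state but are only useful once they are computed the same way every month. The following is an added example, not from the article or any vendor, that computes them from a constructed feed snapshot and a constructed set of analyst-adjudicated alerts. The definitions are assumptions chosen to match the descriptions in the list: a source's unique contribution is the count of its indicators seen in no other feed, its duplication rate is the share of its indicators that some other feed also carries, the false positive rate is FP / (TP + FP) over adjudicated alerts, MTTR is measured from intel alert to first action, and an indicator is "stale" when it has not been refreshed within a configurable number of days.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean

# Fixed "now" so ages and MTTR are reproducible.
NOW = datetime(2025, 3, 1, 12, 0)

# Constructed feed snapshot: source name -> {indicator: last_seen}.
# All addresses are RFC 5737 documentation ranges; domains are .example.
FEEDS = {
    "feed_a": {
        "203.0.113.10": NOW - timedelta(days=2),
        "203.0.113.11": NOW - timedelta(days=40),
        "malware.example": NOW - timedelta(days=1),
        "198.51.100.7": NOW - timedelta(days=5),
    },
    "feed_b": {
        "203.0.113.10": NOW - timedelta(days=3),   # also in feed_a
        "198.51.100.7": NOW - timedelta(days=6),   # also in feed_a
        "phish.example": NOW - timedelta(days=90),
    },
    "feed_c": {
        "203.0.113.99": NOW - timedelta(days=1),
    },
}

# Constructed alert outcomes: which feed fired, the analyst verdict
# ("tp"/"fp"), and the alert -> first-action timestamps used for MTTR.
ALERTS = [
    {"source": "feed_a", "indicator": "203.0.113.10", "verdict": "tp",
     "alerted": NOW - timedelta(hours=5), "actioned": NOW - timedelta(hours=4)},
    {"source": "feed_a", "indicator": "malware.example", "verdict": "tp",
     "alerted": NOW - timedelta(hours=3), "actioned": NOW - timedelta(hours=2, minutes=30)},
    {"source": "feed_b", "indicator": "phish.example", "verdict": "fp",
     "alerted": NOW - timedelta(hours=2), "actioned": NOW - timedelta(hours=1)},
    {"source": "feed_b", "indicator": "203.0.113.10", "verdict": "tp",
     "alerted": NOW - timedelta(hours=1), "actioned": NOW - timedelta(minutes=40)},
    {"source": "feed_c", "indicator": "203.0.113.99", "verdict": "fp",
     "alerted": NOW - timedelta(minutes=50), "actioned": NOW - timedelta(minutes=20)},
]


def unique_contribution(feeds):
    """Per source: indicators present in no other feed, and the duplication rate
    (share of the source's indicators that at least one other feed also carries)."""
    occurrences = Counter(ioc for iocs in feeds.values() for ioc in iocs)
    result = {}
    for name, iocs in feeds.items():
        unique = sum(1 for ioc in iocs if occurrences[ioc] == 1)
        dup_rate = (len(iocs) - unique) / len(iocs) if iocs else 0.0
        result[name] = {"unique": unique, "duplication_rate": round(dup_rate, 3)}
    return result


def false_positive_rate(alerts):
    """Per source: FP / (TP + FP) over analyst-adjudicated alerts."""
    tallies = {}
    for alert in alerts:
        tallies.setdefault(alert["source"], Counter())[alert["verdict"]] += 1
    return {src: round(t["fp"] / (t["tp"] + t["fp"]), 3) for src, t in tallies.items()}


def mean_time_to_respond(alerts):
    """MTTR in minutes, measured from intel alert to the team's first action."""
    minutes = [(a["actioned"] - a["alerted"]).total_seconds() / 60 for a in alerts]
    return round(mean(minutes), 1)


def stale_indicators(feeds, now, max_age_days):
    """Per source: average indicator age in days and the indicators not
    refreshed within max_age_days (candidates for expiry)."""
    result = {}
    for name, iocs in feeds.items():
        ages = {ioc: (now - seen).days for ioc, seen in iocs.items()}
        stale = sorted(ioc for ioc, age in ages.items() if age > max_age_days)
        result[name] = {"avg_age_days": round(mean(ages.values()), 1), "stale": stale}
    return result


def source_scorecard(feeds, alerts, now, max_age_days=30):
    """Merge the per-source KPIs into one table for comparing feeds."""
    contrib = unique_contribution(feeds)
    fp = false_positive_rate(alerts)
    staleness = stale_indicators(feeds, now, max_age_days)
    return {
        name: {**contrib[name],
               "false_positive_rate": fp.get(name),
               "avg_age_days": staleness[name]["avg_age_days"],
               "stale_count": len(staleness[name]["stale"])}
        for name in feeds
    }


if __name__ == "__main__":
    print("MTTR (min):", mean_time_to_respond(ALERTS))
    for name, row in source_scorecard(FEEDS, ALERTS, NOW).items():
        print(name, row)
```

On this constructed data feed_a contributes two unique indicators with a 50% duplication rate and no false positives, feed_b mostly duplicates feed_a and has a 50% false positive rate, and feed_c is unique but has fired only a false positive; MTTR across the five alerts is 40 minutes. The scorecard is the comparison the source-effectiveness KPI asks for, and the same functions run unchanged over a month of real adjudicated alerts once they are exported in this shape.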

Additionally, organizations can track other KPIs such as the Mean Time to Operationalize Intelligence (how long it takes for new intel to be integrated into operational systems), or the level of community sharing participation (e.g., the number of intel reports contributed by the organization to ISAC communities, if applicable). Depending on specific objectives, each Threat Intelligence program will develop a tailored set of KPIs to continuously measure and improve its operational effectiveness [9].

Trends in the Threat Intelligence Field

The field of Threat Intelligence is continuously evolving to respond to emerging attack trends and new technologies. Below are some prominent trends for 2024–2025:

  • AI-Driven and Automated Attacks: Cybercriminals are increasingly leveraging AI to enhance the scale and sophistication of their attacks. For instance, they use large language models (LLMs) to generate highly customized phishing emails with natural language, making victims more likely to fall for them. AI is also being used to automatically scan for vulnerabilities and to create polymorphic malware that continuously changes its signature to evade detection [10]. In addition, automated attack toolkits are becoming more widespread—such as phishing kits bundled with info-stealer malware designed to collect login credentials in bulk and automatically validate stolen data. This trend enables criminals to monetize stolen data rapidly—for example, using compromised information within hours to launch follow-up attacks [10]. In summary, AI is significantly shortening the attack lifecycle—from reconnaissance to execution—posing major challenges for defenders.
  • Deepfake and sophisticated identity fraud: Deepfake technology (AI-generated image and voice forgery) has become a new weapon for hackers. There have been cases of scams using a fake CEO’s voice to request fund transfers or forged videos that make employees believe they are receiving legitimate instructions. Criminals also create synthetic identities to open accounts and carry out financial fraud [10]. These attack methods bypass traditional authentication measures (as the audio and visual content appear very real), forcing organizations to rethink how they verify customer identities and approve transactions [10]. The deepfake trend requires a combination of deepfake detection technology and enhanced user awareness of these new types of scams.
  • Application of AI in real-time analysis and response: Conversely, defenders are actively integrating AI into Threat Intelligence processes. Generative AI is used to support the analysis of large volumes of threat data in real time – for example, answering analysts’ queries in natural language, automatically summarizing security events in just a few seconds [10]. Modern TIP platforms are beginning to integrate AI assistant features to suggest analysis, prioritize alerts, and even automate initial incident handling steps. Gartner predicts that by 2028, 70% of AI deployments in security will involve multi-agent models supporting detection and incident response, aiming to augment rather than replace security personnel [11]. This trend promises to help small SOC teams “do more” with AI, but also requires them to upgrade skills to master AI tools in operations.
  • Focus on Supply Chain and Third-Party Risks: Recent years have witnessed numerous supply chain attacks (such as SolarWinds and Log4j) that caused cascading impacts. As a result, Threat Intelligence has expanded its scope to include monitoring the risks posed by suppliers and partners of an organization. Many solutions now include Third-Party Intelligence modules — tracking vulnerabilities of vendors within the industry, monitoring hacker group activities targeting related sectors, and issuing early warnings if a security incident arises within the supply chain [10]. This trend is especially important because a single vulnerability in a third-party entity can become an entry point for attackers, triggering widespread consequences. Additionally, the sharing of threat intelligence within industries (through specialized ISACs) is being strengthened, allowing communities to collectively warn each other about common threats.
  • Expanding the Scope of Threat Intelligence into New Domains: Beyond traditional threats such as malware and phishing, the scope of intelligence is expanding into areas like cloud security, IoT/OT, and information manipulation (misinformation). For example, many providers now offer Cloud Threat Intelligence focusing on threats targeting cloud environments—such as detecting misconfigurations or exposed cloud credentials. Similarly, OT/ICS intelligence is being developed to protect industrial systems. Even the concept of “narrative attacks” (attacks on trust and information) is emerging, requiring Threat Intelligence capabilities to identify disinformation campaigns that could harm organizations [12]. In other words, the landscape of threat intelligence is becoming increasingly multidimensional, demanding that organizations remain adaptive and invest strategically in the most relevant areas.

In summary, the overall trend is that Threat Intelligence is becoming smarter, faster, and more comprehensive thanks to AI and collaborative information sharing. At the same time, the boundaries between security domains (IT, OT, cloud, and physical) are blurring, requiring threat intelligence to be integrated and capable of supporting unified defense across all fronts.

Opportunities and Challenges of Implementing Threat Intelligence by Industry

The adoption of Threat Intelligence brings numerous benefits but also comes with unique challenges for each sector. Below is an overview of key opportunities and challenges across several representative industries: Telecommunications, Finance–Banking, Energy–Utilities, Manufacturing, and Retail.

Telecom

  • Opportunities: The telecommunications industry manages critical infrastructure and often serves as the frontline in defending against cyberattacks at the national level. Implementing Threat Intelligence helps telecom companies better protect their complex network infrastructure and their customers. Specifically, intelligence enables early detection of attack campaigns targeting telecom infrastructure (such as fiber optic sabotage or core network intrusions), allowing proactive response. Threat Intelligence also supports telcos in making data-driven business decisions and strengthening their reputation for secure services. With timely intel, telecom incident response teams can handle threats more quickly and accurately, minimizing service downtime for millions of customers [13]. Some major telecom providers even leverage their vast data advantage to offer Threat Intelligence services to enterprise clients, creating new revenue streams (e.g., NTT and AT&T have adopted this approach).
  • Challenges: The scale and complexity of telecommunications networks pose major challenges. Telecom systems consist of countless components (switches, BTS stations, submarine cables, satellites, etc.) and specialized protocols (SS7, SIP, etc.), making the collection and analysis of threat intelligence highly complex. Telecom attacks are often carried out by APT groups or organized cybercriminals, characterized by sophistication and persistence (e.g., network eavesdropping or core network intrusions to steal user data). Many national telecom operators are top targets for hackers due to the value of their data and critical infrastructure, yet paradoxically, not all companies detect breaches early—some intrusions remain undetected for long periods [13]. Additionally, cost is a significant concern: building an in-house threat intelligence team and analysis infrastructure requires major investment, which not all telecoms can afford. Furthermore, industry-wide information sharing remains limited compared to the financial sector—there is currently no dedicated global ISAC for telecommunications (though some regional sharing groups exist). This sometimes leaves telcos “alone” when facing large-scale attack campaigns. Therefore, the key challenge lies in maintaining effective threat intelligence capabilities at an acceptable cost while fostering greater collaboration and intelligence sharing within the industry to raise overall security standards [13].

Financial Services

  • Opportunities: The finance and banking sector has always been a prime target for cybercriminals, making the adoption of Threat Intelligence virtually mandatory. The most obvious benefit is that intelligence enables banks and financial institutions to detect and prevent fraud and theft attacks early. For example, threat intel can warn about a phishing campaign targeting Bank A’s customers, allowing the bank to promptly alert clients and block the fake domain. In the financial sector, threat intelligence is often combined with fraud intelligence to stop suspicious transactions and protect customer assets and data. Additionally, with intel, banks can prioritize patching critical vulnerabilities (e.g., zero-day flaws being exploited against ATMs or online banking systems) before attackers can take advantage of them. From a compliance standpoint, many cybersecurity regulations for finance (such as PCI-DSS or NYDFS Cybersecurity Regulation) encourage or require institutions to monitor threat intelligence, so implementing intel also helps banks meet legal and regulatory requirements. Notably, the financial sector has a highly developed intelligence-sharing network—most prominently FS-ISAC (Financial Services Information Sharing and Analysis Center), where banks around the world share real-time updates on emerging threats and fraud patterns [14]. Active participation in FS-ISAC and leveraging its intel allow financial institutions to stay ahead of new attack techniques appearing elsewhere. In short, Threat Intelligence provides banks with a proactive defense advantage, minimizing the risk of financial loss and reputational damage.
  • Challenges: Alongside the major opportunities, the financial sector also faces several challenges in implementing threat intelligence. First is the volume and velocity of data. Every day, the banking industry must process tens of thousands of security alerts, from abnormal transactions and fraud warnings to signals from threat intelligence about malware and phishing. SOC teams can easily become overloaded if the intel adds more data without automated classification. The challenge lies in integrating threat intelligence smoothly to reduce noise instead of increasing the burden on analysts. Second, regulatory and reputational pressure means financial institutions “cannot afford mistakes.” Banks must maintain a high level of cyber resilience to comply with strict regulations and protect customer trust. Ironically, attackers exploit this weakness—for example, they know that banks fear customer data exposure (due to fines and reputational loss), so ransomware operators threaten to leak data to force payment [15]. This puts security teams in a difficult position—needing to both stop attacks and report transparently to regulators. While implementing threat intelligence improves preparedness, it cannot eliminate this pressure entirely. Third, skills and cost are significant challenges. To operate an effective threat intelligence program, banks need highly skilled analysts (e.g., experts in malware analysis, familiar with financial attack campaigns like ATMPinch or Carbanak). Attracting and retaining such talent amid fierce competition is difficult. In terms of tooling, purchasing too many intel feeds incurs high costs, but buying too few risks missing vital data—so balancing cost and value requires ongoing adjustment. Finally, attack surface complexity: the financial sector faces not only external hackers but also “insider threats” and supply chain risks (e.g., payment service providers, fintech partners connected via APIs). Traditional threat intelligence often provides limited coverage for insider threats, so banks must complement it with behavioral monitoring and vendor risk assessments. In short, the main challenge for the financial sector is to manage massive volumes of intelligence in a highly accuracy-demanding environment, while continuously investing in the right people and technologies to maximize the value of threat intelligence.

Energy & Utilities (Oil & Gas, Electricity, Water)

  • Opportunities: The energy and utilities sectors (electricity, oil & gas, water, etc.) are part of Critical Infrastructure and therefore greatly benefit from Threat Intelligence. These industries often face risks from state-sponsored APT groups or hackers aiming to cause large-scale disruptions. Threat Intelligence helps energy companies identify targeted attack campaigns early—for example, intel from security agencies or partners can warn of malware targeting SCADA systems in the power grid. This enables companies to strengthen defenses before attacks occur. Many governments and international organizations (such as NATO and ENISA) also share specialized threat intelligence to protect energy infrastructure, allowing utility companies to access high-quality intel from these sources. Implementing threat intelligence further enhances monitoring capabilities for ICS/OT environments, which historically received limited security oversight. For example, some intel platforms provide indicators of ICS-targeted malware (e.g., Industroyer, Triton) to help organizations detect threats early within operational networks and prevent safety disasters. Regarding industry collaboration, specialized security intelligence-sharing centers exist, such as the Electricity ISAC for the North American power sector, enabling electricity companies to receive real-time alerts on threats to the grid [16]. Overall, Threat Intelligence provides critical benefits for utility companies: continuous protection of energy flows, prevention of wide-scale service disruptions, and ensuring economic and societal security.
  • Challenges: On the other hand, implementing threat intelligence in ICS/OT (Industrial Control Systems/Operational Technology) environments is far from simple. First, the OT context is very different from IT: industrial operational systems prioritize safety and continuity, often use specialized protocols, and include legacy devices. OT threat intelligence must be highly industry-contextual to be effective (e.g., alerts about malware targeting Siemens PLCs in a nuclear power plant); without appropriate context, OT intel becomes meaningless. As experts note, threat intelligence for OT depends heavily on the specific context of each vertical, because every sector has different systems and distinct threats [17]. Few experts deeply understand both security and industrial operations, which creates a skills gap. Second, monitoring infrastructure is limited: many OT networks are air-gapped or have very restricted connectivity, making it harder to collect threat intelligence and deploy monitoring sensors than in IT networks, and installing agents or updating OT systems to integrate intel can disrupt production, something no company wants. Third, OT threats are increasingly severe: reports indicate that ransomware attacks on industrial systems doubled in a single year (2022) [18], showing that attackers increasingly aim at production and operational disruption. There is also the risk of industrial espionage: many APT groups silently infiltrate oil, gas, and power networks to steal sensitive data or remain dormant for future sabotage [18]. Such intrusions are difficult to detect (long-term hiding, custom malware), which poses significant challenges for OT threat intelligence programs. Finally, cost and investment priorities: utilities historically focused on physical safety, with limited investment in OT cybersecurity. Convincing leadership to invest heavily in threat intelligence, something perceived as abstract and not immediately beneficial, is difficult unless a major incident has already occurred. In short, the challenges include OT technical characteristics, lack of specialized personnel, increasing severity of threats, and resource constraints, requiring energy and utility companies to gradually build suitable OT Threat Intelligence capabilities with a clear roadmap and focused priorities.
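The two points above, that intel feeds must be filtered down to the organization's own sector and that indicators for ICS-targeted malware must be matched against operational networks, can be shown in working form. The following Python script is an added example, not code from the article or from any TIP vendor: a constructed, sector-tagged indicator feed is reduced to the entries relevant to an energy-sector operator (sector tag, confidence floor, well-formed values), then matched against constructed key=value log lines from a firewall at the IT/OT boundary, tagging each hit with the zone of the source host. The feed, malware family names, addresses (documentation ranges), OT subnet and log format are all assumptions for illustration.

```python
"""Sector-filtered indicator matching against IT/OT boundary logs.

Added example with constructed data: the feed entries, malware names, network
ranges and log lines are illustrative and not taken from any real feed or incident.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Indicator:
    kind: str            # "ipv4", "domain" or "sha256"
    value: str
    malware: str         # family name as given by the (hypothetical) feed
    sectors: frozenset   # verticals the source says are targeted; empty = any
    confidence: int      # 0-100 as reported by the source


# Constructed feed (hypothetical families, documentation-range addresses).
FEED = [
    Indicator("ipv4", "203.0.113.45", "ICS-loader-A", frozenset({"energy", "manufacturing"}), 90),
    Indicator("domain", "update-scada-vendor.example", "ICS-loader-A", frozenset({"energy"}), 80),
    Indicator("sha256", "a1" * 32, "commodity-stealer", frozenset({"retail"}), 95),
    Indicator("ipv4", "198.51.100.7", "generic-scanner", frozenset(), 30),
    Indicator("ipv4", "not-an-address", "broken-entry", frozenset({"energy"}), 99),
]

# Constructed log lines from a firewall at the IT/OT boundary (key=value format).
LOGS = """\
2024-05-01T10:00:01Z src=10.20.0.15 dst=203.0.113.45 host=update-scada-vendor.example
2024-05-01T10:00:05Z src=10.20.0.16 dst=192.0.2.10 host=ntp.example
2024-05-01T10:00:09Z src=10.10.0.8 dst=198.51.100.7
2024-05-01T10:00:12Z src=10.10.0.9 dst=192.0.2.20 sha256=""" + "a1" * 32

OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]   # hypothetical OT zone


def relevant_indicators(feed, sector, min_confidence=50):
    """Keep indicators tagged for our vertical (or for no vertical at all),
    above a confidence floor, and with syntactically valid values. Intel
    tagged for other sectors is the noise the OT context problem refers to."""
    kept = []
    for ind in feed:
        if ind.confidence < min_confidence:
            continue
        if ind.sectors and sector not in ind.sectors:
            continue
        if ind.kind == "ipv4":
            try:
                ipaddress.IPv4Address(ind.value)
            except ValueError:      # malformed entry would never match anyway
                continue
        kept.append(ind)
    return kept


def parse_line(line):
    """Split 'timestamp key=value key=value ...' into a dict."""
    ts, *pairs = line.split()
    fields = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def zone_of(ip_text):
    """Label the source host as OT or IT from the (assumed) OT address ranges."""
    ip = ipaddress.ip_address(ip_text)
    return "OT" if any(ip in net for net in OT_NETWORKS) else "IT"


def match_logs(log_text, indicators):
    """Return one hit per (log line, matching indicator) pair."""
    lookup = {}
    for ind in indicators:
        lookup.setdefault(ind.kind, {})[ind.value.lower()] = ind
    hits = []
    for line in log_text.strip().splitlines():
        f = parse_line(line)
        for kind, key in (("ipv4", "dst"), ("domain", "host"), ("sha256", "sha256")):
            value = f.get(key, "").lower()
            ind = lookup.get(kind, {}).get(value)
            if ind:
                hits.append({"ts": f["ts"], "src": f["src"], "zone": zone_of(f["src"]),
                             "kind": kind, "value": value,
                             "malware": ind.malware, "confidence": ind.confidence})
    return hits


if __name__ == "__main__":
    for hit in match_logs(LOGS, relevant_indicators(FEED, "energy")):
        print(f'{hit["ts"]} [{hit["zone"]}] {hit["src"]} -> {hit["kind"]}={hit["value"]} '
              f'({hit["malware"]}, confidence {hit["confidence"]})')
```

Run as-is, the energy-sector view yields two hits, both from an OT host reaching the same loader infrastructure; matching the whole unfiltered feed instead would also raise the low-confidence scanner and the retail stealer hash, which is the kind of noise that buries the one alert an OT team must act on.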

Manufacturing

  • Opportunities: The manufacturing sector is entering the era of Digital Transformation and Industry 4.0, making cybersecurity, and Threat Intelligence in particular, a critical factor in protecting smart production lines. Manufacturers have numerous valuable assets that intel can help protect: technological secrets, production processes, robotic systems, supply chains, and more. Implementing Threat Intelligence helps manufacturing companies safeguard intellectual property (IP) from theft, for example by detecting early that a hacker group is targeting a new product design to sell to competitors. Threat intel can also provide warnings about ransomware extortion campaigns in the sector (which are increasingly common), allowing companies to strengthen security before an attack disrupts production. Specialized Threat Intelligence solutions for manufacturing OT now exist; for example, Dragos offers OT Cyber Threat Intelligence that tracks threat groups targeting manufacturing and ICS [19]. This specialized intel provides factories with adversary profiles, such as the CHERNOVITE group, which targets manufacturing with the PIPEDREAM malware aimed at industrial PLCs [19], enabling plant security teams to focus on protecting critical equipment and recognizing the key indicators. Moreover, because production is tightly linked with global supply chains, Threat Intelligence supports companies in monitoring the cybersecurity risks of suppliers and distributors (e.g., learning that a component supplier is under attack in time to activate contingency plans). Many organizations have established Manufacturing ISACs and security experience-sharing forums for the industry, helping to disseminate threat alerts rapidly within the community. In summary, Threat Intelligence provides a proactive shield for manufacturers, protecting valuable assets, preventing production disruptions, and maintaining competitive advantage.
  • Challenges: The manufacturing sector faces two main types of threats: industrial espionage (APT groups stealing secrets) and sabotage/extortion (ransomware halting production lines). Both have increased significantly in recent years, posing major challenges for Threat Intelligence capabilities. First, production systems are increasingly connected (IT–OT convergence), expanding the attack surface: a vulnerability on the office IT network can serve as a stepping stone into the factory OT network. Intel collection must cover both domains and be coordinated with OT operations teams, which requires cultural change, as IT and OT were previously separate. Second, ransomware is rampant: IBM reports that ransomware attacks on ICS systems in factories doubled in 2022 [18]. Attackers have realized that stopping production for just a few days causes enormous losses and pressures victims to pay (an automaker can lose USD 22k per minute of downtime [18]), so they target OT ruthlessly. Even with early Threat Intelligence warnings, many small and medium manufacturers lack adequate backup and recovery systems and cannot upgrade their infrastructure quickly enough to act on a warning. Third, targeted espionage: APT groups such as Winnti and APT10 have infiltrated manufacturing companies to steal designs and product secrets, often remaining undetected for long periods. Detecting these stealthy intrusions is a major challenge for threat intel, as there may be no clear signs (attackers use valid certificates or hide within legitimate traffic); strategic intel (who wants what) combined with technical intel (specific IoCs and TTPs) is required for effective detection. Fourth, limited security resources: the manufacturing sector, especially traditional companies, has historically invested little in IT and even less in cybersecurity. Building an internal Threat Intelligence team is nearly impossible for most companies, so they rely on external services or public feeds, which limits effectiveness. Finally, complex supply chains: a large manufacturer may have hundreds of suppliers. Even if intel protects the company itself, it can still be attacked indirectly via a compromised supplier (a supply chain attack) [18]. Managing this risk goes beyond the scope of a typical Threat Intelligence program and requires cross-industry coordination. In summary, the challenges for manufacturing are integrating intel into the specialized OT environment, addressing the escalation of ransomware and APT threats, and overcoming limited resources. This requires approaches such as combining XDR platforms with Threat Intelligence to detect anomalies in OT automatically, and active participation in industry intel-sharing communities to benefit from “many eyes watching.”

Retail

  • Opportunities: The retail and hospitality sector is increasingly targeted by cybercriminals (notably in the Target 2013 and Marriott 2018 incidents). Implementing Threat Intelligence helps retail companies proactively protect customer information and brand reputation. First, intel supports dark web monitoring to detect whether payment card data or customer information from the retail chain is being sold, allowing the company to promptly alert banks to block cards or notify customers to change passwords. Threat intelligence platforms also provide brand protection services that identify fraudulent websites and imitation apps designed to scam customers, an ongoing headache for large retailers as phishing sites appear constantly; with threat intel, companies can request the takedown of fake sites more quickly. In addition, intel enables monitoring of global attack campaigns targeting the retail sector: for example, if a supermarket chain in Europe is attacked by hacker group X, threat intel can alert a chain in Asia to prepare in case the group expands its scope. The RH-ISAC (Retail & Hospitality ISAC) community serves as an effective channel for retail companies to share threat information in real time. In practice, RH-ISAC helped major retailers coordinate against the Scattered Spider group in 2023–2024 by sharing attack scenarios, IoCs, and response experience among members [20]. This demonstrates the value of collaborative threat intel: “one gets attacked, the whole community learns.” Threat intel also helps the retail sector raise cybersecurity awareness among frontline employees. For instance, if intel warns of social engineering attacks against customer service desks (e.g., impersonating IT to request a password reset), the company can immediately train store staff to recognize and respond to such tactics. In summary, Threat Intelligence provides early protection for retail, safeguarding customers and digital assets (websites, applications) and supporting industry-wide collaboration to minimize damage when incidents occur.
  • Challenges: The retail sector has several characteristics that make effective threat intelligence deployment difficult. First is the human factor: the service-oriented culture emphasizes friendliness and customer care, so retail staff are often less suspicious, precisely the point that attackers exploit through social engineering [20]. Even with threat intel warnings, translating them into frontline employee action is challenging, as employees must balance being welcoming to customers with staying vigilant. Second, dispersion: retail chains have hundreds of stores, each with a different level of security. POS devices in stores may be outdated and IT networks fragmented, and uneven security standards make applying intel (e.g., patching vulnerabilities across all POS devices after receiving an alert) slow or inconsistent. Small and medium retailers often lack the resources to deploy expensive threat intelligence solutions or hire specialists. RH-ISAC statistics show that most members are companies with revenue over USD 1 billion, while smaller companies participate less [20]. This creates a fragmented security landscape: large enterprises are well protected, while smaller businesses become the weak links that attackers target. Another challenge is that retail is less regulated for security than finance or healthcare, so the motivation to invest in threat intelligence may not materialize until a major incident occurs. From a technical standpoint, the omni-channel retail environment (e-commerce, in-store POS, mobile apps) creates multiple attack vectors (phishing, malware, JavaScript skimming on websites, and so on). Threat intelligence must cover all of these attack types, requiring integration of multiple data sources (from online transaction logs to in-store network monitoring), which is difficult to implement in practice. Finally, seasonal pressure: peak shopping periods (the holiday season) are both times of high revenue and opportunities for attackers, as employees are fatigued and less vigilant [20]. Implementing any security measure during these periods is difficult (for fear of business disruption), so even when threat intel issues warnings, response measures may be delayed “until after the holidays”. All these factors make Threat Intelligence in retail a complex challenge, requiring a flexible approach: prioritizing managed services to support smaller companies; strengthening employee training on emerging scams; and promoting information sharing across the industry (via the ISAC and partnerships with banks and tech firms) so that no company is left behind.
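The brand-protection use case described above (spotting fraudulent sites that imitate a retailer) can be reduced to a concrete check. The following Python script is an added example, not code from the article or from RH-ISAC: it takes a constructed list of newly observed domain names, in the form a certificate-transparency or new-domain feed would supply them (punycode for internationalized names), and flags those that combine the hypothetical brand label `acmeshop` with extra tokens, use it as a subdomain of an unrelated domain, spell it with confusable characters (digits, Cyrillic letters, `rn` for `m`), or sit within one edit of it. The brand, the legitimate-domain list, the keyword list, the confusable table and the naive "last two labels" registrable-domain split are all assumptions; a production tool would use the Public Suffix List and a full confusables table.

```python
"""Lookalike-domain triage for a retail brand (added example, constructed data)."""
import unicodedata

BRAND = "acmeshop"                         # hypothetical brand label
OWN_DOMAINS = {"acmeshop.example"}         # hypothetical legitimate domains

# Single-character confusables (digits, a few Cyrillic letters) and
# two-character sequences that render like one Latin letter. Illustrative only.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c", "\u0440": "p"}
MULTI = [("rn", "m"), ("vv", "w")]
PHISHING_WORDS = {"login", "secure", "verify", "account", "support", "gift", "promo"}


def to_unicode(domain):
    """Feeds usually carry punycode (xn--) labels; decode them to Unicode so
    confusable characters can be inspected. Undecodable input is used as-is."""
    try:
        return domain.encode("ascii").decode("idna").lower()
    except UnicodeError:
        return domain.lower()


def skeleton(label):
    """Collapse a label to its visual skeleton: NFKC, then confusable mapping."""
    s = unicodedata.normalize("NFKC", label).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, rep in MULTI:
        s = s.replace(seq, rep)
    return s


def edit_distance(a, b):
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain, brand=BRAND, own=OWN_DOMAINS, max_dist=1):
    """Return None for a harmless domain, else a dict with a score and reasons."""
    uni = to_unicode(domain)
    if uni in own:
        return None
    labels = uni.split(".")
    if len(labels) < 2:
        return None
    # Naive split: last label is the TLD, the one before it the registrable
    # label, the rest subdomains. Real tooling uses the Public Suffix List.
    reg, subs = labels[-2], labels[:-2]
    reg_sk = skeleton(reg)
    tokens = reg_sk.split("-")
    score, reasons = 0, []
    if brand in tokens:
        if reg_sk != reg:
            score += 3
            reasons.append("confusable characters spell the brand")
        if len(tokens) > 1:
            score += 1
            reasons.append("brand combined with extra tokens")
    elif edit_distance(reg_sk.replace("-", ""), brand) <= max_dist:
        score += 2
        reasons.append(f"within {max_dist} edit(s) of the brand")
    if any(brand in skeleton(s).split("-") for s in subs):
        score += 3
        reasons.append("brand used as a subdomain of another domain")
    if any(t in PHISHING_WORDS for l in labels[:-1] for t in skeleton(l).split("-")):
        score += 1
        reasons.append("phishing keyword present")
    if score == 0:
        return None
    return {"domain": domain, "unicode": uni, "score": score, "reasons": reasons}


def scan(domains):
    """Assess a feed of domains and return the flagged ones, highest score first."""
    flagged = [r for r in (assess(d) for d in domains) if r]
    return sorted(flagged, key=lambda r: (-r["score"], r["domain"]))


# Constructed sample of "newly observed" domains. The last entry is the punycode
# form of the brand spelled with a Cyrillic 'а' (U+0430) as its first letter.
IDN_SAMPLE = "\u0430cmeshop.example".encode("idna").decode("ascii")
CANDIDATES = [
    "acmeshop.example",                         # our own domain, ignored
    "ntp.example",                              # unrelated
    "acme.example",                             # too far from the brand
    "acmesh0p-login.example",                   # digit for letter plus keyword
    "acrneshop.example",                        # 'rn' renders like 'm'
    "acmeshoop.example",                        # one-character typo
    "acmeshop-gift-card.example",               # brand plus extra tokens
    "acmeshop.example.verify-account.example",  # brand as a subdomain prefix
    IDN_SAMPLE,
]

if __name__ == "__main__":
    for r in scan(CANDIDATES):
        print(f'{r["score"]:>2}  {r["domain"]:<42} {r["unicode"]:<30} {"; ".join(r["reasons"])}')
```

The score only orders the takedown queue; the reasons are what an analyst needs to confirm the hit, and the decoded Unicode form is what makes the Cyrillic case visible at all, since the feed line itself shows only an `xn--` label.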

List of Abbreviations

Below are explanations of the English abbreviations used in this document:

  • AI – Artificial Intelligence
  • APT – Advanced Persistent Threat
  • CTI – Cyber Threat Intelligence
  • EDR – Endpoint Detection & Response
  • ICS – Industrial Control Systems
  • IoC – Indicator of Compromise
  • IoT – Internet of Things
  • ISAC – Information Sharing and Analysis Center
  • IT – Information Technology
  • LLM – Large Language Model
  • MITRE ATT&CK – A knowledge framework of attack tactics and techniques developed by MITRE.
  • ML – Machine Learning
  • OT – Operational Technology
  • OSINT – Open-Source Intelligence
  • PCI-DSS – Payment Card Industry Data Security Standard
  • PHISHING – Impersonation attack (fraud via email or fake websites)
  • SCADA – Supervisory Control and Data Acquisition
  • SIEM – Security Information & Event Management
  • SOC – Security Operations Center
  • SOAR – Security Orchestration, Automation and Response
  • TTP – Tactics, Techniques, and Procedures
  • XDR – Extended Detection & Response

References

[1] https://www.centraleyes.com/threat-intelligence/

[2] https://www.cloudsek.com/knowledge-base/how-does-threat-intelligence-work

[3] https://socradar.io/products/cyber-threat-intelligence/

[4] https://www.paloguard.com/Autofocus.asp

[5] https://cortex.marketplace.pan.dev/marketplace/details/AutoFocus/

[6] https://cloud.google.com/security/products/threat-intelligence

[7] https://teamt5.org/en/posts/key-considerations-for-evaluating-threat-intelligence-platform-tip-solution/

[8] https://flashpoint.io/blog/3-threat-intelligence-kpis-for-roi-business-case/

[9] https://lmntrix.com/blog/applying-kpis-to-threat-intelligence/

[10] https://thereviewhive.blog/threat-intelligence-trends-in-2025/

[11] https://www.rtinsights.com/major-ai-trends-reshaping-cybersecurity-in-2024/

[12] https://ripjar.com/blog/navigating-cyber-threats-2024s-top-trends-in-threat-intelligence-and-how-to-tackle-them/

[13] https://www.securityhq.com/blog/rising-security-concerns-in-the-telecom-industry/

[14] https://www.fsisac.com/

[15] https://www.upguard.com/blog/biggest-cyber-threats-for-financial-services

[16] https://www.cybersaint.io/blog/growing-cyber-threats-to-the-energy-sector

[17] https://gca.isa.org/blog/cyber-threat-intelligence-in-ics-sectors-context-is-everything

[18] https://www.ibm.com/think/insights/addressing-growing-concerns-cybersecurity-in-manufacturing

[19] https://www.dragos.com/blog/ot-cyber-threat-landscape-manufacturing-environments

[20] https://www.cybersecuritydive.com/news/retail-isac-lessons-learned-scattered-spider/758504/

[21] https://outpost24.com/de/wp-content/uploads/sites/2/2023/07/outpost24-finance-whitepaper.pdf
