Cyber Threat Intelligence and Incident Response are deeply intertwined disciplines. When an incident occurs, CTI provides context that accelerates every phase of the response — from initial detection through recovery and lessons learned. Conversely, every incident produces raw intelligence that strengthens future defenses. This lesson examines how CTI integrates with each phase of the NIST incident response lifecycle and how organizations can build a virtuous cycle between their CTI and IR functions.
Learning Objectives
- Map CTI contributions to each phase of the NIST SP 800-61 incident response lifecycle
- Perform real-time indicator enrichment during incident triage
- Produce tactical intelligence products from incident response findings
- Design feedback loops that turn IR findings into improved CTI and detection capabilities
- Understand deconfliction considerations when incidents involve law enforcement
The NIST Incident Response Lifecycle
NIST Special Publication 800-61 Revision 2, "Computer Security Incident Handling Guide," defines four phases of incident response. CTI has a distinct role in each.
| IR Phase | CTI Contribution |
|---|---|
| Preparation | Threat landscape briefings, priority intelligence requirements, pre-staged enrichment tools |
| Detection & Analysis | Indicator enrichment, threat actor identification, TTP contextualization |
| Containment, Eradication & Recovery | Scoping guidance, related infrastructure identification, adversary playbook awareness |
| Post-Incident Activity | Intelligence production, detection rule creation, lessons learned, strategic assessment |
Phase 1: Preparation
CTI's most important contribution to incident response happens before any incident occurs. Preparation-phase intelligence work includes:
Threat Landscape Awareness
CTI teams should maintain current assessments of which threat actors are most likely to target the organization, based on industry vertical, geography, technology stack, and geopolitical factors. These assessments directly inform IR preparation — the team should have playbooks, detection rules, and response procedures oriented toward the most probable threats.
Priority Intelligence Requirements (PIRs)
PIRs established by the CTI program should include IR-relevant questions such as: What initial access techniques are threat actors currently using against our sector? What C2 infrastructure is associated with active campaigns? What new exploitation tools are circulating?
Pre-Staged Enrichment
Before an incident occurs, establish enrichment workflows and tool access. During an active incident is not the time to be requesting API keys or figuring out how to query threat intelligence platforms. Pre-stage:
- API integrations with VirusTotal, Shodan, AbuseIPDB, GreyNoise, and your organization's commercial TI feeds
- Lookup scripts or SOAR playbooks for common enrichment tasks
- Reference materials on threat actors relevant to your organization
- A curated IOC watchlist with context on why each indicator matters
Key Concept: The value of CTI in incident response is directly proportional to the preparation done before incidents occur. A well-prepared CTI function can provide context in minutes; an unprepared one takes hours or days.
Phase 2: Detection and Analysis
This is where CTI provides the most immediate, tangible value during an active incident.
Real-Time Indicator Enrichment
When responders identify suspicious indicators — IP addresses, domains, file hashes, URLs — the CTI analyst enriches them with context:
- Is this indicator known? Check against commercial and open-source threat intelligence feeds, internal IOC databases, and information sharing communities (ISACs/ISAOs).
- Who uses it? If the indicator is attributed to a specific threat actor or campaign, that immediately narrows the scope and informs the response strategy.
- What else is associated? Pivot from the known indicator to find related infrastructure using passive DNS, certificate transparency, and WHOIS data (as covered in Lesson 28).
- Is this commodity or targeted? GreyNoise data can quickly determine whether an IP is part of widespread scanning versus targeted activity. This distinction dramatically affects response priority.
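The pre-staged enrichment workflow and the four triage questions above, as an added example that is not part of the original lesson: a small Python lookup that types an indicator, checks it against constructed stand-ins for an internal watchlist, a commercial feed and a scanner-noise list, pivots through a constructed passive-DNS table for related infrastructure, and returns a triage priority. All indicator values, the group name GROUP-A and the source contents are hypothetical.

```python
import ipaddress
import re

# Constructed stand-ins for pre-staged sources: internal IOC watchlist with context,
# a commercial feed, a GreyNoise-style scanner list and a passive-DNS table.
WATCHLIST = {
    "203.0.113.45": {"actor": "GROUP-A", "context": "C2 seen in Q3 phishing wave", "confidence": "moderate"},
    "bad-invoice.example": {"actor": "GROUP-A", "context": "Spearphishing sender domain", "confidence": "high"},
}
COMMERCIAL_FEED = {"198.51.100.7": {"actor": None, "context": "Commodity loader C2", "confidence": "low"}}
MASS_SCANNERS = {"192.0.2.10"}  # IPs the noise feed tags as internet-wide scanning
PASSIVE_DNS = {"bad-invoice.example": ["203.0.113.45", "203.0.113.46"]}  # domain -> resolutions
HASH_RE = re.compile(r"^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

def classify(indicator: str) -> str:
    """Type the indicator (ip, hash, url, domain) so the right lookups run."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        if HASH_RE.match(indicator):
            return "hash"
        return "url" if indicator.startswith(("http://", "https://")) else "domain"

def enrich(indicator: str) -> dict:
    """Answer the triage questions: known? who uses it? what else? commodity or targeted?"""
    e = {"indicator": indicator, "kind": classify(indicator), "known": False,
         "actor": None, "confidence": None, "commodity": False, "sources": [], "context": []}
    for name, source in (("watchlist", WATCHLIST), ("commercial", COMMERCIAL_FEED)):
        hit = source.get(indicator)
        if hit:
            e["known"] = True
            e["sources"].append(name)
            e["context"].append(hit["context"])
            e["actor"] = e["actor"] or hit["actor"]            # first attribution wins
            e["confidence"] = e["confidence"] or hit["confidence"]
    if e["kind"] == "ip" and indicator in MASS_SCANNERS:
        e["commodity"] = True                                  # widespread scanning, not targeted
    # "What else is associated?": pivot both directions through passive DNS
    e["related"] = PASSIVE_DNS.get(indicator, []) + [d for d, ips in PASSIVE_DNS.items() if indicator in ips]
    # Attributed and not noise ranks highest; unknown indicators still need a human look
    e["priority"] = "low" if e["commodity"] else "high" if e["actor"] else "medium" if e["known"] else "unknown"
    return e
```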
Identifying the Threat Actor
During analysis, the CTI analyst works to attribute the activity — not necessarily to a specific nation-state or individual, but to a behavioral cluster. Attribution helps because:
- Known threat actors have documented TTPs, allowing responders to predict what the adversary will do next
- Attribution informs scoping — if the actor is known to deploy ransomware after 72 hours of dwelling, urgency increases dramatically
- It helps determine whether the incident is targeted (requiring a more thorough response) or opportunistic
TTP Contextualization with ATT&CK
Map observed adversary behaviors to MITRE ATT&CK techniques. Then cross-reference against known threat actor profiles in ATT&CK to narrow attribution hypotheses. More importantly, use the ATT&CK mapping to identify techniques the adversary is likely to use next, guiding where responders should look.
For example, if you observe T1566.001 (Spearphishing Attachment) as the initial access vector and T1059.001 (PowerShell) for execution, and your threat assessment identifies APT groups known to use both, you can proactively hunt for their typical persistence mechanisms (such as scheduled tasks or registry run keys) rather than waiting to discover them reactively.
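An added example (not from the lesson) of the ATT&CK cross-referencing described above: observed technique IDs are scored against constructed actor profiles, the best match is turned into a confidence label for the IR lead, and the unobserved techniques of the top matches are grouped by tactic as hunting leads. The actor profiles GROUP-A/B/C and the confidence thresholds are assumptions of this example; the technique IDs are real ATT&CK identifiers.

```python
from collections import Counter

# ATT&CK technique IDs (real) mapped to the tactic they serve.
TECHNIQUES = {
    "T1566.001": "initial-access",    # Spearphishing Attachment
    "T1059.001": "execution",         # PowerShell
    "T1053.005": "persistence",       # Scheduled Task
    "T1547.001": "persistence",       # Registry Run Keys / Startup Folder
    "T1021.002": "lateral-movement",  # SMB/Windows Admin Shares
    "T1041": "exfiltration",          # Exfiltration Over C2 Channel
    "T1486": "impact",                # Data Encrypted for Impact
}
# Constructed behavioral clusters, not real ATT&CK group pages.
ACTOR_PROFILES = {
    "GROUP-A": {"T1566.001", "T1059.001", "T1053.005", "T1021.002", "T1041", "T1486"},
    "GROUP-B": {"T1566.001", "T1059.001", "T1547.001", "T1041"},
    "GROUP-C": {"T1059.001", "T1486", "T1021.002"},
}

def rank_actors(observed):
    """Jaccard overlap between observed techniques and each profile, best first."""
    observed = set(observed)
    scores = []
    for actor, profile in ACTOR_PROFILES.items():
        scores.append((actor, len(observed & profile) / len(observed | profile)))
    return sorted(scores, key=lambda s: -s[1])

def confidence_label(score):
    """Overlap score to assessment wording; the thresholds are this example's assumption."""
    return "high" if score >= 0.8 else "moderate" if score >= 0.5 else "low" if score >= 0.25 else "insufficient"

def next_techniques(observed, top_n=2):
    """Techniques the best-matching actors use that have not been seen yet,
    grouped by tactic: this is where responders should look next."""
    observed = set(observed)
    candidates = Counter()
    for actor, _ in rank_actors(observed)[:top_n]:
        for tech in ACTOR_PROFILES[actor] - observed:
            candidates[tech] += 1            # techniques shared by several matches rank first
    by_tactic = {}
    for tech, _votes in candidates.most_common():
        by_tactic.setdefault(TECHNIQUES[tech], []).append(tech)
    return by_tactic
```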
Phase 3: Containment, Eradication, and Recovery
Intelligence-Driven Scoping
One of the most critical contributions CTI makes during containment is helping define the scope of compromise. If the threat actor is known:
- What lateral movement techniques do they typically use? This tells responders where else to look.
- What data do they typically target? This informs data loss assessment.
- Do they deploy multiple backdoors? This prevents incomplete eradication — a common failure mode where responders remove the initial access but miss secondary persistence.
Related Infrastructure Identification
CTI analysts should continuously pivot from newly discovered indicators to identify additional adversary infrastructure that hasn't been blocked yet. Every new IP address, domain, or hash found during IR should be run through the enrichment pipeline to find connected infrastructure.
Adversary Playbook Awareness
Understanding the adversary's typical operational sequence helps responders anticipate next moves during containment. If intelligence indicates the threat actor typically exfiltrates data before deploying ransomware, and you've contained the ransomware deployment, you need to investigate whether exfiltration already occurred.
Important: Intelligence assessments during an active incident should always include confidence levels. Telling the IR lead "we assess with moderate confidence this is Group X based on infrastructure overlap" is fundamentally different from "we confirm this is Group X." Overclaiming attribution during an incident can lead to inappropriate response actions.
Phase 4: Post-Incident Activity
The post-incident phase is where CTI transforms raw incident data into lasting intelligence value.
Producing Tactical Intelligence
Every incident generates intelligence products. At minimum:
- IOC package: All indicators discovered during the incident, with context, confidence levels, and recommended detection logic. Formatted for ingestion into SIEMs and TIPs (STIX/TAXII or CSV at minimum).
- TTP report: Documented adversary behaviors mapped to ATT&CK, with detection opportunities for each technique observed.
- Campaign analysis: If the incident connects to a broader campaign, document the relationships and update campaign tracking.
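An added example, not part of the lesson, of packaging incident IOCs in the STIX 2.1 format named above using only the standard library: each Indicator object carries the analyst's context, the ATT&CK technique it was observed with (where known) and a numeric confidence, and the objects are wrapped in a Bundle for TIP import or TAXII publication. The indicator values and the words-to-score confidence mapping are constructed for this example.

```python
import json
import uuid
from datetime import datetime, timezone

# STIX 2.1 pattern templates for the indicator types this example packages.
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}
CONFIDENCE = {"low": 30, "moderate": 60, "high": 85}  # assumed mapping to the 0-100 STIX scale

def make_indicator(kind, value, context, confidence, technique=None, now=None):
    """Build one STIX 2.1 Indicator SDO carrying the analyst's context."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    desc = context + (f" (observed with ATT&CK {technique})" if technique else "")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"{kind}: {value}",
        "description": desc,
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[kind].format(v=value.replace("'", "\\'")),  # escape quotes in pattern literals
        "pattern_type": "stix",
        "valid_from": ts,
        "confidence": CONFIDENCE[confidence],
    }

def build_bundle(iocs, now=None):
    """Wrap the indicators in a STIX Bundle ready for a TAXII collection or TIP import."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_indicator(now=now, **ioc) for ioc in iocs]}

def to_json(bundle):
    return json.dumps(bundle, indent=2)

# Constructed incident IOCs (hypothetical values) with context, confidence and technique.
INCIDENT_IOCS = [
    {"kind": "ipv4", "value": "203.0.113.45", "context": "C2 beacon from finance workstation", "confidence": "high", "technique": "T1071.001"},
    {"kind": "domain", "value": "bad-invoice.example", "context": "Phishing sender domain", "confidence": "moderate", "technique": "T1566.001"},
    {"kind": "sha256", "value": "0123456789abcdef" * 4, "context": "Stage-one loader (placeholder hash)", "confidence": "high"},
]
```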
Detection Rule Creation
Incident findings should directly produce new detection rules. For every technique the adversary used, ask: could we detect this if it happened again? Create or refine:
- SIEM correlation rules for the specific behavioral patterns observed
- Sigma rules for shareable, platform-agnostic detection logic
- YARA rules for any unique malware or tools encountered
- Network signatures for observed C2 communication patterns
The Virtuous Cycle
The most mature CTI programs create a feedback loop:
- CTI informs detection → intelligence about threat actor TTPs drives detection rule creation
- Detections trigger IR → those rules fire on real activity, initiating incident response
- IR produces intelligence → the incident generates new IOCs, TTPs, and adversary understanding
- New intelligence improves CTI → findings update threat actor profiles, PIRs, and future detection rules
Organizations that fail to close this loop waste the intelligence value of every incident they handle.
Strategic Assessment
Beyond tactical products, significant incidents warrant strategic intelligence assessments: What does this incident tell us about our threat landscape? Has our risk profile changed? Do our PIRs need updating? Should we adjust our security architecture based on the adversary's approach?
Organizational Models: Embedded vs. Separate CTI
There are two primary models for how CTI supports IR:
Embedded CTI Analyst
A CTI analyst is assigned to the IR team and participates directly in incident handling. This model provides the fastest intelligence support during incidents but can pull the analyst away from proactive intelligence work.
Separate CTI Team with Liaison
The CTI team operates independently but provides a designated point of contact during incidents. This preserves proactive intelligence capacity but introduces communication overhead and potential delays.
Most mature organizations use a hybrid approach: CTI operates independently for proactive work but has defined procedures for surging support during significant incidents, including clear escalation criteria for when CTI analysts join the IR team directly.
Deconfliction with Law Enforcement
When incidents may involve criminal activity, CTI analysts must understand deconfliction:
- Preservation of evidence: Intelligence collection methods must not inadvertently destroy forensic evidence. Coordinate with your legal team and any law enforcement involvement before taking actions that modify adversary infrastructure or tip off the attacker.
- Parallel investigations: If law enforcement is investigating the same threat actor, your intelligence activities (especially active reconnaissance of adversary infrastructure) could interfere with their operation. Establish communication channels early.
- Information sharing boundaries: Understand what you can and cannot share, and with whom. Some incident details may be subject to legal holds, regulatory requirements (breach notification laws), or classification restrictions.
- FBI and CISA coordination: In the United States, the FBI handles criminal cyber investigations while CISA provides technical assistance. Both can be valuable partners, but coordination requires clear organizational protocols established before an incident.
Best Practice: Establish relationships with your local FBI field office and CISA regional representative before an incident occurs. These relationships dramatically improve coordination during actual events.
Key Takeaways
- CTI contributes to every phase of incident response, but preparation-phase work has the highest leverage
- Real-time enrichment during triage accelerates detection and analysis by providing immediate context
- Identifying the threat actor (even approximately) enables predictive response based on known TTPs
- Post-incident intelligence production closes the feedback loop and improves future defenses
- Every incident should produce IOC packages, TTP documentation, and new detection rules
- Deconfliction with law enforcement requires pre-established protocols and relationships
Practical Exercise
Scenario: Your organization's SOC has escalated an alert. A workstation in the finance department made outbound connections to an IP address flagged by a threat intelligence feed as associated with the FIN7 threat group (a financially motivated cybercriminal group known for targeting financial and retail organizations).
Work through the following steps:
- Enrichment: Document what sources you would query to enrich the flagged IP address. What specific questions are you trying to answer? Write out at least five enrichment queries you would perform.
- TTP Prediction: Research FIN7's documented TTPs on MITRE ATT&CK (group G0046). Based on the initial access observation, list five additional techniques you would hunt for on the affected workstation and across the network.
- Scoping Questions: Write five questions you would ask the IR team to help scope the incident, informed by your knowledge of FIN7's typical operations.
- Post-Incident Products: Assume the incident is resolved. Outline the intelligence products you would create, including the target audience and format for each.
- Detection Rules: Write pseudocode or logic for two detection rules based on FIN7 TTPs that would catch similar activity in the future.
Further Reading
- NIST SP 800-61 Rev. 2 — "Computer Security Incident Handling Guide" (NIST, 2012)
- NIST SP 800-86 — "Guide to Integrating Forensic Techniques into Incident Response" (NIST, 2006)
- Caltagirone, S., Pendergast, A., Betz, C. — "The Diamond Model of Intrusion Analysis" (2013)
- MITRE ATT&CK Group Pages — FIN7 (G0046) for the practical exercise (attack.mitre.org)