M1019: Threat Intelligence Program
A Threat Intelligence Program enables organizations to proactively identify, analyze, and act on cyber threats by leveraging internal and external data sources. The program supports decision-making processes, prioritizes defenses, and improves incident response by delivering actionable intelligence tailored to the organization's risk profile and operational environment. This mitigation can be implemented through the following measures:
Establish a Threat Intelligence Team:
- Form a dedicated team or assign responsibility to existing security personnel to collect, analyze, and act on threat intelligence.
Define Intelligence Requirements:
- Identify the organization’s critical assets and focus intelligence gathering efforts on threats targeting these assets.
Leverage Internal and External Data Sources:
- Collect intelligence from internal sources such as logs, incidents, and alerts. Subscribe to external threat intelligence feeds, participate in ISACs, and monitor open-source intelligence (OSINT).
Implement Tools for Automation:
- Use threat intelligence platforms (TIPs) to automate the collection, enrichment, and dissemination of threat data.
- Integrate threat intelligence with SIEMs to correlate IOCs with internal events.
Analyze and Act on Intelligence:
- Use frameworks like MITRE ATT&CK to map intelligence to adversary TTPs.
- Prioritize defensive measures, such as patching vulnerabilities or deploying IOCs, based on analyzed threats.
Share and Collaborate:
- Share intelligence with industry peers through ISACs or threat-sharing platforms to enhance collective defense.
Evaluate and Update the Program:
- Regularly assess the effectiveness of the threat intelligence program.
- Update intelligence priorities and capabilities as new threats emerge.
*Tools for Implementation*
Threat Intelligence Platforms (TIPs):
- OpenCTI: An open-source platform for structuring and sharing threat intelligence.
- MISP: A threat intelligence sharing platform for sharing structured threat data.
Threat Intelligence Feeds:
- Open Threat Exchange (OTX): Provides free access to a large repository of threat intelligence.
- CIRCL OSINT Feed: A free source for IOCs and threat information.
Automation and Enrichment Tools:
- TheHive: An open-source incident response platform with threat intelligence integration.
- Yeti: A platform for managing and structuring knowledge about threats.
Analysis Frameworks:
- MITRE ATT&CK Navigator: A tool for mapping threat intelligence to adversary behaviors.
- Cuckoo Sandbox: Analyzes malware to extract behavioral indicators.
Community and Collaboration Tools:
- ISAC Memberships: Join industry-specific ISACs for intelligence sharing.
- Slack/Discord Channels: Participate in threat intelligence communities for real-time collaboration.
Analyst context for executives and security teams
A threat intelligence program is a governance and operations capability that helps an organization decide which threats, vulnerabilities, and defensive actions matter most. In this ATT&CK context, its value is not a single control; it is the process for turning internal logs, incidents, alerts, external feeds, OSINT, ISAC sharing, and ATT&CK mapping into prioritized action for incident response, vulnerability management, and detection engineering.
Executive priority
Treat this as a decision-support capability for resilience and risk prioritization. The related ATT&CK coverage connects threat intelligence to exploitation-driven risks: privilege escalation, remote service exploitation for lateral movement, stealth through vulnerable components, credential access through exploited weaknesses, and impersonation. Leaders should ask whether intelligence requirements are tied to critical assets, whether vulnerability and detection priorities are influenced by relevant threat reporting, and whether the program produces evidence useful for incident decisions, audit readiness, and control investment.
Technical view
SOC, IR, vulnerability management, and detection engineering teams should validate that intelligence is collected from both internal sources such as logs, incidents, and alerts and external sources such as threat feeds, OSINT, ISACs, and sharing communities. The program should map intelligence to ATT&CK TTPs, enrich indicators, correlate IOCs in the SIEM where appropriate, and convert findings into actions such as patch prioritization, detection tuning, investigation leads, or incident response playbooks. Relationship context suggests special attention to exploitation affecting Windows, Linux, macOS, Containers, ESXi, SaaS, Identity Provider, Office Suite, and related remote service or credential-access exposure where present in the local environment.
Likely telemetry
- Internal security logs relevant to critical assets
- Incident records and investigation findings
- Alert history from detection tools and SIEM correlation
- Vulnerability and patch management data used for prioritization
- Threat intelligence feed data and OSINT reporting
Detection direction
- Do not measure success only by the number of feeds consumed; validate whether intelligence produces actionable detections, investigations, or prioritization decisions.
- Confirm SIEM or analytic workflows can correlate relevant IOCs with internal events, while accounting for false positives, stale indicators, and low-confidence feed data.
- Use ATT&CK mapping to identify whether intelligence addresses the related exploitation and impersonation behaviors rather than only malware or IP/domain indicators.
- Review whether intelligence from past incidents and alerts feeds back into detection tuning and response procedures.
- Identify blind spots where critical assets, identity systems, SaaS, remote services, containers, or ESXi are in scope locally but not represented in intelligence requirements or telemetry.
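The SIEM correlation step the bullets above describe, written as an added example that is not from the ATT&CK page or from any of the listed tools: it applies the stale-indicator and low-confidence caveats before matching IOCs against internal events and tags each hit with the ATT&CK technique the intel record was mapped to. All indicator records, log lines, confidence values, thresholds and technique mappings are constructed sample data.

```python
# Added example: minimal IOC correlation with freshness and confidence gating.
# Indicators, log lines and technique mappings are constructed for illustration.
from datetime import datetime, timedelta, timezone
import re

NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)   # fixed "now" so the run is reproducible
MAX_AGE = timedelta(days=30)                       # assumed staleness window for an indicator
MIN_CONFIDENCE = 50                                # assumed minimum feed confidence (0-100)

# Constructed indicator records, shaped like a TIP export.
INDICATORS = [
    {"value": "203.0.113.7", "type": "ip", "confidence": 85,
     "last_seen": NOW - timedelta(days=3), "technique": "T1210"},
    {"value": "198.51.100.9", "type": "ip", "confidence": 90,
     "last_seen": NOW - timedelta(days=120), "technique": "T1210"},   # stale: should not match
    {"value": "bad.example", "type": "domain", "confidence": 20,
     "last_seen": NOW - timedelta(days=1), "technique": "T1068"},      # low confidence: should not match
]

# Constructed internal events (firewall and DNS style log lines).
LOGS = [
    "2025-03-01T10:00:01Z fw allow src=10.0.0.5 dst=203.0.113.7 dport=445",
    "2025-03-01T10:00:02Z dns query=bad.example client=10.0.0.8",
    "2025-03-01T10:00:03Z fw allow src=10.0.0.6 dst=198.51.100.9 dport=22",
]


def usable(ind, now=NOW):
    """An indicator is eligible for matching only if it is fresh and confident enough."""
    return now - ind["last_seen"] <= MAX_AGE and ind["confidence"] >= MIN_CONFIDENCE


def correlate(logs, indicators, now=NOW):
    """Return one hit per (log line, indicator) pair, using only eligible indicators."""
    active = [i for i in indicators if usable(i, now)]
    hits = []
    for line in logs:
        # Whole-token comparison avoids substring matches such as 203.0.113.70.
        tokens = set(re.findall(r"[\w.-]+", line))
        for ind in active:
            if ind["value"] in tokens:
                hits.append({"log": line, "ioc": ind["value"], "technique": ind["technique"]})
    return hits


if __name__ == "__main__":
    for hit in correlate(LOGS, INDICATORS):
        print(f"{hit['technique']} {hit['ioc']} <- {hit['log']}")
```

Only the fresh, high-confidence indicator produces a hit; the stale and low-confidence records are dropped before correlation rather than surfacing as noise.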
Mitigation priorities
- Define intelligence requirements around critical assets, business services, and operational risk before buying or adding more feeds.
- Assign ownership to a dedicated threat intelligence team or existing security personnel with clear responsibilities to collect, analyze, and act.
- Integrate internal evidence, external intelligence, ATT&CK mapping, vulnerability prioritization, and incident response workflows.
- Use automation such as TIP and SIEM integration to enrich and disseminate intelligence, but keep analyst review for context and confidence.
- Participate in appropriate sharing communities such as ISACs when relevant to the organization.
Analyst notes and limits
This is a mitigation object, not a detection analytic. Its defensive value depends on program maturity, clear requirements, useful data sources, and operational integration with SOC, IR, vulnerability management, and risk owners. The supplied relationship context supports using threat intelligence to prioritize defenses against exploitation for privilege escalation, lateral movement through remote services, stealth, credential access, and impersonation.
ATT&CK does not provide official detection guidance for this mitigation, and the object does not specify platforms or tactics directly. Platform references come only from the related mitigated techniques and should be applied only where those technologies exist in the local environment. Local evidence is required to determine program effectiveness, telemetry coverage, feed quality, and response outcomes.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1210 | Exploitation of Remote Services | Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. |
| Enterprise | T1684.001 | Impersonation Sub-technique | Threat intelligence helps defenders and users be aware of and defend against common lures and active campaigns that have been used for impersonation. |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. |
| Enterprise | T1211 | Exploitation for Stealth | Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. |
| Enterprise | T1212 | Exploitation for Credential Access | Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 8b94dd96e025… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: M1019 (open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.