Threat Intel for Beginners: What Is It and Why Does It Matter?
So you’ve probably heard people throw around the term “threat intel” like it’s some spy agency secret. But what is it actually? And why does it matter for cybersecurity work—especially at the student level?
Let’s break it down.
What is threat intelligence?
Threat intelligence (aka threat intel) is just information about potential or current threats. That includes stuff like:
Who’s attacking
What tools they’re using
How they’re getting in
What they’re targeting
What signs (indicators) they leave behind
It’s like a constantly updating “most wanted” board, but for malware, hackers, and shady behavior on the internet.
Why does it matter?
Threat intel helps defenders make smarter decisions. Instead of blindly guessing where an attack might come from, we use intel to:
Prioritize alerts (so we’re not drowning in false alarms)
Patch the right vulnerabilities first
Detect attacks earlier
Understand why we might be a target
Even small businesses & student orgs can benefit from intel. If you know a certain phishing campaign is making the rounds, you can warn your members. If a specific APT is hitting universities, that’s your cue to look closer at your logs.
Types of threat intel
Not all intel is created equal. Some of it is raw data (like IPs and hashes), and some is more high-level strategy stuff. Here’s a quick rundown:
Tactical: Indicators of compromise (IOCs), like bad IPs, domains, file hashes, etc.
Operational: Info about specific attacks, malware campaigns, or exploits being used.
Strategic: Big-picture stuff—who’s attacking whom, and why. Good for org-level decisions.
Technical: Exploit details, reverse engineering reports, deep dives into malware behavior.
Where do you even get this stuff?
Good question. Some common places:
Public feeds (AlienVault OTX, AbuseIPDB, etc.)
Security blogs/researchers (Cisco Talos, Mandiant, etc.)
Government alerts (CISA, FBI)
Paid platforms (MISP, Recorded Future, etc.)
Even Twitter/X if you know who to follow (yes really)
At WRAVEN, we’re starting to use some open feeds and building tools to track actors and strains on our own. Stay tuned for more on that!
How you can start using threat intel
You don’t need a million-dollar platform to start using intel. Try:
Following a few known threat feeds or blogs
Looking up IOCs in sample malware from TryHackMe or VirusTotal
Practicing correlating indicators with traffic in Wireshark
Joining WRAVEN projects (👀)
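Here’s a small added example of what “correlating indicators with traffic” looks like in practice, tying the tactical IOCs from the types section to the hands-on steps above. It is not code from this post or from any WRAVEN tool: the indicator feed, the log lines, the IPs (RFC 5737 test ranges), the .test domains and the hash are all made up for illustration. It parses key=value log lines, checks each against a tiny IOC list (exact IP and hash matches, domain matches that also catch subdomains), and then ranks internal hosts by the total confidence of the indicators they touched so the noisiest, most trustworthy hits get looked at first.

```python
"""Match constructed IOCs against constructed log lines and rank the hits.

Every indicator, IP, domain, hash and log line here is made up for
illustration (RFC 5737 test IPs, .test domains, a fake SHA-256); none of it
is real threat data.
"""
import re
from collections import namedtuple

# A tactical indicator: its kind, the value, where it came from, and how
# much we trust it (1 = low, 3 = high). Constructed sample feed.
Indicator = namedtuple("Indicator", "kind value source confidence")

SAMPLE_IOCS = [
    Indicator("ip", "198.51.100.23", "public-feed-A", 3),
    Indicator("ip", "203.0.113.9", "public-feed-B", 1),
    Indicator("domain", "update-check.test", "vendor-blog", 2),
    Indicator("sha256", "AA" * 32, "sandbox-report", 3),  # fake hash
]

# Constructed proxy/DNS style log lines in a simple key=value format.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z src=10.0.0.5 dst=198.51.100.23 host=files.update-check.test sha256=",
    "2024-05-01T10:00:07Z src=10.0.0.8 dst=192.0.2.44 host=example.com sha256=",
    "2024-05-01T10:01:15Z src=10.0.0.8 dst=203.0.113.9 host= sha256=" + "aa" * 32,
    "2024-05-01T10:02:30Z src=10.0.0.12 dst=192.0.2.77 host=intranet.corp.test sha256=",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields


def domain_matches(indicator_domain, observed_host):
    """True if the observed host is the indicator domain or a subdomain of it.

    The leading dot matters: 'notupdate-check.test' must not match
    'update-check.test'.
    """
    d, h = indicator_domain.lower(), observed_host.lower()
    return h == d or h.endswith("." + d)


def match_logs(logs, iocs):
    """Return (log_fields, indicator) pairs for every IOC hit in the logs."""
    hits = []
    for line in logs:
        fields = parse_line(line)
        for ioc in iocs:
            if ioc.kind == "ip" and fields.get("dst") == ioc.value:
                hits.append((fields, ioc))
            elif ioc.kind == "domain" and fields.get("host") and domain_matches(ioc.value, fields["host"]):
                hits.append((fields, ioc))
            elif ioc.kind == "sha256" and fields.get("sha256", "").lower() == ioc.value.lower():
                hits.append((fields, ioc))
    return hits


def prioritize(hits):
    """Sum indicator confidence per internal source host and rank hosts,
    highest score first, so triage starts with the most credible activity."""
    score = {}
    for fields, ioc in hits:
        score[fields["src"]] = score.get(fields["src"], 0) + ioc.confidence
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = match_logs(SAMPLE_LOGS, SAMPLE_IOCS)
    for fields, ioc in hits:
        print(f"{fields['ts']} {fields['src']} -> {ioc.kind}:{ioc.value} "
              f"({ioc.source}, confidence {ioc.confidence})")
    print("triage order:", prioritize(hits))
```

Run it as-is and you get four hits across two internal hosts; 10.0.0.5 ranks first because it touched both a high-confidence IP and a known-bad domain. Swap the sample lists for a real feed export and your own proxy or DNS logs and the same loop works, which is exactly the kind of small tool the post is talking about.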
TL;DR:
Threat intel isn’t just for big corps. It’s useful, learnable, and kinda fun once you get the hang of it. Start small, stay curious, and you’ll be threat hunting in no time.
A post by the Western Research Advisory for Vulnerabilities, Exploits, & Networks.