Do you consume and act on threat intelligence relevant to your industry?
Demonstrate that the organization systematically consumes industry-relevant threat intelligence, evaluates its applicability, and takes documented defensive actions in response to actionable intelligence.
Description
What this control does
This control ensures the organization subscribes to and operationalizes threat intelligence feeds, reports, and indicators of compromise (IoCs) relevant to its industry sector, technology stack, and geographic footprint. Threat intelligence sources may include commercial vendors, ISACs/ISAOs, open-source feeds (e.g., CISA alerts, vendor bulletins), and peer-sharing communities. The organization must demonstrate processes for ingesting, triaging, contextualizing, and acting upon intelligence through response activities such as vulnerability patching, signature updates, hunting operations, or defensive configuration changes. This control reduces the time between threat emergence and organizational defensive action.
Control objective
What auditing this proves
Demonstrate that the organization systematically consumes industry-relevant threat intelligence, evaluates its applicability, and takes documented defensive actions in response to actionable intelligence.
Associated risks
Risks this control addresses
- Exploitation of vulnerabilities or attack patterns already known to the threat intelligence community but not acted upon internally
- Delayed detection of industry-targeted campaigns (e.g., ransomware, supply chain attacks) due to lack of early warning indicators
- Failure to prioritize patching or mitigations for threats actively exploited against similar organizations in the same sector
- Inability to contextualize security events during incident response due to lack of awareness of adversary TTPs (tactics, techniques, and procedures)
- Reactive security posture that responds only to incidents rather than proactively hardening defenses based on emerging threats
- Compromise via known malicious infrastructure (IP addresses, domains, file hashes) that could have been blocked preemptively
- Regulatory non-compliance in sectors requiring threat information sharing (e.g., financial services, critical infrastructure)
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's inventory of subscribed threat intelligence sources, including commercial feeds, ISAC/ISAO memberships, government bulletins, and open-source feeds.
- Interview the threat intelligence or security operations lead to understand the process for receiving, triaging, and disseminating threat intelligence internally.
- Select a sample period (e.g., previous 90 days) and obtain logs or records showing threat intelligence ingestion activity, such as feed update logs, ISAC alerts received, or vendor portal access records.
- Review documented procedures or playbooks that describe how threat intelligence triggers specific actions (e.g., IoC blocking, threat hunting, patch acceleration, user awareness alerts).
- Select three to five recent high-relevance threat intelligence items (e.g., industry-specific advisories, critical CVEs, active campaigns) and trace each through to documented organizational response or dispositioning decision.
- Examine technical evidence of intelligence operationalization, such as SIEM correlation rule updates, firewall block-list changes, EDR hunting queries, or vulnerability scan exception justifications tied to specific intelligence reports.
- Review metrics or dashboards tracking threat intelligence consumption and response, such as time-to-action, number of IoCs ingested, or percentage of applicable intelligence acted upon.
- Verify that threat intelligence sources align with the organization's industry vertical, technology environment, and geographic risk profile by cross-referencing them against the asset inventory and risk register.
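As an added example (not part of the original control text) of how the evidence from the trace and metrics steps above can be checked mechanically: this Python script takes a constructed intelligence ledger, with records mirroring what the auditor traces (source, receipt time, applicability decision, documented action or disposition, action time), and computes the consumption and response metrics named above (items ingested, percentage of applicable intelligence acted upon, time-to-action) while flagging items that cannot be traced to a documented action or disposition. The 72-hour response threshold and all ledger values are assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed sample ledger (hypothetical values, not from any real feed). Each record
# mirrors what the auditor traces: the source, when the item was received, whether the
# team judged it applicable, and the documented action or disposition with its time.
LEDGER = [
    {"id": "TI-001", "source": "ISAC advisory", "received": "2024-05-01T09:00",
     "applicable": True, "action": "IoC block-list update", "acted": "2024-05-01T15:30"},
    {"id": "TI-002", "source": "CISA alert", "received": "2024-05-03T08:00",
     "applicable": True, "action": "patch acceleration", "acted": "2024-05-06T10:00"},
    {"id": "TI-003", "source": "vendor bulletin", "received": "2024-05-04T12:00",
     "applicable": False, "action": "dispositioned: product not in estate",
     "acted": "2024-05-04T13:00"},
    {"id": "TI-004", "source": "ISAC advisory", "received": "2024-05-10T07:00",
     "applicable": True, "action": None, "acted": None},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")


def time_to_action_hours(item):
    """Hours from receipt to the documented action; None if no action is recorded."""
    if not item["acted"]:
        return None
    return (_ts(item["acted"]) - _ts(item["received"])).total_seconds() / 3600


def audit_summary(ledger, sla_hours=72):
    """Metrics the testing procedure asks for, plus the items that fail the trace.

    untraced: any item with no documented action or disposition at all.
    overdue:  applicable items acted on later than sla_hours (assumed threshold) or not at all.
    """
    applicable = [i for i in ledger if i["applicable"]]
    acted = [i for i in applicable if i["action"]]
    ttas = [time_to_action_hours(i) for i in acted]
    overdue = []
    for i in applicable:
        tta = time_to_action_hours(i)
        if tta is None or tta > sla_hours:
            overdue.append(i["id"])
    return {
        "ingested": len(ledger),
        "applicable": len(applicable),
        "acted_on": len(acted),
        "pct_applicable_acted": round(100 * len(acted) / len(applicable), 1) if applicable else 0.0,
        "median_time_to_action_hours": median(ttas) if ttas else None,
        "untraced": [i["id"] for i in ledger if not i["action"]],
        "overdue": overdue,
    }


if __name__ == "__main__":
    for key, value in audit_summary(LEDGER).items():
        print(f"{key}: {value}")
```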