Unit 4: Threat Intelligence

UNIT TITLE Plan and implement a threat intelligence programme

This unit develops the skills and knowledge required to build a cyber security team capable of identifying, tracking and infiltrating cyber-criminal organisations for the purpose of designing and implementing tailored security measures that defend nations, governments and private sector organisations.

It applies to individuals, whether employees or contractors, who work in positions of authority and are approved to implement change within a department or across the organisation. They are responsible for directly supervising others.

No occupational licensing, certification or specific legislative requirements apply to this unit at the time of publication.

Elements describe the essential outcomes of the unit. Performance criteria describe the performance needed to demonstrate achievement of the element.
1. Build a threat intelligence programme

1.1 Determine threat intelligence goals and requirements in consultation with senior management or the client

1.2 Establish required human, technological, equipment and time resource requirements to achieve goals

1.3 Establish data sources from which to collect threat data and data collection techniques to be implemented

1.4 Establish team requirements and roles and responsibilities of team members

1.5 Define the methodologies to employ to process threat data into threat intelligence

1.6 Develop the policies, procedures and supporting documents for use during threat intelligence activities

2. Undertake intelligence collection activities

2.1 Establish, source and collect threat data to identify and track threat actors

2.2 Undertake intelligence collection activities whilst remaining undetected and untraceable

2.3 Analyse and process threat data collected and create threat intelligence

2.4 Establish intelligence-driven security recommendations

2.5 Provide leadership to team members to achieve programme goals

2.5 Communicate threat intelligence with relevant stakeholders

2.6 Capture stakeholder feedback on the usefulness and effectiveness of the intelligence provided

2.7 Assess effectiveness of intelligence activities and refine according to lessons learnt

2.8 Identify and resolve issues and technical challenges

3. Report on programme outcomes

3.1 Report findings and recommendations relevant to executive team members and Information Technology (IT) personnel

3.2 Make separate presentations to executive team members and IT personnel providing relevant information


Foundation skills essential to performance are explicit in the performance criteria of this unit of competency.

TITLE Assessment Requirements for CYBPIT004 Plan and implement a threat intelligence programme

Evidence of the ability to complete tasks outlined in elements and performance criteria of this unit in the context of the job role, and:

  • Effective use of verbal and nonverbal communication to extract information from a range of people and to communicate clearly with senior management, clients, stakeholders and team members
  • Language skills to translate technical findings into terms that business and lay persons can understand
  • On a minimum of one (1) occasion build:
    • an attack indicators database
    • a cyber deception tool
  • On a minimum of three (3) occasions:
    • write signatures to track adversaries in the network
    • convert threat data into threat intelligence, share it with relevant personnel and make recommendations for the prevention of cyber attacks

The learner must be able to demonstrate the essential knowledge required to effectively complete the tasks outlined in the elements and performance criteria of this unit, manage those tasks and manage contingencies in the context of the work role.

This includes knowledge of:

  • Common terminology relating to threat intelligence, business risk and information security
  • Conversion of threat data into relevant and actionable threat intelligence
  • Types of cyber threat intelligence:
    • Tactical Intelligence: Attacker methodologies, tactics, tools and procedures
    • Technical Intelligence: Attacker malware details
    • Operational Intelligence: Details of incoming attacks
    • Strategic Intelligence: High-level information of changing risks
  • Typical methodologies used to collect intelligence and their application including:
    • Open Source Intelligence:
      • Registration records
      • Domain name servers
      • Web enumeration and social media
      • Document metadata
      • Dump site scraping
      • TCP/IP information
    • Human Intelligence:
      • Agent recruitment
      • Agent management
      • Adversary group infiltration
    • Proactive Surveillance:
      • Honeypots
      • Honeynets
      • Honeyprofiles
      • Honeytokens
      • Decloaking
  • Common attacker tactics, techniques and procedures
  • Common types of attackers and their motivation and intent
  • Various intrusion analysis models including:
    • The Diamond Model
    • Deny, detect, respond, deter, deceive, disrupt, destroy
    • The Kill-Chain model

Assessment may be in the form of:

  • work samples
  • written assignments
  • theoretical examination
  • observation

Both practical skills and knowledge must be assessed. Skills must be demonstrated in a real or simulated work environment. Simulated assessment environments must simulate the real-life working environment with access to all the relevant equipment and resources of that working environment.

Assessor requirements

No specialist vocational competency requirements for Assessors apply to this unit.