Lesson Overview
The earlier lessons taught how to prepare for, detect, contain, and recover from incidents, but they treated the threat largely as a given, something that happens, to be responded to. This lesson turns to the threat itself: knowing the adversary, understanding who attacks digital systems, how they do it, and why, so that defence and response are informed rather than blind. Threat intelligence is the disciplined knowledge of threats and adversaries, turned into something a defender can use: to prepare against the attacks actually likely, to recognise them faster when they come, and to respond better because the adversary's methods are understood. A team that knows the adversary defends and responds with foresight; one that does not is forever surprised, meeting each attack as if it were the first of its kind. This lesson is about gaining and using that knowledge, at the realistic scale of a small digital Principality.
The governing idea is that defence is far more effective when it is informed by knowledge of the actual threat, and that knowledge is largely available to those who seek it. An attacker has the advantage of choosing the time, place, and method; the defender narrows that advantage by understanding the attacker's likely methods in advance, so as to prepare for them, watch for them, and recognise them quickly. Much of this knowledge already exists, in the wider security community's advisories and shared intelligence, in public reports of how attacks are carried out, and in the lessons of one's own and others' past incidents, so a small force need not discover it all alone but can learn from the collective knowledge of defenders everywhere. Threat intelligence is therefore largely the discipline of gathering this available knowledge and applying it to one's own defence, which is well within a small force's reach and turns blind defence into informed defence. And it is, throughout, defensive: knowing the adversary to defend against them, never to attack anyone.
This is the knowledge layer; the practice of gathering and applying threat intelligence is done under those who lead the Principality's cyber defence. It rests on recognised threat-intelligence practice and the threat picture of the wider courses, and is strictly defensive, in keeping with the speciality's posture. Read this to understand what knowing the adversary involves; the practice itself comes under guidance.
By the end you will be able to explain what threat intelligence is and why knowing the adversary improves defence, gather threat knowledge from the available sources, understand the realistic threats to a small digital Principality, use intelligence to inform preparation, detection, and response, and recognise the limits and the strictly defensive posture.
Key Terms
- Threat intelligence: disciplined knowledge of threats and adversaries, turned into a form a defender can use to prepare, detect, and respond.
- Adversary: one who attacks or would attack digital systems, ranging from opportunistic criminals to capable, targeted attackers.
- Threat: a potential cause of harm to systems or data, whether a person, a method, or a circumstance.
- Tactics, techniques, and procedures (TTPs): the characteristic ways an adversary operates, from broad approach down to specific methods, by which attacks can be recognised.
- Indicator of compromise (IOC): a specific, observable sign that an attack has occurred or is occurring, such as a known malicious address or file.
- Opportunistic attack: an attack that strikes whatever weak target it finds, not aimed at a particular victim; the commonest kind.
- Targeted attack: an attack aimed deliberately at a particular victim, typically by a more capable and determined adversary.
- Threat landscape: the overall picture of the threats relevant to an organisation, who and what is likely to attack it and how.
- Shared intelligence: threat knowledge shared among defenders, in advisories, reports, and communities, so each benefits from all.
- Defensive posture: the principle that this knowledge is used to defend, never to attack, in keeping with the Army's strictly defensive cyber stance.
Why knowing the adversary improves defence
Defence undertaken in ignorance of the threat is defence at a disadvantage, because the attacker chooses the method and the moment while the defender, knowing nothing of what to expect, must guard against everything equally and recognise nothing quickly. Knowing the adversary changes this: a defender who understands who is likely to attack, how they operate, and what they seek can prepare against the likely, concentrating defence where attacks actually come rather than spreading it thin against every conceivable threat; can detect faster, because knowing the adversary's methods means knowing the signs to watch for; and can respond better, because an attack whose nature is understood is contained and eradicated more surely than one met in bafflement. Knowledge of the threat narrows the attacker's advantage of surprise, which is much of the value of threat intelligence.
The reason this works is that adversaries are not infinitely various; they follow patterns. Attackers reuse methods, tools, and approaches, their tactics, techniques, and procedures, because what works is repeated, so the same kinds of attack recur across many victims, and an attack a defender has never personally seen has very likely been seen, documented, and analysed by others. This patterning is what makes threat intelligence possible: because attacks are not unique snowflakes but recurring patterns, a defender can learn those patterns in advance and recognise them when they appear, turning "an unknown attack" into "the kind of attack we prepared for." The defender who knows the adversary's patterns meets a new attack with recognition; the one who does not meets it with surprise.
This reframes the relationship between the defender and the threat from passive to informed. Rather than waiting to be attacked and then reacting in ignorance, the team that knows the adversary anticipates: it understands the threats it actually faces, prepares its defences and detection for them, and responds to incidents with the adversary's likely methods already in mind. For a small force this informed posture is especially valuable, because it lets limited defensive resources be concentrated where the real threats are rather than wasted guarding against the irrelevant, which is much of how a small force defends effectively against adversaries it cannot match in resources. Knowing the adversary is the foundation of that focus.
What threat intelligence is, and gathering it
Threat intelligence is knowledge of threats and adversaries turned into a usable form, and the emphasis is on usable: raw information about threats becomes intelligence when it is gathered, made sense of, and applied to one's own defence, telling the defender something they can act on, who is likely to attack, how, and what to do about it. The aim is not to accumulate threat information for its own sake but to answer the practical questions defence asks: what threats do we actually face, how would they come, how would we recognise them, and where should we concentrate our defence? Threat intelligence is the disciplined answering of those questions from available knowledge.
The good news for a small force is that much of this knowledge is available to be gathered, so the work is largely collection and application rather than original discovery. The principal sources are three. Shared intelligence from the wider security community: advisories from recognised authorities, threat reports, and the knowledge shared among defenders, which describe current threats, adversary methods, and specific indicators of compromise as they emerge, so that each defender benefits from the collective observation of all. Public reporting and analysis: the substantial published body of how attacks are carried out, what adversaries do, and how incidents unfold, which lets a small force learn the patterns of attack without having suffered them. And one's own and others' past incidents: the lessons of incidents already experienced, by the force or by similar organisations, which are among the most relevant intelligence of all because they show what actually happens to people like you, connecting directly to the after-incident learning of Lesson 10.
Gathering this is within any small force's reach, because it is mostly a matter of paying attention to the available knowledge: following the relevant advisories and reports, learning the documented patterns of common attacks, and capturing the lessons of incidents. A small force cannot field a large intelligence operation, but it does not need to, because the collective knowledge of the defender community is largely open to those who seek it, and applying that shared knowledge to one's own defence is most of practical threat intelligence. The member who keeps abreast of the available threat knowledge, and turns it into preparation and detection for their own systems, is doing threat intelligence at the scale a small force needs.
THREAT INTELLIGENCE (available knowledge, applied to your own defence)

GATHER FROM:
  SHARED INTELLIGENCE   advisories, threat reports, defender communities
                        (each benefits from the collective observation)
  PUBLIC REPORTING      documented patterns of how attacks are carried out
  PAST INCIDENTS        your own + similar orgs' (the most relevant; ties
                        to the after-incident learning of Lesson 10)

TURN INTO usable answers:  what threats do we face?  how would they come?
                           how would we recognise them?  where do we concentrate defence?

Mostly COLLECTION + APPLICATION, not original discovery -> within a small
force's reach. And strictly DEFENSIVE: to defend, never to attack.
Knowing the adversary, and tactics, techniques, and procedures
Applying threat intelligence begins with understanding the realistic threats to one's own organisation, the threat landscape, because defence should be informed by the threats one actually faces, not by every threat that exists. For a small, lawful, humanitarian, digitally-organised Principality, the realistic threats are a particular mix, and it is worth being honest about what that mix is. Most attacks any organisation faces are opportunistic: attacks that strike whatever weak target they find, not aimed at a particular victim, the broad, automated, indiscriminate attacks that sweep the internet for the unpatched, the default-credentialled, the careless. This is why the cyber-hygiene and hardening disciplines matter so much, since they remove a force from the opportunistic attacker's reach. But a digital Principality may also face targeted attacks: attacks aimed deliberately at it, by more capable and determined adversaries who attack because of what it is, which is the rarer but more dangerous threat, and which the wider threat-picture courses (PME 430, SIG 220) place in context. Knowing which threats are realistic, the constant opportunistic background and the possible targeted attention, focuses defence where it is needed.
Understanding how adversaries operate is the work of learning their tactics, techniques, and procedures (TTPs), the characteristic ways they attack, from broad approach down to specific methods. Adversaries gain entry, move, and act in patterned ways, and learning these patterns lets a defender recognise an attack by its method even when its specific details are new: knowing that attackers commonly phish for credentials, then use them to move through systems, then seek privileged access, then exfiltrate or encrypt data, lets a defender watch for that pattern and recognise it unfolding. Indicators of compromise, the specific observable signs of an attack (a known malicious address, a particular file, a characteristic behaviour), are the most concrete intelligence, fed into detection so that known signs of attack are spotted automatically. TTPs give the defender the patterns to recognise; IOCs give the specific signs to watch for; together they turn the abstract "know the adversary" into the concrete ability to see attacks coming and in progress.
For the member, knowing the adversary's TTPs connects directly to the detection and response of the earlier lessons. The detection of Lesson 02 is far sharper when it knows what to watch for, the patterns and indicators threat intelligence provides; the playbooks of Lesson 04 are built around the adversary's likely methods; the response is surer when the attack's nature is recognised. So threat intelligence is not a separate, academic exercise but the knowledge that makes all the response disciplines more effective, by replacing ignorance of the threat with understanding of it. The member who learns the realistic threats and the adversary's patterns defends and responds with the foresight that knowing the adversary gives.
Using intelligence, the limits, and the defensive posture
Threat intelligence is worth gathering only if it is used, and its uses run through the whole of defence and response. It informs preparation: knowing the realistic threats and the adversary's methods, the force prepares its defences, hardening, backups, plans, against what is actually likely, concentrating effort where the threat is. It sharpens detection: the patterns and indicators of intelligence become the signs the force watches for, so attacks are recognised faster (Lesson 02). It shapes the playbooks: the responses to common incidents (Lesson 04) are built around how those incidents actually unfold. It guides prioritisation: limited defensive resources are directed at the threats that matter most, which for a small force is essential. And it improves response: an incident whose adversary and methods are understood is contained and eradicated more surely. Threat intelligence applied across preparation, detection, playbooks, prioritisation, and response makes the whole defensive effort more effective, which is its purpose.
Two limits keep the use of intelligence honest. First, intelligence is not prediction: knowing the threat landscape and the adversary's patterns improves the odds but does not foretell exactly what will happen, so threat intelligence informs defence without replacing the general preparedness (the broad hygiene, the backups, the plans) that guards against the unforeseen as well as the foreseen. A force that defended only against the specific threats it had intelligence on, and neglected general defence, would be exposed to the attack it did not anticipate; intelligence focuses defence, it does not narrow it to the predicted alone. Second, intelligence can be wrong or outdated, since adversaries change their methods, so it is kept current and held with appropriate uncertainty, used as informed guidance rather than certain knowledge.
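A small worked illustration of two points above: indicators of compromise fed into detection so known signs are matched automatically, and intelligence that goes stale being flagged rather than trusted. This is an added example, not part of the lesson or any Army tooling; the indicators and log lines are constructed placeholders (RFC 5737 documentation address, reserved TLD, dummy hash), and the 90-day staleness threshold is an assumed policy value.

```python
# Added example: toy IOC matcher with staleness flagging (constructed data, not a real feed).
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    kind: str        # "ip", "domain" or "sha256"
    value: str       # the observable sign of attack
    source: str      # where the intelligence came from (advisory, report, own incident)
    last_seen: date  # when it was last confirmed; intelligence ages and goes stale


# Constructed placeholders, not real indicators.
INDICATORS = [
    Indicator("ip", "203.0.113.45", "shared advisory", date(2026, 1, 20)),
    Indicator("domain", "update-portal.example", "own past incident", date(2026, 2, 2)),
    Indicator("sha256", "aa" * 32, "public report", date(2025, 10, 1)),
]

# Constructed log lines in the style of a firewall, a DNS resolver and an endpoint agent.
SAMPLE_LOGS = [
    "2026-02-10T08:01:12Z fw DENY src=203.0.113.45 dst=10.0.0.7 dport=443",
    "2026-02-10T08:02:40Z dns query=update-portal.example client=10.0.0.21",
    "2026-02-10T08:03:05Z edr exec=/tmp/svc.bin sha256=" + "aa" * 32,
    "2026-02-10T08:04:00Z fw ALLOW src=198.51.100.9 dst=10.0.0.7 dport=443",
]

AS_OF = date(2026, 2, 10)  # the day the logs are checked (constructed)
TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")


def tokens(line: str) -> set[str]:
    """Split a log line into whole candidate observables (IPs, names, hashes), lower-cased.
    Whole-token matching avoids a prefix such as 203.0.113.4 matching 203.0.113.45."""
    return {t.lower().rstrip(".") for t in TOKEN.findall(line)}


def match_logs(lines, indicators, today: date, max_age_days: int = 90):
    """Match each line's tokens against the indicator set.

    Returns (line_no, kind, value, source, status) per hit, where status is
    'current' or 'stale'. Stale hits are still reported, but flagged, because an
    aged indicator is guidance to verify rather than certain knowledge.
    """
    index = {ind.value.lower(): ind for ind in indicators}
    hits = []
    for n, line in enumerate(lines):
        for tok in tokens(line):
            ind = index.get(tok)
            if ind is None:
                continue
            age_days = (today - ind.last_seen).days
            status = "stale" if age_days > max_age_days else "current"
            hits.append((n, ind.kind, ind.value, ind.source, status))
    return sorted(hits)


def run_sample():
    """The constructed logs checked against the constructed indicators as of AS_OF."""
    return match_logs(SAMPLE_LOGS, INDICATORS, AS_OF)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```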
Finally, and in keeping with the speciality's whole stance, the use of threat intelligence is strictly defensive. Knowing the adversary, here, means understanding threats in order to defend against them, never in order to attack, retaliate, surveil, or pursue anyone; the knowledge is gathered and applied to protect the Principality's systems and people, full stop. The Army's cyber posture, as every CIS lesson insists, is defensive and lawful, and threat intelligence serves that posture: it is the knowledge a defender needs to defend well, used to harden, watch, and respond, and not for any offensive purpose. The member who knows the adversary uses that knowledge as a shield, to anticipate and withstand attacks, which is exactly what knowing the adversary, in a defensive force, is for.
In Practice: Defending with Foresight
A member of the Royal Kaharagian Army helping lead the Principality's cyber defence studies how knowing the adversary changes the defence from blind to informed. A team ignorant of the threat guards everything equally, recognises nothing quickly, and meets each attack as a surprise; the team that knows the adversary anticipates, focuses, and recognises, which is the difference threat intelligence makes.
The member gathers the available threat knowledge, not by mounting a large intelligence operation, which a small force cannot, but by attending to what is open: the shared intelligence of advisories and the defender community, the public reporting of how attacks are carried out, and the lessons of past incidents, the force's own and similar organisations', which show what actually happens to people like them. From this they understand the realistic threat landscape: the constant background of opportunistic attacks that sweep for the weak, which good hygiene and hardening remove the force from, and the possibility of targeted attacks aimed at the Principality for what it is. They learn the adversary's TTPs, the patterned ways attacks unfold (phish, move, escalate, exfiltrate), and the indicators to watch for.
Then they use the intelligence across the defence: preparing and hardening against the likely threats, sharpening detection (Lesson 02) with the patterns and indicators to watch for, building the playbooks (Lesson 04) around how incidents actually unfold, prioritising scarce defensive effort where the real threats are, and responding to incidents with the adversary's methods already understood. They hold the limits honestly, intelligence focuses defence but does not replace general preparedness or foretell the future, and keep it current. And they use it strictly defensively, to anticipate and withstand attacks, never to attack anyone, in keeping with the Army's posture. The result is a force that defends with foresight, concentrating its limited strength where the threat is real and meeting attacks with recognition rather than surprise, which is what knowing the adversary gives a small defender, and the whole point of this lesson.
Check Your Understanding
- Explain why defence is more effective when informed by knowledge of the threat, and why threat intelligence is possible at all, that adversaries follow patterns (TTPs) rather than being infinitely various. How does this help a small force focus limited defensive resources?
- Explain what threat intelligence is (usable knowledge of threats, applied to one's own defence) and the available sources a small force can gather from (shared intelligence, public reporting, past incidents). Why is this mostly collection and application rather than original discovery?
- Describe the realistic threat landscape for a small digital Principality (the opportunistic background and possible targeted attacks), how TTPs and indicators of compromise are used, the uses of intelligence across defence and response, and the limits and the strictly defensive posture.
Reflection (write a short paragraph): This lesson argues that an attack you have never personally seen has very likely been seen, documented, and analysed by others, so a small force can learn the patterns of attack from the collective knowledge of defenders without having suffered them. Why is it tempting for a small team to neglect threat intelligence as something only large organisations do, and what does that neglect cost in surprise and misdirected effort? Then consider the strictly defensive posture: why does the Army insist that knowing the adversary is for defending against them and never for attacking, and how does that distinguish threat intelligence as a shield from any offensive use?
Summary
- Knowing the adversary turns blind defence into informed defence: a defender who understands who attacks, how, and why can prepare against the likely, detect faster (knowing the signs), and respond better (the attack understood). This works because adversaries follow patterns (TTPs), so attacks recur and can be learned in advance.
- Threat intelligence is usable knowledge of threats applied to one's own defence, answering what threats we face, how they come, how to recognise them, and where to concentrate. Much of it is available to gather, from shared intelligence (advisories, communities), public reporting, and past incidents (own and similar orgs'), so for a small force it is mostly collection and application, well within reach.
- The realistic threat landscape for a small digital Principality is mostly opportunistic attacks (sweeping for the weak, defeated by hygiene and hardening) plus possible targeted attacks (aimed at it for what it is). Learn the adversary's TTPs (patterned methods) and indicators of compromise (specific signs), which sharpen detection and shape playbooks.
- Use intelligence across preparation, detection, playbooks, prioritisation, and response to make the whole defence more effective. Hold the limits: intelligence is not prediction (don't neglect general preparedness) and can be outdated (keep it current). Use it strictly defensively, to anticipate and withstand attacks, never to attack, in keeping with the Army's posture.
- This is the knowledge layer; gathering and applying threat intelligence is done under those who lead the Principality's cyber defence. The lesson informs the preparation of Lesson 01, sharpens the detection of Lesson 02 and the playbooks of Lesson 04, draws on the wider threat picture of PME 430 and SIG 220, and feeds and is fed by the after-incident learning of Lesson 10. Everything here is strictly defensive and lawful.
Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia