Threat intelligence comes from several sources, both internal and external. Fusing internal and external threat intelligence allows an organization to create the most relevant and accurate threat profile, and also to rate and rank the value of threat intelligence sources.
Your own network shows which intelligence is truly relevant to your organization. By leveraging threat data from your own network (i.e. log files, alerts, and incident response reports), you can recognize and stop threats. If you use a SIEM, this is a great place to start: several raw sources of internal network event data (such as event logs, DNS logs, and firewall logs) are already in your SIEM. Maintaining historic knowledge of past incident responses also supports more mature threat awareness based on internal sources. That means retaining accessible data on the systems affected during an incident, the vulnerabilities exploited, the related indicators and malware, and, if known, the attribution and motivation of the adversaries. Retaining the malware used, relevant packet captures, and netflow can also be an invaluable source of intelligence.
External sources vary widely, with many degrees of trustworthiness. “Open source” intelligence (i.e., security researcher and vendor blogs, and publicly available reputation and block lists) can provide indicators for detection and context. Private or commercial sources of threat intelligence can include threat intelligence feeds, structured data reports (such as STIX), unstructured reports (such as PDF and Word documents), emails from sharing groups, and so on. Some of this data, particularly that from vendors, may be refined with context for your particular industry. Ultimately, it is up to your security team, or someone with specific knowledge of your organization’s threat landscape, to determine its relevance.
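As an added illustration of fusing the internal and external sources described above (example code, not from the original article), this script matches constructed DNS and firewall log lines against constructed indicator feeds from hypothetical sources, then ranks each source by how much of its feed was actually seen on the network or confirmed by past incident data.

```python
import re
from collections import Counter

# Constructed sample: DNS and firewall events as a SIEM might store them (not real data).
INTERNAL_LOGS = """\
2024-05-01T10:02:11Z dns client=10.0.0.5 query=login-update.example type=A
2024-05-01T10:02:12Z firewall src=10.0.0.5 dst=203.0.113.9 dport=443 action=allow
2024-05-01T10:05:40Z dns client=10.0.0.7 query=cdn.example type=A
2024-05-01T10:06:01Z firewall src=10.0.0.7 dst=198.51.100.4 dport=80 action=deny
2024-05-01T10:09:30Z dns client=10.0.0.9 query=login-update.example type=A
"""

# Constructed external feeds (hypothetical source names): one indicator set per source.
EXTERNAL_FEEDS = {
    "vendor-feed": {"login-update.example", "203.0.113.9", "192.0.2.77"},
    "open-blocklist": {"198.51.100.4", "192.0.2.77", "192.0.2.78", "192.0.2.79"},
    "sharing-group": {"203.0.113.9"},
}

# Constructed internal knowledge: indicators confirmed during a past incident response.
PAST_INCIDENT_INDICATORS = {"203.0.113.9"}

# Observables of interest in these log formats: queried domains and destination IPs.
OBSERVABLE_RE = re.compile(r"\b(?:query|dst)=(\S+)")

def extract_observables(log_text):
    """Count how often each queried domain or destination IP appears in the internal logs."""
    seen = Counter()
    for line in log_text.splitlines():
        seen.update(OBSERVABLE_RE.findall(line))
    return seen

def fuse(log_text, feeds, confirmed):
    """Match external indicators against internal sightings and rank each source.

    Returns hits (indicator -> sources that listed it, sightings count) and ranking
    (source -> share of its feed seen on our network + share confirmed by past incidents).
    A tiny feed can score high, so read a score alongside the feed's size.
    """
    observed = extract_observables(log_text)
    hits, ranking = {}, {}
    for source, indicators in feeds.items():
        matched = indicators & set(observed)
        for ind in matched:
            entry = hits.setdefault(ind, {"sources": set(), "sightings": observed[ind]})
            entry["sources"].add(source)
        score = len(matched) / len(indicators) + len(indicators & confirmed) / len(indicators)
        ranking[source] = round(score, 3)
    return hits, ranking
```

Indicators that appear in several feeds and in your own incident history (here 203.0.113.9) are the ones to prioritise for detection content, while a feed with no sightings on your network contributes little to your threat profile.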