May 24 2022

How to Develop a Threat Intelligence Program in Higher Education

Understanding all four phases of the threat intelligence cycle is essential to taking action against cyberattacks.

In cyberspace, just like in sports, in-depth defensive preparation is necessary. This helps cybersecurity teams best position themselves to prevent adversaries from fulfilling their aims. Without it, teams are left to react to attacks in real time. Fortunately for higher ed institutions, threat intelligence can help university security teams prioritize defense efforts and prepare for potential cyberattacks.

In a recent Dark Reading webinar, experts discussed strategies for collecting and analyzing threat intelligence to inform cyber defense practices. Presenters explained how to integrate threat intelligence with defense and incident response initiatives so IT security teams can build processes and automated systems that speed the detection and mitigation of sophisticated cyberthreats.

Here are some of the key takeaways from the webinar.


Understand the Threat Intelligence Cycle

To get the most out of threat intelligence, it’s important to understand the threat intelligence cycle in all its phases. The four phases run in order: planning and direction, collection, analysis and dissemination. Dissemination then feeds back into planning and direction, which is what makes it a cycle: the questions the last round of reporting could not answer become the requirements for the next round.

Planning and Direction

It’s easy to work aimlessly if you don’t have an objective. Defining security objectives and mapping the route to achieving them is exactly what the planning and direction phase — arguably the most important phase of the cycle — is for. In this phase, team members must ask the right questions to best understand an objective, set the scope of work to be done, prioritize resources, and determine the goals, milestones and tasks to be completed along the way to the desired outcome.

This will require support from institutional management. But when this support is given, security teams can jump off the blocks and run a strong first leg before passing the baton for the second phase.

Collection

Collecting data is one thing. Gathering relevant threat intelligence data is an entirely different process, and that is what the collection phase is for. Generally speaking, it’s best to collect data from a wide range of internal sources (network logs, firewall logs) and external sources (open-source data feeds, solution providers), then integrate them so that external indicators can be checked against internal activity.

It can be overwhelming to sift through sources of data about threats, vulnerabilities and indicators of compromise (IOCs), the forensic artifacts (such as a malicious domain, IP address or file hash) that indicate a system or network may have been infiltrated. Across the board, however, data of interest will often include items like malware samples, URL and Domain Name System queries, endpoint telemetry and SaaS application logs.


Analysis

Just as collecting every piece of data can be overwhelming and not necessarily useful, analyzing every single piece of data isn’t desirable either. Data about threats, vulnerabilities and IOCs can be challenging to navigate, but triaging it against the requirements set in the planning phase, rather than processing everything that arrived, makes it tractable. Artificial intelligence and machine learning can help by automating the repetitive parts of this work. Overall, the goal is to make sense of the threat intelligence data to understand why and how an event occurred, and to present that analysis in an unbiased and objective manner.
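The collection and analysis phases above come together in one concrete task: checking an external indicator feed against internal logs and ranking what it finds. The following is an added example written for this article, not code from the webinar, CDW or any vendor. The feed format, the DNS and firewall log formats, the 180-day indicator age limit and every sample line are constructed assumptions; it also goes one step beyond the text by showing CIDR-range indicators and normalisation of DNS names, two details that matter as soon as a real feed is used.

```python
"""Correlate an external IOC feed with internal DNS and firewall logs.
Added example for this article, not code from the webinar or any vendor;
the feed format, log formats and every sample line below are constructed."""
import csv
import io
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed external feed: type,value,confidence,first_seen,source
IOC_FEED = """type,value,confidence,first_seen,source
domain,update-cdn.example,85,2022-05-01T00:00:00Z,osint-feed-a
ipv4,203.0.113.25,70,2022-03-15T00:00:00Z,osint-feed-b
cidr,203.0.113.16/28,50,2022-04-01T00:00:00Z,osint-feed-b
domain,stale-c2.example,60,2021-01-01T00:00:00Z,osint-feed-b
"""
# Constructed internal resolver log: timestamp host "query" rrtype name
DNS_LOG = """\
2022-05-10T09:12:03Z lab-pc-17 query A update-cdn.example
2022-05-10T09:12:04Z lab-pc-17 query A www.example.edu
2022-05-10T09:15:41Z dorm-ap-03 query A stale-c2.example
2022-05-10T10:02:00Z lib-kiosk-2 query A UPDATE-CDN.example.
"""
# Constructed firewall log: timestamp action src:port -> dst:port
FW_LOG = """\
2022-05-10T09:12:05Z allow 10.20.4.17:51234 -> 203.0.113.25:443
2022-05-10T09:13:10Z allow 10.20.4.17:51240 -> 198.51.100.7:443
2022-05-10T10:02:02Z deny 10.20.9.2:40011 -> 203.0.113.25:80
2022-05-10T10:30:00Z allow 10.20.4.17:51300 -> 203.0.113.30:8443
"""
NOW = datetime(2022, 5, 10, 12, 0, tzinfo=timezone.utc)  # analysis time (constructed)
MAX_AGE = timedelta(days=180)  # assumption: older indicators are too noisy to alert on
DNS_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")
FW_RE = re.compile(r"^(\S+) (allow|deny) (\S+):\d+ -> (\S+):(\d+)$")

def load_indicators(feed_text, now=NOW, max_age=MAX_AGE):
    """Parse the feed; drop indicators first seen more than max_age ago."""
    indicators = []
    for row in csv.DictReader(io.StringIO(feed_text)):
        first_seen = datetime.fromisoformat(row["first_seen"].replace("Z", "+00:00"))
        if now - first_seen > max_age:
            continue  # aged out: the infrastructure has probably been re-used or sinkholed
        row["confidence"] = int(row["confidence"])
        row["network"] = ipaddress.ip_network(row["value"]) if row["type"] == "cidr" else None
        indicators.append(row)
    return indicators

def parse_dns(log_text):
    """Yield resolver events; normalise the queried name (case, trailing dot)."""
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            yield {"ts": m.group(1), "asset": m.group(2), "domain": m.group(3).lower().rstrip(".")}

def parse_fw(log_text):
    """Yield firewall events with the internal source IP as the asset."""
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            yield {"ts": m.group(1), "action": m.group(2), "asset": m.group(3),
                   "dst": m.group(4), "port": int(m.group(5))}

def match(indicators, dns_events, fw_events):
    """Return one hit for every event that touches a live indicator."""
    domains = {i["value"].lower(): i for i in indicators if i["type"] == "domain"}
    ips = {i["value"]: i for i in indicators if i["type"] == "ipv4"}
    cidrs = [i for i in indicators if i["type"] == "cidr"]
    hits = []
    for ev in dns_events:
        ind = domains.get(ev["domain"])
        if ind:
            hits.append(_hit(ev, "dns", ev["domain"], ind))
    for ev in fw_events:
        dst = ipaddress.ip_address(ev["dst"])
        # An exact IP indicator is more specific than a range; prefer it when both apply.
        ind = ips.get(ev["dst"]) or next((c for c in cidrs if dst in c["network"]), None)
        if ind:
            hits.append(_hit(ev, "firewall", ev["dst"], ind))
    return hits

def _hit(event, log, observed, indicator):
    return {"ts": event["ts"], "log": log, "asset": event["asset"], "observed": observed,
            "indicator": indicator["value"], "confidence": indicator["confidence"],
            "source": indicator["source"]}

def prioritize(hits):
    """Group hits by internal asset and rank assets by their strongest indicator."""
    by_asset = defaultdict(list)
    for h in hits:
        by_asset[h["asset"]].append(h)
    return sorted(by_asset.items(), key=lambda kv: (-max(h["confidence"] for h in kv[1]), kv[0]))

def run_example():
    """Run the pipeline over the constructed data; returns (indicators, hits, ranked assets)."""
    indicators = load_indicators(IOC_FEED)
    hits = match(indicators, parse_dns(DNS_LOG), parse_fw(FW_LOG))
    return indicators, hits, prioritize(hits)
```

Two details carry the weight here. The stale indicator is dropped before matching, so the dorm access point that looked up an old command-and-control name never becomes an alert; without an age cut-off, feeds accumulate years of re-used infrastructure and the analysis phase drowns in false positives. The output is grouped by internal asset rather than by indicator, which is the shape the dissemination phase needs: the person receiving it wants to know which machines to look at first. In a production pipeline the DNS hostnames and firewall source addresses would be joined through DHCP or inventory data into a single asset identity; that join is left out here.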

Dissemination

A complete analysis doesn’t do much good unless it reaches the right people. That’s what the dissemination phase is for: delivering valuable, actionable and complete intelligence reports to the key people and teams. It’s important to remain aware of the frequency of delivery. A monthly report, for example, may be too infrequent or too frequent, depending on the institution. Finding your institution’s sweet spot goes a long way toward enhancing the planning and direction phase as the threat intelligence cycle continues.

Take a Proactive Approach to Threat Intelligence

When faced with IOCs or indicators of attack (IOAs), evidence of attacker behavior that suggests an attack is still in progress, it’s important to react accordingly. But you can’t stop there. Threat intelligence is most useful when you use it proactively. By asking and answering what happened and why for each IOC or IOA, security teams can turn reactivity into proactivity. By informing security practitioners about potential threats, methods, motives and vulnerabilities, threat intelligence enables institutions to plan ahead to mitigate future attacks.


Consider Threat Intelligence Management to Help Combat Challenges

In a rapidly evolving threat landscape, threat intelligence isn’t a perfect, one-size-fits-all security solution, and running a program brings its own challenges, not least the volume of data described above. Threat intelligence management, however, can help address these challenges.

Palo Alto Networks’ Cortex XSOAR threat intelligence management, for example, can orchestrate and automate more than 700 integrations, support real-time collaboration among physically distant team members and unify threat feeds with incident alerts. It centralizes an institution’s threat intelligence feeds and uses that intelligence to enrich the other tools and processes it connects to. The result is actionable intelligence: playbook-driven automation closes the loop between intelligence and action, getting the most out of an institution’s threat intelligence program.

