Threat Intelligence

Threat intelligence is structured, contextualised information about the cybersecurity threat landscape — who is attacking, what methods they use, which vulnerabilities they exploit, and which types of targets they focus on. It is distinguished from raw data (logs, alerts) by being processed, analysed, and made actionable. Threat intelligence is typically categorised by level: strategic intelligence (high-level trends for executive decision-making), operational intelligence (specific campaigns and attacker behaviours for security operations), and tactical intelligence (indicators of compromise, malware signatures, and exploit signatures for technical response teams). For product manufacturers, threat intelligence primarily supports threat modelling during development and exploitation monitoring during the operational phase.

The CRA's Annex I requires manufacturers to address cybersecurity risks through risk assessments and threat modelling. Threat intelligence is a critical input to these processes: it grounds theoretical threat models in real-world attacker behaviour rather than abstract risk categories. Key CRA-relevant uses of threat intelligence include:

• Threat modelling: Using intelligence about attacker TTPs relevant to the product category (e.g., known attack patterns against IoT devices or industrial controllers) to inform the product's security design.
• Active exploitation monitoring: Subscribing to intelligence feeds that notify manufacturers when vulnerabilities in their product's component stack are being exploited — feeding the CRA Article 14 notification trigger.
• SBOM vulnerability prioritisation: Using exploitation frequency data (EPSS) and active exploit intelligence (CISA KEV) to prioritise which SBOM-correlated CVEs require immediate remediation.

Manufacturers should monitor multiple intelligence sources based on their product categories and technology stack:

• CISA KEV: The US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalogue — the most authoritative public source of confirmed active exploitation.
• ENISA threat landscape reports: Annual and sector-specific reports on the EU threat landscape, with relevance to CRA-covered product categories.
• National CSIRT advisories: Real-time alerts from EU member state CSIRTs on active threats and exploited vulnerabilities.
• FIRST EPSS: Exploit prediction scores for prioritising patching based on exploitation likelihood.
• MITRE ATT&CK: A structured knowledge base of adversary tactics and techniques relevant to threat modelling.
• Vendor intelligence feeds: Threat intelligence from security vendors with relevant product coverage (e.g., OT/ICS threat intelligence for industrial product manufacturers).

A PSIRT operating under CRA obligations should have defined processes for consuming and acting on threat intelligence. Recommended practices:

• Feed subscription and triage: Subscribe to relevant intelligence feeds and have a defined process for converting intelligence alerts into vulnerability triage actions.
• CVE correlation against SBOM: Automate the matching of newly published CVEs (particularly those with active exploitation indicators) against the SBOM to identify which internal products are affected.
• Intelligence-driven severity adjustment: Use threat intelligence to upgrade severity assessments beyond CVSS base score when active exploitation or attacker focus on a specific technology stack is identified.
• Intelligence sharing: Participate in sector ISACs and share threat intelligence with peers and national CSIRTs — the CRA encourages information sharing within the ecosystem.