Centre for the Protection of National Infrastructure, Switched-on Security: Protecting networks through effective threat intelligence , 2015. Unclassified.
National Security Archive
A 2015 CPNI guide turned the abstract idea of cyber threat intelligence into a hands‑on playbook, shaping the UK's shift to proactive defence.
Source: Centre for the Protection of National Infrastructure, Switched-on Security: Protecting networks through effective threat intelligence, 2015. Unclassified.
Date: Jan 1, 2015
Collection: Cyber Vault: Maintaining Cyber Readiness, Nov 1, 2017
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
From Policy Paper to Practice: How the UK’s 2015 Threat‑Intelligence Blueprint Shaped Modern Cyber Defence
The document titled Switched‑on Security: Protecting networks through effective threat intelligence is a 2015 guidance note produced by the Centre for the Protection of National Infrastructure (CPNI), the UK government body charged with safeguarding critical assets. Drafted in early 2015, it emerged as the United Kingdom wrestled with a surge of sophisticated cyber‑espionage campaigns—most notably the disclosures surrounding the Russian‑linked “APT28” group and the rise of ransomware targeting hospitals and utilities. The CPNI’s brief was not a classified briefing for senior officials; it was deliberately unclassified, intended for distribution across public‑sector bodies, private‑sector partners, and the nascent Cyber‑security Information Sharing Partnership (CiSP). Its purpose was to translate the abstract concept of “threat intelligence” into a concrete, actionable framework for organisations that lacked dedicated cyber‑analysts.
The paper sits squarely within the broader post‑2010 shift from reactive incident response to proactive, intelligence‑driven security. After the 2007 cyber‑attacks on Estonia and the 2008 Georgian conflict, Western governments recognised that traditional defences—firewalls and antivirus—could not keep pace with adversaries who operated like intelligence services: gathering, analysing, and exploiting information. In the United Kingdom, this realisation led to the creation of the National Cyber Security Centre (NCSC) in 2016, but the 2015 CPNI guide prefigured many of the NCSC’s later doctrines. By codifying a “four‑tier model” (strategic, tactical, operational, technical), the document gave non‑technical executives a vocabulary for discussing risk in the boardroom, while at the same time equipping security operations centres (SOCs) with concrete feeds—such as the CiSP C2 list.
Key actors surface indirectly through the guide’s recommendations. The CPNI itself presents as a neutral convenor, yet its emphasis on “human contacts” and “trusted peer groups” betrays an awareness of the limits of automated feeds. The reference to CiSP underscores a governmental push to break the historic “information silos” that hampered earlier UK responses to threats like the 2013 Target breach. Moreover, the guide’s caution against “cool‑sounding products” hints at a skeptical stance toward the burgeoning cyber‑threat‑intel market, which in 2015 was saturated with vendor‑driven threat‑feeds of uneven quality.
Reading between the lines, the document reveals several strategic anxieties. First, the insistence on “tailored intelligence” suggests the CPNI feared a one‑size‑fits‑all approach would drown smaller organisations in noise, rendering threat feeds ineffective. Second, the operational checklist—googling the organisation’s name before a DDoS—exposes a concern that public perception and media cycles could be weaponised, a theme later confirmed by the 2016 “Mirai” botnet attacks that followed viral news stories. Third, the call to embed technical indicators directly into firewalls reflects an early acknowledgement that manual correlation was too slow for the velocity of modern attacks.
Why does this 2015 infographic still matter? Its four‑tier taxonomy endures in today’s cyber‑risk frameworks, from the NCSC’s own guidance to private‑sector standards like MITRE ATT&CK. The document’s push for “human‑to‑human” sharing anticipated the rise of Information Sharing and Analysis Centres (ISACs) that now form the backbone of sector‑wide defence. Finally, the CPNI’s blend of strategic awareness and low‑budget, actionable steps offers a template for today’s resource‑constrained organisations confronting a threat landscape that has only grown more complex.
In short, Switched‑on Security is more than a historical curiosity; it is a blueprint that helped steer the United Kingdom from a reactive posture to an intelligence‑centric cyber‑defence culture. Its lessons—prioritise relevance over volume, leverage trusted peer networks, and embed technical feeds into everyday tools—remain instructive for any entity seeking to turn data into decisive protection.
Switched-on security
Protecting networks through effective threat intelligence
1. USE YOUR RADAR
Threat intelligence can allow targeted defence
What is intelligence? Information that can aid decisions with the aim of preventing an attack or decreasing the time taken to discover an attack.
What is threat intelligence? A new field. Applies traditional intelligence to cyber threats. Targets defences, increases threat awareness and improves responses to potential attacks.
2. THE 4 TIER MODEL OF THREAT INTELLIGENCE
The four types of threat intelligence
[Diagram: the four types plotted on two axes, from long term to short term and from high level to low level]
- Strategic: High level information on changing risk
- Tactical: Attacker methodologies, tools and tactics
- Operational: Details of a specific incoming attack
- Technical: Indicators of specific malware
Strategic threat intelligence
- Consumed by: board and senior staff.
- Form: often written or verbal, such as reports, briefings or conversations.
- Example: reports on the financial impact of cyber activity, or attack trends that might affect high-level business decisions.
Tactical threat intelligence
- Consumed by: architects and sysadmins.
- Gained by: reading white papers or the technical press, communication with peers in other organisations, purchasing from an intelligence provider.
- Example: it is discovered that attackers are using tools to obtain cleartext credentials and then replaying those credentials through PsExec.
Operational threat intelligence
- Consumed by: defenders, responders.
- It will be difficult for a private company to legally acquire operational intelligence on many groups. However, some public groups are easier.
- Example: regular attacks in response to news coverage can be used to predict future attacks.
Technical threat intelligence
- Consumed by: SOC staff / IR.
- Form: data or information normally consumed through technical means. Often has a short lifetime.
- Example: a feed of IP addresses suspected of being malicious or implicated as command and control servers.
3. TAILORED INTELLIGENCE
Focus on your organisation's specific threat intelligence requirements
Ask the right questions: Effective threat intelligence focuses on the questions that an organisation wants answered, rather than simply attempting to collect, process and act on vast quantities of data.
Don't just buy cool-sounding products: Not all threat intelligence products are useful. The most useful sources of threat intelligence - for example personal contacts in other organisations - are not necessarily the most expensive.
4. START SMART
Threat intelligence first steps that work - even with minimal staff and budget
Organisational
- Identify where threat intelligence processes might be taking place unofficially and assess how they could be better supported.
Strategic
- Identify whether current perceived cyber threats have been realised in the past.
- Liaise with industry peers to determine whether there are other threats.
- List all actors who would benefit from access to your sensitive data - or your inability to function effectively.
Tactical
- Extract key tactical indicators from incident reports and white papers on threat groups.
- Determine changes needed to make your organisation less susceptible.
- Identify planned refreshes of technologies, or systems. Feed tactical intelligence into those refreshes to mitigate attacks.
Operational
- List people to contact if your organisation receives notice of an impending attack.
- Google your organisation's name for dates immediately before DDOS attacks to determine whether negative coverage is leading to them.
- If not, attempt to identify other potential trigger factors.
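The operational check above (look for negative coverage in the days before each DDoS, and flag attacks with no such coverage for further trigger analysis) can be made repeatable. The script below is an added example, not part of the CPNI infographic: the attack dates and headlines are constructed, and the three-day window is an assumed analyst setting. In practice the attack dates come from your own incident records and the coverage dates from a search of your organisation's name.

```python
"""Added example (not from the CPNI infographic): test whether negative
coverage precedes DDoS attacks, the check described under 'Operational'.
All dates and headlines below are constructed for illustration."""
from datetime import date

# Constructed DDoS onset dates, standing in for your incident records
DDOS_ATTACKS = [date(2015, 2, 10), date(2015, 4, 3), date(2015, 6, 22)]

# Constructed coverage found by searching the organisation's name:
# (publication date, headline)
COVERAGE = [
    (date(2015, 2, 8), "Regulator criticises company over service outage"),
    (date(2015, 3, 1), "Company announces new chief executive"),
    (date(2015, 4, 1), "Customers angry after price rise"),
    (date(2015, 5, 15), "Company sponsors local sports event"),
]


def coverage_before(attack_day, coverage, window_days=3):
    """Coverage items published within window_days before (or on) the attack day."""
    return [(d, h) for d, h in coverage if 0 <= (attack_day - d).days <= window_days]


def correlate(attacks, coverage, window_days=3):
    """Map each attack date to the coverage that preceded it within the window."""
    return {a: coverage_before(a, coverage, window_days) for a in attacks}


def trigger_summary(attacks, coverage, window_days=3):
    """How many attacks were preceded by coverage, which were not, and the lag in days.

    Attacks listed under 'unexplained' are the ones for which the infographic
    says to look for other potential trigger factors.
    """
    hits = correlate(attacks, coverage, window_days)
    preceded = [a for a, items in hits.items() if items]
    lags = sorted((a - d).days for a in preceded for d, _ in hits[a])
    return {
        "attacks": len(attacks),
        "preceded_by_coverage": len(preceded),
        "unexplained": [a.isoformat() for a in attacks if a not in preceded],
        "lag_days": lags,
    }


if __name__ == "__main__":
    for attack, items in correlate(DDOS_ATTACKS, COVERAGE).items():
        headlines = [h for _, h in items]
        print(attack, headlines or "no preceding coverage: look for other triggers")
    print(trigger_summary(DDOS_ATTACKS, COVERAGE))
```

With the constructed data, two of the three attacks follow critical coverage by two days and the third has no coverage in the window, so it goes on the list of attacks whose trigger still needs explaining. Varying `window_days` shows how sensitive the apparent correlation is to the window you choose, which is worth checking before treating coverage as a predictor.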
Technical
- Obtain access to the daily C2 list from CiSP* or other free feeds and place the IP addresses in an 'alert' list on the primary firewall or IDS.
- Review regularly to determine whether outbound connections are being made from within your organisation.
- If so, initiate incident response.
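The three technical steps above (load a C2 feed into an alert list, review outbound connections against it, and hand matching hosts to incident response) are shown end to end in the following script. It is an added example and not the infographic's or CPNI's own tooling; the feed format (one IP or CIDR per line, `#` comments), the log layout (timestamp, source, destination, port) and every address are constructed for illustration, and the real CiSP C2 list may be formatted differently.

```python
"""Added example (not from the CPNI infographic): build an alert list from a
C2 indicator feed and review outbound connection logs for matches, as the
'Technical' first steps describe. Feed, log lines and addresses are all
constructed; the addresses are from reserved documentation ranges."""
import ipaddress

# Constructed C2 feed: one indicator per line, plain IPs or CIDR blocks
C2_FEED = """\
# constructed feed for illustration, not real indicators
198.51.100.23
203.0.113.0/24
192.0.2.77
"""

# Constructed outbound-connection log (firewall/proxy style):
# timestamp source_ip destination_ip destination_port
OUTBOUND_LOG = """\
2015-03-02T09:14:05 10.0.5.21 93.184.216.34 443
2015-03-02T09:14:09 10.0.5.21 203.0.113.45 8443
2015-03-02T09:15:41 10.0.7.3 198.51.100.23 80
2015-03-02T09:16:02 10.0.5.8 10.0.9.1 445
2015-03-02T09:17:30 10.0.7.3 192.0.2.77 443
"""


def load_alert_list(feed_text):
    """Parse the feed into ip_network objects (single IPs become /32 networks)."""
    networks = []
    for line in feed_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            # A malformed indicator is skipped rather than aborting the whole review
            continue
    return networks


def matching_network(dst, networks):
    """Return the alert-list network containing dst, or None."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None
    for net in networks:
        if addr in net:
            return net
    return None


def review_outbound(log_text, networks):
    """Return the log entries whose destination is on the alert list."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore lines that do not follow the assumed layout
        ts, src, dst, port = parts
        net = matching_network(dst, networks)
        if net is not None:
            hits.append({"time": ts, "src": src, "dst": dst,
                         "port": int(port), "indicator": str(net)})
    return hits


def hosts_to_triage(hits):
    """Internal hosts to hand to incident response, with the indicators each contacted."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["src"], set()).add(h["indicator"])
    return {src: sorted(inds) for src, inds in by_host.items()}


if __name__ == "__main__":
    nets = load_alert_list(C2_FEED)
    hits = review_outbound(OUTBOUND_LOG, nets)
    for h in hits:
        print(f"{h['time']} {h['src']} -> {h['dst']}:{h['port']} matches {h['indicator']}")
    print("hosts for incident response:", hosts_to_triage(hits))
```

Matching on networks rather than exact strings is what lets a single CIDR entry in the feed catch the connection to 203.0.113.45, and grouping hits by internal source host gives the responder the unit they actually act on. Because technical indicators have a short lifetime, the feed should be reloaded on each review rather than cached.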
5. TWO HEADS BETTER
One-to-one human contacts can be among the best information sources
Forums: Discuss threat intelligence in forums. The CiSP* allows organisations to share information securely.
Organisations: Meet with appropriate peers in similar organisations to discuss your joint perception of existing threats. Focus on relationships where there is already some trust and develop further trust.
* The Cyber-security Information Sharing Partnership (CiSP) is a joint industry and government initiative to share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat and therefore reduce the impact on UK business.
CPNI Centre for the Protection of National Infrastructure
This Infographic presents one perspective on the topic of Threat Intelligence.
For more information on the topic: www.cpni.gov.uk/advice/cyber/Threat-Intelligence
© Crown Copyright 2015
NATIONAL SECURITY ARCHIVE
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu