Global threat hunting: how to predict attacks at preparation stage

Botconf 2020
2023-04-25 | 15:30 – 16:00

Rustam Mirkasymov 🗣

During my research at Group-IB into the activity of hacking groups, I noticed that some trojan families use templates in their communication processes and in the infrastructure used in attacks. The idea is to identify such templates and use them to predict attacks at the initial stage, when threat actors set up their infrastructure. The following information should be processed to do this:

  • Open ports
  • Available services on ports (fingerprints)
  • Responses on open ports
  • SSL certificates on open ports

Using this information, you can predict attacks at the preparation stage (sometimes before the attack is conducted). This type of intelligence is more useful than intel collected after the attack has happened.
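The matching step described above, as an added example (not code from the talk or from Group-IB): one template combining the four listed data sources is checked against scan records, and a host is flagged only when every feature agrees. The template, its field names and all scan records are constructed for illustration.

```python
import re

# Constructed template for a hypothetical family; not real indicators.
TEMPLATE = {
    "ports": {22, 443},        # ports that must all be open
    "c2_port": 443,            # port the remaining features apply to
    "service": "nginx",        # expected service fingerprint
    "response": r"^HTTP/1\.1 404 Not Found\r\nServer: nginx\r\nContent-Length: 0\r\n",
    "cert_subject": r"^CN=[a-z]{8}\.example$",
    "self_signed": True,       # issuer must equal subject
}

def svc(service, response, subject=None, issuer=None):
    """Build one per-port record (hypothetical shape of scanner output)."""
    return {"service": service, "response": response,
            "cert": {"subject": subject, "issuer": issuer}}

BLANK_404 = "HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"

# Constructed scan records using documentation IP ranges.
SCANS = [
    {"ip": "203.0.113.10", "ports": {
        22: svc("openssh", "SSH-2.0-OpenSSH_8.2"),
        443: svc("nginx", BLANK_404, "CN=qwertyui.example", "CN=qwertyui.example")}},
    {"ip": "198.51.100.7", "ports": {
        22: svc("openssh", "SSH-2.0-OpenSSH_8.2"),
        443: svc("nginx", "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
                 "CN=shop.example", "CN=Example CA")}},
    {"ip": "192.0.2.44", "ports": {
        443: svc("nginx", BLANK_404, "CN=abcdefgh.example", "CN=abcdefgh.example")}},
]

def match(host, t):
    """Return the template features the host fails; an empty list is a match."""
    failed = []
    if not t["ports"].issubset(host["ports"]):
        failed.append("ports")
    rec = host["ports"].get(t["c2_port"]) or svc("", "")
    if rec["service"] != t["service"]:
        failed.append("service")
    if not re.search(t["response"], rec["response"]):
        failed.append("response")
    cert = rec["cert"]
    subject_ok = re.search(t["cert_subject"], cert["subject"] or "")
    if not subject_ok or (cert["issuer"] == cert["subject"]) != t["self_signed"]:
        failed.append("cert")
    return failed

def hunt(scans, t):
    """IPs whose ports, service, response and certificate all fit the template."""
    return [h["ip"] for h in scans if not match(h, t)]
```

Requiring all four features together keeps an ordinary nginx host with a default page from being flagged on a single weak signal.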

