What is Cyber Threat Intelligence?

Cyber Threat Intelligence (CTI) is evidence-based knowledge about existing or emerging cyber threats, including context, mechanisms, indicators, and actionable advice. A well-organized CTI Framework provides a structured approach to intelligence management—from collection and analysis to decision-making and incident response.

Strategic CTIHigh-level intelligence for executives. Focuses on business risks and long-term trends.
Tactical CTITechnical intelligence for security operations. Includes TTPs, IOCs, and detection rules.
Operational CTIIntelligence about specific incoming attacks. Campaign tracking, adversary profiles.
Technical CTIMachine-readable indicators: IP addresses, domains, hashes, YARA/Sigma rules.

Threat Intelligence Collection & Sources

HUMINT

Human Intelligence

SIGINT

Signals Intelligence

OSINT

Open Source Intelligence

IMINT

Imagery Intelligence

MASINT

Measurement & Signature Intel

GEOINT

Geospatial Intelligence

FININT

Financial Intelligence

Threat Feeds & Databases

Commercial FeedsAlienVault OTX, VirusTotal, Abuse.ch, CrowdStrike, Recorded Future
Dark Web MonitoringDetect mentions of organization, credentials, planned attacks
Social Media & CommunityCrowdsourced threat reporting, security researcher disclosures
ISACs & Sharing GroupsIndustry-specific intelligence sharing (FS-ISAC, MS-ISAC)

Threat Intelligence Frameworks

MITRE ATT&CK®Tactics, Techniques, and Sub-techniques. Maps adversary behaviors to detection and mitigation.
Cyber Kill ChainReconnaissance → Weaponization → Delivery → Exploitation → Installation → C2 → Actions
Diamond ModelRelationships between Adversary, Infrastructure, Capability, and Victim.
Pyramid of PainDisrupt adversaries by targeting higher-level TTPs rather than low-level IOCs.

MITRE ATT&CK Tactics (Enterprise)

TacticDescriptionKey Techniques
ReconnaissanceGathering informationActive Scanning, OSINT
Resource DevelopmentEstablishing resourcesInfrastructure, Accounts
Initial AccessGetting into environmentPhishing, Exploit Public Apps
ExecutionRunning malicious codePowerShell, Scheduled Tasks
PersistenceMaintaining footholdRegistry Run Keys
Privilege EscalationGaining higher permissionsBypass UAC
Defense EvasionAvoiding detectionObfuscation
Credential AccessStealing credentialsLSASS Memory
DiscoveryLearning environmentNetwork Scanning
Lateral MovementMoving through environmentRDP, SMB
CollectionGathering target dataData Staging
Command & ControlCommunicating with systemsDGA, Encrypted Channels
ExfiltrationStealing dataData Transfer
ImpactManipulating or destroyingData Encryption

Data Analysis & Threat Correlation

Indicators of Compromise (IOCs)File hashes, IPs, domains, URLs. Lifecycle: discovery → validation → use → enrichment → deprecation.
Tactics, Techniques, Procedures (TTPs)Map adversary behaviors to MITRE ATT&CK. Identify patterns and predict future behaviors.
Analysis of Competing Hypotheses (ACH)Investigate multiple hypotheses, weigh evidence, refine conclusions.
Anomaly DetectionSIEM tools, EDR systems, behavioral analytics to uncover hidden threats.

Threat Intelligence Dissemination

Traffic Light Protocol (TLP)

TLP:RED
Restricted to specific internal teams
TLP:AMBER
Limited sharing with trusted partners
TLP:GREEN
Limited external sharing within community
TLP:WHITE
Publicly releasable

Standardized Formats

STIXStructured Threat Information eXpression. JSON-based, machine-readable.
TAXIITrusted Automated eXchange of Intelligence Information. Protocol for exchanging STIX data.
MISPOpen-source threat intelligence platform. Sharing communities, correlation.
OpenCTIPlatform for managing, storing, and sharing CTI data. Integrates with MITRE ATT&CK.

Threat Hunting & Incident Response

Threat Hunting EnvironmentTIPs, SIEM, SOAR. Hypothesis-driven hunting methodology.
Red Teaming & Purple TeamingSimulated attacks using Cobalt Strike, Atomic Red Team.
Threat-Informed DefenseContinuously improve defenses based on intelligence.
Threat Intelligence PlatformsMISP, OpenCTI, ThreatConnect, Anomali
SIEM IntegrationSplunk ES, Sentinel, QRadar, ELK Stack
Adversary EmulationAtomic Red Team, Caldera, Strata Red Team
Threat Hunting ToolsVelociraptor, osquery, KAPE, Hayabusa

Continuous Improvement & Feedback Loop

Measuring EffectivenessKPIs: Time to detect, response effectiveness, intelligence quality.
Refining ProcessesIncorporate feedback from IR, threat hunting, and analysis.
Adapting to New ThreatsIntegrate new TTPs, IOCs, and indicators continuously.

CTI Lifecycle

PhaseActivities
1. Planning & DirectionDefine intelligence requirements, prioritize threats
2. CollectionGather data from OSINT, HUMINT, SIGINT, feeds, dark web
3. ProcessingConvert raw data into usable format, normalize, enrich
4. AnalysisInterpret data, identify patterns, develop conclusions
5. DisseminationShare intelligence with stakeholders (TLP classification)
6. FeedbackEvaluate impact, refine requirements, improve processes

Threat-Informed Defense Strategy

Dynamic Defensive MeasuresConfigure SIEM rules based on current intel. Update endpoint protection.
Adversary SimulationRegular red team exercises using latest TTPs.
Detection EngineeringCreate Sigma and YARA rules from intelligence.
Vulnerability ManagementPrioritize patching based on active threat intelligence.
Summary: By systematically collecting, analyzing, and acting on threat intelligence, this CTI framework provides organizations with the tools and strategies necessary to stay ahead of adversaries.

📚 This is an overview of the complete Cyber Threat Intelligence (CTI) Framework.

Access the Full Original Framework