What is Cyber Threat Intelligence?
Cyber Threat Intelligence (CTI) is evidence-based knowledge about existing or emerging cyber threats, including context, mechanisms, indicators, and actionable advice. A well-organized CTI Framework provides a structured approach to intelligence management—from collection and analysis to decision-making and incident response.
Strategic CTIHigh-level intelligence for executives. Focuses on business risks and long-term trends.
Tactical CTITechnical intelligence for security operations. Includes TTPs, IOCs, and detection rules.
Operational CTIIntelligence about specific incoming attacks. Campaign tracking, adversary profiles.
Technical CTIMachine-readable indicators: IP addresses, domains, hashes, YARA/Sigma rules.
Threat Intelligence Collection & Sources
HUMINT
Human IntelligenceSIGINT
Signals IntelligenceOSINT
Open Source IntelligenceIMINT
Imagery IntelligenceMASINT
Measurement & Signature IntelGEOINT
Geospatial IntelligenceFININT
Financial IntelligenceThreat Feeds & Databases
Commercial FeedsAlienVault OTX, VirusTotal, Abuse.ch, CrowdStrike, Recorded Future
Dark Web MonitoringDetect mentions of organization, credentials, planned attacks
Social Media & CommunityCrowdsourced threat reporting, security researcher disclosures
ISACs & Sharing GroupsIndustry-specific intelligence sharing (FS-ISAC, MS-ISAC)
Threat Intelligence Frameworks
MITRE ATT&CK®Tactics, Techniques, and Sub-techniques. Maps adversary behaviors to detection and mitigation.
Cyber Kill ChainReconnaissance → Weaponization → Delivery → Exploitation → Installation → C2 → Actions
Diamond ModelRelationships between Adversary, Infrastructure, Capability, and Victim.
Pyramid of PainDisrupt adversaries by targeting higher-level TTPs rather than low-level IOCs.
MITRE ATT&CK Tactics (Enterprise)
| Tactic | Description | Key Techniques |
|---|---|---|
| Reconnaissance | Gathering information | Active Scanning, OSINT |
| Resource Development | Establishing resources | Infrastructure, Accounts |
| Initial Access | Getting into environment | Phishing, Exploit Public Apps |
| Execution | Running malicious code | PowerShell, Scheduled Tasks |
| Persistence | Maintaining foothold | Registry Run Keys |
| Privilege Escalation | Gaining higher permissions | Bypass UAC |
| Defense Evasion | Avoiding detection | Obfuscation |
| Credential Access | Stealing credentials | LSASS Memory |
| Discovery | Learning environment | Network Scanning |
| Lateral Movement | Moving through environment | RDP, SMB |
| Collection | Gathering target data | Data Staging |
| Command & Control | Communicating with systems | DGA, Encrypted Channels |
| Exfiltration | Stealing data | Data Transfer |
| Impact | Manipulating or destroying | Data Encryption |
Data Analysis & Threat Correlation
Indicators of Compromise (IOCs)File hashes, IPs, domains, URLs. Lifecycle: discovery → validation → use → enrichment → deprecation.
Tactics, Techniques, Procedures (TTPs)Map adversary behaviors to MITRE ATT&CK. Identify patterns and predict future behaviors.
Analysis of Competing Hypotheses (ACH)Investigate multiple hypotheses, weigh evidence, refine conclusions.
Anomaly DetectionSIEM tools, EDR systems, behavioral analytics to uncover hidden threats.
Threat Intelligence Dissemination
Traffic Light Protocol (TLP)
TLP:RED
Restricted to specific internal teams
Restricted to specific internal teams
TLP:AMBER
Limited sharing with trusted partners
Limited sharing with trusted partners
TLP:GREEN
Limited external sharing within community
Limited external sharing within community
TLP:WHITE
Publicly releasable
Publicly releasable
Standardized Formats
STIXStructured Threat Information eXpression. JSON-based, machine-readable.
TAXIITrusted Automated eXchange of Intelligence Information. Protocol for exchanging STIX data.
MISPOpen-source threat intelligence platform. Sharing communities, correlation.
OpenCTIPlatform for managing, storing, and sharing CTI data. Integrates with MITRE ATT&CK.
Threat Hunting & Incident Response
Threat Hunting EnvironmentTIPs, SIEM, SOAR. Hypothesis-driven hunting methodology.
Red Teaming & Purple TeamingSimulated attacks using Cobalt Strike, Atomic Red Team.
Threat-Informed DefenseContinuously improve defenses based on intelligence.
Threat Intelligence PlatformsMISP, OpenCTI, ThreatConnect, Anomali
SIEM IntegrationSplunk ES, Sentinel, QRadar, ELK Stack
Adversary EmulationAtomic Red Team, Caldera, Strata Red Team
Threat Hunting ToolsVelociraptor, osquery, KAPE, Hayabusa
Continuous Improvement & Feedback Loop
Measuring EffectivenessKPIs: Time to detect, response effectiveness, intelligence quality.
Refining ProcessesIncorporate feedback from IR, threat hunting, and analysis.
Adapting to New ThreatsIntegrate new TTPs, IOCs, and indicators continuously.
CTI Lifecycle
| Phase | Activities |
|---|---|
| 1. Planning & Direction | Define intelligence requirements, prioritize threats |
| 2. Collection | Gather data from OSINT, HUMINT, SIGINT, feeds, dark web |
| 3. Processing | Convert raw data into usable format, normalize, enrich |
| 4. Analysis | Interpret data, identify patterns, develop conclusions |
| 5. Dissemination | Share intelligence with stakeholders (TLP classification) |
| 6. Feedback | Evaluate impact, refine requirements, improve processes |
Threat-Informed Defense Strategy
Dynamic Defensive MeasuresConfigure SIEM rules based on current intel. Update endpoint protection.
Adversary SimulationRegular red team exercises using latest TTPs.
Detection EngineeringCreate Sigma and YARA rules from intelligence.
Vulnerability ManagementPrioritize patching based on active threat intelligence.
Summary: By systematically collecting, analyzing, and acting on threat intelligence, this CTI framework provides organizations with the tools and strategies necessary to stay ahead of adversaries.
📚 This is an overview of the complete Cyber Threat Intelligence (CTI) Framework.
Access the Full Original Framework