SY110: Cyber Threat Intel and Modeling

Learning Outcomes

After completing these activities you should be able to:



Cyber Threat Intelligence (CTI) Overview

Most cybersecurity tools and technologies are reactive, waiting for something malicious to occur before taking action. Heuristic-based security software, such as antivirus, Intrusion Detection/Prevention Systems (IDS/IPS), and Access Control List (ACL)-based boundary security tools, is a pervasive example of this reactive posture. These tools are designed to detect, quarantine, and eliminate malware *after* it has been introduced to a network. Often, the logs from these tools become the primary evidence for observing an attack in progress or investigating a breach long after the initial compromise. The time an adversary remains undetected in a network, known as "dwell time," remains a significant challenge. In 2023, the median dwell time for ransomware attacks was just 5 days, while the overall median dwell time across all intrusions was 13 days, a significant decrease from previous years, showing improved detection but also faster-acting adversaries [1].

Cyber Threat Intelligence (CTI) is the evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets. This intelligence is used to inform decisions regarding the subject's response to that menace or hazard [2]. CTI does not prevent a cyber attack by itself, but the information sharing and the understanding of adversary Tactics, Techniques, and Procedures (TTPs) enable organizations to shift from a reactive to a proactive defense. This proactive stance significantly increases an organization's ability to anticipate and prevent attacks, thereby reducing risk and shortening dwell times.

What is Cyber Threat Intelligence (CTI)?

To fully grasp CTI, we must understand its component parts:

Cyber - The cyberspace domain consists of the interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. It is often described in three layers: the physical network (hardware), the logical network (software and protocols), and the cyber-persona (digital identities) [3].

Threat - A potential cause of an unwanted incident, which may result in harm to a system or organization. A threat is realized by a threat actor exploiting a vulnerability. It is a combination of capability, opportunity, and intent [4].

Intelligence - Not just data or information, but *analyzed* information that provides meaningful context relevant to a specific user and purpose. In cybersecurity, this includes technical and operational information that enables teams to optimize People, Processes, and Technologies to protect the mission. This intelligence is leveraged by a wide range of teams—from cyber threat analysts and vulnerability management to Incident Response (IR) and executive leadership—using tools like Threat Intelligence Platforms (TIPs), Security Orchestration, Automation and Response (SOAR), and Security Information and Event Management (SIEM) systems.

CTI filters the immense volume of available data to address specific risks to an organization's mission. It accomplishes this by creating and delivering tailored intelligence products that inform decision-making at all levels, from strategic executive planning to tactical threat hunting.

The Cyber Threat Intelligence (CTI) Lifecycle

Before intelligence can be used, it must be produced through a structured process known as the intelligence cycle. This iterative process ensures that the intelligence is relevant, timely, and actionable.


  1. Planning and Direction: This phase defines the intelligence requirements based on stakeholder needs. What are the organization's critical assets? What are the priority threats? For example, a financial institution's leadership might direct the CTI team to focus on threats to its new mobile banking application.
  2. Collection: Raw data is gathered from various sources. These include internal sources (e.g., network logs, endpoint data) and external sources (e.g., open-source intelligence (OSINT), threat feeds from the U.S. Cybersecurity and Infrastructure Security Agency, dark web forums).
  3. Processing: The collected raw data is converted into a format suitable for analysis. This can involve translating data from different languages, normalizing data formats, and decrypting information.
  4. Analysis and Production: This is where information becomes intelligence. Analysts examine the processed data to identify patterns, model threat actor behavior, and produce finished intelligence products like reports, briefings, or automated alerts. This stage answers the crucial "so what?" question for stakeholders.
  5. Dissemination: The finished intelligence is delivered to the stakeholders who need it, in a format they can use. A technical report with Indicators of Compromise (IOCs) goes to the Security Operations Center (SOC), while a high-level strategic brief goes to the C-suite.
  6. Feedback: Stakeholders provide feedback on whether the intelligence met their needs. This feedback is critical for refining the entire cycle and improving the quality of future intelligence products [5].

Who is involved in the Cyber Threat Intelligence (CTI) Process?

The maturity and structure of a cybersecurity program dictate how CTI is managed. A small organization might rely on a single IT security professional, while a large enterprise may have a dedicated Cyber Fusion Center (CFC) that integrates intelligence with other security functions.

Key Cyber Threat Intelligence (CTI) Stakeholders

Prevention. The Security Operations Center (SOC), IT operations, and vulnerability management (risk management and compliance) teams use CTI to proactively defend the organization. This includes tuning security controls, patching critical vulnerabilities exploited by active threat groups, and managing system configurations.

Response. During an incident, the Incident Response (IR) and Computer Emergency Response Teams (CERT), along with threat hunting and Security Information and Event Management (SIEM) teams, use CTI to understand the adversary's actions, contain the threat, and eradicate it from the network.

Strategic. The executive team (e.g., Chief Information Security Officer (CISO), Chief Executive Officer (CEO)), legal, finance, and business operations leaders use strategic CTI to make informed risk management decisions, allocate resources, and align cybersecurity priorities with the organization's mission.

Cyber Threat Intelligence (CTI) in the United States Military

The U.S. military and Department of Defense (DoD) are at the forefront of CTI development and application. Their approach is formalized and integrated into joint military doctrine. The military views cyberspace as a warfighting domain, and CTI is critical for achieving mission objectives and maintaining information superiority.

U.S. Cyber Command (USCYBERCOM) leads the DoD's cyberspace operations and relies heavily on CTI. The process is often framed within the Joint Intelligence Preparation of the Operational Environment (JIPOE) framework, which is adapted for cyberspace. This involves four major steps:

  1. Define the Cyberspace Operational Environment: Mapping friendly and adversary networks, key cyber terrain (e.g., critical servers, data repositories), and logical pathways.
  2. Describe the Operational Environment's Effects: Analyzing how the terrain affects adversary and friendly capabilities. This includes identifying vulnerabilities in systems and personnel.
  3. Evaluate the Adversary: A deep dive into known adversary groups (often state-sponsored Advanced Persistent Threats (APTs)), their TTPs, motivations, and historical campaign data. This aligns closely with civilian CTI's focus on threat actor profiling.
  4. Determine Adversary Courses of Action (COAs): Predicting how adversaries are most likely to attack based on the previous steps. This informs both defensive ("defend the nation") and offensive cyber operations [6].

Military CTI teams, functioning as part of the Cyber Mission Force (CMF), share intelligence through robust networks such as the DoD's Secret Internet Protocol Router Network (SIPRNet) and the Joint Worldwide Intelligence Communications System (JWICS). They collaborate closely with the intelligence community (e.g., National Security Agency (NSA), Central Intelligence Agency (CIA), Defense Intelligence Agency (DIA), and many others) to produce and disseminate intelligence that supports tactical operators, theater commanders, and national-level decision-makers [7].

How is Cyber Threat Intelligence (CTI) employed?

CTI is categorized into three main levels, each serving a different purpose and audience.

Strategic CTI. High-level intelligence for executive leadership. It focuses on the "who" and "why" of threats, addressing business risk, threat actor motivations, and geopolitical trends.

Operational CTI. Information for security managers and response teams about specific impending attacks. It details the "how" and "where," focusing on adversary TTPs and campaigns.

Tactical (AKA Technical) CTI. Information focused on specific indicators of an attack that can be used for detection and blocking. This is the "what" and includes IOCs.

CAUTION: Do not attempt to reach out or contact Command and Control (C2) networks of cyber threat actors. This includes searching for associated files, domains, and other IOCs, as you may unintentionally establish a connection or attribute connection requests to your personal/corporate computer networks.

Where are CTI sources published?

Reliable sources of CTI are crucial. Government agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) provide authoritative public alerts. Commercial threat intelligence services from companies like CrowdStrike, Mandiant (now part of Google), and Recorded Future offer deep, curated intelligence for subscribers. Open-source platforms like VirusTotal provide invaluable tools for analyzing files and URLs against a vast repository of data.

Activity: Threat Hunting

Threat hunting is a proactive search through networks to detect and isolate advanced threats that evade existing security solutions. Let's run through a basic threat hunting process using a real-world IOC.

Run through the step-by-step threat hunting process below to look into an IOC that would feed into the CTI and response teams.

  1. Open a browser and navigate to the VirusTotal website.
  2. Investigate the following file hash IOC. This hash is for a custom DLL dropper used in the CoffeeLoader campaign: c930eca887fdf45aef9553c258a403374c51b9c92c481c452ecf1a4e586d79d9
  3. Search for reports on "CoffeeLoader" or "Zscaler ThreatLabz" on a trusted cybersecurity news source or search engine.
  4. In VirusTotal, review the Behavior and Community tabs. The community section often contains comments from other security researchers that provide valuable context about the malware and the campaign it was used in.
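The tactical CTI level described earlier and the hunt above both come down to matching IOCs against what is already on your own systems, which can be done entirely offline, with no contact with attacker infrastructure. The following is an added example and not part of the lesson: it takes the SHA-256 IOC from step 2 plus a constructed placeholder domain and checks them against constructed files and DNS log lines; the IOC_DOMAINS value, the log line format and the file names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path
# Tactical CTI as a constructed IOC set. The SHA-256 is the CoffeeLoader dropper
# hash quoted in the activity; the domain is a constructed placeholder, not a real C2.
IOC_HASHES = {"c930eca887fdf45aef9553c258a403374c51b9c92c481c452ecf1a4e586d79d9"}
IOC_DOMAINS = {"c2-placeholder.example"}

def normalize_hash(value):
    """Strip whitespace and lower-case a copied IOC; return '' if it is not a SHA-256."""
    v = value.strip().lower()
    return v if len(v) == 64 and all(c in "0123456789abcdef" for c in v) else ""

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def hunt_files(root, ioc_hashes):
    """Return (relative path, sha256) for each file under root whose hash is an IOC."""
    root, hits = Path(root), []
    for p in sorted(root.rglob("*")):
        if p.is_file() and sha256_file(p) in ioc_hashes:
            hits.append((str(p.relative_to(root)), sha256_file(p)))
    return hits

def hunt_dns_log(lines, ioc_domains):
    """Match queried names (and their subdomains) in '<ts> <client> <name>' lines."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than guess at fields
        ts, client, name = parts
        name = name.lower().rstrip(".")  # drop trailing dot from FQDN-style logging
        if any(name == d or name.endswith("." + d) for d in ioc_domains):
            hits.append((ts, client, name))
    return hits

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed artifacts, hunted offline
        root = Path(tmp)
        (root / "benign.txt").write_bytes(b"quarterly report draft")
        (sample := root / "dropper.dll").write_bytes(b"CONSTRUCTED SAMPLE, NOT MALWARE")
        # Add the constructed sample's hash (pasted in upper case) so there is one file hit.
        iocs = IOC_HASHES | {normalize_hash(sha256_file(sample).upper())}
        file_hits = hunt_files(root, iocs)
    dns_lines = [  # constructed DNS log lines
        "2025-07-10T12:00:01Z 10.0.0.5 www.example.com",
        "2025-07-10T12:00:02Z 10.0.0.7 update.c2-placeholder.example.", "bad line"]
    return file_hits, hunt_dns_log(dns_lines, IOC_DOMAINS)
```

Any hit from either function is a finding to hand to the IR team with the IOC source it matched, not a verdict on its own.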

Cyber Threat Modeling

Threat modeling is a structured process for identifying and prioritizing potential threats to a system and validating mitigations. It's a proactive exercise to "think like an attacker."

Common frameworks include:

Threat Actors

Cyber threat actors are the individuals or groups behind a threat. Understanding their motivations and capabilities is central to CTI.

Advanced Persistent Threats (APTs): Highly sophisticated, well-resourced groups, often sponsored by a nation-state. Their goals are typically espionage, data theft, or disruption (e.g., Volt Typhoon).

Organized Crime: Financially motivated groups that operate like a business. They are responsible for most ransomware attacks, data theft for resale, and financial fraud (e.g., ALPHV/BlackCat, LockBit).

Hacktivists: Individuals or groups driven by a political, social, or ideological cause. Their goal is to bring attention to an issue by disrupting or defacing a target's web presence.

Insider Threats: A current or former employee, contractor, or partner who has or had authorized access and uses it, intentionally or unintentionally, to harm the organization.

Script Kiddies: Amateur attackers who use pre-made scripts and tools developed by others. They typically lack deep technical skills and are often motivated by curiosity, a desire for attention, or causing low-level disruption rather than significant financial gain or espionage.

Below is a table of monikers used to identify threat actors that have been attributed to cyber attacks:

| Country/Entity | CrowdStrike | Microsoft | Mandiant (Google) | AKA |
|---|---|---|---|---|
| Russia | BEAR | Blizzard | APT28, APT29 | Fancy Bear, Cozy Bear, Energetic Bear, Voodoo Bear, Ember Bear, ... |
| China | PANDA | Typhoon | APT41, APT10 | Volt Typhoon, Flax Typhoon, Vixen Panda, Panda Dynamite, ... |
| Iran | KITTEN | Sandstorm | APT33, APT34, APT35 | Charming Kitten, Helix Kitten, Twisted Kitten, Ferocious Kitten, ... |
| North Korea | CHOLLIMA | Sleet | APT38, APT37 | Lazarus Group, Ricochet Chollima, Labyrinth Chollima, ... |
| Financial | SPIDER | Tempest | FIN6, FIN7, FIN12 | Scattered Spider, ALPHV/BlackCat, LockBit |
| Hacktivists | JACKAL | Based upon objective | | Anonymous |

Source: Adapted from various public sources and the MITRE ATT&CK Groups page [12].

The cyber threat landscape is a continuously evolving environment. To stay ahead of threat actors, organizations must continually adapt their cybersecurity measures, optimizing capabilities and technologies through the effective use of cyber threat intelligence and threat modeling.


Supplemental Media:

Cybersecurity Threat Hunting Explained by IBM Technology


Review Questions:

Conceptual Understanding

  1. In your own words, define Cyber Threat Intelligence (CTI) and explain its primary purpose within an organization's cybersecurity strategy.
  2. The lesson states that CTI enables a proactive approach. Contrast this with a traditional reactive security posture.
  3. Explain the difference between strategic, operational, and tactical (AKA technical) CTI. Provide a recent, real-world example of how each level of intelligence could be used.
  4. What are the six phases of the CTI lifecycle? Briefly describe the key activities in each phase.
  5. Describe the JIPOE process and how it is adapted for military cyberspace operations.

Application and Analysis

  1. You are a CTI analyst for a large US port authority. Based on recent threat actor trends, which APT group mentioned in the lesson would be a primary concern? What would be their likely TTPs? [8]
  2. The lesson mentions the ALPHV/BlackCat ransomware group. Using the MITRE ATT&CK framework, what are two potential techniques this group might use for "Initial Access"?
  3. Why is the "Feedback" phase of the CTI lifecycle crucial for a security team's long-term success?
  4. Examine the CTI stakeholder diagram. Explain the flow of intelligence from the CTI team to both the Incident Response team and the C-Suite during a major ransomware attack. What would each team need to know?
  5. The table of threat actor monikers shows that different cybersecurity vendors use different names for the same threat group. Why do you think this is the case, and what challenges might this create for a CTI analyst trying to research a threat?


References

[1] Mandiant. (2024). *M-Trends 2024*. Google Cloud. https://cloud.google.com/security/resources/m-trends-2024

[2] Gartner. (n.d.). *Gartner Glossary: Threat Intelligence*. Retrieved July 10, 2025, from https://www.gartner.com/en/information-technology/glossary/threat-intelligence

[3] Joint Chiefs of Staff. (2018). *Joint Publication 3-12, Cyberspace Operations*. U.S. Department of Defense. https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_12.pdf

[4] ISO/IEC. (2018). *ISO/IEC 27000:2018 Information technology — Security techniques — Information security management systems — Overview and vocabulary*. International Organization for Standardization. https://www.iso.org/standard/73906.html

[5] Heuer, R. J. (1999). *Psychology of Intelligence Analysis*. Center for the Study of Intelligence, Central Intelligence Agency. https://www.cia.gov/resources/csi/books-monographs/psychology-of-intelligence-analysis/

[6] U.S. Army. (2017). *ATP 2-01.3, Intelligence Preparation of the Battlefield/Battlespace*. Department of the Army. https://armypubs.army.mil/epubs/DR_pubs/DR_a/pdf/web/ARN1519_ATP%202-01.3%20FINAL%20WEB.pdf

[7] U.S. Cyber Command. (n.d.). *About USCYBERCOM*. Retrieved July 10, 2025, from https://www.cybercom.mil/About/

[8] Cybersecurity and Infrastructure Security Agency (CISA). (2024). *PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure*. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

[9] AhnLab. (2024, January 25). *ALPHV Ransomware Group Actively Exploiting Recent T-Mobile Vulnerability*. AhnLab Security Emergency response Center (ASEC). https://asec.ahnlab.com/en/61277/

[10] Symantec. (2023). *Scattered Spider: The Modus Operandi of a Prolific Threat Actor*. Broadcom. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/scattered-spider-threat-group-modus-operandi

[11] AcumenCyber. (2025, May 28). *Cyber Threat Intelligence Digest: Week 21*. https://acumencyber.com/cyber-threat-intelligence-digest-may-2025-week-21

[12] MITRE. (n.d.). *Groups*. MITRE ATT&CK®. Retrieved July 10, 2025, from https://attack.mitre.org/groups/