Overview
Cyber Threat Intelligence (CTI) is the evidence-based collection and analysis of information regarding existing or emerging threats to an organization’s digital assets. Its primary value lies in enabling security teams to transition from a reactive posture — managing the aftermath of incidents — to a proactive one, anticipating and preventing threats before they materialize.
Core Components
CTI provides context, mechanisms, and actionable guidance by analyzing the following elements:
- Attacker Profiles: Understanding adversary motivations, intent, and resourcing.
- TTPs (Tactics, Techniques, and Procedures): Identifying the specific methods adversaries use to achieve their objectives; these are mapped to the MITRE ATT&CK framework.
- Threat Range: Monitoring the full spectrum of threats, from common phishing campaigns to sophisticated nation-state operations.
Reactive vs. Proactive Cyber Defense
The core distinction between reactive and proactive defense is timing and intent: one manages the aftermath of a breach, the other seeks to prevent it.
Reactive Cyber Defense
- Trigger: Initiated after a security breach or incident has been detected.
- Primary Goals: Containment, damage control, and system restoration.
- Key Actions: Threat identification, isolation of affected systems, and return to operational status.
- Drawbacks: Financial loss and reputational damage are frequently unavoidable, as the attack has already succeeded.
Proactive Cyber Defense
- Trigger: Initiated before an attack manifests.
- Primary Goals: Prevention, risk anticipation, and infrastructure hardening.
- Key Actions: Threat hunting, vulnerability management, and applying threat intelligence to close security gaps.
- Advantages: Reduces the likelihood of a successful breach and minimizes potential impact through early detection.
Comparison Summary
| Feature | Reactive Defense | Proactive Defense |
|---|---|---|
| Timing | Post-attack | Pre-attack |
| Focus | Minimizing damage | Preventing entry |
| Tools | Firewalls, detection systems | Threat hunting, intelligence feeds |
| Outcome | Recovery and restoration | Resilience and infrastructure hardening |
Four Categories of Cyber Threat Intelligence
CTI is segmented into four categories, each differentiated by target audience, level of detail, and operational purpose.
1. Strategic CTI
- Focus: High-level trends, attacker motivations, and long-term geopolitical or economic risks.
- Audience: Executives, board members, and policy-makers.
- Purpose: Informs risk management, resource allocation, and long-term cybersecurity strategy.
- Example: Assessing the risk of state-sponsored economic espionage to inform adjustments to annual security budgets and investment priorities.
2. Tactical CTI
- Focus: Immediate, technical indicators of compromise (IOCs) such as IP addresses, URLs, and file hashes.
- Audience: Security practitioners and automated defense systems.
- Purpose: Provides machine-readable data for real-time detection, blocking, and mitigation of active threats.
- Example: Ingesting known command-and-control (C2) IP addresses into a firewall or intrusion prevention system (IPS) for automated blocking. See ransomware C2 infrastructure for a real-world application.
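The tactical-CTI workflow described above, ingesting an indicator feed and matching it against egress logs, as an added example that is not part of this page or any vendor's tooling: it assumes a hypothetical JSON feed shape with constructed indicators and constructed log lines, drops expired and low-confidence indicators before matching (the usual source of false-positive blocks), and handles CIDR ranges and domain case normalisation.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed tactical-CTI feed (hypothetical JSON shape, not STIX or any vendor's schema).
FEED = json.loads("""[
 {"type": "ipv4",   "value": "203.0.113.45",           "confidence": 90, "expires": "2099-01-01T00:00:00Z"},
 {"type": "cidr",   "value": "198.51.100.0/24",        "confidence": 75, "expires": "2099-01-01T00:00:00Z"},
 {"type": "domain", "value": "Update-Service.example", "confidence": 85, "expires": "2099-01-01T00:00:00Z"},
 {"type": "ipv4",   "value": "192.0.2.10",             "confidence": 95, "expires": "2020-01-01T00:00:00Z"},
 {"type": "domain", "value": "low-confidence.example", "confidence": 40, "expires": "2099-01-01T00:00:00Z"}
]""")

# Constructed egress log lines: timestamp, source host, destination.
LOGS = """2024-05-01T10:00:01Z host-a 203.0.113.45
2024-05-01T10:00:02Z host-b 198.51.100.77
2024-05-01T10:00:03Z host-c update-service.example
2024-05-01T10:00:04Z host-d 192.0.2.10
2024-05-01T10:00:05Z host-e 203.0.113.46
2024-05-01T10:00:06Z host-f low-confidence.example"""

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # evaluation time for expiry

def load_indicators(feed, now, min_confidence=70):
    """Drop expired indicators and those below the confidence floor."""
    nets, domains = [], set()
    for ind in feed:
        expires = datetime.fromisoformat(ind["expires"].replace("Z", "+00:00"))
        if expires <= now or ind["confidence"] < min_confidence:
            continue
        if ind["type"] in ("ipv4", "cidr"):
            nets.append(ipaddress.ip_network(ind["value"], strict=False))
        elif ind["type"] == "domain":
            domains.add(ind["value"].lower().rstrip("."))  # normalise for matching
    return nets, domains

def match_logs(log_text, nets, domains):
    """Return (source host, destination) pairs whose destination hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        _ts, src, dst = line.split()
        try:
            addr = ipaddress.ip_address(dst)  # IP literal: CIDR-aware membership
            if any(addr in net for net in nets):
                hits.append((src, dst))
        except ValueError:  # not an IP literal: treat as a hostname
            if dst.lower().rstrip(".") in domains:
                hits.append((src, dst))
    return hits
```

Feed the returned `nets` and `domains` to the firewall or IPS blocklist and route the `match_logs` hits to the SIEM; the expired 192.0.2.10 entry and the low-confidence domain are excluded from both.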
3. Operational CTI
- Focus: Adversary TTPs and the specific sequencing of an attack campaign.
- Audience: Incident responders, security analysts, and threat hunters.
- Purpose: Enables teams to understand adversary movement patterns — reconnaissance, lateral movement, exfiltration — to proactively hunt for active intrusions.
- Example: Identifying that a specific threat group uses PowerShell for privilege escalation (MITRE ATT&CK: T1059.001) in order to tune detection logic for anomalous script execution. See cti-landscape for current threat actor TTP profiles.
4. Technical CTI
- Focus: Highly granular data on specific malware variants, exploits, and vulnerabilities.
- Audience: Security engineers, malware analysts, and red teams.
- Purpose: Produces specific detection signatures and targeted patch strategies, derived from reverse engineering and deep forensic analysis.
- Example: Analyzing a malware sample’s unique command-and-control communication protocol to develop custom network-based detection signatures.
CTI Category Reference
| Category | Audience | Focus | Primary Output |
|---|---|---|---|
| Strategic | Executives, policy-makers | Trends, geopolitics, risk | Risk reports, strategic guidance |
| Tactical | Security practitioners, systems | IOCs, immediate indicators | Blocklists, detection rules |
| Operational | Incident responders, analysts | TTPs, attack sequences | Hunt hypotheses, playbooks |
| Technical | Engineers, malware analysts | Malware, exploits, CVEs | Signatures, patches, YARA rules |
