TACUNS
Module 1

Introduction to Threat Intelligence

What Is Cyber Threat Intelligence?

Cyber Threat Intelligence (CTI) is evidence-based knowledge about existing or potential threats to an organization's assets. The word evidence is critical — CTI is not speculation or guesswork. It is derived from analysis of real-world threat data, adversary behavior, and attack patterns.

Raw data (logs, alerts, news stories) is not intelligence. Intelligence emerges when that data is collected, processed, analyzed, and transformed into actionable insight that helps security teams make faster and better-informed decisions.

The Four Types of CTI

CTI Type | Audience | Time Horizon | Examples
Strategic | Executives, Board, Risk teams | Long-term (months–years) | Nation-state threat landscape report, sector risk assessment, trend analysis
Tactical | Security architects, SOC managers | Medium-term (weeks–months) | APT group TTPs, campaign analysis, attacker tooling profiles
Operational | Incident responders, threat hunters | Short-term (hours–days) | Specific incoming attack warning, active campaign IoCs, attacker objectives
Technical | SIEM engineers, security tools | Real-time (immediate) | IP addresses, domain names, file hashes, YARA rules, Suricata signatures

Key Insight

Most organizations consume only Technical CTI (IoC feeds). Mature security programs consume all four types. Strategic intelligence informs security investment decisions; tactical intelligence improves defensive architecture; operational intelligence accelerates incident response.

Intelligence Lifecycle

Intelligence does not appear spontaneously. It is produced through a structured lifecycle — a repeating cycle of directed collection, analysis, and improvement.

1. Planning and Direction: Define intelligence requirements. What questions does the security team need answered? Which threat actors are most relevant to your industry and geography?

2. Collection: Gather raw data from sources: open source intelligence (OSINT), dark web monitoring, threat intel feeds, internal telemetry, ISACs, vendor reports, honeypots.

3. Processing: Normalize, deduplicate, and structure collected data. Parse different formats into a common schema (STIX, JSON, CSV). Filter irrelevant data and enrich with context.

4. Analysis: Identify patterns, attribute activity to threat actors, assess likelihood and impact, and draw conclusions. This is the human-intensive step that transforms data into intelligence.

5. Dissemination: Deliver finished intelligence to the right audience in the right format. Executive briefings, incident response reports, automated IoC feeds, detection rule updates.

6. Feedback: Consumers evaluate the intelligence and provide feedback. Was it actionable? Was it timely? Feedback drives improvement in the next planning cycle.
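The Processing step above (parse several formats into one schema, deduplicate, filter, enrich) is the part of the lifecycle most often automated. The following is an added example, not code from the course: it takes constructed STIX 2.x indicator and CSV feed samples (documentation-range IPs, a placeholder hash), normalizes them into a common record, drops internal-address noise, merges duplicates across feeds and tags each record with a corroboration-based confidence. The feed formats, field names and confidence rule are assumptions for illustration.

```python
import csv, io, ipaddress, json, re

# Constructed sample feeds carrying overlapping indicators in two formats.
# IPs come from the documentation ranges (203.0.113.0/24, 198.51.100.0/24).
STIX_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.5']"},
    {"type": "indicator", "pattern": "[domain-name:value = 'Update-Service.EXAMPLE']"},
    {"type": "malware", "name": "not an indicator, must be skipped"},
]})
CSV_FEED = ("type,value\nip,203.0.113.5\ndomain,update-service.example\n"
            "ip,10.0.0.7\nip,198.51.100.23\nsha256," + "0123456789abcdef" * 4 + "\n")

STIX_PATTERN = re.compile(r"\[(ipv4-addr|domain-name):value = '([^']+)'\]")
TYPE_MAP = {"ipv4-addr": "ip", "domain-name": "domain", "ip": "ip", "domain": "domain", "sha256": "sha256"}
# Internal/loopback space is noise in an external-threat feed. Listed explicitly
# because ipaddress.is_private also flags the documentation ranges used above.
NOISE_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_stix(text, source):
    # Only simple single-equality patterns on indicator objects are handled here.
    out = []
    for obj in json.loads(text)["objects"]:
        m = STIX_PATTERN.match(obj.get("pattern", ""))
        if obj.get("type") == "indicator" and m:
            out.append({"type": TYPE_MAP[m.group(1)], "value": m.group(2), "source": source})
    return out

def parse_csv(text, source):
    return [{"type": TYPE_MAP[r["type"]], "value": r["value"], "source": source}
            for r in csv.DictReader(io.StringIO(text))]

def is_noise(ioc):
    return ioc["type"] == "ip" and any(ipaddress.ip_address(ioc["value"]) in n for n in NOISE_NETS)

def process(records):
    # Normalize case, deduplicate across feeds, drop noise, enrich with confidence
    # (assumed rule: an indicator corroborated by 2+ feeds is "high").
    merged = {}
    for r in records:
        if is_noise(r):
            continue
        key = (r["type"], r["value"].lower())
        merged.setdefault(key, {"type": key[0], "value": key[1], "sources": set()})["sources"].add(r["source"])
    for e in merged.values():
        e["sources"] = sorted(e["sources"])
        e["confidence"] = "high" if len(e["sources"]) > 1 else "medium"
    return sorted(merged.values(), key=lambda e: (e["type"], e["value"]))

def run():
    return process(parse_stix(STIX_BUNDLE, "stix") + parse_csv(CSV_FEED, "csv"))
```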

Threat Actor Categories

Category | Motivation | Sophistication | Examples
Nation-State APT | Espionage, sabotage, geopolitical influence | Very High | APT28 (Fancy Bear), APT41, Lazarus Group
Cybercriminal Groups | Financial gain | High to Very High | REvil, LockBit, Carbanak
Hacktivists | Ideological, political, social agenda | Low to Medium | Anonymous, KillNet
Insider Threats | Financial, ideological, grievance, coercion | Varies | Disgruntled employee, recruited insider
Script Kiddies | Fame, curiosity, minor disruption | Low | Opportunistic attackers using public tools

Threat Actor Attributes

  • Intent — what do they want to achieve? Data theft, ransomware, disruption, or espionage?
  • Capability — what tools, exploits, and techniques can they deploy? What is their operational security?
  • Opportunity — does your organization provide a viable target? Are your defenses aligned to their known TTPs?

Understanding intent + capability + opportunity gives you a realistic threat assessment for your organization, which is the foundation of risk-based security prioritization.

Diamond Model of Intrusion Analysis

The Diamond Model, developed by Caltagirone, Pendergast, and Betz, is an analytic framework for describing and relating the elements of a cyber intrusion. It places four core features at the vertices of a diamond:

Vertex | Description | Examples
Adversary | The threat actor orchestrating the operation | Nation-state group, criminal gang, insider
Capability | Tools, malware, and techniques used | Cobalt Strike, custom RAT, phishing kit, CVE exploit
Infrastructure | Systems and services used to operate | C2 servers, domains, compromised hosts, bulletproof hosting
Victim | The targeted organization or individual | A bank, a government ministry, an individual executive

Every intrusion event (an atomic intrusion) can be plotted on a Diamond. Multiple related events share meta-features and form an Activity Thread. Multiple activity threads across a campaign form an Activity Group — the adversary's overall operation.

Analytic Power

The Diamond Model's power lies in pivoting. If you identify one vertex, say a malware sample (capability), you can pivot from it to the infrastructure that hosts or controls it (C2 servers), from that infrastructure to other victims it has contacted, or to other capabilities of the same adversary (variants of the malware). This pivoting methodology is how threat analysts expand their understanding of a campaign.
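To make the pivoting concrete, here is an added example (not from the course or from the Diamond Model authors) that plots constructed intrusion events on the four vertices, pivots from a capability through its infrastructure to the victims it reached, and groups events that are transitively linked by a shared capability or infrastructure. The event values, the `Event` class and the grouping rule are assumptions for illustration; real activity threads also carry ordering and confidence that are omitted here.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    # One atomic intrusion event plotted on a Diamond (all values constructed).
    event_id: str
    adversary: str
    capability: str
    infrastructure: str
    victim: str

# Constructed events: a C2 host reused against two victims, a malware family with a variant.
EVENTS = [
    Event("e1", "unattributed", "rat-family-a", "c2-host-1.example", "bank-a"),
    Event("e2", "unattributed", "rat-family-a", "c2-host-1.example", "ministry-b"),
    Event("e3", "unattributed", "rat-family-a-v2", "c2-host-2.example", "bank-a"),
    Event("e4", "group-x", "phishing-kit-q", "c2-host-2.example", "exec-c"),
    Event("e5", "unattributed", "loader-z", "c2-host-9.example", "retailer-d"),
]

def pivot(events, vertex, value, to):
    """Values of vertex `to` in every event whose `vertex` equals `value`."""
    return {getattr(e, to) for e in events if getattr(e, vertex) == value}

def pivot_chain(events, vertex, value, path):
    """Follow a chain of pivots, e.g. capability -> infrastructure -> victim."""
    current = {value}
    for step in path:
        current = set().union(*(pivot(events, vertex, v, step) for v in current))
        vertex = step
    return current

def related_groups(events):
    # Union-find over events linked by a shared capability or infrastructure value.
    parent = {e.event_id: e.event_id for e in events}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    first_seen = {}
    for e in events:
        for vertex in ("capability", "infrastructure"):
            key = (vertex, getattr(e, vertex))
            if key in first_seen:
                parent[find(e.event_id)] = find(first_seen[key])
            else:
                first_seen[key] = e.event_id
    groups = defaultdict(list)
    for e in events:
        groups[find(e.event_id)].append(e.event_id)
    return sorted(sorted(g) for g in groups.values())
```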

Introduction to MITRE ATT&CK

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary behavior based on real-world observations. It is organized as a matrix of Tactics (the adversary's goal at each stage) and Techniques (the specific method used to achieve that goal).

ATT&CK is not a theoretical model — every entry is derived from documented, real intrusions. It is maintained by MITRE Corporation and is freely available at attack.mitre.org.

ATT&CK Tactics (14 in Enterprise Matrix)

Tactic ID | Tactic | What the Adversary Is Doing
TA0043 | Reconnaissance | Gathering information about the target
TA0042 | Resource Development | Building or acquiring attack infrastructure
TA0001 | Initial Access | Getting a foothold in the target environment
TA0002 | Execution | Running malicious code on target systems
TA0003 | Persistence | Maintaining access across reboots and credential changes
TA0004 | Privilege Escalation | Gaining higher-level permissions
TA0005 | Defense Evasion | Avoiding detection and analysis
TA0006 | Credential Access | Stealing credentials
TA0007 | Discovery | Mapping the internal environment
TA0008 | Lateral Movement | Moving to other systems within the network
TA0009 | Collection | Gathering data of interest
TA0011 | Command and Control | Communicating with compromised systems
TA0010 | Exfiltration | Stealing data from the target
TA0040 | Impact | Disrupting, destroying, or manipulating systems/data

MITRE ATT&CK

Visit attack.mitre.org for the full ATT&CK matrix, technique details, and detection guidance for every documented technique. ATT&CK Navigator (also free) lets you visualize which techniques are covered by your current detection capabilities and identify gaps.

CTI Sharing Communities

  • ISACs (Information Sharing and Analysis Centers) — sector-specific organizations (Financial Services ISAC, Health-ISAC, MS-ISAC for government). Members share threat intelligence within their industry sector.
  • ISAOs (Information Sharing and Analysis Organizations) — less structured and more flexible than ISACs; open to any organization type.
  • FIRST (Forum of Incident Response and Security Teams) — global community for CERTs and security teams.
  • OpenCTI, MISP — open-source platforms that enable automated CTI sharing between organizations using the STIX/TAXII standards.

Challenges in CTI Sharing

  • Trust — organizations are reluctant to share breach information that may damage reputation
  • Classification — shared intelligence may contain sensitive business or government information
  • Timeliness — by the time intelligence is approved for sharing, it may already be stale
  • Actionability — raw IoC dumps without context have low value; analyzed intelligence with TTPs has high value