Chapter 21

Cyber Threat Intelligence Operations

Threat Intelligence and AI

Introduction

Cyber Threat Intelligence (CTI) is the collection, analysis, and dissemination of information about current and potential threats to an organization's information systems. Unlike raw security data, threat intelligence is contextualized, actionable, and tailored to specific decision-makers—from SOC analysts responding to alerts to executives allocating security budgets.

Effective CTI operations transform organizations from reactive defenders into proactive ones, enabling them to anticipate threats, prioritize defenses, and allocate resources based on real adversary behavior rather than theoretical risk assessments.

Strategic, Operational, and Tactical Intelligence

Threat intelligence operates at three levels, each serving different consumers and decision-making needs. Strategic intelligence informs executive leadership about broad threat trends, geopolitical risks, and long-term security investment priorities. It is typically delivered as reports and briefings using non-technical language.

Operational intelligence supports security managers and incident responders with information about specific threat campaigns, adversary capabilities, and attack methodologies. Tactical intelligence provides the most granular and immediately actionable data: indicators of compromise (IOCs), detection signatures, and MITRE ATT&CK technique mappings that SOC analysts use to detect and respond to active threats.

  • Strategic: Threat trends, geopolitical risks, industry targeting patterns—consumed by executives and board members
  • Operational: Campaign details, adversary TTPs, infrastructure analysis—consumed by security managers and hunt teams
  • Tactical: IOCs, detection rules, malware signatures—consumed by SOC analysts and automated defense systems

The IOC Lifecycle

Indicators of Compromise have a lifecycle that directly affects their value. When first discovered, IOCs (IP addresses, domains, file hashes, URLs) are highly specific and actionable. Over time, adversaries rotate infrastructure, modify malware, and change tactics, rendering old IOCs less useful. Understanding this lifecycle is critical for maintaining effective detection.

File hashes have the shortest effective lifespan because malware authors routinely recompile or modify binaries to produce new hashes. Domain IOCs last longer but can be abandoned within days. IP address IOCs vary depending on whether the adversary uses dedicated infrastructure or shared hosting. Behavioral indicators (TTPs) have the longest lifespan because they are the most expensive for adversaries to change.

The Pyramid of Pain: David Bianco's Pyramid of Pain illustrates that hash-based IOCs are trivially changed by adversaries, while TTP-based detection forces attackers to fundamentally retool their operations. Organizations that detect based on behavior rather than indicators impose the highest cost on adversaries and maintain detection effectiveness the longest.
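The decay described above, as an added example that is not code from this chapter: a small Python model that ages indicators by type using assumed half-lives (the day values, the 0.25 cutoff, and the sample feed are all constructed for illustration), so that a file hash is retired from distribution long before a TTP-level indicator is.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed half-life per indicator type, in days (illustrative values, not
# figures from the chapter). Ordered by the Pyramid of Pain: file hashes
# decay fastest, behavioural TTPs slowest.
HALF_LIFE_DAYS = {"hash": 7, "url": 14, "domain": 30, "ip": 45, "ttp": 365}
CUTOFF = 0.25  # below this score an indicator is retired from distribution


@dataclass
class Indicator:
    value: str
    kind: str                     # one of the HALF_LIFE_DAYS keys
    first_seen: datetime
    base_confidence: float = 1.0  # analyst confidence at discovery, 0..1


def decayed_confidence(ioc: Indicator, now: datetime) -> float:
    """Exponential decay: confidence halves every HALF_LIFE_DAYS[kind] days."""
    age_days = max((now - ioc.first_seen).total_seconds() / 86400, 0.0)
    return ioc.base_confidence * 0.5 ** (age_days / HALF_LIFE_DAYS[ioc.kind])


def select_for_distribution(iocs, now: datetime, cutoff: float = CUTOFF):
    """Return the values still worth pushing to SIEM/firewall, best first.
    Ties keep feed order because Python's sort is stable."""
    scored = [(decayed_confidence(i, now), i) for i in iocs]
    kept = [(s, i) for s, i in scored if s >= cutoff]
    kept.sort(key=lambda t: t[0], reverse=True)
    return [i.value for _, i in kept]


# Constructed sample feed: placeholder values, not real indicators.
SEEN = datetime(2024, 1, 1)
SAMPLE_FEED = [
    Indicator("<placeholder-sha256>", "hash", SEEN),
    Indicator("malicious.example", "domain", SEEN),
    Indicator("192.0.2.10", "ip", SEEN),  # RFC 5737 documentation range
    Indicator("ATT&CK T1059.001 (PowerShell)", "ttp", SEEN),
]


def distribution_after(days: int, feed=SAMPLE_FEED):
    """Which sample indicators survive `days` after first sighting."""
    return select_for_distribution(feed, SEEN + timedelta(days=days))


if __name__ == "__main__":
    for d in (0, 30, 400):
        print(d, distribution_after(d))
```

At 30 days the hash has already fallen below the cutoff while the domain, IP and TTP entries remain; at 400 days only the TTP survives.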

Threat Intelligence Platforms

Threat Intelligence Platforms (TIPs) aggregate, correlate, and distribute threat intelligence from multiple sources into a centralized system. They enable analysts to enrich IOCs with context, track adversary campaigns over time, and automate the distribution of detection rules to security infrastructure.

Open-source platforms like MISP (Malware Information Sharing Platform) and OpenCTI provide robust TIP capabilities without licensing costs. Commercial platforms like ThreatConnect, Recorded Future, and Anomali add AI-powered analysis, automated enrichment, and integration ecosystems that streamline intelligence workflows.

  1. MISP: Open-source platform for sharing, storing, and correlating IOCs with extensive community feed integration
  2. OpenCTI: Open-source CTI platform built on a knowledge graph model for relationship-rich intelligence analysis
  3. ThreatConnect: Commercial platform combining TIP capabilities with orchestration and automated response workflows
  4. Integration: TIPs connect to SIEMs, firewalls, and endpoint tools to automatically distribute IOCs for detection

The value of a TIP is directly proportional to the quality and diversity of its intelligence sources and the speed at which intelligence is translated into defensive action. AI is increasingly central to this translation process, as the next sections will explore.
