Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle

Objective: Understand what Cyber Threat Intelligence is, the four intelligence types, the six-phase intelligence lifecycle, primary collection sources, the exchange standards (STIX/TAXII/TLP), and the analytic frameworks — Kill Chain, Diamond Model, Pyramid of Pain, and MITRE ATT&CK — that let defenders and authorized red teamers operationalize intelligence into detection.

1. What Is CTI? (And What It Is Not)

Cyber Threat Intelligence is evidence-based knowledge about adversaries — their capabilities, infrastructure, motivations, and behaviors — refined to support decisions. CTI is not a raw feed of IP addresses, and it is not a SIEM alert. It is the product of a deliberate analytic process.

The distinction is a pipeline:

• Data — discrete, context-free observations (a hash, a domain, a log line).
• Information — data aggregated and given context (a domain resolving to a host serving a known dropper).
• Intelligence — analyzed information answering a stakeholder question (“Is the group behind this dropper targeting our sector, and can our controls detect them?”).

CTI exists to reduce uncertainty for a decision-maker. If a piece of output does not change a defensive action, an investment, or a hunt hypothesis, it is information — not intelligence.

2. The Four Intelligence Types

CTI is stratified by audience and shelf-life. The four-type model (used by NIST SP 800-150 and several vendors) cleanly separates human-consumable TTPs from machine-consumable IOCs.

Trace one actor across all four levels. Strategic: “An espionage group aligned with Nation X is escalating against the energy sector.” Operational: “That group is running a spearphishing campaign against utility OT vendors this quarter.” Tactical: “They use T1566.001 (Spearphishing Attachment) followed by T1059.001 (PowerShell) for execution.” Technical: “The current dropper SHA-256 is e3b0c4... and the C2 domain is cdn-update.example.”

Note the inversion of value and durability: technical IOCs are the most actionable but decay in minutes; strategic intelligence shapes decisions for years.

3. CTI Sources: Where the Data Comes From

CTI is collected across the classic intelligence disciplines, adapted to the cyber domain.

Additional subcategories include measurement-and-signature intelligence, social-media intelligence (SOCMINT), geospatial intelligence (GEOINT), and Deep/Dark Web intelligence.

Sharing communities multiply source value. Sharing anonymized insights with trusted partners — notably Information Sharing and Analysis Centers (ISACs) — helps peers prepare for the same threats. Sector examples include FS-ISAC (financial services), H-ISAC (health), and E-ISAC (electricity). Membership turns one organization’s incident into the whole sector’s early warning.

4. The Intelligence Lifecycle (Six Phases)

The lifecycle is a continuous loop. Output from one cycle refines the inputs of the next.

The feedback loop is what separates an intelligence program from an IOC firehose. If the SOC reports that disseminated intelligence never fired a single detection, the next planning phase re-scopes collection.

Governing standard: NIST SP 800-150 (Guide to Cyber Threat Information Sharing) establishes governance, legal, and technical best practices for inter-organizational sharing. ISO/IEC 27001:2022 Control 5.7 formally requires organizations to collect, analyze, and share relevant threat intelligence — making a documented lifecycle a compliance artifact, not just good hygiene.

5. Intelligence Formats & Sharing Standards

Machine-to-machine sharing requires structure. Four standards govern format, transport, and handling.

STIX models intelligence as graph objects. STIX Domain Objects (SDOs) are the nodes; STIX Relationship Objects (SROs) are the edges.

Building a STIX 2.1 Bundle (Python):

from stix2 import ThreatActor, AttackPattern, Relationship, Bundle

actor = ThreatActor(
    name="Fictitious Bear",
    description="Illustrative espionage group (teaching example)",
    threat_actor_types=["nation-state"],
)

technique = AttackPattern(
    name="Spearphishing Attachment",
    external_references=[{
        "source_name": "mitre-attack",
        "external_id": "T1566.001",   # technique reference
    }],
)

# SRO: actor 'uses' technique
uses = Relationship(actor, "uses", technique)

bundle = Bundle(actor, technique, uses)
print(bundle.serialize(pretty=True))

A minimal STIX 2.1 Indicator (JSON):

{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created": "2026-01-15T12:00:00.000Z",
  "modified": "2026-01-15T12:00:00.000Z",
  "name": "Dropper file hash (fictitious)",
  "indicator_types": ["malicious-activity"],
  "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
  "pattern_type": "stix",
  "valid_from": "2026-01-15T12:00:00Z"
}

TLP discipline is operational, not decorative. TLP:RED intelligence must never be imported into a shared SIEM tenant or multi-tenant TIP. TAXII 2.1 collections are pulled over HTTPS with a bearer token (Authorization: Bearer <token>); enforce TLP at ingestion so a marking can never be stripped downstream.

6. Analytic Frameworks: Kill Chain, Diamond Model, Pyramid of Pain

Frameworks impose structure on raw observations. Each answers a different question.

The Lockheed Martin Cyber Kill Chain (Hutchins et al., 2011) models an intrusion as seven sequential phases: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objectives. Use it to check coverage balance — an adversary who evades detection at Delivery should still trip a control at C2.

The Diamond Model of Intrusion Analysis (Caltagirone, Pendergast, Betz — articulated 2006, published 2013) conceptualizes any event as relationships between four vertices: Adversary, Capability, Infrastructure, Victim. It is predictive: known three vertices often imply the fourth.

The Pyramid of Pain (David Bianco, 2013) ranks indicators by how much pain their loss causes the adversary:

                    /\
                   /  \   TTPs ............... hardest to change (apex)
                  /----\
                 / Tools \  Cobalt Strike, Mimikatz, malware families
                /--------\
               / Network &  \  JA3, URI patterns, registry keys, named pipes
              /  Host Artifacts\
             /------------------\
            /   Domain Names      \  trivial to rotate
           /----------------------\
          /  IP Addresses           \  trivial to rotate
         /--------------------------\
        /   Hash Values               \  changed in seconds (base)
       /------------------------------\

Hashes and IPs sit at the base — trivial detection value, replaced in seconds. TTPs occupy the apex: forcing an adversary to abandon PowerShell-based execution or spearphishing imposes real engineering cost. This is the strategic argument for behavior-based detection.

7. MITRE ATT&CK as a CTI Backbone

MITRE ATT&CK is a globally accessible knowledge base of adversary behaviors built from real-world observation. Unlike IOC-centric models, it focuses on TTPs — a behavioral approach. Every technique carries a stable ID such as T1021 or T1059.003, giving detection engineering, reporting, and red-team planning a shared vocabulary.

Key ATT&CK objects in CTI workflows:

• Groups (intrusion-set) — e.g., APT29 (G0016), APT41 (G0096), Lazarus Group (G0032)
• Software (malware/tool) — e.g., Cobalt Strike (S0154), Mimikatz (S0002)
• Campaigns (campaign) — e.g., C0017, C0018
• Techniques — e.g., T1566 (Phishing), T1071.001 (Web Protocols C2), T1003 (OS Credential Dumping)

ATT&CK ships as STIX, so it is programmatically queryable. Enumerate every technique attributed to a group:

from mitreattack.stix20 import MitreAttackData

attack = MitreAttackData("enterprise-attack.json")
group = attack.get_groups_by_alias("APT29")[0]
techniques = attack.get_techniques_used_by_group(group.id)

for t in techniques:
    tech = t["object"]
    tid = tech.external_references[0].external_id
    print(f"{tid}\t{tech.name}")

Feed the resulting technique list into ATT&CK Navigator to build a heat-map. Overlay your detection coverage against the group’s TTPs and the gaps become your next intelligence requirements.

8. From Intelligence to Detection: Operationalizing CTI

Intelligence that never reaches a sensor is wasted. The pipeline is: ATT&CK technique → detection hypothesis → log source → detection rule.

Take T1059.001 (PowerShell). Hypothesis: encoded command execution is rare in this environment and worth alerting. Log source: PowerShell Script Block Logging (Event ID 4104). Rule:

title: Suspicious PowerShell Encoded Command Execution
id: 6e8a1f3c-2b7d-4f9a-9c1e-0a2b3c4d5e6f
status: experimental
logsource:
  product: windows
  service: powershell
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains:
      - '-enc '
      - 'FromBase64String'
  condition: selection
level: high
tags:
  - attack.execution
  - attack.t1059.001

Every Sigma rule tied to a technique is a step up the Pyramid of Pain. The tags field (attack.<tactic>, attack.t<technique>) keeps each rule linked to the framework, so coverage roll-up is automatic.

Invest accordingly: spend disposable effort on IOC matching (high churn, low pain to adversary) and durable engineering effort on TTP detections (low churn, high pain). STIX/TAXII feeds drive SIEM/SOAR enrichment so analysts triage against context instead of researching every artifact by hand.

9. CTI for Red Teams and Defenders: Two Sides of the Same Brief

Adversary emulation is CTI consumed offensively. A red team ingests a finished report on “Fictitious Bear,” extracts the ATT&CK technique set, and emulates only those TTPs to validate whether controls fire. The blue team consumes the identical brief to confirm the same detections exist. One brief, two scopes, one shared technique vocabulary.

Scope is a legal control, not a courtesy. Emulation must stay inside an authorized rules-of-engagement document. Respect TLP on the source intelligence: a TLP:AMBER report informs an internal exercise but cannot be republished in a public write-up.

10. Common Attacker Techniques

Adversaries run their own intelligence cycle against you. CTI teams must practice counter-intelligence awareness.

Counter-intelligence implication: assume your public footprint (and your IOC feeds) are adversary collection targets. Watch for reconnaissance against your own brand and credentials.

11. Defensive Strategies & Detection

CTI is itself a defensive discipline. Operationalize feeds against host and network telemetry.

Sysmon Event IDs for IOC operationalization:

ETW providers for TTP-level hunting: Microsoft-Windows-DNS-Client (domain IOC matching), Microsoft-Windows-PowerShell/Operational (T1059.001), and Microsoft-Windows-Sysmon/Operational (broad process/network/file telemetry).

Audit policy: enable Audit Process Creation (Success) for process-IOC correlation, and turn on PowerShell Script Block Logging via GPO for behavioral visibility.

A Sigma rule matching a CTI-sourced malicious domain against DNS telemetry:

title: DNS Query to CTI-Listed Malicious Domain
id: 1f2a3b4c-5d6e-7f80-91a2-b3c4d5e6f708
status: experimental
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 22
    QueryName|endswith:
      - 'cdn-update.example'    # fictitious C2 domain
  condition: selection
level: high
tags:
  - attack.command_and_control
  - attack.t1071.001

Program controls: enforce TLP at ingestion in the TIP; gate raw IOC feeds behind de-duplication and decay scoring before SIEM import; run an intelligence-requirement review tied to ATT&CK Navigator coverage gaps; and use the Kill Chain quarterly to check detection balance across the attack lifecycle.

12. Tools for CTI Analysis

13. MITRE ATT&CK Mapping

14. Summary

• CTI is analyzed, decision-ready knowledge about adversaries — not a raw IOC feed — produced by a disciplined six-phase lifecycle.
• The four intelligence types (strategic, operational, tactical, technical) trade durability against immediacy; technical IOCs decay in minutes while strategic intelligence endures for years.
• STIX 2.1, TAXII 2.1, and TLP standardize how intelligence is represented, exchanged, and handled — enforce TLP at ingestion so TLP:RED never leaks downstream.
• The Diamond Model, Kill Chain, Pyramid of Pain, and MITRE ATT&CK interlock; TTP-level intelligence at the pyramid apex outlasts IOC-level intelligence at its base.
• Operationalize CTI by converting ATT&CK techniques into Sigma rules and matching IOC feeds against Sysmon EventID 1/3/7/22, closing the loop with stakeholder feedback.

Related Tutorials

• Threat-Informed Defense: Principles, Frameworks, and the Intelligence-Driven Security Cycle
• APT Profiling: How to Build a Comprehensive Adversary Profile from Open-Source Intelligence
• Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology
• Red Teaming Fundamentals: Mindset, Methodology, and Engagement Types
• Navigating ATT&CK Navigator: Building, Annotating, and Exporting Technique Layers

References

• MITRE ATT&CK® – Adversary Emulation Plans
• MITRE ATT&CK® – Get Started: Threat Intelligence
• MITRE ATT&CK® for Cyber Threat Intelligence (CTI) Training
• NIST SP 800-150 – Guide to Cyber Threat Information Sharing
• CISA – Service Models for Cyber Threat Intelligence (White Paper)
• CISA – Cyber Threat Information Sharing (CTIS) – Shared Cybersecurity Services