Cyber threat intelligence (CTI) relies on a shared set of concepts that allow analysts, defenders, and decision-makers to interpret threats in a consistent and meaningful way.
Without a common vocabulary, the signals collected from networks, threat feeds, and investigations remain fragmented and difficult to translate into actionable insight. This section therefore introduces several core terms and conceptual elements that form the analytical foundation of CTI. Together, these concepts—ranging from threat actors and behavioral patterns to technical indicators and intelligence-sharing standards—provide the framework through which cyber incidents are interpreted, communicated, and ultimately transformed into defensive action.
Important CTI Terminology
In CTI, terminology forms an operational plan; misreading a term means mismanaging an attack. The terminology used in CTI may appear on the surface as another set of acronyms, but in reality, this language governs operations in the field. A misinterpreted term can lead either to underestimating the scale of an incident or, conversely, plunging an organization into unnecessary panic. Thus, these concepts aren’t dictionary entries but are in fact living tools that shape the fate of operations. We shouldn’t be confined by artificial order, so depending on the subject, it’s sometimes more instructive to start with behavior, sometimes with the actor, and sometimes with sharing standards.
Threat Actors
Recognizing a threat actor is like decoding the DNA of an attack. The motivation of a state-sponsored APT group isn’t the same as that of a financially motivated cybercrime syndicate. The former is patient, collecting information over the long term; the latter seeks quick profits. An insider threat actor, however, behaves in a completely different way: a person familiar with the organization, with privileged access from within.
Consider this example: In an attack on an energy company, the infrastructure may look ordinary at first glance. But if the attacker patiently collects data in the system for six months, this indicates a state-sponsored actor—not a typical ransomware gang. Unless the actor’s intent (strategic goal), capacity (technical capability), and opportunities (ability to exploit weaknesses) are connected, the picture remains incomplete.
Tactics, Techniques, and Procedures (TTPs)
The most persistent signature of a threat actor is their tactics, techniques, and procedures (TTPs). A hash may change tomorrow, an IP address may vanish within minutes, but how the attacker moves within the network, what tools they use for lateral movement, and at what times they are active tend to remain constant.
For example, in a financial institution, an attacker frequently using PowerShell with the -enc parameter, followed by deploying specific credential-dumping tools, creates a repeating rhythm. Detecting this rhythm provides a defensive advantage that lasts far longer than an IOC.
Indicators of Compromise (IOCs)
An IOC is the observable footprint of an attack. It could be an IP address, domain name, file hash, registry key, or an unusual process chain. But IOCs must always be evaluated with their lifetimes in mind:
- Atomic IOCs (IP, hash) are short-lived.
- Pattern-based IOCs (command-line regex, filename template) are valuable in the medium term.
- Behavioral IOCs often last longer than atomic or pattern-based ones, but advanced actors can eventually alter these as well.
STIX/TAXII
Intelligence loses value if it doesn’t move beyond organizational boundaries. This is where STIX and TAXII come into play:
- STIX: Defines threat information as structured objects. An IOC, a threat actor, a campaign, or a course of action can all be standardized as STIX objects.
- TAXII: Enables secure interorganizational sharing of these objects.
Here’s a practical example: An SOC team identifies suspicious PowerShell usage and publishes it as an indicator object in STIX format. This IOC then flows via TAXII into the security platforms of other organizations. As a result, not just one institution but the entire ecosystem is strengthened simultaneously.
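The SOC scenario above, worked through in code as an added example (not from the original post or the book it is adapted from): the suspicious PowerShell usage is expressed as a STIX 2.1 Indicator whose validity window follows the IOC lifetime tiers listed earlier, wrapped in a Bundle of the kind a TAXII collection serves, and then evaluated by a consumer against a process command line. The tier lifetimes, the `-enc` regex and the single-comparison pattern evaluator are assumptions chosen for illustration; a production consumer would use a full STIX pattern engine.

```python
import json
import re
import uuid
from datetime import datetime, timedelta, timezone

# Assumed validity windows per IOC tier. The numbers are illustrative, chosen to mirror
# the short/medium/long lifetimes described in the text; STIX itself imposes none.
TIER_LIFETIME = {
    "atomic": timedelta(days=7),        # IP, hash
    "pattern": timedelta(days=90),      # command-line regex, filename template
    "behavioral": timedelta(days=365),  # access habits, tool sequencing
}

# STIX pattern for the SOC scenario: PowerShell launched with an -enc argument.
# The regex avoids backslashes so it needs no STIX-level string escaping.
POWERSHELL_ENC_PATTERN = "[process:command_line MATCHES '(?i)powershell.* -enc ']"


def _stix_ts(dt):
    """Format a timezone-aware datetime as a STIX 2.1 timestamp (millisecond precision, Z)."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_indicator(name, pattern, tier, created=None):
    """Return a STIX 2.1 Indicator dict whose valid_until follows its IOC tier."""
    created = created or datetime.now(timezone.utc)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": _stix_ts(created),
        "modified": _stix_ts(created),
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": _stix_ts(created),
        "valid_until": _stix_ts(created + TIER_LIFETIME[tier]),
    }


def make_bundle(*objects):
    """Wrap STIX objects in a Bundle, the unit a TAXII collection serves to subscribers."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def is_current(indicator, at):
    """Consumer-side check: should this indicator still drive alerts at time `at`?"""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ"
    valid_from = datetime.strptime(indicator["valid_from"], fmt).replace(tzinfo=timezone.utc)
    valid_until = datetime.strptime(indicator["valid_until"], fmt).replace(tzinfo=timezone.utc)
    return valid_from <= at < valid_until


# Assumed minimal evaluator: handles only the single-comparison shape used above.
_CMDLINE_MATCHES = re.compile(r"^\[process:command_line MATCHES '(.*)'\]$")


def matches_command_line(indicator, command_line):
    """Evaluate a `process:command_line MATCHES` pattern against one observed command line."""
    m = _CMDLINE_MATCHES.match(indicator["pattern"])
    if not m:
        raise ValueError("unsupported STIX pattern: " + indicator["pattern"])
    return re.search(m.group(1), command_line) is not None


if __name__ == "__main__":
    ind = make_indicator("Suspicious encoded PowerShell", POWERSHELL_ENC_PATTERN, "pattern")
    print(json.dumps(make_bundle(ind), indent=2))
```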
MITRE ATT&CK
MITRE ATT&CK is a knowledge base that documents real-world adversary behaviors in the form of TTPs. Rather than focusing only on technical indicators, the framework emphasizes how attackers operate within systems, such as privilege escalation, lateral movement, or credential dumping. By mapping observed activities to the ATT&CK matrix, analysts can identify defensive gaps and improve detection and threat hunting capabilities.
Cyber Kill Chain
The cyber kill chain model breaks down the progression of a cyberattack into a sequence of stages, typically beginning with reconnaissance and ending with actions on objectives. By understanding these stages—such as weaponization, delivery, exploitation, and C2—security teams can identify where defensive controls may interrupt an attack before it reaches its final objective. The model therefore provides a structured way to analyze how intrusions unfold over time.
Diamond Model
The Diamond Model is an analytical framework that focuses on the relationships between four key elements of an intrusion: the adversary, the infrastructure used, the capabilities deployed, and the victim. By examining how these elements interact, analysts can build a more complete picture of an attack campaign. This approach is particularly useful for linking individual incidents into broader threat actor activities.
STRIDE
STRIDE is a threat modeling framework used primarily in software security and system design. It categorizes potential security threats into six types: spoofing, tampering, repudiation, information disclosure, denial of service (DoS), and elevation of privilege. By systematically evaluating systems against these categories, organizations can identify design weaknesses before they are exploited by attackers.
Process for Attack Simulation and Threat Analysis (PASTA)
PASTA is a risk-driven threat modeling methodology that connects business objectives with technical threat analysis. It guides organizations through multiple stages, including defining business impact, identifying threat actors, analyzing vulnerabilities, and simulating attack scenarios. This structured approach helps ensure that security decisions align with both technical realities and organizational risk priorities.
For instance, consider a scenario in which attackers attempt to compromise the payment infrastructure of an e-commerce platform. The MITRE ATT&CK framework can reveal which tactics and techniques were used during the intrusion, while the Diamond Model can link the attacker’s infrastructure and capabilities to the targeted organization. At the same time, STRIDE may highlight the underlying software vulnerability that made the attack possible. By combining these perspectives, analysts move beyond isolated indicators and gain a layered understanding of how the attack developed.
CTI terminology is a living language that establishes communication between defense and offense. Threat actors are the subjects of this language, TTPs are the verbs, IOCs are the evidence, STIX/TAXII are the channels of transmission, and modeling frameworks are the grammar of context. If we fail to learn this language properly, our data will devolve into meaningless numbers; but when we speak it correctly, data turns into decisions, and decisions into security strategy.
Threat Actors and Their Motivations
The effectiveness of CTI depends on understanding who the threat actors are, what capacities they possess, and why they act. Thus, threat actors comprise a strategic element of analysis. These actors can be classified into distinct categories, each defined by its resources, objectives, and methods of operation.
Nation-State Actors
- State-sponsored or directly state-controlled groups.
- Operate to protect political, military, economic, and diplomatic interests, or to weaken rival states.
- Have high financial resources, sophisticated infrastructure, and long-term strategies.
Organized Crime Syndicates
- Driven by financial gain.
- Ransomware, credit card theft, banking trojans, and cryptocurrency theft are their main areas of activity.
- Since 2020, the ransomware as a service (RaaS) model has commercialized cybercrime.
Hacktivists
- Politically or ideologically motivated.
- Attack governments, corporations, or social targets in protest.
- Effects are often symbolic but can gain significant media and public attention.
Insider Threats
- Current or former employees, contractors, or third parties.
- Motivated by personal gain, revenge, or coercion.
- Often overlooked but can be among the most damaging threats.
Independent Cybercriminals and Script Kiddies
- Limited technical skills; rely on ready-made tools or exploit kits.
- While less sophisticated than professional groups, they still expand the overall attack surface.
Threat actors’ motivations can be categorized into four main groups:
- Political and geopolitical: Nation-states aiming to gain strategic advantage, influence elections, or destabilize rivals. For example, the APT28 (Fancy Bear) operation linked to Russia targeted NATO, media, and electoral systems to gather political intelligence.
- Economic: Organized crime groups profiting from ransomware, fraud, or data sales. For example, DarkSide ransomware conducted the 2021 Colonial Pipeline attack, paralyzing US energy infrastructure purely for financial gain.
- Ideological: Hacktivists conducting attacks based on social, religious, or environmental causes. For example, the hacker group Anonymous has launched attacks on corporations, governments, and religious groups to broadcast social and political messages.
- Personal: Revenge, self-interest, or coercion, as often seen in insider threats. A well-known illustration of an insider threat is the case of Edward Snowden in 2013. Snowden, who was working as a contractor supporting the US National Security Agency (NSA), used his legitimate system access to obtain and disclose a large volume of classified documents concerning global surveillance activities. Regardless of the political debates surrounding the incident, the case clearly demonstrated a fundamental risk in cybersecurity: individuals with authorized access can circumvent technical safeguards and expose highly sensitive information.
In classical literature, the motivations of threat actors are generally classified under these four main categories. However, the boundaries between these categories have increasingly blurred since 2020. Today, many cyberattacks can no longer be explained by a single motivation alone; rather, they are the result of intersecting objectives. This development has made hybrid motivations a central theme in CTI. Here are a few examples:
Intersection of Political and Economic Interests
One of the most evident examples of hybrid motivations is state-sponsored groups leveraging organized crime ecosystems. Such actors simultaneously target the critical infrastructure of rival states to gain geopolitical advantage, while also generating financial profit through ransomware or data theft. For instance, some Eastern European groups conduct operations aligned with their governments’ foreign policy objectives while also securing direct economic gain from the same campaigns.
Fusion of Economic Gain and Ideological Goals
Hacktivist collectives are increasingly turning to cryptocurrency theft, or campaigns that begin with ideological motives but gradually evolve into profit-driven operations. In such cases, financial motivation becomes a tool to support the ideological base or to ensure the sustainability of their activities.
Analytical Importance of Hybrid Motivations
From a CTI perspective, disregarding hybrid motivations may lead to misinterpretation of actors’ behaviors. For example, a group labeled purely as economically motivated may in fact be serving a strategic political objective. Therefore, recognizing the intersections of motivations is a critical requirement in actor analysis.
Today, hybrid motivations are expected to become even more widespread. The use of proxy actors in state cyber operations, the integration of organized crime groups into geopolitical agendas, and AI-enabled attacks that produce both economic and political consequences will make multidimensional motivation analysis indispensable in CTI.
Threat Actors and the Intelligence Cycle
In CTI, discussion of threat actors often begins with surface-level classifications: APT groups, cybercrime syndicates, hacktivists, insider threats, and so on. These categories sound orderly, but alone they don’t transform any organization’s defense. Understanding an actor isn’t simply labeling; it requires repositioning them at every stage of the intelligence cycle. If the actor isn’t placed correctly, collected data becomes meaningless, analysis becomes contextless, and shared output becomes useless.
To grasp their true impact, threat actors must be examined in relation to each stage of the intelligence cycle, where their traces, intentions, and consequences unfold in different yet complementary ways:
1. Collection Stage
The threat actor is the source of clues. A C2 server’s IP, alias information in domain registrations, hijacked social media accounts, or traces in dark web forums are all visible footprints. But it’s not enough to record them. The critical question is “Which infrastructure habits does this actor repeat?”
2. Analysis Stage
The actor emerges through external traces as well as intent and motivation. The same IOC set might belong to a financially driven gang or a state-sponsored group seeking strategic intelligence. The difference lies in intent. Analysts must seek to answer the “why” when connecting the dots.
3. Dissemination Stage
The actor’s identity determines the organization’s response. If it’s a ransomware gang, the priority is ensuring business continuity. If it’s a state-sponsored group, the issue escalates beyond the SOC to the boardroom—even into diplomatic discussions. Thus, threat-actor analysis becomes strategically valuable when conveyed to the right audience at the right stage.
The table below breaks these stages into their actor-focused elements, key outputs, and example scenarios.
| Intelligence Cycle Stage | Actor-Focused Elements | Key Outputs | Example Scenario |
| --- | --- | --- | --- |
| Collection | Actor's infrastructure preferences (C2 servers, domain registration habits, hosting providers), tools and malware used, initial traces: IP, hash, domain, social media profiles | IOC pool + early-warning signals | APT group repeatedly using the same domain registrar in the finance sector |
| Analysis | Actor's motivation (financial, espionage, sabotage), capacity (zero-day exploitation, supply chain abuse), operational habits (working hours, language, code signatures) | TTP maps + actor profile + contextual risk assessment | A phishing email to an energy firm resembling texts used by a known state-sponsored group |
| Dissemination | Who receives the report (SOC analysts, management, legal, national authorities), prioritization (APT > strategic risk, ransomware > operational risk), defense strategy aligned to actor's behavior | Strategic briefings, operational alerts, legal notifications | Detection of a state-sponsored actor leads to report escalation to the board and state agencies |
The insights drawn gain their full significance when interpreted in context, as each stage of the intelligence cycle reveals a different layer of the actor’s identity, intent, and impact:
Collection Stage
The actor is recognized by their traces. The critical point here isn’t merely capturing IOCs, but identifying infrastructure usage habits.
Analysis Stage
The actor’s identity begins to take shape: Why are they attacking, what capabilities do they have, how do they behave? This is where TTPs come into play.
Dissemination Stage
The actor’s type and intent determine to whom the information is conveyed and how. The same IOC may be a rule for the SOC, a strategic alert for management, or evidence in a legal case.
Many reports present a threat actor as a fixed identity. This is misleading. An actor isn’t just a stage performer but rather a scriptwriter constantly rewriting the scene. Today, they register a C2 server in Russia; tomorrow, they repeat the same behavior using South American infrastructure. The scenery changes, but the scriptwriter’s handwriting—the TTPs—remains the same. The intelligence cycle is the art of rereading this script and placing it into the correct context over and over.
The abstract principles of the intelligence cycle gain their clearest meaning when brought to life through real-world narratives. Let’s consider the case of the Orion Collective—a story that shows how a threat actor’s presence can be traced, analyzed, and acted upon across every stage of the cycle: One ordinary Tuesday morning, the organization’s SOC noticed something unusual in the log stream. The phishing emails landing in inboxes looked unremarkable—fake invoices, misleading links, a sloppy PDF attachment. But a young analyst reviewing the code spotted a familiar marker: orion_key. This alias had once appeared on dark web forums from a user selling stolen credentials.
At first, no one paid much attention. After all, online fraudsters change aliases frequently. But within days, a series of attacks bearing the same signature began to appear against not only the finance teams but also the energy department’s servers.
As the day progressed, analysts pieced together the puzzle. This wasn’t a random phishing gang. This was the Orion Collective—a group that appeared to steal cryptocurrency but was also harvesting energy-investment documents. Their emergence unfolded like a script embedded across every stage of the intelligence cycle:
1. Collection
Orion’s traces were gathered: code snippets in fake emails, repeating usernames, and old forum posts. Each was a small fragment, but together they formed a mosaic.
2. Analysis
The picture changed. A typical ransomware gang would only seek money. Yet Orion sometimes chose to steal data rather than cash. This contradiction revealed dual motives: financial gain alongside strategic intelligence collection. Analysts now had to ask the following: “Are these thieves or pawns in a larger game?”
3. Dissemination
The matter escalated beyond SOC reports. A board briefing raised the possibility that Orion was state-sponsored. Suddenly, the issue drew the attention not of the CFO but of the foreign-relations director, because the matter now involved diplomacy as well as security.
That evening, an analyst noted that Orion’s scenery kept shifting: one day a server registered in Russia, the next day hosted in South America. But behind the curtain, the handwriting never changed. In the code’s margins remained the same habits, the same rigidity, the same impression. The analyst realized that the Orion Collective wasn’t just an actor on stage, but a scriptwriter rewriting the play daily. Different scenery and different costumes, but the same pen.
Threat actor analysis is more than producing an ID card. Without placing the actor into the intelligence cycle, they remain only a shadow in reports. But when their traces, intentions, and outcomes are contextualized across collection, analysis, and dissemination, the lines of a report transform into a decision-shaping force at the executive table.
The real question is whether you’ll stop at naming the actor, or you’ll redefine them at every stage of the cycle to steer your organization’s defense.
TTPs and Detection Engineering
To many security professionals, MITRE ATT&CK looks like a catalog: pages of tactics, techniques, and subtechniques. But reading this catalog is like standing on the shore staring at the ocean; the real task is to dive in and make it concrete through detection engineering.
TTPs describe adversary habits. Detection engineering is the art of converting those habits into detectable signals. Apart, TTPs remain abstract and detection engineering is directionless. Together, they yield long-lasting, behavior-based detectors that outlive IOCs.
Imagine an SOC analyst confronted with thousands of IOCs—IPs, hashes, domains. Many are outdated, and many are false positives. Eventually, the analyst drowns in noise. But if instead the analyst is handed the TTP “Credential Dumping - LSASS Access,” the situation changes. This TTP can be directly converted into a detection rule:
- Windows Event ID 10 (Process Access) showing unusual access to the Local Security Authority Subsystem Service (LSASS) process.
- EDR telemetry correlating specific memory-read calls.
Now the analyst no longer wastes time on dead IOCs but instead captures the attacker’s behavior.
Translating adversary behaviors into effective detection requires a disciplined workflow that turns abstract TTPs into actionable defenses through the following iterative process:
- Form a hypothesis: “The adversary wants to access LSASS.”
- Select signals: Windows Security Event ID 10, Sysmon Event ID 4656, EDR memory-access logs.
- Write the rule: Configure SIEM to alert on specific combinations.
- Test: Use adversary emulation (e.g., Mimikatz in a controlled attack).
- Refine: Reduce false positives, and set context-specific thresholds.
Repeatedly cycling through this process turns TTPs from static catalog entries into live detection strategies.
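The hypothesis-to-rule workflow above, carried through as an added example (not code from the original post or the book): the "adversary wants to access LSASS" hypothesis is tied to Sysmon's ProcessAccess event (Event ID 10), the rule requires the PROCESS_VM_READ right on lsass.exe, and the refine step is a full-path allowlist that keeps known system processes from firing. The log records are constructed in a simplified key=value form rather than Sysmon's real XML, and the allowlist entries are assumptions to be tuned per environment.

```python
# Signal: Sysmon Event ID 10 (ProcessAccess) records one process opening a handle to another.
SYSMON_PROCESS_ACCESS = "10"
PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory (credential dumping)
LSASS_PATH = r"c:\windows\system32\lsass.exe"

# Refine step: full paths of processes that legitimately open LSASS with read rights.
# Matching on the full path, not the file name, means a binary named svchost.exe dropped
# in C:\Windows\Temp is still flagged. Assumed starting set; extend with EDR/AV agents.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed sample telemetry (simplified; real Sysmon events are XML in the event log).
SAMPLE_EVENTS = r"""
EventID=10|UtcTime=2025-03-04 09:12:01|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF
EventID=10|UtcTime=2025-03-04 09:12:44|SourceImage=C:\Users\analyst\Downloads\mk.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010
EventID=10|UtcTime=2025-03-04 09:13:02|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000
EventID=10|UtcTime=2025-03-04 09:13:30|SourceImage=C:\Windows\Temp\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1410
EventID=1|UtcTime=2025-03-04 09:13:31|Image=C:\Windows\Temp\svchost.exe|CommandLine=svchost.exe -k netsvcs
EventID=10|UtcTime=2025-03-04 09:14:10|SourceImage=C:\Users\analyst\Downloads\mk.exe|TargetImage=C:\Windows\explorer.exe|GrantedAccess=0x1010
"""


def parse_event(line):
    """Parse one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def lsass_read_access(event):
    """Rule: EID 10, target is LSASS, source holds PROCESS_VM_READ, source not allowlisted.
    Returns an alert dict or None."""
    if event.get("EventID") != SYSMON_PROCESS_ACCESS:
        return None
    if event.get("TargetImage", "").lower() != LSASS_PATH:
        return None
    granted = int(event.get("GrantedAccess", "0"), 16)
    if not granted & PROCESS_VM_READ:
        return None  # query-only handles (e.g. 0x1000) are routine and stay out of the alert
    source = event.get("SourceImage", "")
    if source.lower() in ALLOWLIST:
        return None
    return {"time": event.get("UtcTime"), "source": source, "granted_access": hex(granted)}


def run_detection(log_text):
    """Apply the rule to every record and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = lsass_read_access(parse_event(line))
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f"{alert['time']}  {alert['source']}  access={alert['granted_access']}")
```

The test step of the workflow is the same function run against telemetry recorded during a controlled emulation; the refine step is editing the allowlist and the access-right mask until the emulation fires and the baseline does not.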
A hash may become invalid within hours as code is recompiled. But LSASS access habits, or requesting Kerberos tickets for lateral movement, don’t change so easily. Detection engineering’s power lies in turning such behaviors into catchable signals.
Examples
Let’s consider a few examples of this TTP cycle.
Example 1: Ransomware Behavior
- TTP: Deleting shadow copies before encryption.
- Detection: Windows Event ID 524 + “vssadmin delete shadows” command-line pattern.
- Result: Detected even if the ransomware variant changes its hash.
Example 2: Cloud Identity Abuse
- TTP: Unusual privilege granted to an OAuth app.
- Detection: Microsoft Entra ID audit logs showing Mail.ReadWrite and Files.ReadWrite.All assigned simultaneously to one app.
- Result: Behavioral alert instead of static IOC.
Example 3: Insider Threat
- TTP: Abnormal data exfiltration.
- Detection: Data loss prevention (DLP) sensors flagging large transfers outside business hours + a concurrent VPN session.
- Result: Detects insider activity without relying solely on external IOCs.
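Example 2 above depends on correlating several audit events rather than matching one, so here is that correlation as an added example (not code from the post or the book): permission grants are grouped per application and an alert fires only when Mail.ReadWrite and Files.ReadWrite.All land on the same app within a short window. The audit records are constructed in a simplified form and are not the real Entra ID audit-log schema; the app identifiers and the ten-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed, simplified audit records: one permission granted to one app per line.
SAMPLE_AUDIT = """\
2025-03-04T08:59:10Z|app=3f1c-mailsync|actor=admin@corp.example|scope=Mail.Read
2025-03-04T09:01:22Z|app=9a7e-backupbot|actor=admin@corp.example|scope=Mail.ReadWrite
2025-03-04T09:01:31Z|app=9a7e-backupbot|actor=admin@corp.example|scope=Files.ReadWrite.All
2025-03-04T14:20:05Z|app=3f1c-mailsync|actor=admin@corp.example|scope=Files.ReadWrite.All
"""

# The risky combination from the text; scopes are compared exactly, so Mail.Read does not count.
RISKY_COMBO = frozenset({"Mail.ReadWrite", "Files.ReadWrite.All"})
WINDOW = timedelta(minutes=10)  # assumed: grants this close together stem from one consent action


def parse_grant(line):
    """Parse 'timestamp|key=value|...' into a dict with a timezone-aware 'time'."""
    ts, *fields = line.strip().split("|")
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_risky_grants(audit_text, combo=RISKY_COMBO, window=WINDOW):
    """Return one alert per app that received every scope in `combo` within `window`."""
    grants = defaultdict(list)  # app id -> [(time, scope), ...]
    for line in audit_text.splitlines():
        if line.strip():
            rec = parse_grant(line)
            grants[rec["app"]].append((rec["time"], rec["scope"]))

    alerts = []
    for app, items in grants.items():
        items.sort()
        for start, _ in items:  # slide the window from each grant in turn
            seen = {scope for t, scope in items if start <= t <= start + window}
            if combo <= seen:
                alerts.append({"app": app, "scopes": sorted(combo), "first_grant": start})
                break  # one alert per app is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_risky_grants(SAMPLE_AUDIT):
        print(f"{a['first_grant'].isoformat()}  app={a['app']}  scopes={a['scopes']}")
```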
Looking past its surface as a catalog of techniques, MITRE ATT&CK reveals itself as an architectural framework that, when mapped into detection engineering, provides three key advantages: gap analysis, structured testing, and a universal analytic language, as described here:
- Visualizing detection gaps: Which techniques do we have rules for, which do we not?
- Testing framework: Generating TTP-based scenarios for red-/purple-team exercises.
- Common language: When “T1055 - Process Injection” is mentioned, analysts worldwide understand the same thing.
In academic literature, this linkage is called TTP-to-signal mapping. Without it, modern SOCs can’t truly realize the value of threat intelligence.
Conclusion
Cyber threat intelligence is only as effective as the language and frameworks used to interpret it. Understanding threat actors, their motivations, and the TTPs that define their behavior transforms raw data into decisions that genuinely strengthen an organization's defenses. The frameworks covered here, from MITRE ATT&CK and the Diamond Model to STIX/TAXII and detection engineering workflows, are not independent tools but complementary lenses that, when applied together, reveal the full shape of an attack. Organizations that invest in learning this language and operationalizing it across the intelligence cycle move from reacting to incidents to anticipating them, which is ultimately what separates a defensive posture from a strategic one.
Editor’s note: This post has been adapted from a section of the book Cyber Threat Intelligence: The Comprehensive Guide by Haydar Yener Arici. Haydar is a senior systems and cybersecurity specialist with more than 23 years of experience in IT infrastructure, system administration, digital forensics, and open-source intelligence (OSINT). Throughout his career, he has conducted extensive work in critical areas such as the design, operation, and security of enterprise IT infrastructures; digital evidence analysis; and the establishment and development of corporate cybersecurity processes.
This post was originally published 6/2026.