What is Cyber Threat Intelligence and how does it support organizations in protecting against threats?

Anastazja Jadczak
10/01/2025

Ransomware attacks are not only failing to slow down, but are clearly accelerating: [in Q1 2025, the number of disclosed ransomware victims increased by 126% year over year, reaching a record level](https://blog.checkpoint.com/research/the-state-of-ransomware-in-the-first-quarter-of-2025-a-126-increase-in-ransomware-yoy/?). This shows that organizations are increasingly becoming targets of actions planned in advance, rather than random campaigns.

Cyber Threat Intelligence addresses this trend by enabling earlier threat detection, analysis of threat actors and attack techniques, and response before a real incident occurs — instead of only after the fact. The number of ransomware attacks continues to grow, constituting a major threat to Polish companies and organizations. The consequences of such an attack include a range of negative effects: from multi-million financial losses, through operational paralysis, to lasting damage to reputation.

But what if it is possible to stay ahead of cybercriminals’ moves? The key here is the Cyber Threat Intelligence (CTI) process, which makes it possible not only to understand who may attack a given organization and why, but also to anticipate attack techniques. CTI uses, among other things, Dark Web monitoring to identify data leaks, alarming mentions of companies, or other signs of planned activities, enabling organizations to respond before the threat becomes reality.

In this article, we uncover the fundamentals of Cyber Threat Intelligence – explaining what its types and methods are, what the so-called CTI lifecycle looks like, and what benefits its application can bring to an organization.

What is Cyber Threat Intelligence?

Cyber Threat Intelligence is a process involving the collection, analysis, distribution, and exchange of information about cyberattacks and their perpetrators, aimed at improving security measures.

Many organizations, including governments, law enforcement agencies, security solution providers, as well as private and public companies, use CTI to strengthen their defenses. This can take place in two ways: proactive use of Threat Intelligence helps in building an effective security strategy, while reactive use supports procedures for defending against cyberattacks.

Types of Threat Intelligence and their applications

There are three main types of Threat Intelligence, each of which plays a slightly different role, addresses different needs, and can be used at different stages of an organization’s security process:

  • Tactical Threat Intelligence provides real-time information about threats that are actively targeting the organization. It supports the day-to-day activities of security teams by giving them the data necessary for detecting, responding to, and neutralizing security incidents.

  • Operational Threat Intelligence offers a more comprehensive threat landscape through analysis of the motives, capabilities, and intentions of attackers. It helps organizations understand who is attacking them, why they are becoming a target, and how attackers may attempt to break through their defenses.

  • Strategic Threat Intelligence delivers high-level analyses, focusing on long-term trends, emerging risks, and geopolitical factors influencing the cyber threat landscape. This type of data helps decision-makers understand the broader context of cyber threats, enabling informed decisions regarding overall security strategy.

Cyber Threat Intelligence Lifecycle

Regardless of which type of CTI we decide to implement in our organization, we should follow specific steps that organize the entire process and help transform raw data into actionable information.

This refers to a methodology known as the Cyber Threat Intelligence Lifecycle, originally developed by the CIA to collect intelligence information and build defensive mechanisms. Over time, this model was adopted and adapted by other organizations and today constitutes the gold standard in this area.

Cyber Threat Intelligence Lifecycle consists of six steps:

  1. Planning (Planning & Direction) – includes defining requirements, methods, and objectives for a specific CTI operation.
  2. Collection – gathering information from various sources, such as security logs, threat intelligence feeds, forums, social media, domain experts, etc. The main assumption is to collect as much relevant information as possible.
  3. Processing – assessing the relevance of collected data, filtering it, removing irrelevant details, translating information from foreign-language sources, and structuring key data for further analysis.
  4. Analysis – aims to transform dispersed information into usable knowledge. This includes profiling threat actors, correlating threats, and analyzing their behaviors.
  5. Dissemination – at this stage, teams ensure that key findings and recommendations are delivered to the appropriate stakeholders.
  6. Feedback – obtaining feedback from involved parties and stakeholders in order to determine what adjustments and improvements should be made in the next cycle.

CTI process in SOC360:

  1. Acquisition (from external sources and based on SOC360 incidents), consumption, analysis, and distribution of knowledge in the area of:

    a. Activities of cybercriminal and APT groups.

    b. Tactics, techniques, and procedures (TTPs) used in cyberattacks.

    c. Reports and publications about attacks.

    d. Reports and publications on vulnerabilities.

    e. Information and data about tools.

  2. Acquiring skills related to the operation and use of tools employed by threat actors.

  3. Reproducing and simulating attacks.

  4. Analysis of indicators (IoC and IoA) obtained from CTI sources, incidents, and simulations for use in the Detection Engineering process.

  5. Acquisition, maintenance, and distribution of CTI sources.

  6. Distribution of CTI information within SOC360 and to SOC360 customers.
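As an added illustration of the Processing and Analysis steps of the lifecycle above and of point 4 of the SOC360 list (example code written for this article, not the article's or SOC360's own tooling), the Python below takes a constructed indicator feed, normalizes and deduplicates it, discards expired, low-confidence and malformed records, and correlates the surviving indicators with constructed proxy log lines. The feed layout, the `dst=`/`host=` log fields and the confidence threshold are assumptions.

```python
import ipaddress
from datetime import date
# Constructed sample feed records (hypothetical values, not from any real feed).
FEED = [
    {"type": "ipv4", "value": "198.51.100.23", "confidence": 90, "expires": "2025-12-31", "source": "feed-a"},
    {"type": "ipv4", "value": "198.51.100.23", "confidence": 60, "expires": "2025-12-31", "source": "feed-b"},
    {"type": "domain", "value": "Login-Example.Test.", "confidence": 80, "expires": "2025-12-31", "source": "feed-a"},
    {"type": "ipv4", "value": "203.0.113.7", "confidence": 20, "expires": "2025-12-31", "source": "feed-c"},
    {"type": "domain", "value": "old.example.test", "confidence": 95, "expires": "2024-01-01", "source": "feed-a"},
    {"type": "ipv4", "value": "not-an-ip", "confidence": 99, "expires": "2025-12-31", "source": "feed-c"},
]
# Constructed internal proxy log lines (key=value fields; assumed format).
LOGS = [
    "2025-10-01T08:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 host=login-example.test action=allow",
    "2025-10-01T08:00:02Z proxy src=10.0.0.6 dst=93.184.216.34 host=www.example.org action=allow",
    "2025-10-01T08:00:03Z proxy src=10.0.0.7 dst=203.0.113.7 host=cdn.example.net action=allow",
]

def normalize(record):
    """Canonical indicator value (lower-case, no trailing dot), or None when malformed."""
    value = record["value"].strip().lower().rstrip(".")
    if record["type"] != "ipv4":
        return value
    try:
        return str(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        return None

def process(feed, today, min_confidence=50):
    """Processing step: validate, drop expired/low-confidence records, merge duplicates."""
    cutoff = date.fromisoformat(today)
    indicators = {}
    for rec in feed:
        value = normalize(rec)
        if value is None or date.fromisoformat(rec["expires"]) < cutoff or rec["confidence"] < min_confidence:
            continue
        # A duplicate keeps the highest confidence and the union of reporting sources.
        entry = indicators.setdefault((rec["type"], value), {"confidence": 0, "sources": set()})
        entry["confidence"] = max(entry["confidence"], rec["confidence"])
        entry["sources"].add(rec["source"])
    return indicators

def correlate(indicators, logs):
    """Analysis step: match processed indicators against the dst= and host= log fields."""
    hits = []
    for line in logs:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        for ind_type, field in (("ipv4", "dst"), ("domain", "host")):
            if (ind_type, fields.get(field)) in indicators:
                hits.append((fields[field], line))
    return hits
```

Running `correlate(process(FEED, "2025-10-01"), LOGS)` yields two hits, both on the first log line; the low-confidence address in the third line is deliberately not reported.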

Threat Intelligence sources

The sources on which the CTI process should be built largely depend on who conducts it and for what purpose. The strategy adopted by a SOC team, whose primary objective is to enrich detection rules and identify various techniques, tactics, trends, as well as new criminal groups and the methods they use, will not be suitable for an internal security team that focuses on acquiring threat intelligence related to a specific industry or geographic area.

Collecting logs from internal security systems and gathering experience from incident analysis and response will certainly prove valuable, as this can help organizations protect themselves against recurring threats and avoid repeating the same mistakes.

  • Industry reports – documents provided by security companies, e.g. reports on the latest threats and attack methods, such as the DFIR Report.
  • Threat databases – e.g. MITRE ATT&CK, CVE (Common Vulnerabilities and Exposures), which provide information on known vulnerabilities and attacker tactics.
  • Communities and forums – information-sharing groups, both public and closed (e.g. ISACs – Information Sharing and Analysis Centers).
  • Open-source intelligence (OSINT) – publicly available data, e.g. articles, blogs, social media, internet forums.
  • Darknet – monitoring hidden forums, marketplaces, or websites where cybercriminals exchange information or trade tools used to carry out attacks.
  • Cybercriminal groups – tracking the activity of known APT (Advanced Persistent Threat) groups.

Text author:
Anastazja Jadczak, Content Specialist, 4Prime IT Security