As part of my learning journey through the Hack The Box Certified Defensive Security Analyst (CDSA) certification, I’ve recently explored a fascinating topic—threat hunting. The more I dive in, the more I realize how important it is to distinguish between threat hunting and cyber threat intelligence (CTI). While both disciplines play vital roles in modern cybersecurity programs, they serve different functions and require distinct approaches.

In this inaugural post for my new blog section dedicated to threat hunting, CTI, and threat actors, I want to explore how these two areas intersect, how they differ, and why both are essential to defending against today’s cyber threats.


Understanding Cyber Threat Intelligence (CTI)

Cyber threat intelligence (CTI) is the practice of collecting, analyzing, and disseminating data about current and potential threats. It transforms raw data into actionable insights that help organizations anticipate, prepare for, and respond to cyberattacks.

In short, CTI is about knowing your enemy.

But it’s important to recognize that intelligence is not simply information or data:

  • Data is raw and unprocessed (e.g., log entries, IP addresses).
  • Information is structured and organized data.
  • Intelligence is the final, actionable product derived from analysis.

For CTI to be useful, it must meet three critical conditions:

  • Accurate – Is the intelligence reliable and precise?
  • Relevant – Does it apply to your environment or industry?
  • Timely – Is the information recent and actionable?

Types of Threat Intelligence

CTI is typically categorized into three levels:

  • Strategic Intelligence: Focuses on the big picture. It informs long-term security decisions and risk management, and is tailored for executive leadership and senior stakeholders.
  • Tactical Intelligence: Focuses on adversary Tactics, Techniques, and Procedures (TTPs). This form of intelligence directly informs security tools and threat-hunting strategies. For example, it may involve mapping known behaviors to the MITRE ATT&CK framework.
  • Operational Intelligence: Delivers real-time insights on specific, ongoing threats. This might include dark web chatter, malware analysis, or vulnerabilities currently being exploited.

Traditionally, CTI has operated somewhat independently, producing intelligence reports in isolation. However, modern security teams are increasingly integrating CTI into their overall operations—informing SOC workflows, guiding hunts, and even influencing business strategy.


What Is Threat Hunting?

While CTI focuses on understanding and anticipating threats, threat hunting is the process of actively seeking them out within your environment.

It’s a proactive, hypothesis-driven activity aimed at uncovering hidden adversaries that have bypassed traditional security controls. Unlike incident response, which is reactive and initiated by alerts or alarms, threat hunting is an active pursuit—looking for threats before they announce themselves.

Threat Hunting Triggers

A hunt is typically initiated by one of three drivers:

  • Threat Intelligence: For example, a new indicator of compromise (IOC) or known adversary TTPs may prompt an investigation.
  • Situational Awareness: Understanding your environment helps define “normal” and detect anomalies that suggest malicious activity.
  • Analytics: Behavioral analytics and machine learning models can uncover deviations from expected patterns that warrant a hunt.

Threat hunting closes the loop on threat intelligence—it begins where CTI ends. While CTI provides the “what” and “who”, threat hunting delivers the “where”, “when”, and “how” within your own network.


How They Work Together

Here’s the most important point: threat hunting and CTI are not competing functions—they’re complementary.

CTI:

  • Informs defenders about what threats exist.
  • Delivers context and patterns.
  • Guides strategic planning and tactical defenses.

Threat Hunting:

  • Uses CTI as a launchpad.
  • Validates whether threats exist in the current environment.
  • Actively detects and disrupts adversary activity.

Think of CTI as the compass that points toward potential danger, while threat hunting is the expedition into the jungle to confront it.
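The hand-off described above, as an added example (not code from the original post): raw log lines are parsed into structured records (data to information), a constructed CTI feed is filtered on the accurate, relevant and timely test (information to intelligence), and the indicators that survive drive an IOC hunt over the same records, with a simple volume baseline standing in for the situational-awareness and analytics triggers. Every log line, hostname, user, IP address, feed entry, confidence score, sector label and threshold is constructed for illustration; the two ATT&CK technique IDs are real ATT&CK identifiers used only as labels, and the sector and age thresholds are assumptions.

```python
"""Added example: CTI filtering feeding a hypothesis-driven hunt.
All inputs below are constructed; nothing here is real traffic or real intel."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Data: constructed raw proxy-style log lines (documentation IP ranges only).
RAW_LOGS = """\
2024-05-01T10:02:11Z host=ws-017 user=alice dst=203.0.113.45 action=connect bytes=512
2024-05-01T10:02:14Z host=ws-017 user=alice dst=198.51.100.7 action=connect bytes=1048576
2024-05-01T10:05:00Z host=ws-022 user=bob dst=203.0.113.45 action=connect bytes=220
2024-05-01T10:06:30Z host=srv-db1 user=svc_backup dst=192.0.2.10 action=connect bytes=77
2024-05-01T10:07:02Z host=ws-017 user=alice dst=198.51.100.7 action=connect bytes=2097152
"""

# Constructed CTI feed: each entry carries the attributes needed to judge it.
CTI_FEED = [
    {"ioc": "198.51.100.7", "type": "ip", "ttp": "T1041 Exfiltration Over C2 Channel",
     "last_seen": "2024-04-29", "confidence": 85, "sectors": ["finance", "healthcare"]},
    {"ioc": "203.0.113.45", "type": "ip", "ttp": "T1071 Application Layer Protocol",
     "last_seen": "2023-11-02", "confidence": 40, "sectors": ["retail"]},
]

LOG_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) "
    r"action=(?P<action>\S+) bytes=(?P<bytes>\d+)"
)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    dst: str
    action: str
    bytes: int


def parse_logs(raw: str) -> list:
    """Data -> information: turn raw lines into structured records."""
    events = []
    for line in raw.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole hunt
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["host"], m["user"], m["dst"], m["action"], int(m["bytes"])))
    return events


def usable_intel(feed, now, our_sector, max_age_days=30, min_confidence=60):
    """Information -> intelligence: keep only entries that are timely (recently seen),
    relevant (apply to our sector) and accurate (confidence above a floor)."""
    keep = []
    for entry in feed:
        last_seen = datetime.strptime(entry["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        timely = now - last_seen <= timedelta(days=max_age_days)
        relevant = our_sector in entry["sectors"]
        accurate = entry["confidence"] >= min_confidence
        if timely and relevant and accurate:
            keep.append(entry)
    return keep


def hunt_ioc_matches(events, intel):
    """Trigger: threat intelligence. Which host/user pairs reached a current IOC?"""
    iocs = {e["ioc"]: e for e in intel}
    return sorted({(ev.host, ev.user, ev.dst, iocs[ev.dst]["ttp"]) for ev in events if ev.dst in iocs})


def hunt_volume_anomalies(events, baseline_bytes=10_000):
    """Trigger: situational awareness / analytics. Host-destination pairs whose total
    outbound volume exceeds a (constructed) baseline for this environment."""
    totals = {}
    for ev in events:
        totals[(ev.host, ev.dst)] = totals.get((ev.host, ev.dst), 0) + ev.bytes
    return sorted(key for key, total in totals.items() if total > baseline_bytes)


def run_hunt(now_iso="2024-05-01T12:00:00Z", our_sector="finance"):
    """Run the full pipeline and return the hunt findings as a dict."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    events = parse_logs(RAW_LOGS)
    intel = usable_intel(CTI_FEED, now, our_sector)
    return {
        "usable_iocs": [e["ioc"] for e in intel],
        "ioc_matches": hunt_ioc_matches(events, intel),
        "volume_anomalies": hunt_volume_anomalies(events),
    }


if __name__ == "__main__":
    for name, finding in run_hunt().items():
        print(f"{name}: {finding}")
```

Note how the stale, low-confidence, wrong-sector entry never reaches the hunt: the same raw data yields one confirmed finding rather than two, and the volume check independently flags the same host, which is the kind of corroboration a hunter wants before escalating.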


Final Thoughts

As organizations face increasingly sophisticated cyber adversaries, both CTI and threat hunting are essential capabilities. Understanding how to transform data into actionable intelligence—and then use that intelligence to proactively seek out threats—is the cornerstone of modern defensive security.

This is just the beginning of my journey into the world of threat hunting and CTI. Stay tuned as I dive deeper into techniques, frameworks like MITRE ATT&CK, case studies, and insights into the ever-evolving threat landscape.