Cybersecurity Threat Intelligence Reference Framework
CYBERSECURITY THREAT INTELLIGENCE REPORT CONFIDENTIAL | 2025
CYBERSECURITY THREAT INTELLIGENCE
REFERENCE FRAMEWORK
Threat Actor Taxonomy  |  APTs  |  RaaS  |  MITRE ATT&CK  |  Live Intelligence
Version2.0 — Q2 2025 ClassificationNA
Prepared BySecure In Security, External Authors Review CycleQuarterly
FrameworksMITRE ATT&CK v15, NIST CSF 2.0 DateApril 2026
This document provides a comprehensive overview of the current global cyber threat landscape, covering threat actor taxonomy, advanced persistent threat groups, ransomware-as-a-service ecosystems, MITRE ATT&CK framework mappings, and curated real-time intelligence resources for security operations teams.

1. Executive Summary

The cyber threat landscape has evolved into a highly stratified ecosystem of state-sponsored actors, organized criminal syndicates, hacktivists, and insider threats. Understanding the taxonomy of these actors—their motivations, capabilities, and preferred techniques—is foundational to building an effective defense posture.

This report consolidates intelligence from multiple authoritative sources to deliver a structured reference covering:

  • Threat actor categorization by motivation, sophistication, and attribution
  • Profiles of notable Advanced Persistent Threat (APT) groups active in 2024–2025
  • The Ransomware-as-a-Service (RaaS) syndicate model and key criminal organizations
  • MITRE ATT&CK framework mappings linking threat actors to specific tactics and techniques
  • Curated real-time threat intelligence platforms and feeds
Key finding: As of Q1 2025, 72% of data breaches involve a human element, ransomware median dwell time has decreased to 5 days, and state-sponsored intrusions account for an estimated 25% of all significant cyber incidents globally. (Source: Verizon DBIR 2024 / Mandiant M-Trends 2024)

2. Threat Actor Taxonomy

Effective threat intelligence begins with a consistent taxonomy. Threat actors are categorized across several dimensions: organizational structure, primary motivation, technical capability (sophistication), and operational objectives. The widely accepted taxonomy distinguishes six primary actor categories.

2.1 Primary Actor Categories

Category Primary Motivation Sophistication Common Objectives Examples
Nation-State / APT Geopolitical / Espionage Very High IP theft, sabotage, intelligence collection APT29, APT41, Lazarus
Cybercriminal Financial Gain Moderate–High Ransomware, fraud, data theft LockBit, ALPHV, FIN7
Hacktivist Ideology / Publicity Low–Moderate Defacement, DDoS, data leaks Anonymous, KillNet, IT Army
Insider Threat Personal / Coerced Variable Data exfiltration, sabotage Malicious employees, contractors
Script Kiddie Notoriety / Curiosity Low Website defacement, opportunistic attacks Skiddie toolkits
Terrorist / Extremist Political / Religious Low–Moderate Critical infrastructure disruption Various state-linked proxies

2.2 Diamond Model of Intrusion Analysis

The Diamond Model provides a structured framework for analyzing cyber intrusion events by examining four core features and their relationships:

  • Adversary — The threat actor or group conducting the intrusion
  • Infrastructure — Technical resources used (domains, IPs, C2 servers, botnets)
  • Capability — Malware, exploits, TTPs (Tactics, Techniques, and Procedures) employed
  • Victim — The targeted entity, system, or data

Meta-features such as timestamp, phase, result, direction, methodology, and social-political context extend the model for richer analytical value. Analysts use the Diamond Model in conjunction with the MITRE ATT&CK framework to correlate observed indicators with known actor profiles.

2.3 Threat Intelligence Confidence Levels

All intelligence products should be assigned confidence ratings. The following scale aligns with NATO / IC standards:

LevelDescription
HIGHBased on high-quality corroborated information from multiple reliable sources. Minimal doubt about accuracy.
MODERATEBased on credible information from a reliable source. Some gaps or inconsistencies exist but overall assessment is sound.
LOWBased on reporting from a source of uncertain reliability. Should be treated as preliminary and requires verification.

3. Advanced Persistent Threats (APTs)

Advanced Persistent Threats represent the apex of the threat actor hierarchy. These state-sponsored or state-tolerated groups operate with long-term strategic objectives, substantial resources, access to zero-day vulnerabilities, and sophisticated operational security. Their intrusions are characterized by persistence, stealth, and targeted data collection rather than immediate financial gain.

3.1 Defining Characteristics of APT Actors

  • Long-term access and persistence — dwell times historically averaging 16+ days (declining)
  • Custom or modified malware toolsets tailored to specific targets
  • Multi-stage attack chains: initial access → lateral movement → exfiltration
  • Living-off-the-land (LotL) techniques to evade detection using native tools
  • Supply chain compromise to access downstream victims
  • Operational security: deliberate obfuscation of attribution and infrastructure

3.2 Notable APT Groups — 2024–2025 Active Threats

Group Name Nation-State Known Aliases Target Sectors & Notable Activity
APT29 Russia Cozy Bear, Midnight Blizzard, NOBELIUM Government, defense, think tanks. Responsible for SolarWinds supply chain attack (2020), Microsoft email breach (2024).
APT28 Russia Fancy Bear, Forest Blizzard, Sofacy NATO governments, defense contractors, elections infrastructure. LAPSUS-style credential access.
Sandworm Russia Voodoo Bear, IRIDIUM, Seashell Blizzard Critical infrastructure (energy, water, ICS/SCADA). NotPetya wiper (2017), Ukraine power grid attacks.
APT41 China Double Dragon, Winnti, BARIUM, Bronze Atlas Healthcare, pharma, gaming, telecoms. Dual cyber espionage & financial crime operations.
APT10 China Stone Panda, menuPass, Cicada Managed service providers (MSPs), aerospace, engineering. Operation Cloud Hopper.
Volt Typhoon China Bronze Silhouette, VANGUARD PANDA US critical infrastructure pre-positioning. LotL focus. Disruption readiness mandate.
Lazarus Group DPRK Hidden Cobra, ZINC, Labyrinth Chollima Financial institutions, crypto exchanges, defense. Crypto theft $3B+ (2017–2023). WannaCry.
APT34 Iran OilRig, HELIX KITTEN, Crambus Energy sector, Middle East governments, financial. DNS tunneling, custom implants.
APT35 Iran Charming Kitten, TA453, Phosphorus Academics, journalists, NGOs, healthcare. Spear-phishing, credential harvesting.
Scattered Spider Criminal/EN UNC3944, Oktapus, Muddled Libra Finance, telecom, hospitality. MGM/Caesars attacks (2023). Social engineering mastery.

3.3 APT Attack Lifecycle

APT intrusions generally follow a predictable multi-phase kill chain that security teams should monitor for early indicators of compromise (IoCs):

  • Phase 1 — Reconnaissance: Passive OSINT, active scanning, social profiling of targets
  • Phase 2 — Initial Access: Spear-phishing, supply chain compromise, VPN/RDP exploitation, watering hole attacks
  • Phase 3 — Execution & Persistence: Malware deployment, scheduled tasks, registry modification, valid account abuse
  • Phase 4 — Privilege Escalation: Local/domain privilege escalation, Kerberoasting, token manipulation
  • Phase 5 — Defense Evasion: Process injection, log clearing, signed binary proxy execution, timestomping
  • Phase 6 — Lateral Movement: Pass-the-Hash, PsExec, SMB exploitation, remote services abuse
  • Phase 7 — Collection & Exfiltration: Data staging, compressed archives, encrypted C2 channels, DNS tunneling
  • Phase 8 — Impact / Objective Completion: Espionage, sabotage, financial theft, pre-positioned disruption capability
Defense recommendation: Implement network segmentation, privileged access workstations (PAWs), canary tokens, and deception technologies. Monitor for behavioral anomalies—APTs increasingly avoid traditional IoCs in favor of living-off-the-land techniques that blend with normal operations.

4. Ransomware-as-a-Service (RaaS) Syndicates

Ransomware-as-a-Service represents the commercialization of ransomware operations. RaaS operates on a franchise model in which core developers (operators) build and maintain ransomware infrastructure, then lease it to affiliates who conduct attacks in exchange for a revenue share—typically 70-80% affiliate / 20-30% operator.

4.1 The RaaS Business Model

  • Operators develop and maintain the ransomware binary, encryptor, decryptor key management, and victim-facing payment portals
  • Affiliates handle initial access, lateral movement, and deployment—often purchasing stolen credentials from initial access brokers (IABs)
  • Initial Access Brokers (IABs) sell pre-established footholds into compromised networks on dark web marketplaces
  • Double extortion: data is exfiltrated before encryption; victims threatened with publication on leak sites if ransom is unpaid
  • Triple extortion: adds DDoS attacks or customer/partner notifications as additional leverage
  • Revenue sharing typically conducted in Monero (XMR) for privacy, with Bitcoin (BTC) also used

4.2 Active RaaS Syndicates — 2024–2025

Syndicate Status Notable Activity & Characteristics
LockBit 3.0 Active/Disrupted Most prolific RaaS 2022–2024; law enforcement disruption (Feb 2024, Operation Cronos) led to LockBit 4.0 emergence. Automated affiliate panel, bug bounty program. Healthcare, critical infrastructure targets.
ALPHV / BlackCat Defunct (2024) Rust-based cross-platform ransomware. Change Healthcare attack (Feb 2024) caused national healthcare payment disruption. Exit scam after FBI seizure; affiliates migrated to RansomHub.
RansomHub Active (2024–) Emerged post-ALPHV/BlackCat collapse absorbing displaced affiliates. Rapidly became dominant RaaS platform. Christie’s auction house, Halliburton breaches in 2024.
Cl0p Active MOVEit Transfer mass exploitation campaign (2023) affecting 2,700+ organizations. SQL injection as initial access vector. Notable for zero-day exploitation at scale.
Black Basta Active Believed linked to Conti diaspora. Ascension Health attack (2024) disrupted patient care. Qakbot/BATLOADER for initial access. Double extortion standard.
Play Active Government, manufacturing, healthcare focus. RDP exploitation as primary access vector. Operates own data leak site. Average ransom demand $500K–$2M.
Akira Active (2023–) VMware ESXi targeting. Cisco VPN zero-day exploitation (2023). Dual-platform (Windows/Linux) encryptor. Retro 1980s aesthetic on leak site.
Medusa Active (2023–) Healthcare, education, government sectors. Medusa Blog leak site. Telegram channel for pressure. Multi-extortion model.
Hunters Int. Active (2023–) Suspected Hive successor. Focus on manufacturing, healthcare. Exfiltration-first approach. Data-only extortion option.

4.3 Ransomware Threat Statistics — 2024

  • Average ransom payment: $2.73 million (Sophos State of Ransomware 2024, up 500% YoY)
  • Average ransom demand: $5.3 million across tracked incidents
  • Only 47% of data is recovered on average after paying ransom
  • Healthcare sector targeted in 67% of organizations surveyed in 2024
  • Critical infrastructure accounted for 16% of CISA-tracked ransomware incidents
  • Median dwell time (initial access to encryption): 5 days (Mandiant M-Trends 2024)
  • Initial access vector: 29% exploited vulnerabilities, 23% phishing, 20% compromised credentials

4.4 Ransomware Defense & Recovery Framework

The following controls significantly reduce ransomware risk and recovery time when an incident occurs:

  • Immutable Backups: 3-2-1 backup strategy with at least one air-gapped or immutable offline copy tested quarterly
  • Patch Management: Prioritize internet-facing systems; CISA KEV (Known Exploited Vulnerabilities) catalog as baseline
  • EDR/XDR Deployment: Behavioral detection with rollback capability; ensure ransomware-specific detections are enabled
  • Network Segmentation: Micro-segmentation prevents lateral movement; isolate backup infrastructure and OT/ICS networks
  • MFA Everywhere: Phishing-resistant MFA (FIDO2/hardware tokens) for all remote access, VPN, and privileged accounts
  • Incident Response Plan: Pre-established RaaS-specific playbook including legal, comms, and law enforcement coordination
Regulatory note: Ransomware payments may violate OFAC sanctions regulations if funds flow to sanctioned actors. Organizations must conduct OFAC screening before any payment and may require a specific license. Notify FBI/CISA prior to payment decisions when possible.

5. MITRE ATT&CK Framework Mappings

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is the globally accepted knowledge base of adversary behavior derived from real-world observations. Version 15 (2024) includes 14 Enterprise tactics, 196 techniques, and 411 sub-techniques. The framework enables defenders to map threat actor TTPs to specific defensive controls.

5.1 Enterprise Tactic Overview (ATT&CK v15)

Tactic Tactic ID Description High-Impact Techniques
Reconnaissance TA0043 Gathering information to plan future adversary operations T1595 Active Scanning, T1596 Search Open Tech DBs, T1598 Phishing for Info
Resource Development TA0042 Establishing resources to support operations T1583 Acquire Infrastructure, T1586 Compromise Accounts, T1588 Obtain Capabilities
Initial Access TA0001 Attempting to get into your network T1566 Phishing, T1190 Exploit Public-Facing App, T1195 Supply Chain Compromise
Execution TA0002 Running adversary-controlled code T1059 Command & Scripting Interpreter, T1203 Exploitation for Client Execution
Persistence TA0003 Maintaining foothold across restarts T1053 Scheduled Task/Job, T1543 Create/Modify System Process, T1547 Boot Autostart
Privilege Escalation TA0004 Gaining higher-level permissions T1055 Process Injection, T1068 Exploit for Priv Escalation, T1134 Access Token Manipulation
Defense Evasion TA0005 Avoiding being detected T1027 Obfuscated Files, T1036 Masquerading, T1562 Impair Defenses, T1070 Indicator Removal
Credential Access TA0006 Stealing account names and passwords T1003 OS Credential Dumping, T1110 Brute Force, T1558 Kerberoasting, T1539 Steal Web Session
Discovery TA0007 Figuring out your environment T1082 System Info Discovery, T1083 File/Dir Discovery, T1018 Remote System Discovery
Lateral Movement TA0008 Moving through your environment T1021 Remote Services, T1550 Use Alt Auth Material (PtH), T1080 Taint Shared Content
Collection TA0009 Gathering data of interest to their goal T1074 Data Staged, T1114 Email Collection, T1560 Archive Collected Data
C2 (Command & Control) TA0011 Communicating with compromised systems T1071 App Layer Protocol, T1090 Proxy, T1095 Non-App Layer Protocol, T1572 Protocol Tunneling
Exfiltration TA0010 Stealing data from your network T1041 Exfil Over C2, T1048 Exfil Alt Protocol, T1567 Exfil to Cloud Service
Impact TA0040 Manipulating, interrupting, or destroying systems/data T1486 Data Encrypted for Impact, T1490 Inhibit Recovery, T1499 Endpoint DoS

5.2 Threat Actor to ATT&CK Mappings

The following table maps selected high-priority threat actors to their predominantly observed MITRE ATT&CK techniques, enabling security operations teams to tune detections accordingly.

Actor Category Key Initial Access TTPs Signature Techniques Common Malware / Tools
APT29 / Midnight Blizzard Nation-State (RU) T1566.002 Spearphish Link, T1195.002 Compromise SW Supply Chain T1027 Obfuscation, T1550.001 PtH, T1071.001 Web Protocols C2 SUNBURST, BOOMBOX, ROOTSAW, Cobalt Strike
APT28 / Fancy Bear Nation-State (RU) T1566.001 Spearphish Attachment, T1078 Valid Accounts T1036 Masquerading, T1003.003 NTDS, T1059.003 Cmd Shell X-Agent, Fancy Bear Implant, Drovorub, LoJax
Volt Typhoon Nation-State (CN) T1190 Exploit Pub-Facing App, T1078.003 Local Accts T1036.003 Rename System Util, T1003.001 LSASS Dump Fast Reverse Proxy (FRP), Impacket, native OS tools
Lazarus Group Nation-State (DPRK) T1566.001 Spearphish, T1195.001 Compromise HW Supply Chain T1055 Process Injection, T1486 Data Encrypted (crypto theft) BLINDINGCAN, FALLCHILL, AppleJeus, DRATzarus
LockBit 3.0 Criminal / RaaS T1190 Exploit Vuln, T1078 Valid Accts (IABs), T1566 Phishing T1486 Encrypt for Impact, T1490 Inhibit Sys Recovery LockBit payload, Cobalt Strike, AnyDesk, WinSCP
Cl0p Criminal / RaaS T1190 Exploit Public App (MOVEit, GoAnywhere), T1133 External Remote T1048 Exfil Alt Protocol, T1560 Archive Data Truebot, FlawedAmmyy, Cl0p encryptor
Scattered Spider Criminal T1078 Valid Accts (SIM swap, social eng), T1621 MFA Request Gen T1557 AiTM, T1534 Internal Spearphish, T1059.007 JS BYOVD techniques, Okta phishing kits, Raccoon Stealer

5.3 ATT&CK Navigator & Detection Engineering

MITRE ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/) enables security teams to visualize coverage, gaps, and adversary profiles. Key operational uses include:

  • Detection Coverage Mapping: Overlay existing SIEM/EDR detection rules to identify uncovered techniques
  • Threat-Informed Defense: Prioritize detection engineering investments based on actor-specific TTP heat maps
  • Red Team Planning: Develop adversary emulation plans based on actor-specific TTP profiles
  • SOC Metrics: Track MTTD (Mean Time to Detect) per ATT&CK tactic phase over time
  • Purple Team Exercises: Validate detection coverage using Atomic Red Team tests mapped to ATT&CK IDs
Tool recommendation: Combine MITRE ATT&CK with SIGMA rules (generic detection signatures), Atomic Red Team (automated validation tests), and the D3FEND framework (defensive countermeasures ontology) for a complete threat-informed detection engineering lifecycle.

6. Real-Time Intelligence Resources

Timely and accurate threat intelligence is a force multiplier for security operations. The resources below are organized into government/regulatory sources, commercial platforms, open-source feeds, community-driven intelligence, and operational tools.

6.1 Government & Regulatory Sources

  • CISA (cisa.gov): US Cybersecurity & Infrastructure Security Agency. Publishes advisories, KEV catalog, SHIELDS UP campaigns, and sector-specific threat alerts. Mandatory reference for critical infrastructure defenders.
  • FBI IC3 (ic3.gov): Internet Crime Complaint Center. Annual Internet Crime Report, ransomware complaint portal, law enforcement liaison.
  • NSA Cybersecurity Directorate (nsa.gov/cybersecurity): Technical guidance documents, security configuration benchmarks, joint advisories with CISA.
  • NCSC UK (ncsc.gov.uk): National Cyber Security Centre threat reports, weekly threat summaries, and PDNS (Protective DNS) service guidance.
  • ENISA (enisa.europa.eu): EU Agency for Cybersecurity. Annual Threat Landscape (ETL) report, sector-specific threat profiles, NIS2 implementation guidance.
  • US-CERT / CISA Alerts: https://www.cisa.gov/news-events/cybersecurity-advisories — RSS feed available for near-real-time advisory monitoring.

6.2 Commercial Threat Intelligence Platforms

  • Mandiant Advantage (mandiant.com): Premium actor profiles, breach intelligence, malware analysis. M-Trends annual report is industry gold standard.
  • CrowdStrike Falcon Intelligence (crowdstrike.com): Adversary intelligence, Indicator feeds, global threat reports. Global Threat Report published annually.
  • Recorded Future (recordedfuture.com): Machine learning-driven risk scoring, dark web monitoring, geopolitical intelligence fusion.
  • Palo Alto Unit 42 (unit42.paloaltonetworks.com): Threat research blog, actor profiles, cloud threat intelligence, incident response insights.
  • Microsoft MSTIC (microsoft.com/security/blog): Microsoft Threat Intelligence Center blog covers APT activity using Microsoft’s naming convention (e.g., Midnight Blizzard).
  • Secureworks CTU (secureworks.com): Counter Threat Unit research. BRONZE/IRON/GOLD actor naming convention with detailed TTP reporting.

6.3 Open-Source & Free Intelligence Resources

  • VirusTotal (virustotal.com): File and URL reputation, YARA hunting, retrohunt capabilities. Multi-engine scan results with behavioral analysis.
  • AlienVault OTX (otx.alienvault.com): Open Threat Exchange. Community-contributed IoC pulses. Free API for SIEM integration.
  • Shodan (shodan.io): Internet-connected device search engine. Essential for external attack surface management and CVE exposure assessment.
  • Censys (censys.io): Attack surface management platform. Continuous internet scanning with certificate transparency monitoring.
  • URLhaus (urlhaus.abuse.ch): Malicious URL database with API. Part of the Abuse.ch abuse-fighting ecosystem.
  • MalwareBazaar (bazaar.abuse.ch): Malware sample sharing platform. YARA signature submissions and hash lookups.
  • MISP (misp-project.org): Malware Information Sharing Platform. Self-hosted or community feeds. STIX/TAXII protocol support.
  • Threat Fox (threatfox.abuse.ch): IoC sharing platform with API. Focus on botnet C2s, malware hashes, domains, and IPs.

6.4 ISAC / Community Intelligence Sharing

  • FS-ISAC (fsisac.com): Financial Services ISAC. Real-time alerts for financial sector threats, cross-industry threat sharing.
  • H-ISAC (h-isac.org): Health ISAC. Healthcare-specific threat intelligence, ransomware early warnings.
  • E-ISAC (eisac.com): Electricity ISAC operated by NERC. Critical infrastructure OT/IT convergence threat sharing.
  • MS-ISAC (cisecurity.org/ms-isac): Multi-State ISAC for US SLTT (State, Local, Tribal, Territorial) governments.
  • ISC2 / ISACA Communities: Professional communities for threat research discussion, Slack/Discord channels for community IoC sharing.

6.5 Vulnerability & Exploit Intelligence

  • CISA KEV Catalog (cisa.gov/known-exploited-vulnerabilities): Authoritative list of CVEs with active exploitation. Mandatory patching deadlines for federal agencies; benchmark for all organizations.
  • NVD (nvd.nist.gov): National Vulnerability Database. Full CVE details, CVSS scoring, CPE affected product mappings.
  • Exploit-DB (exploit-db.com): The Offensive Security exploit archive. PoC exploits with CVE cross-referencing.
  • VulnCheck (vulncheck.com): Exploit intelligence platform tracking PoC availability, weaponization status, KEV correlation.
  • Greynoise (greynoise.io): Internet-wide scan and exploit attempt tracking. Context on whether CVEs are being mass-exploited.
  • AttackerKB (attackerkb.com): Rapid7 community vulnerability assessment. Analyst exploitation feasibility ratings alongside CVSS.

6.6 Dark Web & Underground Intelligence

Monitoring criminal underground forums provides early warning of credential exposure, planned attacks, and new tooling. These capabilities should be deployed with appropriate legal authorization and operational security controls.

  • Flare (flare.io): Automated dark web, deep web, and Telegram monitoring for credential exposure and threat actor chatter.
  • DarkOwl Vision (darkowl.com): Largest commercially available darknet dataset. Used for credential exposure and actor tracking.
  • Intel471 (intel471.com): Criminal underground intelligence. Actor profiles, forum monitoring, malware-as-a-service tracking.
  • SpyCloud (spycloud.com): Enterprise-focused breach data recapture and ATO (account takeover) prevention.
Operational security reminder: Dark web monitoring should be conducted by trained analysts using isolated infrastructure, VPNs/Tor, and non-attributable identities. Direct interaction with threat actors requires legal counsel review and, in many jurisdictions, law enforcement coordination.

7. Threat-Informed Defense Recommendations

7.1 Security Control Priorities by Threat Category

Threat Category Priority Controls Detection Focus
APT / Nation-State Phishing-resistant MFA, PAW (Privileged Access Workstations), network segmentation, supply chain vetting, hunt team capability Anomalous LDAP/AD queries, unusual outbound encrypted traffic, lateral movement via legitimate tools (PsExec, WMI)
RaaS / Ransomware Immutable backups, EDR with rollback, VPN MFA, RDP restriction, IAB credential monitoring, SIEM alert on mass encryption events Rapid file modification rates, VSS (shadow copy) deletion, RDP brute force, new scheduled tasks, LOLbin abuse
Credential Theft Password manager policy, privileged account tiering, Credential Guard, LAPS, monitoring LSASS access 4625/4771 event IDs, secretsdump activity, Kerberoasting (excessive SPN requests), NTDS.dit access
Supply Chain SBOM (Software Bill of Materials), vendor security assessments, network baselining post-updates, code signing enforcement Unexpected outbound connections from trusted software, behavioral deviation from baseline after software updates
Insider Threat Zero trust architecture, DLP (Data Loss Prevention), UEBA (User Entity Behavior Analytics), least-privilege enforcement Unusual access patterns, after-hours bulk downloads, access to sensitive data by role-inappropriate accounts

7.2 Intelligence-Driven Security Operations Maturity

Organizations should assess their threat intelligence maturity against the following model and use this document as part of a roadmap to advance capability:

  • Level 1 — Reactive: IoC consumption only, manual processes, perimeter-focused, no TI team
  • Level 2 — Informed: Subscribed to one or more TI feeds, SIEM integration, threat hunting initiated
  • Level 3 — Integrated: TI team operational, ATT&CK-based detection coverage mapped, MISP/TAXII feeds active
  • Level 4 — Threat-Informed: Actor-specific defense posture, purple team exercises, detection engineering loop active
  • Level 5 — Predictive: Threat modeling per actor, pre-emptive hunt campaigns, contributing intelligence to ISACs
Organizations at maturity levels 1–2 should prioritize foundational controls (MFA, EDR, patch management) and consumption of free government intelligence (CISA KEV, NCSC). Investment in commercial TI platforms and a dedicated TI analyst role becomes valuable at levels 3 and above.

8. References & Further Reading

The following authoritative sources were referenced in the development of this document and are recommended for ongoing intelligence consumption:

  • MITRE ATT&CK Framework: https://attack.mitre.org — Version 15, Enterprise, Mobile, and ICS matrices
  • MITRE D3FEND: https://d3fend.mitre.org — Defensive technique ontology mapped to ATT&CK
  • Verizon DBIR 2024: https://www.verizon.com/business/resources/reports/dbir/ — Annual Data Breach Investigations Report
  • Mandiant M-Trends 2024: https://www.mandiant.com/m-trends — Annual threat intelligence report
  • CrowdStrike Global Threat Report 2024: https://www.crowdstrike.com/global-threat-report/
  • ENISA Threat Landscape 2024: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024
  • CISA Advisories: https://www.cisa.gov/news-events/cybersecurity-advisories
  • NIST Cybersecurity Framework 2.0: https://www.nist.gov/cyberframework
  • Sophos State of Ransomware 2024: https://www.sophos.com/en-us/content/state-of-ransomware
  • Atomic Red Team: https://github.com/redcanaryco/atomic-red-team — ATT&CK-mapped detection validation tests
Threat Actor Taxonomy & Intelligence Framework  |  Version 2.0  |  Q2 2025  |  Cyber Intelligence Unit This document is intended for authorized cybersecurity personnel only.