Cyber Threat Framework

Building Blocks of Cyber Intelligence

key challenges banner

We spend considerable time and effort producing cyber threat intelligence. Once a monopoly of government, the private sector as well is now actively producing as well as consuming 'actionable' cyber threat intelligence. The National Intelligence Manager for Cyber is charged with integrating this activity within the US Intelligence Community and of looking strategically for ways to improve the quantity, quality, and impact of cyber intelligence. As part of this dialogue within Government, we created this graphic and model as a simple way to describe the cyber threat intelligence process and frame dialogue about ways to improve performance. The model has been shared with private sector organizations looking to improve their performance dealing with diverse threats and complex information sharing environments.


White Paper on Cyber Threat Intelligence - PDF

Key Challenges Infographic - PDF

cyber attribution banner

The National Intelligence Manager for Cyber is charged with integrating cyber intelligence within the US Government and of looking strategically for ways to improve the quantity, quality, and impact of cyber intelligence. As part of this dialogue within Government, the National Intelligence Manager and the National Intelligence Office for Cyber jointly authored this compendium of analytic best practices and a simple rubric for describing attribution of malicious cyber operations in the face of incomplete or contradictory information.


A Guide to Cyber Attribution - PD

The Cyber Threat Framework was developed by the US Government to enable consistent characterization and categorization of cyber threat events, and to identify trends or changes in the activities of cyber adversaries.

The Cyber Threat Framework is applicable to anyone who works cyber-related activities, its principle benefit being that it provides a common language for describing and communicating information about cyber threat activity.

The framework and its associated lexicon provide a means for consistently describing cyber threat activity in a manner that enables efficient information sharing and cyber threat analysis, that is useful to both senior policy/decision makers and detail oriented cyber technicians alike.


The framework captures the adversary life cycle from PREPARATION of capabilities and targeting to initial ENGAGEMENT with the targets or temporary nonintrusive disruptions by the adversary, to establishing and expanding the PRESENCE on target networks, to the creation of EFFECTS and CONSEQUENCES from theft, manipulation, or disruption.



The CTF with an associated lexicon can be used to describe cyber activity in a consistent and repeatable fashion. The framework can:


  • Establish a shared ontology and enhance information-sharing. It is far easier to map the translation of multiple models to a common reference than directly to each other.
  • Characterize and categorize threat activity in a straightforward way that can support missions ranging from strategic decision-making to analysis and cybersecurity measures and users from generalist to technical experts.
  • Support common situational awareness across organizations.


Since 2012, the Office of the Director of National Intelligence has worked with interagency partners to build and refine a Common Cyber Threat Framework approach reflecting these key attributes and goals:


  • Incorporate a hierarchical/layered perspective that allows tailoring of focus on a level of detail appropriate to the audience while maintaining linkage and traceability to other layers of data
  • Employ structured and documented categories with explicitly defined terms and labels (lexicon)
  • Focus on empirical/sensor-derived "objective" data
  • Accommodate a wide variety of data sources, threat actors and activity
  • Provide a foundation for analysis and decision-making


The CTF is not intended to displace or replace an organizations existing model which should be tailored to its specific mission and requirements; rather it is intended to:


  • Serve as a viable Universal Translator (a cyber-Esperanto or Rosetta Stone) facilitating efficient and possibly automated exchange of data and insight across models once each has been mapped to it and the mappings shared
  • Provide a starting point for organizations that have not yet adopted a threat Framework. Built around simple model and value neutral concepts, the CTF can be customized for an organization's needs and these modifications from the original CTF are readily apparent, facilitating mapping and data exchange.

The idea of creating a cyber threat framework came from observations among the US policy community that cyber was being described by different agencies in a variety of ways that made consistent understanding difficult. There are over a dozen analytic models being used across government, academia, and the private sector. Each model reflects the priorities and interests of its developer, but the wide disparities across models made it difficult to facilitate efficient situational analysis that was based on objective data.


The framework will be scalable and facilitate data sharing at “machine speed.” Implementation within the USG will include processes to reduce or eliminate double-counting of threat data.

relationship ctf nistframework

While NIST has not promulgated or endorsed a specific threat framework, it advocates the use of a threat framework in addition to a cybersecurity framework to inform risk decisions and evaluate safeguards and actions taken.  NIST notes in its Cybersecurity Framework documentation that such threat frameworks may provide insight into which safeguards are more important at a given point in time and specific threat circumstances.  NIST’s FAQ cites the CTF as an exemplar of a threat framework that can standardize or normalize data collected within an organization or shared between them by providing a common ontology and lexicon.



This email address is being protected from spambots. You need JavaScript enabled to view it. Submit Questions or Comments about Cyber Threat Framework


ctiic    ODNI