Threat Intelligence for Developers: Using CTI to Prioritize Security
Learn how cyber threat intelligence — IOCs, TTPs, MITRE ATT&CK, and threat feeds — helps developers and security teams prioritize what actually matters.
Security teams face a paradox: vulnerability scanners surface thousands of issues, but the team has capacity to fix maybe a dozen per sprint. Without a principled way to prioritize, teams either work through CVEs by severity score (which correlates poorly with exploitation likelihood) or by gut feel (which correlates worse).
Cyber Threat Intelligence (CTI) closes this gap by providing context about who is attacking organizations like yours, what techniques they use, and which vulnerabilities they actually exploit in the wild.
What Is Threat Intelligence?
Threat intelligence, in Gartner's widely cited definition, is evidence-based knowledge (context, mechanisms, indicators, implications, and actionable advice) about an existing or emerging threat to your assets, which can be used to inform decisions about how to respond to it.
There are four levels of threat intelligence, each suited to different audiences:
| Level | Audience | Example |
|---|---|---|
| Strategic | CISOs, executives | "Nation-state actors are targeting SaaS identity providers" |
| Operational | Security management | "Threat group UNC4736 is targeting developers via npm packages" |
| Tactical | SOC analysts, incident responders | TTPs mapped to MITRE ATT&CK |
| Technical | Security engineers, developers | Specific IOCs: IP addresses, domains, file hashes |
Developers benefit most from tactical and technical intelligence — understanding the techniques attackers use helps you build applications that do not provide easy footholds.
Indicators of Compromise (IOCs)
IOCs are artifacts that indicate a system may have been compromised. Common types:
- IP addresses — C2 server IPs, scanner IPs
- Domains — Phishing domains, malware distribution sites, C2 domains
- File hashes — SHA256 hashes of known malware samples
- URLs — Specific malicious URLs
- Registry keys — Windows registry entries created by malware
- Email indicators — Sender addresses, subject lines, attachment hashes
IOCs are the most perishable form of intelligence. IP addresses and domains are rotated, and a file hash changes with every recompile or repack. In David Bianco's Pyramid of Pain they sit at the bottom: trivial for the attacker to change, so an IOC-only defense is like blocking the phone number the scammer used yesterday. Use IOCs for cheap detection and retrospective hunting, not as your only line of defense.
Where to get IOC feeds and exploitation data:
- VirusTotal: multi-engine analysis of suspicious files and URLs. Samples you upload are shared with participating vendors, so search by hash first and never upload documents that contain internal data.
- AlienVault OTX: free community threat intelligence with millions of IOCs
- Abuse.ch (Feodo Tracker, URLhaus, MalwareBazaar): specialized feeds for botnet C2 IPs, malware-distribution URLs, and malware samples
- CISA Known Exploited Vulnerabilities (KEV) Catalog: not an IOC feed but a list of CVEs with confirmed in-the-wild exploitation, which makes it the single most useful input for patch prioritization
TTPs: Tactics, Techniques, and Procedures
TTPs describe how attackers operate: their tooling, procedures, and behavioral patterns. They are far more durable than IOCs because changing a TTP means the adversary has to develop or buy new tooling and retrain operators, whereas swapping an IP address or recompiling a binary costs them minutes.
- Tactics — The adversary's high-level goals (e.g., "Initial Access," "Persistence")
- Techniques — How they achieve those goals (e.g., "Phishing," "Supply Chain Compromise")
- Procedures — The specific implementation (e.g., the exact phishing email template and payload delivery mechanism used by a specific group)
Understanding the TTPs used against companies in your sector lets you prioritize defenses that neutralize multiple techniques at once.
MITRE ATT&CK: The Standard TTP Library
MITRE ATT&CK is the industry-standard knowledge base of adversary TTPs, organized into 14 tactics for enterprise environments.
Enterprise ATT&CK tactics:
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
- Impact
Each tactic contains dozens of techniques. For example, under Initial Access:
- T1566 — Phishing
- T1190 — Exploit Public-Facing Application
- T1195 — Supply Chain Compromise
- T1078 — Valid Accounts (logging in with stolen, purchased, or default credentials; the credential-stuffing attack that obtains them is T1110.004, a sub-technique of Brute Force)
Using ATT&CK to guide security investments:
Map your current detective and preventive controls against the ATT&CK matrix to identify gaps. If you have no coverage for T1195 (Supply Chain Compromise) and your sector is being actively targeted via npm packages, that gap becomes a high-priority investment.
The ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/) provides a visual interface for building these coverage maps. A Navigator layer is just JSON listing technique IDs with a score, color, and comment, so it can be generated from a control inventory rather than clicked together by hand.
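One way to generate such a coverage map, as an added example that is not from the article or from MITRE: a control inventory keyed by technique ID is turned into a Navigator layer (each technique scored by how many controls cover it, colored red where a sector-relevant technique has none) and the uncovered sector-relevant techniques are listed as the investment gaps. The controls, their coverage, and the sector TTP list are constructed; the technique IDs are real Enterprise ATT&CK IDs; the `versions` strings are an assumption, so set them to match the Navigator build you import into.

```python
"""Turn a control inventory into an ATT&CK Navigator layer and list coverage gaps.

Added example, not part of the original article. Control names, the coverage
they provide, and SECTOR_TTPS are constructed; technique IDs are real.
"""
import json

# Constructed inventory: technique ID -> controls we believe cover it.
COVERAGE = {
    "T1566": ["email-gateway", "phishing-resistant-mfa"],   # Phishing
    "T1190": ["waf", "external-attack-surface-scan"],        # Exploit Public-Facing Application
    "T1078": ["phishing-resistant-mfa"],                     # Valid Accounts
    "T1195": [],                                             # Supply Chain Compromise
    "T1133": [],                                             # External Remote Services
}

# Constructed list of techniques that threat reports say are used against our sector.
SECTOR_TTPS = {"T1195", "T1566", "T1078"}


def gaps(coverage, sector_ttps):
    """Sector-relevant techniques with no control at all: the high-priority investments."""
    return sorted(t for t in sector_ttps if not coverage.get(t))


def technique_entry(tid, controls, sector_ttps):
    """One Navigator 'techniques' entry; score = number of covering controls."""
    if tid in sector_ttps and not controls:
        color = "#e74c3c"   # red: actively used against us and nothing covers it
    elif not controls:
        color = "#f39c12"   # orange: uncovered, but not currently reported in our sector
    else:
        color = "#2ecc71"   # green: at least one control
    return {
        "techniqueID": tid,
        "score": len(controls),
        "color": color,
        "comment": ", ".join(controls) if controls else "no coverage",
    }


def build_layer(coverage, sector_ttps, name="Control coverage vs sector TTPs"):
    """Layer JSON for the Navigator. The version strings are an assumption:
    match them to the Navigator build you will load this into."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "techniques": [technique_entry(t, c, sector_ttps) for t, c in sorted(coverage.items())],
    }


if __name__ == "__main__":
    print("gaps to fund first:", gaps(COVERAGE, SECTOR_TTPS))
    print(json.dumps(build_layer(COVERAGE, SECTOR_TTPS), indent=2))
```

Save the printed JSON to a file and open it in the Navigator; the red cells are the conversation to have at the next planning meeting.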
Threat Feeds: Integrating Intelligence into Your Stack
Threat feeds provide automated, machine-readable streams of IOCs and TTPs that can be integrated into your security tooling.
STIX (the data format) and TAXII (the transport protocol) are the standard pair for sharing threat intelligence. Most commercial threat feeds and many open-source ones support them.
Common integration points:
- SIEM — Feed IP and domain IOCs into your SIEM for automated correlation. Any traffic to/from known-bad indicators triggers an alert.
- WAF — Block known-malicious IP ranges and Tor exit nodes at the edge. Treat IP blocking as a tripwire rather than a barrier: attackers rotate through cloud and residential proxies, and shared egress addresses (CGNAT, corporate proxies) cause false positives.
- DNS — Integrate threat feeds into your DNS resolver to block malware C2 domains company-wide (Cisco Umbrella, Cloudflare Gateway).
- EDR — Modern EDR platforms ingest threat feeds automatically and block known-malicious hashes and processes.
Free/open-source feeds:
- CISA KEV Catalog (JSON API available)
- Emerging Threats (Proofpoint) — network IDS rules
- Spamhaus — IP reputation for email
- PhishTank — phishing URLs
Commercial feeds (Recorded Future, Mandiant Advantage, CrowdStrike Intel) add curated, analyst-written context, attribution, and forward-looking assessments. Whether that is worth paying for depends on whether someone on your team will actually act on it.
Making Intelligence Actionable for Developers
CTI is most valuable when it directly influences what developers build and what security engineers monitor.
Scenario 1: Prioritizing vulnerability remediation
Your scanner flags 200 CVEs. The CISA KEV Catalog lists 8 of them as actively exploited. Fix those 8 first: they have confirmed real-world exploitation, regardless of their CVSS score. KEV is deliberately conservative (a CVE is added only once CISA has evidence of exploitation), so absence from KEV is not evidence of safety; for the remaining 192, an exploitation-probability score such as FIRST's EPSS is a better tiebreaker than CVSS alone.
```bash
# Download the CISA KEV catalog and list the CVE IDs it contains (-r prints them unquoted)
curl -s https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \
  | jq -r '.vulnerabilities[].cveID' | head -20
```
Cross-reference your scanner output against the KEV catalog to instantly surface the highest-priority remediations.
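The cross-reference itself, as an added example that is not part of the original article: it indexes the KEV JSON (a constructed sample in the catalog's real field layout; CVE-2021-44228 is genuinely a KEV entry, the CVE-0000-* identifiers are placeholders, not real vulnerabilities) and a constructed scanner export, then orders findings so that KEV entries with known ransomware use come first, other KEV entries next, and everything else by CVSS. The `fetch_kev` helper downloads the live catalog from the URL shown above and is otherwise unused by the offline demo.

```python
"""Rank scanner findings by CISA KEV membership before CVSS.

Added example, not from the original article. KEV_SAMPLE is constructed in the
catalog's real JSON layout; SCANNER_CSV is a constructed scanner export.
"""
import csv
import io
import json
import urllib.request

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample. CVE-2021-44228 (Log4Shell) is a real KEV entry; the
# CVE-0000-* identifiers are placeholders, not real vulnerabilities.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "Widget",
         "dateAdded": "2024-01-01", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner export: one finding per row.
SCANNER_CSV = """cve,cvss,asset
CVE-0000-0002,9.8,api-gateway
CVE-2021-44228,10.0,legacy-reporting
CVE-0000-0001,5.3,build-agent
CVE-0000-0003,7.5,build-agent
"""


def fetch_kev(url=KEV_URL, timeout=30):
    """Download the live catalog (needs network access; the offline demo does not call it)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_kev(kev_json):
    """Index catalog entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(scanner_csv, kev_json):
    """Findings sorted: KEV with ransomware use, then other KEV, then CVSS descending."""
    kev = load_kev(kev_json)
    findings = []
    for row in csv.DictReader(io.StringIO(scanner_csv)):
        entry = kev.get(row["cve"])
        findings.append({
            "cve": row["cve"],
            "asset": row["asset"],
            "cvss": float(row["cvss"]),
            "in_kev": entry is not None,
            "ransomware": entry is not None and entry.get("knownRansomwareCampaignUse") == "Known",
            "kev_added": entry["dateAdded"] if entry else None,
        })
    # False sorts before True, so negate the flags that should float to the top.
    findings.sort(key=lambda f: (not f["ransomware"], not f["in_kev"], -f["cvss"]))
    return findings


def fix_first(scanner_csv, kev_json):
    """The short list for this sprint: every finding that is in KEV, in priority order."""
    return [f["cve"] for f in prioritize(scanner_csv, kev_json) if f["in_kev"]]


if __name__ == "__main__":
    for f in prioritize(SCANNER_CSV, KEV_SAMPLE):
        flag = "KEV+ransomware" if f["ransomware"] else ("KEV" if f["in_kev"] else "")
        print(f"{f['cve']:16} cvss={f['cvss']:<5} {f['asset']:18} {flag}")
```

Note that the 5.3-rated CVE-0000-0001 outranks the 9.8-rated CVE-0000-0002 purely because it is in KEV; that inversion is the whole point of the exercise.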
Scenario 2: Hardening based on known attacker TTPs
Intel reports indicate that threat actors targeting SaaS companies are abusing OAuth application consent grants to maintain persistent access: a user is phished into consenting to a malicious app (T1528, Steal Application Access Token), and the attacker then uses the resulting token instead of a password (T1550.001, Application Access Token), which prompts for no MFA and keeps working until the grant is revoked. Your response:
- Audit existing OAuth grants in your identity provider
- Implement alerts for new high-privilege OAuth grants
- Restrict which third-party apps users can authorize
- Add OAuth grant review to your quarterly access review process
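The alerting and review steps above as an added example (not the article's code): it evaluates constructed consent-grant audit events against an approved-app list and a set of scopes treated as high-privilege. The scope names are in the Microsoft Graph style; which scopes count as high-privilege, and treating `offline_access` (a refresh token) combined with them as a persistence signal, are assumptions to tune for your identity provider.

```python
"""Alert on risky OAuth consent grants and summarise grants for the access review.

Added example, not from the original article. GRANT_EVENTS and APPROVED_APPS are
constructed; HIGH_PRIVILEGE_SCOPES is an assumption to tune per tenant.
"""

# Scopes whose grant should page someone (assumption; Microsoft Graph naming style).
HIGH_PRIVILEGE_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All", "Sites.ReadWrite.All",
}
# A refresh token: the grant keeps working without the user logging in again.
PERSISTENCE_SCOPE = "offline_access"

# Constructed approved third-party apps (IDs are placeholders).
APPROVED_APPS = {"app-ci-bot": "Build pipeline integration", "app-hr-sync": "HR directory sync"}

# Constructed consent-grant audit events.
GRANT_EVENTS = [
    {"app_id": "app-ci-bot", "app_name": "CI Bot", "grant_type": "admin",
     "scopes": ["Files.Read.All", "offline_access"], "granted_by": "admin@example.com"},
    {"app_id": "app-unknown-1", "app_name": "PDF Helper", "grant_type": "user",
     "scopes": ["Mail.ReadWrite", "offline_access"], "granted_by": "alice@example.com"},
    {"app_id": "app-unknown-2", "app_name": "Calendar Sync", "grant_type": "user",
     "scopes": ["Calendars.Read"], "granted_by": "bob@example.com"},
]


def assess_grant(event, approved=APPROVED_APPS, high_priv=HIGH_PRIVILEGE_SCOPES):
    """Reasons this grant needs attention; an empty list means it is fine."""
    reasons = []
    scopes = set(event["scopes"])
    risky = scopes & high_priv
    unapproved = event["app_id"] not in approved
    if unapproved:
        reasons.append("app not on approved list")
    if risky:
        reasons.append("high-privilege scopes: " + ", ".join(sorted(risky)))
    if risky and PERSISTENCE_SCOPE in scopes:
        reasons.append("offline_access with high-privilege scopes (persistent access)")
    if unapproved and event["grant_type"] == "admin":
        reasons.append("tenant-wide admin consent to an unapproved app")
    return reasons


def alerts(events):
    """(app name, reasons) for every grant that tripped at least one rule."""
    out = []
    for e in events:
        reasons = assess_grant(e)
        if reasons:
            out.append((e["app_name"], reasons))
    return out


def review_summary(events):
    """Per-app view for the quarterly access review: every scope granted, and by whom."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["app_id"], {"name": e["app_name"], "scopes": set(), "granted_by": set()})
        s["scopes"].update(e["scopes"])
        s["granted_by"].add(e["granted_by"])
    return summary


if __name__ == "__main__":
    for name, reasons in alerts(GRANT_EVENTS):
        print(f"ALERT {name}: " + "; ".join(reasons))
    for app_id, s in review_summary(GRANT_EVENTS).items():
        print(f"REVIEW {app_id} ({s['name']}): {sorted(s['scopes'])} granted by {sorted(s['granted_by'])}")
```

Wire `assess_grant` to the identity provider's consent audit events for the real-time alert, and run `review_summary` over the last quarter's events as the input to the access review.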
Scenario 3: Detection engineering
A threat report describes a ransomware group that uses a specific technique: executing PowerShell Base64-encoded commands from macro-enabled Office documents. Even if you have no Windows infrastructure today, understanding this TTP helps you:
- Write detection rules that are ready the day you do
- Evaluate whether your EDR vendor detects this technique
- Understand the attack chain so you can recognize precursor activity
Building an Intelligence Program
You do not need a dedicated threat intelligence team to benefit from CTI. A lightweight program for a mid-size SaaS company:
- Subscribe to 2-3 free feeds (CISA KEV, AlienVault OTX, sector-specific ISAC)
- Read monthly threat reports from CISA, Mandiant, and CrowdStrike — 1 hour per month
- Track APT groups relevant to your sector using ATT&CK groups
- Maintain a threat model that reflects current attacker TTPs against companies like you
- Review KEV catalog weekly and fast-track patching for any CVEs relevant to your stack
The output is not a threat intel dashboard — it is better security decisions: which vulnerabilities to fix first, which detections to write, and which controls to invest in next quarter.
Intelligence without action is just information. The measure of a CTI program is whether it changes what your team does.