Comprehensive and Detailed Explanation (Based on CTIA Official Concepts)
According to the EC-Council Certified Threat Intelligence Analyst (CTIA) study materials, the incident response process generally consists of four phases—Preplanning, Event, Incident, and Breach. Each phase corresponds to specific activities and the application of different types of threat intelligence.
This question focuses on the point in the process where operational and tactical threat intelligence are actively used to provide context to alerts generated by security mechanisms. The correct phase for this activity is the Incident phase.
Phase 1: Preplanning
In this phase, an organization prepares and designs its incident response framework. The main tasks include defining roles, establishing policies, and creating communication channels and procedures.
Strategic threat intelligence is primarily used here to understand high-level threat trends, organizational risks, and to develop incident response playbooks and policies.
Operational and tactical threat intelligence are not yet applied at this stage because no alerts or incidents have occurred. Therefore, Phase 1 is not the correct answer.
Phase 2: Event
In the event phase, security systems such as firewalls, IDS, IPS, and SIEM generate alerts that indicate potential malicious activity. Security analysts begin initial triage, trying to determine if an alert is a false positive or represents real suspicious behavior.
At this point, analysts may reference technical indicators such as IP addresses, domains, or file hashes, but operational and tactical intelligence are not yet applied in depth. The main goal here is identification and classification, not full analysis and contextualization. Thus, this is not the correct phase.
Phase 3: Incident
When a suspicious event is confirmed as a legitimate security incident, the organization moves into the incident phase. In this stage, incident response teams investigate, analyze, and respond to the threat.
This is the phase where operational and tactical threat intelligence are actively applied.
Operational Threat Intelligence provides information about the attacker’s motives, campaign objectives, and current attack methods. It helps the organization understand who is attacking, why, and with what resources.
Tactical Threat Intelligence focuses on the adversaries’ tactics, techniques, and procedures (TTPs), such as exploit methods, malware behavior, and persistence mechanisms.
By using operational and tactical threat intelligence during the incident phase, the organization can:
Correlate alerts with known threat actor campaigns.
Add context to security events to understand their significance.
Prioritize incidents based on real-world threat activity.
Guide containment, eradication, and recovery actions more effectively.
In CTIA documentation, this process is described as “leveraging threat intelligence to enrich alerts with contextual data to accelerate incident detection and response.” Therefore, Phase 3: Incident is the correct answer.
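As an added illustration of the enrichment step described above (example code, not from the CTIA materials or the question), the following Python matches alerts against an intelligence set that carries operational context (campaign, motive) and tactical TTPs, correlates alerts that belong to the same campaign, and ranks them for the responder. All indicators, campaign names, confidence values and thresholds are constructed for the example.

```python
from collections import Counter

# Constructed intelligence keyed by indicator (hypothetical values, not a real feed):
# campaign/motive are operational context, ttps are tactical detail.
INTEL = {
    "198.51.100.23": {"campaign": "Campaign-Alpha", "motive": "espionage", "confidence": 0.9,
                      "ttps": ["spear-phishing attachment", "scheduled-task persistence"]},
    "bad-update.example": {"campaign": "Campaign-Alpha", "motive": "espionage", "confidence": 0.7,
                           "ttps": ["HTTPS command-and-control"]},
    "9f86d081884c7d659a2feaa0c55ad015": {"campaign": "Campaign-Beta", "motive": "financial",
                                         "confidence": 0.6, "ttps": ["credential-stealing malware"]},
}

# Constructed alerts as security mechanisms might emit them during the Event phase.
ALERTS = [
    {"id": 1, "source": "IDS", "indicator": "198.51.100.23", "severity": 3},
    {"id": 2, "source": "proxy", "indicator": "bad-update.example", "severity": 2},
    {"id": 3, "source": "EDR", "indicator": "9f86d081884c7d659a2feaa0c55ad015", "severity": 2},
    {"id": 4, "source": "firewall", "indicator": "203.0.113.8", "severity": 1},
]

def priority_label(score):
    """Map a numeric score to a triage bucket (thresholds are an assumption)."""
    return "high" if score >= 3.5 else "medium" if score >= 2 else "low"

def enrich(alerts, intel):
    """Attach campaign context and TTPs to each alert and rank by priority.

    Alerts whose indicators belong to the same campaign reinforce each other:
    a campaign seen in more than one alert gets a +1 escalation, which is the
    'correlate alerts with known campaigns' step of the Incident phase.
    Unmatched alerts keep their base severity and carry no campaign context.
    """
    campaign_hits = Counter(intel[a["indicator"]]["campaign"]
                            for a in alerts if a["indicator"] in intel)
    enriched = []
    for a in alerts:
        rec = intel.get(a["indicator"])
        if rec is None:
            enriched.append({**a, "campaign": None, "motive": None, "ttps": [],
                             "score": a["severity"], "priority": priority_label(a["severity"])})
            continue
        score = a["severity"] * rec["confidence"] + (1 if campaign_hits[rec["campaign"]] > 1 else 0)
        enriched.append({**a, "campaign": rec["campaign"], "motive": rec["motive"],
                         "ttps": rec["ttps"], "score": round(score, 2),
                         "priority": priority_label(score)})
    return sorted(enriched, key=lambda e: e["score"], reverse=True)

if __name__ == "__main__":
    for e in enrich(ALERTS, INTEL):
        print(e["id"], e["priority"], e["campaign"], e["ttps"])
```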
Phase 4: Breach
This phase occurs after an incident has escalated into an actual compromise or data loss event. The focus here is on containment, eradication, recovery, and post-breach reporting or legal coordination.
Strategic intelligence may be used for lessons learned and long-term improvement, but operational and tactical intelligence are no longer central to this phase. Therefore, this is not the correct answer.
Summary Table

Phase                | Type of Threat Intelligence | Purpose
---------------------|-----------------------------|-------------------------------------------------------
Phase 1: Preplanning | Strategic                   | Planning and policy development
Phase 2: Event       | Technical                   | Alert generation and detection
Phase 3: Incident    | Operational and Tactical    | Contextualize alerts, guide investigation and response
Phase 4: Breach      | Strategic                   | Recovery, compliance, and lessons learned
Final Answer: C. Phase 3: Incident
Explanation Reference:
Derived from EC-Council Certified Threat Intelligence Analyst (CTIA) Official Study Guide, topics: “Integration of Threat Intelligence in Incident Response” and “Application of Operational and Tactical Threat Intelligence in SOC and IR Operations.”