This article establishes a tri‐level decision‐making model supporting critical infrastructure (CI) resilience optimization against intentional attacks. A novel decomposition algorithm is proposed to exactly identify the best pre‐event defense strategy (protecting vulnerable components and building new lines), the worst‐case attack scenario, and the optimal post‐event repair sequence of damaged components. As different types of CIs have different flow models, this article mainly considers the direct current power flow model and the maximal flow model for illustrative purposes. The proposed framework is illustrated by a simple but representative case system with nine nodes, and the main results include: (1) the marginal value of extra defense investment under a low defense budget is more considerable for mitigating system resilience loss, especially under large intentional attacks; (2) no defense strategy is always the best under different attack budgets; (3) increasing the amount of repair resources can dramatically enhance CI resilience, but makes the pre‐event defense strategy less effective; (4) the use of the maximal flow model can provide a lower bound estimation of the resilience loss from the power flow model; (5) the optimum defense strategy and the worst‐case attack identified by minimizing CI resilience loss differ largely from those identified by minimizing CI vulnerability, where the latter does not consider the recovery actions. Finally, the algorithm complexity is analyzed by comparison with the enumeration method and by testing two larger electric power systems.