Threat intelligence can empower us with knowledge about existing or potential threats. The information can be straightforward, such as a malicious domain name, or complex, such as an in-depth profile of a known adversary. Keep in mind that there is a maturity curve when it comes to intelligence, represented by the three levels listed below. With each level, the context and analysis of CTI becomes deeper and more sophisticated, caters to different audiences, and can get more costly.
- Tactical intelligence
- Operational intelligence
- Strategic intelligence
Tactical Threat Intelligence
Tactical intelligence is focused on the immediate future, is technical in nature, and identifies simple indicators of compromise (IOCs). IOCs are things such as bad IP addresses, URLs, file hashes and known malicious domain names. Tactical intelligence is often machine-readable, which means that security products can ingest it through feeds or API integration.
Tactical intelligence is the easiest type of intelligence to generate and is almost always automated. As a result, it can be found via open source and free feeds, but it usually has a very short lifespan because IOCs such as malicious IPs or domain names can become obsolete in days or even hours.
It’s important to note that simply subscribing to intel feeds can result in plenty of data, but offers little means to digest and strategically analyze the threats relevant to you. Also, false positives can occur when the source is not timely or of high fidelity.
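As an added illustration of the two points above (machine-readable IOC feeds and their short lifespan), the following example, which is not part of the original article, ingests a constructed feed of IP and domain indicators, discards any that are older than a chosen age, and matches the rest against constructed log lines, downgrading matches from low-confidence sources to "review" rather than "alert". The feed format, source names and confidence scores are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str        # "ipv4" or "domain"
    first_seen: datetime
    source: str
    confidence: int  # 0-100, as published by the (hypothetical) feed

# Constructed sample feed rows: value, kind, first_seen (ISO 8601 UTC), source, confidence.
SAMPLE_FEED = [
    ("203.0.113.7", "ipv4", "2024-05-01T08:00:00Z", "vendor-a", 90),
    ("198.51.100.23", "ipv4", "2024-03-15T12:00:00Z", "osint-list", 70),  # stale
    ("192.0.2.55", "ipv4", "2024-05-02T10:00:00Z", "osint-list", 40),     # low fidelity
    ("bad-update.example", "domain", "2024-05-02T03:30:00Z", "vendor-a", 85),
]

# Constructed proxy/firewall log lines in a simplified "timestamp src dst" format.
SAMPLE_LOGS = [
    "2024-05-03T09:01:02Z 10.0.0.5 203.0.113.7",
    "2024-05-03T09:02:10Z 10.0.0.8 198.51.100.23",
    "2024-05-03T09:03:44Z 10.0.0.9 192.0.2.55",
    "2024-05-03T09:04:01Z 10.0.0.5 bad-update.example",
    "2024-05-03T09:05:00Z 10.0.0.7 93.184.216.34",
]

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_feed(rows, now: datetime, max_age_days: int) -> dict:
    """Ingest feed rows, discarding indicators older than max_age_days (tactical IOCs decay fast)."""
    active = {}
    for value, kind, seen, source, conf in rows:
        ioc = Indicator(value, kind, parse_ts(seen), source, conf)
        if now - ioc.first_seen <= timedelta(days=max_age_days):
            active[ioc.value] = ioc
    return active

def match_logs(logs, active: dict, min_confidence: int = 60) -> list:
    """Return (log line, indicator, verdict); low-confidence sources get 'review', not 'alert'."""
    hits = []
    for line in logs:
        _ts, _src, dst = line.split()
        ioc = active.get(dst)
        if ioc:
            verdict = "alert" if ioc.confidence >= min_confidence else "review"
            hits.append((line, ioc.value, verdict))
    return hits
```

Running `match_logs(SAMPLE_LOGS, load_feed(SAMPLE_FEED, parse_ts("2024-05-03T12:00:00Z"), 14))` shows the stale indicator producing no hit at all and the low-confidence one marked for review.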
Operational Threat Intelligence
In the same way that poker players study each other’s quirks so they can predict their opponents’ next move, cybersecurity professionals study their adversaries. Behind every attack is a “who,” “why,” and “how.” The “who” is called attribution. The “why” is called motivation or intent. The “how” is made up of the TTPs the adversary employs. Together, these factors provide context, and context provides insight into how adversaries plan, conduct, and sustain campaigns and major operations. This insight is operational intelligence.
type of malware or infrastructure.
Operational intelligence is most useful for those cybersecurity professionals who work in a SOC (security operations center) and are responsible for performing day-to-day operations. Cybersecurity disciplines such as vulnerability management, incident response and threat monitoring are the biggest consumers of operational intelligence, as it helps make them more proficient and more effective at their assigned functions.
Strategic Threat Intelligence
Adversaries don’t operate in a vacuum — in fact, there are almost always higher-level factors that surround the execution of cyber attacks. For example, nation-state attacks are typically linked to geopolitical conditions, and geopolitical conditions are linked to risk. Furthermore, with the adoption of financially motivated Big Game Hunting, cyber-crime groups are constantly evolving their techniques and should not be ignored.
Strategic intelligence helps decision-makers understand the risks posed to their organizations by cyber threats. With this understanding, they can make cybersecurity investments that effectively protect their organizations and are aligned with its strategic priorities.
Strategic intelligence tends to be the hardest form of intelligence to generate. Strategic intelligence requires human collection and analysis that demands an intimate understanding of both cybersecurity and the nuances of the world’s geopolitical situation. Strategic intelligence usually comes in the form of reports. For more info: cyber threat intelligence