3 Types of Threat Intelligence

Threat Intelligence can empower us with knowledge about existing or potential threats. The information can be straightforward, such as a malicious domain name, or complex, such as an in-depth profile of a known adversary. Keep in mind that there is a maturity curve when it comes to intelligence represented by the three levels listed below. With each level, the context and analysis of CTI becomes deeper and more sophisticated, caters to different audiences, and can get more costly.

• Tactical intelligence
• Operational intelligence
• Strategic intelligence

Tactical Threat Intelligence

Tactical intelligence is focused on the immediate future, is technical in nature, and identifies simple indicators of compromise (IOCs). IOCs are things such as bad IP addresses, URLs, file hashes and known malicious domain names. It can be machine-readable, which means that security products can ingest it through feeds or API integration.

Tactical intelligence is the easiest type of intelligence to generate and is almost always automated. As a result, it can be found via open source and free feeds, but it usually has a very short lifespan because IOCs such as malicious IPs or domain names can become obsolete in days or even hours.

It’s important to note that simply subscribing to Intel feeds can result in plenty of data, but offers little means to digest and strategically analyze the threats relevant to you. Also, false positives can occur when the source is not timely or of high fidelity.

Operational Threat Intelligence

In the same way that poker players study each other’s quirks so they can predict their opponents’ next move, cybersecurity professionals study their adversaries.

Behind every attack is a “who,” “why,” and “how.” The “who” is called attribution. The “why” is called motivation or intent. The “how” is made up of the TTPs the adversary employs. Together, these factors provide context, and context provides insight into how adversaries plan, conduct, and sustain campaigns and major operations. This insight is operational intelligence.

type of malware or infrastructure.

Operational intelligence is most useful for those cybersecurity professionals who work in a SOC (security operations center) and are responsible for performing day-to-day operations. Cybersecurity disciplines such as vulnerability management, incident response and threat monitoring are the biggest consumers of operational intelligence as it helps make them more proficient and more effective at their assigned functions.

Strategic Threat Intelligence

Adversaries don’t operate in a vacuum — in fact, there are almost always higher level factors that surround the execution of cyber attacks. For example, nation-state attacks are typically linked to geopolitical conditions, and geopolitical conditions are linked to risk. Furthermore, with the adoption of financially motivated Big Game Hunting, cyber-crime groups are constantly evolving their techniques and should not be ignored.

Strategic intelligence helps decision-makers understand the risks posed to their organizations by cyber threats. With this understanding, they can make cybersecurity investments that effectively protect their organizations and are aligned with its strategic priorities.

Strategic intelligence tends to be the hardest form of intelligence to generate. Strategic intelligence requires human collection and analysis that demands an intimate understanding of both cybersecurity and the nuances of the world’s geopolitical situation. Strategic intelligence usually comes in the form of reports. For more info: cyber threat intelligence