There are four types of threat intelligence: strategic, tactical, operational and technical. It should be noted that while technical and operational threat intelligence are often treated synonymously, there are differences between the two.
Strategic threat intelligence: Strategic threat intelligence is the assimilation of the broad, overall factors that affect an organization’s threat landscape and the use of that information to refine the organization’s cybersecurity strategy. The goal of strategic threat intelligence is to evaluate what vulnerabilities and risks an organization faces, and which threat actors might pose the biggest risk. It assists with determining high-level patterns, targets and events that could affect an organization’s threat landscape, also taking into account geopolitical factors and cyber trends.
Strategic threat intelligence involves massive amounts of data, often in multiple languages, that then have to be processed into useful information. It requires knowledge of cybersecurity, of the nuances of political situations and global diplomacy, and of the business value of the organization. Because collecting and processing threat intelligence can be extremely time-consuming and labor-intensive, organizations often benefit from a threat intelligence solution that automates the collection and processing of data; the output can then be turned into an intelligence report, letting security professionals and analysts focus on applying that strategic threat intelligence.
Tactical threat intelligence: Tactical threat intelligence is the analysis of the tactics, techniques and procedures (TTPs) of cyber threat actors. It provides insight into potential attack vectors and allows security professionals to evolve their defenses to better withstand those attacks.
Tactical threat intelligence also takes into account any preferred vulnerabilities and common infrastructure a threat actor might use. The goal of tactical threat intelligence is to scout out what the enemy is planning and prepare for it with appropriate security controls and security solutions, especially if you can learn the threat actors’ methods for avoiding or delaying detection. You can then use that information to improve the existing security strategy and make incident management and response more efficient.
Tactical threat intelligence is usually used by those directly involved in deciding on and implementing the organization’s cybersecurity strategy, such as CISOs, systems administrators, system architects and the security team. Its sources include security intelligence reports, subject matter experts and various data feeds. However, the organization’s own network data is also crucial to this process, because tactical intelligence leads organizations across different industries to take the different actions best suited to their own business.
Operational threat intelligence: Operational threat intelligence is the process of gathering knowledge about specific cyberattacks, threat actors, campaigns and/or events into profiles of threat actors, focusing specifically on answering the five W’s: who, what, when, where and why. These profiles are the result of investigating all facets of an actor’s involvement, motives and past attack plans in order to predict how they may act in the future.
Operational threat intelligence is very helpful for cybersecurity professionals who are responsible for daily operations. It assists threat monitoring and incident response because it provides a better understanding of what these professionals are looking for and what action to take when they find suspicious events.
Technical threat intelligence: Technical threat intelligence is the process of gathering specific evidence of an attack and then using that information to build a defense against the threat. It looks for known indicators of compromise (IOCs), such as the content of phishing emails, malware samples, fraudulent URLs and reported IP addresses.
Technical threat intelligence ties into operational threat intelligence because profiles of specific attacks can be added to profiles of specific groups, and likewise is most useful to the security team that is actively interacting with the system. This threat intelligence is shared via specific threat data feeds, which are often aligned to a single indicator type, such as fraudulent URLs or malware hashes.
The biggest issue with technical threat intelligence is that it has a very short shelf life. Many times, fraudulent URLs and malicious IPs are gone within days. In order for technical threat intelligence to be most useful, it must be shared quickly and efficiently.
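As an added example (not code from the original article), the following Python script shows the shelf-life problem in practice: a constructed IOC feed with reported timestamps, a few constructed proxy/firewall log lines, and a matcher that drops indicators older than an assumed seven-day shelf life before looking for hits, so that expired IPs and URLs do not generate stale alerts. The feed values, log format and the seven-day window are all assumptions made for this illustration.

```python
from datetime import datetime, timedelta

# Constructed sample feed. Technical threat intelligence is usually shared as
# single-indicator-type feeds; here a small IP feed and a URL feed are merged.
IOC_FEED = [
    {"type": "ip",  "value": "203.0.113.7",                  "reported": "2024-03-01T08:00:00"},
    {"type": "ip",  "value": "198.51.100.23",                "reported": "2024-03-09T12:00:00"},
    {"type": "url", "value": "http://example.invalid/login", "reported": "2024-03-08T09:30:00"},
]

# Constructed log lines in a simple "timestamp key=value ..." form.
SAMPLE_LOGS = [
    "2024-03-10T10:15:00 action=connect src=10.0.0.5 dst=203.0.113.7 port=443",
    "2024-03-10T10:16:00 action=connect src=10.0.0.6 dst=198.51.100.23 port=443",
    "2024-03-10T10:17:00 action=get src=10.0.0.7 url=http://example.invalid/login",
    "2024-03-10T10:18:00 action=connect src=10.0.0.8 dst=192.0.2.44 port=80",
]

# Assumed shelf life: indicators reported longer ago than this are treated as expired.
SHELF_LIFE = timedelta(days=7)

# Which log fields can carry each indicator type.
FIELD_FOR_TYPE = {"ip": ("src", "dst"), "url": ("url",)}


def active_indicators(feed, now_iso, shelf_life=SHELF_LIFE):
    """Return {value: (type, age)} for indicators still within shelf_life of now_iso."""
    now = datetime.fromisoformat(now_iso)
    active = {}
    for ioc in feed:
        age = now - datetime.fromisoformat(ioc["reported"])
        if timedelta(0) <= age <= shelf_life:   # drop future-dated and expired IOCs
            active[ioc["value"]] = (ioc["type"], age)
    return active


def parse_line(line):
    """Split 'ts k=v k=v ...' into (ts, {k: v}); URL values may themselves contain '='."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split(" ") if "=" in tok)
    return ts, fields


def match_logs(logs, feed, now_iso):
    """Return one hit per (log line, active indicator) pair, with the IOC's age in days."""
    active = active_indicators(feed, now_iso)
    hits = []
    for line in logs:
        ts, fields = parse_line(line)
        for value, (ioc_type, age) in active.items():
            if any(fields.get(f) == value for f in FIELD_FOR_TYPE[ioc_type]):
                hits.append({"ts": ts, "type": ioc_type, "ioc": value, "age_days": age.days})
    return hits
```

Run against the constructed data on 2024-03-10, the nine-day-old IP 203.0.113.7 is ignored even though a log line touches it, while the fresher IP and URL indicators produce hits.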