The 3 Types of Cyber Threat Intelligence – Which one are you using?
By Alex Duffy, CSO emt Distribution
CYBERTHREAT INTELLIGENCE (CTI) is not a buzz-phrase; it’s an essential pillar of a mature cybersecurity strategy. When used and applied correctly, CTI can help security teams prepare for, and defend against, the evolving threat landscape. CTI gives organisations evidence-based, mature and effective cybersecurity strategies.
There are levels of maturity to using and understanding CTI. With each level of maturity, the context and analysis of threat intelligence becomes deeper and more sophisticated, caters to different audiences, and requires more investment.
CTI comes in three levels: tactical intelligence, operational intelligence and strategic intelligence.
Tactical intelligence is the level most commonly used by organisations and represents first level maturity of cyber threat intelligence. It is based on real-time events, investigations and/or activities and provides day-to-day support to operations. Many may use it in their security information and event management (SIEM) tools or on perimeter firewalls, and it consists of indicators of compromise, and files hashes, malicious IPs and domains. These usually have a short life span, as IPs and domains can be repurposed or taken down in days or even hours.
Operational intelligence is data that is designed to drive your day-to-day decision making, resource allocation and task prioritisation. It contains the technical direction of threat actors, indicators of targets and can contain the threats malicious tactics, techniques and procedures (TTPs). Operational intelligence has a longer shelf life because adversaries can’t change their TTPs as easily as they can change their tools like types of malware they use.
Cybersecurity professionals that manage vulnerability management, incident response and threat monitoring are the biggest consumers of operational intelligence as it can help them focus and prioritise their work.
Strategic intelligence is high-level cyber intelligence, usually containing information about foreign policy, global events and internet-based risks against organisations. This intelligence is vital for C-suite executives to allocate budget and align their cyber goals towards real-world objectives. For example, a mining company can review the analysis that the mining sector is under increasing attacks, and can then react appropriately by investing resources into strategic cyber defences.
Strategic intelligence tends to be the hardest form of intelligence to collect. It requires human collection and analysis to understand both cyber security and the worlds geopolitical situation. Strategic intelligence is usually consumed through the use of reports.
CTI increases your organisation’s ability to not only defend itself against current attacks and threats, but also to predict future attacks. The trick is to choose the right intelligence for your needs, and to make the sheer volume of intelligence actionable, whether it be reactive, proactive or futureproofing.
See how Flashpoint and ThreatConnect can help you incorporate all three levels of cyber threat intelligence
This is an extended post from our original article which was first published in AISA.org’s Cyber Cyber Conference Magazine.