Cyber Threat Intelligence (CTI) is one of the main pillars of cybersecurity. Although it is not the answer to all problems, CTI is one of the most relevant tools for the prevention, detection, and response to cyberattacks. In this article, we will clarify why it is important to understand the different types and applications of CTI so that you can better choose products and services that meet your business needs.

Cyber threat intelligence comes in many shapes and sizes and can broadly be classified in three types: strategic, tactical, and operational. Each type of threat intelligence has its own unique purpose and uses, and when used together, they can give organizations a comprehensive overview of the threats they face.

Strategic CTI

Strategic threat intelligence (STI) is focused on longterm planning and identifying broad trends. It can be used to assess an organization’s overall risk posture and to formulate strategies for mitigating those risks. This type of intelligence helps organizations identify potential threats and vulnerabilities, as well as understand the motives and capabilities of adversaries. By understanding the current and future threats, organizations can develop appropriate countermeasures and mitigate the impact of future attacks. For example, if strategic threat intelligence shows that attacks against your industry are on the rise, you may decide to invest in additional security measures or training for your employees. Strategic cyber threat intelligence is usually in the form of white papers, briefings, and reports. The primary audience is the C-suite and board members. 


Tactical CTI

Tactical threat intelligence (TTI) is the gathering and analysis of information about potential threats to an organization, with the goal of identifying and mitigating those threats. It is shorter–term and more actionable than strategic intelligence. Effective TTI requires a deep understanding of the adversary, their capabilities and intentions, and the operating environment. It also requires ongoing collection and analysis of data from a variety of sources, both human and technical.

TTI is typically used to support specific operations or investigations, and can be tailored to the specific needs of a team or individual. For example, if you’re looking into a suspected phishing attack, tactical intelligence can help you understand the methods and motives of the attackers, and the best ways to defend against them. In short, it helps identify the how and where of attacks.

The how relates to threat actor Tactics, Techniques, and Procedures (TTP), helping understand the methods employed by cybercriminals and their tools to infiltrate your networks. The where relates to tasks like threat hunting. Both identify the extent of incidents and how to prevent and prepare for them. The audience for it is those in the organization who are responsible for network security, architecture, and administration.

Operational CTI

Operational threat intelligence (OTI) is the real–time information that’s most useful for responding to active threats. It can be used to track adversary movements and take immediate action to thwart an attack.

This kind of intelligence is critical for pinpointing and responding to threats in a timely manner. It can help organisations understand the motives and capabilities of their adversaries, as well as their likely next steps. This type of intelligence can be used to improve security posture, defend against attacks, and investigate incidents.

OTI is mostly comprised of machine-readable data, also known as indicators of compromise (IOCs). It is composed of URLs, hashes, domain names, IPs, and so on. Its use ranges from blocking attacks to triaging alerts and searching for threats within a network. The most efficient way to consume it is via tools like firewalls, IDS/IPS, SIEMs, TIPs, and SOARs.

For actionable, current OTI, Malware Patrol offers a wide variety of threat intelligence feeds for use within organizations of all sizes and industries. We verify our feeds constantly – every hour in most cases – to ensure they contain only actionable indicators that protect our customers against malware infections and data breaches.  For ease of use, we format the feeds for compatibility with the most popular security tools and platforms. Contact us to learn more or to request a free evaluation.

Andre Correa

CEO, Malware Patrol