Types of Cyber Threat Intelligence

Cyber Threat Intelligence (CTI) is one of the main pillars of cybersecurity strategies. Although it is not the answer to all cybersecurity problems, CTI is one of the most relevant tools for incident prevention, detection, and response to cyberattacks.

In this article, we will clarify why it is important to understand the different applications, this way you can choose products and services that best meet your business needs.

We can categorize and divide Cyber Threat Intelligence into three levels: strategic, tactical, and operational.

Strategic CTI

It is non-technical and meant to shed light on trends and motivations affecting the threat landscape.

Strategic cyber threat intelligence exposes the reasons and motivations behind attacks. Specifically seeking to determine who is behind specific threats or campaigns. Also, it focuses on understanding why hackers are interested in an organization or industry data.

Finally, it is usually available as white papers, briefings, and reports. Usually, the primary audience is C-suite and board members.

Tactical CTI

Helps identify the how and where of attacks.

The how relates to threat actor Tactics, Techniques, and Procedures (TTP), helping understand the details of cyberattacks. The where relates to tasks like threat hunting. Both identify the extent of incidents and how to prevent and prepare for them.

Tactical threat intelligence is technical information and is often delivered as vendor reports. The audience is the professionals responsible for network security, architecture, and administration. Cyber security uses this information to trigger improvements in defense mechanisms and also to better understand and respond to incidents.

Operational CTI

Mostly comprised of machine-readable data, also known as indicators of compromise (IOCs). It can be URLs, file names and hashes, domain names, IP addresses, etc.

Its use ranges from blocking attacks to triaging and validating alerts and searching and eliminating specific threats within a network.

The outdated of the IOCs, usually, happens in a matter of hours. Still, it is important to note that aging indicators aren’t good practice as threats may remain active for months or even years, continuing to pose danger to enterprises. As the most volatile of the three types of intelligence, operational indicators are closely vetted and monitored to assure their dependability. The best way to consume it is by tools like SPAM filters, firewalls, IDS/IPS, SIEM, SOAR, etc, helping security teams quickly respond to malicious campaigns.

The collection of operational indicators comes from active campaigns, attacks performed against honeypots, and data shared by third parties.

Malware Patrol offers a wide variety of threat intelligence feeds for use within organizations of all sizes and industries. We verify our feeds constantly – every hour in most cases – to ensure they contain only actionable indicators that protect our customers against malware infections and data breaches.

For ease of use, we format the feeds for compatibility with the most popular security tools and platforms. To learn more or to request a free evaluation, you can contact us and our cybersecurity experts will get in touch with you.

Andre Correa

CEO, Malware Patrol