Cyber threat intelligence (CTI) is one of the main pillars of cybersecurity strategies. Although it is not the answer to all cybersecurity problems, it is a very important tool for incident prevention, detection and response. It is helpful to understand its different applications so you can choose products and services that best meet your business’ needs. Do you know how threat intelligence can be categorized?

Cyber Threat Intelligence can be divided into three levels: strategic, tactical and operational.

Strategic Cyber Threat Intelligence

Strategic threat intelligence is non-technical. It is meant to shed light on trends and motivations affecting the threat landscape. Strategic CTI exposes the reasons and motivations behind attacks, specifically seeking to determine who is behind specific threats or campaigns and why they are interested in an organization or industry vertical.

Strategic CTI is usually produced in the form of white papers, briefings and reports, and its primary audience is C-suite and board members.

Tactical Cyber Threat Intelligence

Tactical CTI helps identify the how and where of attacks. The how relates to threat actors' tactics, techniques and procedures (TTPs), which help analysts understand the details of cyberattacks. The where relates to tasks like threat hunting. Together they identify the extent of incidents and how to prevent and prepare for them.

Tactical threat intelligence is technical information, often delivered as vendor reports. Its audience is professionals involved in network security, architecture and administration. This information should be used to trigger improvements in defense mechanisms and to better understand and respond to incidents.

Operational Cyber Threat Intelligence

Operational intelligence mostly consists of machine-readable data, also known as indicators of compromise (IOCs): URLs, file names and hashes, domain names, IP addresses, etc. Its uses range from blocking attacks to triaging and validating alerts, and to searching for and eliminating specific threats within a network.

IOCs usually become outdated in a matter of hours. Still, it is important to note that automatically aging out indicators is not good practice, as the threats behind them may remain active for months or even years, continuing to pose danger to enterprises. As the most volatile of the three types of intelligence, operational indicators should be closely vetted and monitored to ensure their dependability. They are best consumed by tools like spam filters, firewalls, IDS/IPS, SIEM and SOAR platforms, helping security teams respond quickly to malicious campaigns.

Operational threat intelligence indicators are collected from active campaigns, attacks performed against honeypots and data shared by third parties.
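The following is an added example (not code from Malware Patrol or from this post) that shows how a small consumer of operational CTI can apply the points above: IOCs from several sources are merged and vetted, fresh and corroborated indicators are marked for blocking, fresh but single-sourced ones are raised for review, and older indicators are retained for hunting rather than silently expired. The feed records, log lines, the 12-hour freshness window and the "two sources to block" rule are all constructed assumptions for illustration; the domains use the reserved .test TLD and the IP address comes from the 203.0.113.0/24 documentation range.

```python
"""Added example: consume an operational CTI feed of IOCs, vet each indicator
by freshness and corroboration, and match it against log lines. Aged
indicators are kept for retrospective hunting instead of being expired."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed "current time" (constructed) so the example is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
# Assumption: an IOC counts as fresh for 12 hours after its last sighting.
FRESH_WINDOW = timedelta(hours=12)


@dataclass
class Indicator:
    value: str
    ioc_type: str                      # "ip", "domain" or "sha256"
    first_seen: datetime
    last_seen: datetime
    sources: set = field(default_factory=set)

    def disposition(self, now: datetime) -> str:
        """Decide how a tool should consume this indicator.
        block: fresh and reported by 2+ sources -> safe for firewalls/proxies.
        alert: fresh but single-sourced -> raise for analyst review, no auto-block.
        hunt:  older than the fresh window -> retained for retrospective search,
               because the threat behind it may still be active."""
        age = now - self.last_seen
        if age <= FRESH_WINDOW:
            return "block" if len(self.sources) >= 2 else "alert"
        return "hunt"


# Constructed feed rows, as a vendor or sharing partner might deliver them.
FEED_RECORDS = [
    {"type": "domain", "value": "badactor-c2.example.test",
     "seen": "2024-05-01T10:00:00+00:00", "source": "feed-a"},
    {"type": "domain", "value": "badactor-c2.example.test",
     "seen": "2024-05-01T09:30:00+00:00", "source": "feed-b"},
    {"type": "ip", "value": "203.0.113.77",
     "seen": "2024-02-01T08:00:00+00:00", "source": "feed-a"},
    {"type": "sha256", "value": "0123456789abcdef" * 4,   # constructed hash
     "seen": "2024-05-01T11:00:00+00:00", "source": "honeypot"},
]


def load_feed(records: list[dict]) -> dict[tuple[str, str], Indicator]:
    """Merge raw feed rows into one Indicator per (type, value), keeping the
    earliest first_seen, the latest last_seen and the union of sources."""
    indicators: dict[tuple[str, str], Indicator] = {}
    for rec in records:
        key = (rec["type"], rec["value"].lower())
        seen = datetime.fromisoformat(rec["seen"])
        ioc = indicators.get(key)
        if ioc is None:
            indicators[key] = Indicator(key[1], key[0], seen, seen, {rec["source"]})
        else:
            ioc.first_seen = min(ioc.first_seen, seen)
            ioc.last_seen = max(ioc.last_seen, seen)
            ioc.sources.add(rec["source"])
    return indicators


# Observable extraction from free-text log lines.
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
}


def extract_observables(line: str) -> set[tuple[str, str]]:
    """Return every (type, value) candidate found in one log line."""
    found = set()
    for ioc_type, pattern in PATTERNS.items():
        for match in pattern.findall(line):
            found.add((ioc_type, match.lower()))
    return found


def match_logs(lines, indicators, now=NOW) -> list[dict]:
    """One hit per (log line, known indicator), with the consumption decision."""
    known = set(indicators)
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for key in sorted(extract_observables(line) & known):
            ioc = indicators[key]
            hits.append({"line": line_no, "type": ioc.ioc_type,
                         "value": ioc.value, "disposition": ioc.disposition(now)})
    return hits


# Constructed log lines: proxy, DNS, firewall and EDR events.
LOG_LINES = [
    "2024-05-01T11:50:02Z proxy allow 10.0.0.5 -> updates.example-cdn.test GET /a.js",
    "2024-05-01T11:51:17Z dns query src=10.0.0.7 qname=badactor-c2.example.test type=A",
    "2024-05-01T11:52:40Z fw deny 10.0.0.9 -> 203.0.113.77:443",
    "2024-05-01T11:53:03Z edr file-write host=ws12 sha256=" + "0123456789abcdef" * 4,
]

if __name__ == "__main__":
    for hit in match_logs(LOG_LINES, load_feed(FEED_RECORDS)):
        print(f"line {hit['line']}: {hit['type']} {hit['value']} -> {hit['disposition']}")
```

The three dispositions map onto the consumers named above: "block" entries are what a firewall, proxy or spam filter can act on directly, "alert" entries belong in a SIEM or SOAR queue for validation, and "hunt" entries stay in the store so a retrospective search still catches a campaign whose infrastructure was first reported months ago.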

Andre Correa

CEO, Malware Patrol