Today we are going to help you think about the different types of threat intelligence. You will see that each of them answers a distinct objective, or a business reality, of information security.
3 types of threat intelligence
Threat intelligence is generally divided into three subcategories:
- Strategic — broader trends, normally aimed at a non-technical audience;
- Tactical — outlines of threat actors' tactics, techniques, and procedures (TTPs), for a more technical audience;
- Operational — technical details about specific attacks and campaigns.
Below is a breakdown of each of these subcategories.
1. Strategic threat intelligence
Strategic threat intelligence provides a broad overview of the organization's threat landscape. It is intended to inform high-level decisions made by executives and other decision makers in an organization — as such, the content is often less technical and is presented through reports or briefings.
Good strategic intelligence should provide insights into areas such as the risks associated with certain courses of action, broad patterns in the tactics and targets of threat actors, and geopolitical events and trends.
Common sources of information for strategic threat intelligence include:
- policy documents from nation-states or non-governmental organizations;
- news from local and national media, industry and subject-specific publications or other subject matter experts;
- white papers, research reports and other content produced by security organizations.
Producing strong strategic threat intelligence starts with specific, focused questions to define intelligence requirements. Analysts with experience outside of typical cybersecurity skills are also needed—in particular, a strong understanding of socio-political and business concepts.
While the final product is not technical, producing effective strategic intelligence requires deep research through large volumes of data, often in multiple languages.
This can make the initial collection and processing of data very difficult to perform manually, even for the rare analysts who combine the right language skills with a technical background.
So a threat intelligence solution that automates the collection and processing of data helps reduce this burden and allows less experienced analysts to work more efficiently.
2. Tactical threat intelligence
Tactical threat intelligence describes the tactics, techniques, and procedures of threat actors. It should help defenders understand, in specific terms, how their organization can be attacked and the best ways to defend against or mitigate those attacks. Because TTPs change far less often than individual indicators such as file hashes or domains, tactical intelligence tends to stay useful for longer.
It typically includes technical context and is used by personnel directly involved in an organization's defense, such as system architects, administrators, and security staff.
Reports produced by security vendors are often the easiest way to obtain tactical threat intelligence.
When reading such reports, look actively for the attack vectors, tools, and infrastructure attackers are using: which vulnerabilities are being targeted and which exploits are being used against them, as well as the strategies and tools attackers rely on to avoid or delay detection.
3. Operational threat intelligence
Operational intelligence is knowledge about cyber attacks, events or campaigns. It provides expert insights that help incident response teams understand the nature, intent, and timing of specific attacks.
Because this often includes technical information—such as what attack vector is being used, what vulnerabilities are being exploited, or what command and control domains are being employed—this type of intelligence is also called technical threat intelligence.
A common source of technical information is threat data feeds, which often focus on a single type of indicator, such as malware hashes or suspicious domains. Indicators of this kind age quickly: a domain or IP address can be abandoned or reassigned within days, so a usable feed carries last-seen dates and the consumer applies an expiry policy, otherwise stale entries produce false positives.
But if technical threat intelligence is taken strictly as intelligence derived from technical information such as threat data feeds, then technical and operational threat intelligence are not entirely synonymous; they are more like a Venn diagram with a large overlap.
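To make the feed-consumption step concrete, here is an added example (it is not code from the original post or from any vendor): it loads a single-indicator-type feed, drops entries older than an expiry window, normalizes domains and hashes so feed and log values compare cleanly, and then matches the active indicators against log lines. The feed rows, the log lines, the dates and the 90-day window are all constructed for illustration.

```python
"""Added example (not from the original post): consume a threat data feed that
carries one indicator per row and match it against log events.
Feed rows, log lines, dates and the expiry window are constructed for
illustration and do not come from any real vendor feed."""
from __future__ import annotations

import csv
import io
import re
from datetime import date, timedelta

# Constructed indicator feed. Real feeds (STIX/TAXII, MISP, vendor CSV) differ
# in shape but carry the same essentials: type, value, last-seen date, source.
FEED_CSV = """type,value,last_seen,source
domain,update-check.example,2024-05-02,constructed-feed
domain,cdn-assets.example,2023-01-15,constructed-feed
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,2024-04-28,constructed-feed
"""

# Constructed log lines: a DNS resolver log and an endpoint file-write event.
LOG_LINES = [
    "2024-05-03T10:14:02Z dns client=10.0.0.12 query=UPDATE-CHECK.example. rcode=NOERROR",
    "2024-05-03T10:15:40Z file host=ws-07 path=C:\\Users\\a\\Downloads\\inv.exe "
    "sha256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "2024-05-03T10:16:01Z dns client=10.0.0.9 query=cdn-assets.example. rcode=NOERROR",
    "2024-05-03T10:17:22Z dns client=10.0.0.9 query=www.example. rcode=NOERROR",
]

# Field extractors for the two observable types the constructed feed covers.
_DOMAIN_RE = re.compile(r"\bquery=([A-Za-z0-9.-]+)")
_SHA256_RE = re.compile(r"\bsha256=([0-9A-Fa-f]{64})\b")


def normalise(kind: str, value: str) -> str:
    """Feeds and logs disagree on case and trailing dots; compare canonical forms."""
    value = value.strip().lower()
    if kind == "domain":
        value = value.rstrip(".")
    return value


def load_feed(csv_text: str, as_of: date, max_age_days: int) -> dict[str, dict[str, str]]:
    """Return {type: {value: source}} for indicators seen within max_age_days.

    Stale indicators (a domain that was C2 a year ago and has since been
    re-registered by someone benign) are a leading cause of false positives,
    so they are dropped at load time rather than matched and triaged later.
    """
    cutoff = as_of - timedelta(days=max_age_days)
    active: dict[str, dict[str, str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if date.fromisoformat(row["last_seen"]) < cutoff:
            continue
        kind = row["type"].strip().lower()
        active.setdefault(kind, {})[normalise(kind, row["value"])] = row["source"]
    return active


def extract_observables(line: str) -> list[tuple[str, str]]:
    """Pull the observables a feed could match from one log line."""
    found: list[tuple[str, str]] = []
    for m in _DOMAIN_RE.finditer(line):
        found.append(("domain", normalise("domain", m.group(1))))
    for m in _SHA256_RE.finditer(line):
        found.append(("sha256", normalise("sha256", m.group(1))))
    return found


def match_logs(lines: list[str], indicators: dict[str, dict[str, str]]) -> list[dict]:
    """Report each log line whose observables appear in the active indicator set."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for kind, value in extract_observables(line):
            source = indicators.get(kind, {}).get(value)
            if source is not None:
                hits.append({"line": n, "type": kind, "value": value, "source": source})
    return hits


def run_example() -> list[dict]:
    """Load the constructed feed as of 2024-05-03 with a 90-day window and match."""
    active = load_feed(FEED_CSV, as_of=date(2024, 5, 3), max_age_days=90)
    return match_logs(LOG_LINES, active)


if __name__ == "__main__":
    for hit in run_example():
        print(f"line {hit['line']}: {hit['type']} {hit['value']} (from {hit['source']})")
```

Run as-is, the script reports two hits: the DNS query for `update-check.example` (the log wrote it upper-case with a trailing dot, which normalisation removes) and the file whose SHA-256 is in the feed. The query for `cdn-assets.example` is not reported even though the domain appears in the feed, because its last-seen date falls outside the 90-day window; that silence is the point of the expiry policy.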
Other sources of information about specific attacks may come from closed sources, such as intercepting communications from threat groups, either through infiltration or intrusion of these communication channels.
As a result, there are several barriers to collecting this kind of intelligence:
- Access — Threat groups can communicate over private, encrypted channels or require some proof of identification. There are also language barriers with threat groups located in foreign countries.
- Noise — It can be difficult or impossible to manually gather good intelligence from high-volume sources such as chat rooms and social media.
- Obfuscation — To avoid detection, threat groups may employ obfuscation tactics, such as using aliases.
Threat intelligence solutions that rely on machine learning for automated, large-scale data collection can overcome many of these issues when developing effective operational threat intelligence.
A solution that uses natural language processing, for example, can collect and translate information from foreign-language sources without a human analyst having to read every item in the original language.
How is the topic of threat intelligence being handled in your company? Go deeper into this concept by downloading the eBook that we just released!