Threat intelligence is contextual information that describes threats and helps organizations make better business and security decisions. It is extracted from a large collection of sources and raw information, and it provides operational insight by looking outside the organization and raising alerts on threats that are evolving against it. To manage information collected from so many sources, threat intelligence is subdivided into types according to who consumes it and for what purpose. Based on consumption, it is commonly divided into four types: strategic, tactical, operational, and technical threat intelligence. The four types differ in how the data is collected, how it is analyzed, and who consumes the resulting intelligence.
Strategic Threat Intelligence
Strategic threat intelligence provides high-level information about the organization's cyber security posture, threats, attack trends, the financial impact of various cyber activities, and the consequences of high-level business decisions. It is consumed by executives and senior management such as IT management and the CISO. It assists management in identifying current cyber risks, anticipating future risks, profiling threat groups, and attributing breaches. The intelligence provides a risk-based view that focuses on high-level risk concepts and their probability. It addresses long-term issues concerning the organization's critical assets such as IT infrastructure, employees, customers, and applications, rather than real-time alerting. Management uses this intelligence to make strategic business decisions and to analyze the effect of those decisions; based on that analysis, it can allocate sufficient budget and staff to protect critical IT assets and business processes.
Strategic threat intelligence is usually delivered as a report that focuses on high-level business strategy. Because it operates at this level, its collection also draws on high-level sources and requires highly skilled analysts to extract the intelligence. Typical sources are OSINT, CTI vendors, and ISAOs/ISACs. Strategic threat intelligence helps an organization identify similar incidents that have happened in the past, understand adversaries' intentions and attribution, understand why the organization is within the scope of an attack, recognize major attack trends, and decide how to reduce its risk level.
Strategic threat intelligence includes the following information:
- Attribution for intrusions and data breaches
- The financial impact of the cyber activity
- Threat actors and attack trends
- Threat landscape for various industry sectors
- Geopolitical context of various cyber attacks
- Statistical information on data breaches, data theft, and malware
- Information on how adversary TTPs are changing over time
- Industry sectors that might be affected by high-level business decisions
Tactical Threat Intelligence
Tactical threat intelligence plays a key role in protecting the organization's resources. It provides information about the tactics, techniques, and procedures (TTPs) that threat actors use to perform attacks. It is consumed by cyber security professionals such as IT service managers, security operations managers, network operations center (NOC) staff, administrators, and architects. It helps them understand how adversaries are expected to attack the organization, identify information leaking from the organization, and understand the attackers' technical capabilities, goals, and attack vectors. Using this intelligence, security personnel can develop detection and mitigation strategies in advance, for example by updating security products with identified indicators and patching vulnerable systems.
Collection sources for tactical threat intelligence include campaign reports, malware samples, incident reports, attack group reports, and human intelligence. It is generally obtained by reading white papers and technical papers, exchanging information with other organizations, or purchasing intelligence from third parties. It includes highly technical information about malware, campaigns, techniques, and tools, often in the form of forensic reports. It also provides day-to-day operational support by helping analysts assess security incidents, events, and investigations, and it informs the strategic decisions of high-level executives.
Operational Threat Intelligence
Operational threat intelligence provides information about specific threats against the organization. It supplies contextual information about security events and incidents that helps defenders uncover potential risks, understand attacker methodologies, identify past malicious activity, and investigate malicious activity more effectively.
Operational threat intelligence is consumed by security managers, heads of incident response, network defenders, security forensics teams, and fraud detection teams. It helps the organization understand the likely threat actors, their intentions, capabilities, and opportunities to attack, the IT assets that are vulnerable, and the impact an attack would have if it succeeded. It is generally collected from human sources, social media and chat rooms, and from real-world activities and events that result in cyberattacks; because such sources are hard to access, in many cases only government organizations are able to collect this type of intelligence. It also helps IR and forensic teams deploy security assets to identify and stop upcoming attacks, detect attacks at an earlier stage, and reduce the damage to IT assets.
Operational threat intelligence is obtained by analyzing human behavior, threat groups, and similar sources. This information helps predict future attacks, which in turn lets the organization refine its incident response plans and mitigation strategies. It is generally delivered as a report containing identified malicious activities, recommended courses of action, and warnings of emerging attacks.
Technical Threat Intelligence
Technical threat intelligence provides information about the resources an attacker uses to perform an attack, such as command and control channels and tools. It has a shorter lifespan than tactical threat intelligence and focuses on specific indicators of compromise (IoCs), which allows rapid distribution and response to threats. For example, the malware family used to perform an attack is tactical threat intelligence, whereas the details of that malware's specific implementation fall under technical threat intelligence. Other examples of this type include the specific IP addresses and domains used by malicious endpoints, phishing email headers, and hash checksums of malware samples.
Technical threat intelligence is consumed by SOC staff and IR teams. Its indicators are collected from active campaigns, from attacks performed against other organizations, or from data feeds provided by external third parties, generally as a by-product of investigations into those attacks. Security professionals add the identified indicators to defensive systems such as IDS/IPS, firewalls, and endpoint security products, improving their ability to detect attacks at an early stage and to identify malicious traffic and suspected IP addresses used to spread malware and spam. Because it is machine-readable, this intelligence is fed directly into security devices to identify and block malicious inbound and outbound traffic on the organization's network. Indicators of this kind age quickly, so a feed should carry an expiry for each entry and stale indicators should be retired to limit false positives.
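As an added example (not code from the original page or from Securemind), the following Python script shows the last step described above in miniature: loading a small indicator feed, discarding malformed and expired entries, normalizing the survivors (defanged domains, upper-case hashes), and matching IPs, domains and file hashes against proxy/EDR events. The CSV feed layout, the event field names and every IP, domain, hash and timestamp are constructed for illustration and are assumptions, not data from any real feed or network.

```python
"""Match technical threat-intelligence indicators against telemetry.

Added example; feed layout, event fields and all sample data are constructed.
"""
import csv
import io
import ipaddress
import re
from datetime import date, timedelta

# Constructed indicator feed (assumed layout: type,value,first_seen,ttl_days).
# Each indicator carries a validity window because technical IoCs age quickly.
FEED_CSV = """type,value,first_seen,ttl_days
ipv4,203.0.113.45,2024-05-01,30
domain,update-check[.]example[.]net,2024-05-02,30
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,2024-01-01,365
ipv4,198.51.100.7,2023-11-01,30
ipv4,not-an-ip,2024-05-01,30
"""

# Constructed proxy/EDR events (hypothetical field names).
SAMPLE_EVENTS = [
    {"ts": "2024-05-10T09:00:00Z", "dst": "203.0.113.45", "host": "cdn.example.com", "sha256": None},
    {"ts": "2024-05-10T09:01:00Z", "dst": "192.0.2.10", "host": "mail.update-check.example.net", "sha256": None},
    {"ts": "2024-05-10T09:02:00Z", "dst": "192.0.2.11", "host": "intranet.local",
     "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"ts": "2024-05-10T09:03:00Z", "dst": "198.51.100.7", "host": "legacy.example.org", "sha256": None},
]
TODAY = date(2024, 5, 10)  # "current" date for the expiry check

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def refang(value):
    """Undo the defanging feeds apply ("[.]", "hxxp") so values compare to live data."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip()


def normalize(ioc_type, value):
    """Return the canonical form of an indicator, or None if it is malformed."""
    value = refang(value)
    if ioc_type == "ipv4":
        try:
            return str(ipaddress.IPv4Address(value))
        except ValueError:  # covers AddressValueError
            return None
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    if ioc_type in HASH_LEN:
        v = value.lower()
        return v if len(v) == HASH_LEN[ioc_type] and HEX_RE.match(v) else None
    return None


def load_feed(csv_text, today):
    """Parse the feed, drop malformed and expired rows, bucket indicators by type."""
    indicators = {"ipv4": set(), "domain": set(), "md5": set(), "sha1": set(), "sha256": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        first_seen = date.fromisoformat(row["first_seen"])
        if first_seen + timedelta(days=int(row["ttl_days"])) < today:
            continue  # aged out: stale indicators mostly generate false positives
        value = normalize(row["type"], row["value"])
        if value is not None and row["type"] in indicators:
            indicators[row["type"]].add(value)
    return indicators


def domain_matches(host, domains):
    """Exact or parent-domain match (mail.evil.example hits evil.example).

    In production stop walking up at the registrable domain so a bare TLD or a
    shared hosting suffix in the feed cannot match every host on the network.
    """
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in domains:
            return candidate
    return None


def match_event(event, indicators):
    """Return the (type, indicator) pairs that a single event hits."""
    hits = []
    if event.get("dst") in indicators["ipv4"]:
        hits.append(("ipv4", event["dst"]))
    dom = domain_matches(event.get("host", ""), indicators["domain"])
    if dom:
        hits.append(("domain", dom))
    digest = (event.get("sha256") or "").lower()
    if digest in indicators["sha256"]:
        hits.append(("sha256", digest))
    return hits


def scan(events, indicators):
    """Run every event through the indicator sets; return timestamped hits."""
    return [(e["ts"], t, v) for e in events for t, v in match_event(e, indicators)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS, load_feed(FEED_CSV, TODAY)):
        print(hit)
```

Run as written, the script reports three hits: the direct IP match, the subdomain of the defanged feed domain, and the hash despite the case difference. The fourth event is silent because the indicator for 198.51.100.7 expired months earlier and was never loaded, which is the expiry behaviour the short lifespan of technical intelligence calls for.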
Previously, we discussed how Threat Hunting helps organizations.