This is the second blog in a series called “What is Threat Intelligence?” The first blog in the series can be found here. Stay tuned for future installments in this series.
Maintaining a strong security posture requires developing and answering many questions specific to the organization. Many of these questions must be answered continually as situations and environments evolve. Will bringing in additional security solutions really provide that much more protection? Is it worth the cost to update each and every legacy system? Who are my adversaries and how might they attack me? Many organizations choose to tackle these questions and make more informed decisions with context from threat intelligence. This curated information is generally divided into three subsets:
Strategic intelligence (who/why) is the 100,000-foot view, providing a big-picture look at how threats and attacks are changing over time. Strategic intel may be able to identify historical trends, motivations, or attributions as to who is behind an attack. Who is attacking you and why? Who might attack organizations in your sector? Why are you within scope for an attack? What are the major trends happening? What kind of things do you need to do to reduce your risk profile? Knowing the who and why of your adversaries also provides clues to their future operations and tactics. This makes strategic intelligence a solid starting point for deciding which defensive measures will be most effective.
Strategic intelligence might include information on the following topic areas:
If you are in the education sector, you may wonder which nation states and which groups you should be concerned about. Where do you need to focus your resources to reduce the risk of an intrusion and theft of intellectual property? Or perhaps you know you’re in an industry or region that is frequently targeted by the actor APT29.
Strategic threat intelligence is built upon a huge body of knowledge and includes expert opinions and insights that are based on aggregating both operational and tactical intelligence from known cyber attacks.
There are many uses for strategic intel including, but not limited to, the following:
Next up - What is Operational Threat Intelligence?
Steve Miller is an incident response professional and a threat intelligence analyst. Steve has ten years of experience in the broader security and IT industries in areas such as computer forensics, communications signals analysis and intelligence program management. Steve has built security operations centers around the world, conducted hundreds of intrusion investigations and, of course, chased down a lot of evil – work that directly led to the discovery of tons of new zero-days, APT malware families, and targeted attack campaigns.