Threat intelligence is a subset of intelligence focused on information security. Gartner (sorry, people) defines threat intelligence as “evidence-based knowledge...about an existing or emerging menace or hazard...to inform decisions regarding the subject’s response to that menace or hazard.” In short, threat intelligence is curated information intended to inform you and help you make better decisions about how to stop bad things from happening to you.
There are a few schools of thought and several sets of vernacular used to describe cyber threat intelligence. But there are generally three “levels” of cyber threat intelligence: strategic, operational and tactical. Some of the similarities and differences between these kinds of intelligence are summarized below:
| Type | Tagline | Half life of utility (for good guys and bad guys) | Focus | Built on the analysis of | Output data types |
|---|---|---|---|---|---|
| Strategic |  | Long (multiyear) | Non-technical | Big campaigns, groups, multi victim intrusions (and operational intel) | Long form writing about: victimology, YoY methodology, mapping intrusions and campaigns to conflicts, events and geopolitical pressures |
| Operational |  | Medium (one year plus) | Mixed (both really) | Whole malware families, threat groups, human behavior analysis (and tactical intel) | Short form writing, bulleted lists, about: persistence and comms techniques, victims, group profiles, family profiles, TTP descriptions, triggers, patterns, and methodology rules |
| Tactical | What? | Short (months) | Technical | Security events, individual malware samples, phishing emails, attacker infrastructure | Atomic and machine-readable indicators such as IPs, domains, IOCs, “signatures” |

Collecting each flavor of intelligence is important because they serve different functions.
Analysts deal with a lot of alerts. Alerts enriched with tactical intelligence provide more context and help analysts determine which threats are worth worrying about and which can safely be ignored. Attackers change these atomic indicators quickly, though, so it is important to also incorporate operational and strategic intelligence into decisions.
Operational intelligence helps fuel meaningful detection, incident response and hunting programs. For example, it can help identify patterns in attacks from which we can create logical rules in our security tooling that detect the malicious behavior itself, not just specific indicators.
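The difference between the two preceding paragraphs, an alert enriched with atomic indicators versus a rule built from an operational pattern, is easier to see in code. The following script is an added example, not code from the original post: it runs a tactical IOC match and an operational behavioral rule over a handful of constructed endpoint events. The event schema, the user-writable path prefixes, the IOC values (documentation-range addresses) and the rule itself ("a scheduled task whose command lives in a user-writable directory, followed by an outbound connection from that binary") are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed tactical intelligence: atomic, machine-readable indicators.
# The values are hypothetical (documentation/TEST-NET ranges), not real IOCs.
TACTICAL_IOCS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-check.example"},
}

# Constructed operational intelligence, the kind of short-form methodology
# rule an analyst writes: "a scheduled task whose command lives in a
# user-writable directory, followed by an outbound connection from that binary".
USER_WRITABLE_PREFIXES = ("C:\\Users\\", "/tmp/", "/home/")


@dataclass
class Event:
    host: str
    kind: str      # "scheduled_task" or "network" (assumed schema)
    fields: dict   # free-form attributes of the event


def tactical_match(event):
    """Enrich one event with any atomic indicators it matches."""
    hits = []
    if event.kind != "network":
        return hits
    dst_ip = event.fields.get("dst_ip")
    dst_domain = event.fields.get("dst_domain")
    if dst_ip in TACTICAL_IOCS["ip"]:
        hits.append(("ip", dst_ip))
    if dst_domain in TACTICAL_IOCS["domain"]:
        hits.append(("domain", dst_domain))
    return hits


def _basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def operational_match(events):
    """Apply the behavioral rule per host, independent of any specific IP or domain."""
    alerts = []
    by_host = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)
    for host, host_events in by_host.items():
        staged_binaries = set()
        for ev in host_events:  # events are assumed to be in time order
            if ev.kind == "scheduled_task":
                cmd = ev.fields.get("command", "")
                if cmd.startswith(USER_WRITABLE_PREFIXES):
                    staged_binaries.add(_basename(cmd))
            elif ev.kind == "network":
                proc = ev.fields.get("process")
                if proc in staged_binaries:
                    alerts.append((host, proc, ev.fields.get("dst_ip")))
    return alerts


def triage(events):
    """Return both views so an analyst can see what each level of intel catches."""
    tactical = [(ev.host, hit) for ev in events for hit in tactical_match(ev)]
    return {"tactical": tactical, "operational": operational_match(events)}


# Constructed sample telemetry. host-a uses infrastructure that is in the IOC
# list; host-b uses the same technique on infrastructure the list has not
# caught up with; host-c is a benign scheduled task from a system path.
SAMPLE_EVENTS = [
    Event("host-a", "scheduled_task", {"command": "C:\\Users\\bob\\AppData\\Local\\svc.exe"}),
    Event("host-a", "network", {"process": "svc.exe", "dst_ip": "203.0.113.45"}),
    Event("host-b", "scheduled_task", {"command": "C:\\Users\\amy\\AppData\\Roaming\\upd.exe"}),
    Event("host-b", "network", {"process": "upd.exe", "dst_ip": "198.51.100.7"}),
    Event("host-c", "scheduled_task", {"command": "C:\\Windows\\System32\\backup.exe"}),
    Event("host-c", "network", {"process": "backup.exe", "dst_domain": "backup.example"}),
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("tactical hits:   ", result["tactical"])   # only host-a
    print("operational hits:", result["operational"])  # host-a and host-b
```

Run as-is, the tactical match fires only on host-a, because host-b's infrastructure is not yet in the indicator list; the operational rule fires on both, because the behavior (a binary staged in a user profile, persisted by a scheduled task, then calling out) has not changed. That is the half-life difference from the table: the indicator went stale, the pattern did not.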
Strategic intelligence can help with assessing and mitigating current and future risks to organizations. For example, a corporation releasing a new product or completing a merger will want to understand not only the potential impact but also the associated risks. This intelligence is particularly useful for people in leadership roles such as CISOs and executive leadership who must justify budgets and make better informed investment decisions.
The sum of these different kinds of threat intelligence is the ability to make informed decisions on how to proactively and reactively respond to threats. This includes what solutions to use, how they should be leveraged, and even just who to keep tabs on.
Check back in January for a deeper look into what these three kinds of intelligence look like and how they’re used.
Steve Miller is an incident response professional and a threat intelligence analyst. Steve has ten years of experience in the broader security and IT industries in areas such as computer forensics, communications signals analysis and intelligence program management. Steve has built security operations centers around the world, conducted hundreds of intrusion investigations and, of course, chased down a lot of evil – work that directly led to the discovery of tons of new zero-days, APT malware families, and targeted attack campaigns.