Cyber threat intelligence (CTI) offers a broad range of capabilities, from tactical and operational to more strategic use cases.
Tactical Threat Intelligence
Tactical threat intelligence is geared towards a more technical audience - from security operations center (SOC) staff, and incident responders, to security experts. Tactical threat intelligence is usually available in a machine-readable format. It is easily integrated into various threat intelligence tools and platforms through APIs and programmatic threat intelligence feeds.
The data points leveraged to detect malicious activities are called Indicators of Compromise (IOCs) and are key elements of this type of threat intelligence delivery. IOCs include IP addresses linked to known threats, malicious domain names, and file hashes that are identified as harmful.
These indicators change very quickly, so it is important to rely on a source that is updated constantly.
Because it provides immediate, actionable data without long-term analysis or broad insights, tactical threat intelligence complements operational and strategic intelligence. When an organization relies on only tactical threat intelligence, there is an increased risk of false positives – i.e., instances where benign activities are incorrectly flagged as malicious.
Uses and Examples of Tactical Cyber Threat Intelligence (CTI)
· Threat Feeds: Continuous streams of data providing information about potential threats.
· Real-Time Alerts: Immediate notifications informing organizations of active threats in their environment.
· Automated Malware Analysis: Automated processes examining malicious software to understand its function and threat level.
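As an added illustration (not code from the original article), the following Python matches a constructed set of log lines against a constructed tactical feed. It applies the two caveats above in code: indicators that have not been confirmed within a freshness window are dropped, and values allowlisted as benign in the environment are skipped, which is where a raw IOC match alone would produce a false positive. The feed entries, log lines, allowlist and key=value field names are all hypothetical.

```python
import re
from datetime import datetime, timedelta
# Constructed sample feed (hypothetical values, not real indicators). Each entry
# records when the indicator was last confirmed, because IOCs go stale fast.
FAKE_HASH = "a3f1" + "0" * 60
IOC_FEED = [
    {"type": "ip", "value": "203.0.113.45", "last_seen": "2024-05-10"},
    {"type": "ip", "value": "198.51.100.7", "last_seen": "2024-05-09"},
    {"type": "domain", "value": "update-check.example", "last_seen": "2023-11-02"},
    {"type": "sha256", "value": FAKE_HASH, "last_seen": "2024-05-11"},
]
# Constructed log lines in a simple key=value format.
LOG_LINES = [
    "2024-05-12T09:01:02 proxy conn src=10.0.0.5 dst=203.0.113.45",
    "2024-05-12T09:02:10 dns query src=10.0.0.8 qname=update-check.example",
    "2024-05-12T09:03:30 edr file src=10.0.0.9 sha256=" + FAKE_HASH,
    "2024-05-12T09:04:00 proxy conn src=10.0.0.5 dst=198.51.100.7",
]
# Values known benign here (e.g. a shared proxy a feed once listed); alerting
# on them blindly is the false-positive risk of using tactical intel alone.
ALLOWLIST = frozenset({"198.51.100.7"})
FIELD_PATTERNS = {  # one extraction pattern per indicator type
    "ip": re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b"),
    "domain": re.compile(r"\bqname=([\w.-]+)"),
    "sha256": re.compile(r"\bsha256=([0-9a-f]{64})\b"),
}

def index_fresh_iocs(feed, now, max_age):
    """Return {type: {value: entry}}, keeping only indicators confirmed within max_age."""
    fresh = {}
    for entry in feed:
        if now - datetime.fromisoformat(entry["last_seen"]) > max_age:
            continue  # stale indicator: do not alert on it
        fresh.setdefault(entry["type"], {})[entry["value"].lower()] = entry
    return fresh

def match_iocs(log_lines, feed, now_iso, max_age_days=90, allowlist=ALLOWLIST):
    """Match log lines against fresh, non-allowlisted IOCs; return the hits."""
    index = index_fresh_iocs(feed, datetime.fromisoformat(now_iso), timedelta(days=max_age_days))
    hits = []
    for line in log_lines:
        for ioc_type, pattern in FIELD_PATTERNS.items():
            m = pattern.search(line)
            if m is None or m.group(1).lower() in allowlist:
                continue
            entry = index.get(ioc_type, {}).get(m.group(1).lower())
            if entry is not None:
                hits.append({"type": ioc_type, "value": entry["value"], "line": line})
    return hits
```

With the 90-day window and the allowlist, only the fresh IP and the file hash produce hits; the stale domain and the allowlisted proxy address do not.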
Operational Threat Intelligence
Operational threat intelligence is all about context. It assembles insights about cyberattacks to answer essential questions about adversarial campaigns and operations. The focus is on Tactics, Techniques, and Procedures (TTPs), as well as the intent and timing of attacks.
Obtaining information is not a straightforward process, as various sources are employed - from chat rooms, social media, and antivirus logs, to records from past attacks. The challenges of this approach are the result of malicious actors often using encryption, ambiguous or coded language, and private chat rooms. Data mining and machine learning are often used to process large volumes of data, but to produce a definitive analysis, the information must be contextualized by experts.
Operational threat intelligence, used in Security Operations Centers (SOCs), enriches security processes such as vulnerability management, threat monitoring, and incident response.
Uses and Examples of Operational Cyber Threat Intelligence (CTI)
· Actor Profiling: Understanding and categorizing cyber adversaries based on their tactics, techniques, and procedures.
· Patch Prioritization: Determining which software vulnerabilities to address first based on threat intelligence.
· Incident Response: Actions taken to handle and mitigate threats once they’re detected.
Strategic Threat Intelligence
Strategic threat intelligence translates complex and detailed information into a language that stakeholders, including board members, executives, and senior decision makers, can act upon. Outputs of strategic threat intelligence may include presentations, organization-wide risk reports, and comparisons of past, present, and future risk within an organization and against industry standards and best practices. Identifying gaps in compliance is a fundamental driver of strategic threat intelligence.
While summarized in reports, this type of threat intelligence delivery must also encompass extensive analysis of local and global trends, emerging cyber risks, and even geopolitical factors. Strategic threat intelligence is an essential part of long-term planning, risk management, and broad policy decisions, and it guides organizations in aligning cybersecurity strategies with business objectives.
Uses and Examples of Strategic Cyber Threat Intelligence (CTI)
· Insider Threat: Developing comprehensive strategies to identify and address threats that originate from within the organization through methods such as analyzing behavioral patterns and access logs.
· Deception Operations: Designing and implementing deception strategies to mislead and track potential attackers, revealing their techniques and intentions without compromising real assets.
· Resource Allocation: Determining how best to allocate cybersecurity resources based on the threat landscape, such as investing in new security technologies, hiring specialized personnel, or funding employee training programs.