Strategic vs. Tactical Threat Intelligence
- Cyber Threat Intelligence
Posted on: May 10, 2021
Threat intelligence comes in various forms: broad and generic, highly technical, informative, or urgent and actionable. On the surface, threat intelligence might seem like a single discipline. On closer inspection, however, threat intel can be categorized into strategic, technical, tactical, and operational types. This educational guide covers strategic and tactical threat intelligence and how one differs from the other. While the two differ in many ways, an apt analogy is that strategic intelligence is a wide-angle view and tactical intelligence is a close-up view. Both have their own significance.
Strategic Threat Intelligence
Simply defined, strategic threat intelligence provides a high-level view of the threats faced by an organization and how it can defend itself. It is analyzed by humans and written to be read by humans. Strategic threat intel is usually consumed according to role, location, and industry; it is delivered to the relevant individuals and stakeholders on the basis of these criteria to make it more relevant and actionable for them.
From a strategic intelligence viewpoint, organizations need to know which processes, tools, and capabilities should be put in place to properly defend themselves against threats. Ideally, security teams know which adversaries might target their infrastructure, and the Tactics, Techniques, and Procedures (TTPs) those adversaries use, before an incident occurs. Strategic intelligence helps fill the gaps in an organization's capability to address a potential threat.
Strategic intelligence includes determining and examining risks that can impact an enterprise's core assets, such as employees, clients, vendors, and the overall infrastructure. It requires highly skilled analysts to collect proprietary information, follow current trends, detect threats, and build defensive mechanisms to address those threats. This kind of threat intelligence provides relevant information in a clear and concise form while defining mitigation strategies that help security teams in decision-making. Strategic intelligence encompasses historical trends, motivations, and key characteristics of an attack that help organizations look at the bigger picture and take the measures necessary to be more secure.
Tactical Threat Intelligence
Tactical threat intelligence focuses on what an organization needs to do while responding to security incidents. It provides details about the tactics, techniques, and procedures (TTPs) used by attackers. This threat intel is usually gathered directly from threats detected inside a network or from external sources that can inform tactical decisions. Tactical threat intelligence is aimed predominantly at a technical audience and is consumed by security teams and defense architects.
From the tactical intelligence viewpoint, take the instance of an organization that just became the victim of a cyberattack. The incident responders need to know the Indicators of Compromise (IOCs) to identify malicious activities inside the network. Leveraging this type of threat intel informs the tactical response to the situation at hand.
Tactical intelligence sharing is machine-to-machine driven and provides rich and extensive data on existing threats that a security analyst can act on. This type of intelligence consists of IOCs, which include relevant information on malware files, malicious domains and URLs, and virus signatures. When examined against a cyber kill chain, tactical intelligence proves highly effective and allows organizations to act quickly and reduce the impact.
Moreover, threat actor footprints can be identified and tracked by continuously mapping their TTPs against reported incidents using MITRE’s ATT&CK Navigator.
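The three paragraphs above describe tactical intelligence as machine-readable IOCs (malware hashes, malicious domains and URLs) that incident responders match against what they see inside the network and then relate to attacker TTPs. As an added example that is not part of the original guide, the following Python script shows that consumption step end to end: it loads a small IOC feed, normalizes the indicators so that case and trailing-dot differences do not cause misses, runs them over proxy and endpoint log lines, and summarizes the hits per threat with the ATT&CK technique each indicator was tagged with. The feed layout, the threat name "LoaderX", the hostnames and all log lines are constructed for this example; the ATT&CK technique IDs are real identifiers used only as sample context.

```python
"""Match a machine-readable IOC feed against local telemetry (added example)."""
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample feed. The field layout (type / value / threat / attack)
# is an assumption for this example, not any vendor's or standard's format.
SAMPLE_HASH = hashlib.sha256(b"dropper-sample").hexdigest()
IOC_FEED = [
    {"type": "domain", "value": "Update-Checker.Example", "threat": "LoaderX", "attack": "T1071.001"},
    {"type": "url", "value": "http://cdn.example/pkg/dl.bin", "threat": "LoaderX", "attack": "T1105"},
    {"type": "sha256", "value": SAMPLE_HASH, "threat": "LoaderX", "attack": "T1105"},
]

# Constructed sample telemetry: two proxy log lines that touch the feed, one that does not,
# and two endpoint file events, one of which carries the feed's hash.
PROXY_LOG = [
    "2021-05-10T09:12:01Z 10.0.4.17 GET http://update-checker.example/ping 200",
    "2021-05-10T09:12:09Z 10.0.4.17 GET http://cdn.example/pkg/dl.bin 200",
    "2021-05-10T09:13:44Z 10.0.4.22 GET https://intranet.example/home 200",
]
ENDPOINT_LOG = [
    "2021-05-10T09:12:15Z host=ws-017 file=C:\\Users\\a\\dl.bin sha256=" + SAMPLE_HASH,
    "2021-05-10T09:20:00Z host=ws-022 file=C:\\Users\\b\\notes.txt sha256=" + hashlib.sha256(b"notes").hexdigest(),
]

URL_RE = re.compile(r"https?://\S+")
SHA256_RE = re.compile(r"sha256=([0-9a-fA-F]{64})")


def normalize(ioc_type, value):
    """Canonical form so that feed values and values pulled from logs compare equal."""
    value = value.strip()
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    if ioc_type == "url":
        p = urlsplit(value)
        return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"
    if ioc_type in ("md5", "sha1", "sha256"):
        return value.lower()
    raise ValueError(f"unsupported indicator type: {ioc_type}")


def build_index(feed):
    """Map (type, normalized value) -> feed entry for O(1) lookups while scanning."""
    return {(ioc["type"], normalize(ioc["type"], ioc["value"])): ioc for ioc in feed}


def domain_candidates(host):
    """Yield the host and each parent domain so sub.bad.example also matches bad.example."""
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never yields the bare TLD
        yield ".".join(labels[i:])


def match_line(line, index):
    """Return (type, indicator, feed entry) for every IOC found in one log line."""
    hits = []
    for url in URL_RE.findall(line):
        norm_url = normalize("url", url)
        if ("url", norm_url) in index:
            hits.append(("url", norm_url, index[("url", norm_url)]))
        host = urlsplit(norm_url).hostname or ""
        for cand in domain_candidates(host):
            if ("domain", cand) in index:
                hits.append(("domain", cand, index[("domain", cand)]))
                break
    for digest in SHA256_RE.findall(line):
        key = ("sha256", digest.lower())
        if key in index:
            hits.append(("sha256", digest.lower(), index[key]))
    return hits


def scan(lines, index):
    """Run the IOC index over a list of log lines and collect findings for responders."""
    findings = []
    for line in lines:
        for ioc_type, value, ioc in match_line(line, index):
            findings.append({"line": line, "type": ioc_type, "indicator": value,
                             "threat": ioc["threat"], "attack": ioc["attack"]})
    return findings


def summarize(findings):
    """Group findings by threat name into the sorted list of ATT&CK techniques observed."""
    summary = {}
    for f in findings:
        summary.setdefault(f["threat"], set()).add(f["attack"])
    return {threat: sorted(techniques) for threat, techniques in summary.items()}


if __name__ == "__main__":
    index = build_index(IOC_FEED)
    all_findings = scan(PROXY_LOG, index) + scan(ENDPOINT_LOG, index)
    for f in all_findings:
        print(f"{f['type']:7} {f['indicator']}  threat={f['threat']} attack={f['attack']}")
    print(summarize(all_findings))
```

The summary at the end is the bridge to the TTP mapping the guide mentions: once hits are grouped by threat and technique, they can be plotted on an ATT&CK Navigator layer, and a second run against a later feed shows whether the same actor's footprint has changed.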
Difference between Strategic and Tactical Threat Intel
While strategic threat intel provides an outward-looking view that organizations use to develop their security policies and processes, tactical intel is aimed at ongoing operations that implement existing policies. In other words, strategic intel is gathered to build support for the resources needed for a strong defense against threats, whereas tactical intel is needed to take rapid action in response to adversary activity.
With strategic threat intelligence, decision-makers get a perspective on present and future trends and patterns. Security teams gain insight into what is happening now, can anticipate future possibilities and outcomes, and can correct policies before it is too late.
Tactical threat intelligence is all about the immediate present. While strategic decisions made in the past lead an organization to its current condition, tactical decisions let security teams act on the situation at hand, using the tasks and tools available to them and redirecting resources if required.
Strategic intel consumers are security teams, including analysts, and senior executives such as CISOs, SOC Heads, Heads of Threat Intelligence, and Heads of Cyber Fusion, who are accountable for overall planning and the major decisions that shape an organization's future and cybersecurity posture.
Tactical intel consumers are security specialists who are fundamentally responsible for incident response measures. With a proper comprehension and implementation of strategies, tactical decisions can be made to attain specific goals.
As tactical threat intel deals with ongoing incidents, it is of a reactive nature. It focuses on making the best of a situation with the tools at disposal. Strategic threat intel enables security teams to take initiatives to make effective decisions that can be executed in the future.
Strategic threat intel solutions reinforce a company's ability to detect and understand real-time information about emerging threats. They give key stakeholders and internal teams a basis for discussion. Tactical threat intel solutions amass intelligence from various external sources and from internally deployed security tools. They enable security teams to identify patterns in the post-exploitation stages of the cyber kill chain and associate them with reported intel.
Understanding the differences between strategic and tactical threat intel, and recognizing the importance of both, can substantially reinforce an organization's capability to deal with present and future threats and to respond to them appropriately. The point to note is that organizations need to consume all types of intel to understand their threat environment in detail and to design and implement defensive measures accordingly.