The concept of 'threat intelligence', and the process for producing cyber threat intelligence, is widely misunderstood. Raw data and information gathered from various sources is often mislabeled as threat intelligence by organizations. Cyber threat intelligence (CTI) is evidence-based knowledge about a particular cyber threat to an organization: an overview of the threat, its propagation methods, indicators of compromise (IoCs), its likely impact, and the mitigating actions required. This knowledge is produced by extensive analysis of data collected from reliable sources. Enterprises use cyber threat intelligence to take the mitigation steps a threat calls for.
The importance of the analysis step cannot be stressed enough: collection alone produces data, not intelligence. Depending on the form of analysis used to produce the intel and the audience it serves, threat intelligence is classified into three types, viz. Strategic, Tactical and Operational Intelligence.
Strategic Intelligence includes identifying and inspecting risks that can affect an organization's core assets, such as employees, customers, vendors, and the overall infrastructure. Developing strategic intelligence requires highly skilled human analysts to gather proprietary information, follow trends, identify threats and design a defensive architecture to counter them. At the strategic level, threat intelligence presents highly relevant information in a clear and concise form, while outlining mitigation strategies that aid the organization's decision-making. This form of intelligence covers historical trends, attacker motivations and the key attributions of an attack. It helps enterprises see the bigger picture and set their security priorities accordingly.
Tactical Intelligence provides extensive, detailed data on a current or existing threat and is of most direct use to an analyst. Unlike strategic intelligence, tactical intelligence is micro in scope. It comes in the form of Indicators of Compromise (IoCs): malicious domains, malware file hashes, malicious URLs and virus signatures. Matching these indicators against logs and telemetry shows where an intrusion sits in the cyber kill chain and allows the attack in progress to be contained. With tactical intelligence in hand, organizations can act quickly and minimize the impact. The caveat is that IoCs age fast: attackers rotate domains, URLs and binaries cheaply, so indicators must be dated, expired and refreshed, or they generate stale alerts and false confidence.
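As an added example (not part of the original article), the following Python script shows what "acting on tactical intelligence" looks like in practice: a constructed IoC feed of domains, a URL and a SHA-256 hash is normalised (defanged `hxxp` and `[.]` forms undone, case folded) and matched against constructed proxy and endpoint log lines. Parent-domain matching is included so that an indicator for `update-cdn.example` also catches `cdn.update-cdn.example`. All indicator values, hostnames and log lines are hypothetical and made up for this example.

```python
"""Match a tactical IoC feed (domains, URLs, hashes) against log lines.

Added example, not code from the original article. Every indicator and
every log line below is constructed for illustration; none are real.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed IoC feed in the shape a tactical feed delivers (hypothetical values).
IOC_FEED = [
    {"type": "domain", "value": "Update-CDN[.]example", "ref": "campaign-A"},
    {"type": "url", "value": "hxxp://update-cdn[.]example/get.php?id=7", "ref": "campaign-A"},
    {"type": "sha256", "value": "DEADBEEF" * 8, "ref": "loader-v2"},
]

# Constructed proxy and endpoint log lines in key=value form (hypothetical).
LOG_LINES = [
    'ts=2024-03-01T10:00:01Z src=10.0.0.5 host=Update-CDN.example '
    'url="http://Update-CDN.example/get.php?id=7" status=200',
    'ts=2024-03-01T10:00:02Z src=10.0.0.7 host=cdn.update-cdn.example '
    'url="https://cdn.update-cdn.example/x" status=200',
    'ts=2024-03-01T10:00:03Z src=10.0.0.6 host=intranet.corp.example '
    'url="http://intranet.corp.example/" status=200',
    'ts=2024-03-01T10:00:04Z host=WS-17 event=process_create '
    'image="C:\\Users\\a\\AppData\\x.exe" sha256=' + "deadbeef" * 8,
]

# Common defanging conventions, undone before comparison.
_DEFANG = [("hxxps://", "https://"), ("hxxp://", "http://"), ("[.]", "."), ("(.)", "."), ("[:]", ":")]
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Match:
    ioc_type: str
    indicator: str
    ref: str
    line: str


def refang(value: str) -> str:
    """Undo defanging so feed values compare against raw log fields."""
    out = value.strip()
    for bad, good in _DEFANG:
        out = out.replace(bad, good)
    return out


def normalize_domain(value: str) -> str:
    return refang(value).lower().rstrip(".")


def normalize_url(value: str) -> str:
    """Lower-case scheme and host only; path and query stay case-sensitive."""
    parts = urlsplit(refang(value))
    netloc = (parts.hostname or "") + (f":{parts.port}" if parts.port else "")
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{netloc}{parts.path or '/'}{query}"


def build_index(feed: List[dict]) -> Dict[str, Dict[str, str]]:
    """type -> normalised indicator -> reference (campaign/report id)."""
    norm = {"domain": normalize_domain, "url": normalize_url}
    index: Dict[str, Dict[str, str]] = {}
    for ioc in feed:
        value = norm.get(ioc["type"], str.lower)(ioc["value"])
        index.setdefault(ioc["type"], {})[value] = ioc["ref"]
    return index


def parse_kv(line: str) -> Dict[str, str]:
    return {k: (q if q else u) for k, q, u in _KV.findall(line)}


def domain_hits(host: str, index: Dict[str, Dict[str, str]]) -> List[str]:
    """Indexed domains equal to host or a parent of it (never the bare TLD)."""
    labels = normalize_domain(host).split(".")
    cands = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    return [c for c in cands if c in index.get("domain", {})]


def match_line(line: str, index: Dict[str, Dict[str, str]]) -> List[Match]:
    fields = parse_kv(line)
    found: List[Match] = []

    def add(ioc_type: str, value: str) -> None:
        ref = index.get(ioc_type, {}).get(value)
        if ref and not any(m.ioc_type == ioc_type and m.indicator == value for m in found):
            found.append(Match(ioc_type, value, ref, line))

    hosts = [fields["host"]] if "host" in fields else []
    if "url" in fields:
        url = normalize_url(fields["url"])
        add("url", url)
        if urlsplit(url).hostname:
            hosts.append(urlsplit(url).hostname)
    for host in hosts:
        for dom in domain_hits(host, index):
            add("domain", dom)
    for hash_type in ("sha256", "sha1", "md5"):
        if hash_type in fields:
            add(hash_type, fields[hash_type].lower())
    return found


def scan(lines: List[str], index: Dict[str, Dict[str, str]]) -> List[Match]:
    return [m for line in lines for m in match_line(line, index)]


if __name__ == "__main__":
    for m in scan(LOG_LINES, build_index(IOC_FEED)):
        print(f"[{m.ref}] {m.ioc_type}={m.indicator} <- {m.line}")
```

The exact-URL match is deliberately brittle (a changed query string defeats it), which is why the domain check runs on the URL's host as well; in a real pipeline each indicator would also carry a first-seen and expiry date so that stale entries drop out of the index.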
Operational Intelligence focuses on how a threat actor conducts attacks: which actors are most active, what they target, their capabilities and intentions, and the tactics, techniques and procedures they use at the operational level. Much of the underlying collection can be automated, including with machine learning, but turning that data into operational intelligence still requires analysts to correlate campaigns and attribute activity; it is not produced by computers alone. Operational intelligence also examines how an attack would impact the organization and helps prioritize the operational assets from a security perspective.
All three types of intelligence matter to an organization. It makes no sense to pit strategic intelligence against tactical or operational intelligence to decide which is best: strategic informs priorities, operational describes the adversary, and tactical drives detection and containment. All three are equally essential for an effective incident response.