Introduction
Understanding the different levels of threat intelligence is important for the security program of any organization. Threat intelligence is more than collecting and compiling data: its purpose is to apply analytical methods and indicators to detect threats and vulnerabilities, and then to advise on how to handle them.
Strategic threat intelligence
Tactical threat intelligence
Tactical threat intelligence is a common term when discussing cybersecurity. It refers to the actions and procedures that an attacker uses to accomplish their mission—such as how they communicate with each other, compromise systems, move laterally throughout the network, exfiltrate data, and remain undetected once they are on a system or network.
TTPs (tactics, techniques and procedures) vary with the type of attacker you are dealing with (for example, a nation-state versus a mercenary group) and with the kind of attack campaign you are defending against (a dating-site breach versus ransomware). However, most TTPs follow some general patterns:
Evasion techniques: Methods used by attackers to avoid detection by security tools and processes
Avoidance techniques: Methods used by attackers to avoid any sort of interaction with security measures until they’ve obtained the information they need
Operational threat intelligence
Operational threat intelligence focuses on indicators of compromise (IoCs). These are pieces of information that point to malicious activity, such as a particular file or URL.
The most common type of IoC is a file artifact, such as the hash of a malware sample or exploit. An IoC can also be an IP address or domain name associated with malware distribution, or anything else that indicates an attacker's presence on your network.
IoCs can be used to detect and respond to threats in near real time by providing context for other security tools. If you use SIEM software to monitor your infrastructure, you may have hundreds if not thousands of events arriving every day from all kinds of sources: firewalls reporting connections blocked by certain rules, intrusion prevention systems detecting suspicious activity, anti-virus utilities identifying infected files, and so on. The challenge is figuring out which of those events matter most, so you do not spend scarce analyst time investigating harmless incidents (someone leaving a laptop logged into Facebook) while something more serious is happening elsewhere on the same system (someone stealing credit card numbers from that same laptop).
That is where IoCs come in: matching events against known indicators filters out noise, so analysts only need to look at the alerts that genuinely raise suspicion about whether something is compromised.
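The two detection styles described above, operational (matching events against a watchlist of atomic indicators) and tactical (recognising an attacker's behaviour, such as lateral movement, whether or not any known indicator is present), can be combined in a single triage pass. The following is an added example written for this page, not code from the original article or from any SIEM product. The watchlist values, the sample events and the host names are all constructed placeholders; the lateral-movement rule (one account opening network logons to several distinct hosts inside a short window) is a simplification of the pattern the text describes, with the window and host threshold chosen here for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator watchlist. The IP is from a documentation range, the
# domain uses the reserved .invalid TLD and the hash is obviously synthetic;
# none of these are real indicators.
IOC_WATCHLIST = {
    "ip": {"198.51.100.23"},
    "domain": {"updates.example.invalid"},
    "sha256": {"deadbeef" * 8},
}

# Constructed sample events, already normalised the way a SIEM would present
# them. Host names and the user accounts are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:01", "src": "firewall", "action": "blocked",
     "dst_ip": "203.0.113.9"},
    {"ts": "2024-03-01T09:00:05", "src": "proxy", "action": "allowed",
     "domain": "updates.example.invalid", "host": "ws-17"},
    {"ts": "2024-03-01T09:00:09", "src": "av", "action": "quarantined",
     "sha256": "deadbeef" * 8, "host": "ws-17"},
    {"ts": "2024-03-01T09:01:00", "src": "auth", "action": "logon",
     "user": "svc-backup", "host": "fs-01", "src_host": "ws-17", "logon_type": 3},
    {"ts": "2024-03-01T09:01:20", "src": "auth", "action": "logon",
     "user": "svc-backup", "host": "fs-02", "src_host": "ws-17", "logon_type": 3},
    {"ts": "2024-03-01T09:01:45", "src": "auth", "action": "logon",
     "user": "svc-backup", "host": "db-01", "src_host": "ws-17", "logon_type": 3},
    {"ts": "2024-03-01T09:02:10", "src": "auth", "action": "logon",
     "user": "svc-backup", "host": "hr-app", "src_host": "ws-17", "logon_type": 3},
    {"ts": "2024-03-01T09:30:00", "src": "auth", "action": "logon",
     "user": "alice", "host": "ws-03", "src_host": "ws-03", "logon_type": 2},
]

# Which event fields are compared against which watchlist category.
IOC_FIELDS = (("dst_ip", "ip"), ("src_ip", "ip"),
              ("domain", "domain"), ("sha256", "sha256"))


def match_iocs(events, watchlist=IOC_WATCHLIST):
    """Operational TI: flag every event that carries a watch-listed indicator."""
    hits = []
    for ev in events:
        for field, category in IOC_FIELDS:
            value = ev.get(field)
            if value is not None and value.lower() in watchlist[category]:
                hits.append({"ts": ev["ts"], "type": category, "indicator": value,
                             "host": ev.get("host"), "source": ev["src"]})
    return hits


def detect_lateral_movement(events, window=timedelta(minutes=5), min_hosts=3):
    """Tactical TI: one account opening network logons (Windows logon type 3)
    to at least `min_hosts` distinct hosts within `window`. No indicator is
    needed; the behaviour itself is the signal."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["src"] == "auth" and ev.get("logon_type") == 3:
            by_user[ev["user"]].append(
                (datetime.fromisoformat(ev["ts"]), ev["host"], ev.get("src_host")))
    findings = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _, _) in enumerate(logons):
            in_window = [(h, s) for t, h, s in logons[i:] if t - start <= window]
            hosts = {h for h, _ in in_window}
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "hosts": sorted(hosts),
                                 "from": sorted({s for _, s in in_window if s}),
                                 "first_seen": start.isoformat()})
                break  # one finding per account is enough for triage
    return findings


def triage(events):
    """Run both detections and surface hosts that appear in both result sets,
    which are the ones an analyst should look at first."""
    ioc_hits = match_iocs(events)
    ttp_findings = detect_lateral_movement(events)
    ioc_hosts = {h["host"] for h in ioc_hits if h["host"]}
    ttp_hosts = {h for f in ttp_findings for h in f["hosts"] + f["from"]}
    return {"total_events": len(events), "ioc_hits": ioc_hits,
            "ttp_findings": ttp_findings,
            "overlap_hosts": sorted(ioc_hosts & ttp_hosts)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed events the IoC pass reduces eight events to two hits (a proxy request to the watch-listed domain and a quarantined file with the watch-listed hash, both on ws-17), the behavioural rule flags the svc-backup account fanning out from ws-17 to four servers, and the overlap points the analyst at ws-17 first. The firewall block and alice's interactive logon produce nothing, which is the filtering effect the text describes.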
Conclusion
Understanding the different levels of threat intelligence is an important tool for any analyst. The more specific the information, the more tactical and operational it is. This also means that a broad view of your threats may not tell you whether any issue is currently affecting your business or organization. By first gaining a high-level view of what is happening in your industry, you can then focus on the specific areas where one or more adversaries may be using different tactics and techniques to gain access to your data, systems or networks.