Level Up Strategic, Tactical, Technical & Operational Threat Intelligence
The standard Threat Intelligence cycle famously includes five stages: Planning, Collection, Analysis, Production (AKA reporting), and Dissemination. But this cycle can be viewed and conducted with different approaches in mind. Understanding the difference between strategic, tactical, technical, and operational Threat Intelligence shows what that means in practice. Without this vital process, it would be hard to achieve the main goal for which Threat Intelligence exists: to proactively identify and mitigate threats.
Before we go into detail, it’s important to note that while the questions we ask may apply to most organizations, the Prioritized Intelligence Requirements (PIRs) aren’t one-size-fits-all. Each organization must determine them based on specific, relevant parameters.
Why Do Many Organizations Fail to Implement an Effective Threat Intelligence Program?
- Limited Resources: The combination of tight budgets and talent shortage impacts the cybersecurity field. The result is a severe resource shortage. Even organizations that focus on threat intelligence (strategic, operational, technical, and tactical) might not have the capacity to properly face the challenge.
- Lack of Visibility: Many organizations lack accurate visibility into their attack surface, and even when visibility exists, threat intelligence isn’t always part of the equation. This creates a relatively high volume of unmonitored risks across the organization.
- Threat Agility: The dark web shifts quickly, and threat actors constantly switch forums and chat groups. Organizations often lack the time, staff, and tools to track these changes, causing them to miss critical strategic insights and tactical TTPs.
- Overwhelming Unnecessary Information: Threat intelligence is often perceived as inefficient due to insufficient tools. Subpar solutions that do not sufficiently sort through the available information lead to unfitting intelligence. Intelligence alerts often lack context, complicating investigations, mitigation and future prevention.
Solutions to the Current Threat Intelligence Problems
- Increase Efficiency & Reduce Workload: The current worker shortage is not going anywhere, yet there are threat intelligence solutions that act as an extension of the team, sending only relevant, prioritized intelligence and significantly reducing the workload for SOC team members, analysts, and CISOs.
- Consolidating Threat Intelligence, Attack Surface Management, and Digital Risk Protection: When these three are integrated natively, intelligence can be prioritized based on organizational risk. Context can also be added to alerts, making it easier for SOC analysts to investigate, respond, and remediate.
- Increased Coverage of the Deep & Dark Web, Alongside Social Channels: The threat landscape evolves rapidly, and threat intelligence coverage must evolve at the same speed. The correct feeds need to be monitored, and researchers must be informed immediately when new forums and channels arise.
When all of the above are put in place, intelligence becomes relevant, prioritized, and contextualized. Only then does the volume of threat intelligence become manageable.
The Big Four: Multiple Threat Intelligence Layers
What Is Strategic Threat Intelligence?
To form the organization’s TI strategy, we ask who is targeting us and why. Threat Intelligence leaders investigate the identity and motive of current and potential threat agents. If a specific industry becomes more attractive for malicious cyber groups, what does that mean for our organization? What do we stand to lose if this threat isn’t addressed? These questions are both the starting point and final conclusion.
What Is Operational Threat Intelligence?
Now that we’ve characterized the possible threat actors, we ask how they will try to cause harm to the organization and where they might operate (the deep web? Telegram? the open web?). By asking these questions, we begin to focus on the environments and platforms that could serve threat actors, building the security plan accordingly. This is the transition stage between strategy and action, covering the detailed daily tasks for the team.
What Is Technical Threat Intelligence?
A more detailed how is asked at this point, as we list the possible resources the attacker might use to execute their plan. Technical threat intelligence looks at Indicators of Compromise (IoCs) such as IP addresses, domains, file hashes, and more.
What Is Tactical Threat Intelligence?
Once again, we repeat a question but view it through a different lens and at a lower level. We ask what actions the attackers will take. Answers to this question are revealed by studying the attackers’ Tactics, Techniques, and Procedures (TTPs). These parameters are short-lived and can change relatively fast.
Threat intelligence maps security questions onto these layers. For instance, when we want to know which units within the organization are at risk, this is a strategic question. Identifying the risks within the industry is operational, and listing the IoCs our SOC team should focus on is tactical.
Understanding the Differences Between Strategic and Tactical Threat Intelligence
In addition to the descriptions above, threat intelligence layers differ in the following ways.
- Time Period: Strategic threat intelligence considers long-term goals and behaviors, whereas the tactical layer is all about the here and now. Lower layers change rapidly and are more easily influenced by industry changes. This also means that tactical and technical actions must be addressed immediately.
- Seniority: Typically, executives handle strategic decisions and consult with company management to make overarching decisions based on the chosen strategy. Research shows that 88% of CISOs report to the full board or a committee. Tactics and technical steps are handled by all team members as part of their routine tasks.
- Response: While lower layers are reactive and respond to events as they occur, strategic threat intelligence is proactive, trying to anticipate and handle threats in advance. CISOs follow global and industry news, identify relevant information, and seek or create policies that offer an appropriate course of action.
- Relevancy: High-level strategies tend to have a broader outlook compared to tactical steps focused on specific company practices. The lower the layer, the more relevant and detailed it is.
- Queries: Strategic Threat Intelligence asks questions such as why and who in an effort to identify potential risks. As these broad queries are translated into practical steps, the central questions we ask become what and how. These narrow questions detail possible vulnerabilities the SOC team should look into.
- Technicality: As the names suggest, technical and tactical threat intelligence are based on more technical steps, such as the mitigation steps needed to solve the problem, which can include the blocking of a new set of IP addresses or a forced password reset for users with compromised credentials. Strategy, on the other hand, considers general concepts, global procedures, and industry trends.
Every Layer Counts: Why the Multi-Step Process Is Crucial
One might be tempted to skip some stages and move faster from concept to action. Here’s why cutting corners isn’t wise.
- Strategic threat intelligence shapes an optimized threat detection and prevention approach with relevant capabilities that serve every other step. It receives support from executives and management members, allowing companies to acquire relevant resources and talent in advance. Without this stage, every other step might be misguided and cost the company far more time and money.
- Tactical moves reduce the impact of cyber threats and include incident investigation and accelerated response, which allow companies to adjust, recover, and improve.
- Building a structured path helps companies optimize spending and better utilize resources, making the entire security infrastructure more efficient and cost-effective.
Can’t Have One Without the Other: Combining Strategy and Practice
CISOs everywhere know that improving the time and cost invested in the threat intelligence process is critical. Cyberint offers crucial threat intelligence for each layer, managed by our military-trained analysts and proprietary automation using the company’s Argos platform. Strategically, our research team is constantly researching emerging threat actors, ransomware groups, dark web forums, and trends. This level of threat intelligence is then tailored to specific attack surfaces, ensuring you only receive critical and relevant alerts.
Operationally, our threat intelligence team will continuously alert on current attacks and how they relate to your attack surface. Technically, your SOC team will receive the latest IoCs with in-depth investigations and context. Tactically, your team will be able to prioritize which threats to mitigate first, as the threat intelligence will be tailored and prioritized based on your attack surface.
Recognized by Gartner, Cyberint creates a smooth path that leads to a clear and complete vision for everyone involved. Our tailored solution understands that every team is different, making cookie-cutter solutions and long, unprioritized threat intelligence feeds far less effective.
A comprehensive threat intelligence solution asks what the types of threat intelligence are, considering and enhancing each one. It offers both executives and team members the resources and technologies they need to make wise decisions. The security blanket cannot afford to be too short and must cover every part of the process to offer sufficient protection.