Level Up Strategic, Tactical, Technical & Operational Threat Intelligence

As threat intelligence evolves, mature organizations view it as a complex, multi-layer process.

The standard Threat Intelligence cycle famously includes five stages: Planning, Collection, Analysis, Production (AKA reporting), and Dissemination. But this cycle can be viewed and conducted with different approaches in mind. As we understand the difference between strategic, tactical, technical, and operational Threat Intelligence, we’ll see what that means. Without this vital process, it would be hard to achieve the main goal for which Threat Intelligence exists: To proactively identify and mitigate threats. 

Before we go into detail, it’s important to note that while the questions we ask may apply to most organizations, the Prioritized Intelligence Requirements (PIRS) aren’t one-size-fits-all. Each organization must determine them based on specific, relevant parameters. 

Why Do Many Organizations Fail to Implement an Effective Threat Intelligence Program?

1. Limited Resources: The combination of tight budgets and talent shortage impacts the cybersecurity field. The result is a severe resource shortage. Even organizations that focus on threat intelligence (strategic, operational, technical, and tactical) might not have the capacity to properly face the challenge.
2. Lack of Visibility: Many organizations lack accurate visibility into their attack surface, and even when visibility exists, threat intelligence isn’t always part of the equation. This creates a relatively high volume of unmonitored risks across the organization.
3. Threat Agility: The dark web shifts quickly, and threat actors constantly switch forums and chat groups. Organizations often lack the time, staff, and tools to track these changes, causing them to miss critical strategic insights and tactical TTPs.
4. Overwhelming Unnecessary Information: Threat intelligence is often perceived as inefficient due to insufficient tools. Subpar solutions that do not sufficiently sort through the available information lead to unfitting intelligence. Intelligence alerts often lack context, complicating investigations, mitigation and future prevention.

Solutions to the Current Threat Intelligence Problems

1. Increase Efficiency & Reduce Workload: The current worker shortage is not going anywhere, yet there are threat intelligence solutions that act as an extension of the team, sending only relevant, prioritized intelligence and significantly reducing the workload for SOC team members, analysts, and CISOs.
2. Consolidating Threat Intelligence, Attack Surface Management, and Digital Risk Protection: When these three are integrated natively, intelligence can be prioritized based on organizational risk. Context can also be added to a alerts making it easier for SOC analysts to investigate, respond, and remediate. 
3. Increased Coverage of the Deep & Dark Web, Alongside Social Channels: Threat intelligence evolves rapidly, and threat intelligence coverage must evolve at the same speed. Correct feeds need to be monitored, and researchers must remain informed immediately when new forums and channels arise.

When all of the above are put in place, intelligence becomes relevant, prioritized, and contextualized. Only then does the volume of threat intelligence become manageable.

The Big Four: Multiple Threat Intelligence Layers

What Is Strategic Threat Intelligence?

To form the organization’s TI strategy, we ask who is targeting us and why. Threat Intelligence leaders investigate the identity and motive of current and potential threat agents. If a specific industry becomes more attractive for malicious cyber groups, what does that mean for our organization? What do we stand to lose if this threat isn’t addressed? These questions are both the starting point and final conclusion. 

What Is Operational Threat Intelligence?

Now that we’ve characterized the possible threat actors, we ask how they will try to cause harm to the organization and where they might operate (The deep web? On Telegram? On the open web? By asking these questions, we begin to focus on environments and platforms that could serve threat actors, building the security plan accordingly. This is the transition stage between strategy and action, covering detailed daily tasks for the team. 

What Is Technical Threat Intelligence?

A more detailed How is being asked at this point, as we list possible resources the attacker might use to execute their plan. Technical threat intelligence looks at indicators of Compromise (IoCs) like IP addresses, domains, file hashes, and more. 

What Is Tactical Threat Intelligence?

Once again, we repeat a question but view it through a different lens and at a lower level. We ask what actions the attackers will take. Answers to this question will be revealed by studying the Tactics, Techniques, and Procedures (TTP). These parameters are short-lived and can change relatively fast. 

Threat intelligence turns security queries into Threat Intelligence layers. For instance, when we want to know which units within the organization are at risk, this is a strategic question. Identifying the risks within the industry is operational, and listing the IoC our SOC team should focus on is tactical. 

Understanding the Differences Between Strategic and Tactical Threat Intelligence

In addition to the descriptions above, threat intelligence layers differ in the following ways. 

• Time Period: Strategic threat intelligence considers long-term goals and behaviors, whereas the tactical layer is all about the here and now. Lower layers change rapidly and are more easily influenced by industry changes. This also means that tactical and technical actions must be addressed immediately. 
• Seniority: Typically, executives handle strategic decisions and consult with company management to make overarching decisions based on the chosen strategy. Research shows that 88% of CISOs report to the full board or a committee. Tactics and technical steps are handled by all team members as part of their routine tasks. 
• Response: While lower layers are reactive and respond to events as they occur, strategic threat intelligence is proactive, trying to anticipate and handle threats in advance. CISOs follow global and industry news, identify relevant information, and seek or create policies that offer an appropriate course of action.  
• Relevancy: High-level strategies tend to have a broader outlook compared to tactical steps focused on specific company practices. The lower the layer, the more relevant and detailed it is. 
• Queries: Strategic Threat Intelligence asks questions such as why and who in an effort to identify potential risks. As these broad queries are translated into practical steps, the central questions we ask become what and how. These narrow questions detail possible vulnerabilities the SOC team should look into. 
• Technicality: As the names suggest, technical and tactical threat intelligence are based on more technical steps, such as the mitigation steps needed to solve the problem, which can include the blocking of a new set of IP addresses or a forced password reset for users with compromised credentials. Strategy, on the other hand, considers general concepts, global procedures, and industry trends.