The Types of Threat Intelligence
As demonstrated by the threat
intelligence lifecycle, the final product will look different depending on the
initial intelligence requirements, sources of information, and intended
audience. It can be helpful to break down threat intelligence into a few
categories based on these criteria.
Threat intelligence is often broken down into three subcategories:
· Strategic — Broader trends typically meant for a non-technical audience
· Tactical — Outlines of the tactics, techniques, and procedures of threat
actors for a more technical audience
· Operational — Technical details about specific attacks and campaigns
Be aware that these labels are not used consistently across the industry: some frameworks and vendors apply “tactical” to indicators of compromise and “operational” to TTPs and campaigns, the reverse of the usage here, so check how a given feed or report defines its terms before relying on the label.
Strategic Threat Intelligence
Strategic threat intelligence provides a broad overview
of an organization’s threat landscape. It’s intended to inform high-level
decisions made by executives and other decision makers at an organization — as
such, the content is generally less technical and is presented through reports
or briefings. Good strategic intelligence should provide insight into areas
like the risks associated with certain lines of action, broad patterns in threat
actor tactics and targets, and geopolitical events and trends.
Common sources of information for strategic threat intelligence include:
· Policy documents from nation-states
or nongovernmental organizations
· News from local and national media,
industry- and subject-specific publications, or other subject-matter experts
· White papers, research reports, and
other content produced by security organizations
Producing strong strategic threat intelligence starts with asking
focused, specific questions to set the intelligence requirements. It also takes
analysts with expertise outside of typical cybersecurity skills — in
particular, a strong understanding of sociopolitical and business concepts.
Although the final product is non-technical, producing effective strategic
intelligence takes deep research through massive volumes of data, often across
multiple languages. That can make the initial collection and processing of data
too difficult to perform manually, even for those rare analysts who combine
the right language skills, technical background, and tradecraft. A threat
intelligence solution that automates data collection and processing reduces this
burden and lets analysts with less specialized expertise work more effectively.
Tactical Threat Intelligence
Tactical threat intelligence outlines the tactics,
techniques, and procedures (TTPs) of threat actors. It should help defenders
understand, in specific terms, how their organization might be attacked and the
best ways to defend against or mitigate those attacks. It usually includes
technical context, and is used by personnel directly involved in the defense of
an organization, such as system architects, administrators, and security staff.
Reports produced by cybersecurity vendors are often the easiest way to get
tactical threat intelligence. Look in those reports for the attack vectors,
tools, and infrastructure attackers are using, including which vulnerabilities
are being targeted, which exploits are being leveraged, and what techniques and
tools are used to avoid or delay detection.
Tactical threat intelligence should be used to inform improvements to
existing security controls and processes and to speed up incident response.
Many of the questions it answers are specific to your organization and need an
answer on a short deadline, for example: “Is this critical vulnerability, which
threat actors targeting my industry are exploiting, present in my systems?”
Answering that requires the intelligence to be joined with data from your own
environment (asset inventories, vulnerability scan results, logs), so a threat
intelligence solution that integrates data from within your own network is crucial.
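As an added example (not part of the original article or any vendor's product), here is how that question can be answered in code once tactical intelligence is joined with an internal inventory: a constructed feed of exploited vulnerabilities, with placeholder CVE-style identifiers, product names, fixed versions and targeted sectors, is checked against a constructed host inventory, keeping only feed records that mark your sector as targeted.

```python
"""Check a tactical 'actively exploited' feed against our own asset inventory.

Answers the question from the text: is a vulnerability that actors are
exploiting against my sector actually present in my systems? Everything below
(feed records, CVE-style placeholder IDs, product names, hosts, sectors) is
constructed for illustration and is not real vulnerability data.
"""

# Constructed tactical feed. A real record would carry a genuine CVE ID,
# advisory links and observed TTPs; only the fields this check needs are kept.
EXPLOITED_FEED = [
    {"cve": "CVE-0000-0001", "product": "examplemail", "fixed_in": "4.2.1",
     "targeted_sectors": {"finance", "healthcare"}},
    {"cve": "CVE-0000-0002", "product": "examplevpn", "fixed_in": "9.0",
     "targeted_sectors": {"energy"}},
    {"cve": "CVE-0000-0003", "product": "examplecms", "fixed_in": "2.0",
     "targeted_sectors": {"finance", "retail"}},
]

# Constructed internal inventory: what a CMDB or vulnerability scanner export
# would give you, reduced to host -> {product: installed version}.
ASSETS = [
    {"host": "mail01", "software": {"examplemail": "4.1.9"}},
    {"host": "mail02", "software": {"examplemail": "4.2.1"}},
    {"host": "vpn01", "software": {"examplevpn": "8.5"}},
    {"host": "web01", "software": {"examplecms": "1.8", "examplemail": "4.3"}},
    {"host": "web02", "software": {"examplecms": "2.3"}},
]


def parse_version(version):
    """'4.2.1' -> (4, 2, 1). Tuple comparison gives the usual ordering,
    including 4.2 < 4.2.1, which is what a 'fixed in' check needs."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed, fixed_in):
    """True if the installed version predates the version that fixed the bug."""
    return parse_version(installed) < parse_version(fixed_in)


def exposed_hosts(feed, assets, my_sector):
    """Return (host, cve, installed_version) for every asset running a
    vulnerable version of a product the feed reports as exploited against
    my_sector. Records for other sectors are skipped; that is the 'targeting
    my industry' filter from the text. Drop the filter to see every exploited
    vulnerability regardless of who is being targeted."""
    hits = []
    for record in feed:
        if my_sector not in record["targeted_sectors"]:
            continue
        for asset in assets:
            installed = asset["software"].get(record["product"])
            if installed is None:
                continue  # product not installed on this host
            if is_vulnerable(installed, record["fixed_in"]):
                hits.append((asset["host"], record["cve"], installed))
    return sorted(hits)


if __name__ == "__main__":
    for host, cve, version in exposed_hosts(EXPLOITED_FEED, ASSETS, "finance"):
        print(f"{host}: {cve} (running {version})")
```

In practice the feed would be a real exploited-vulnerability list and the inventory a CMDB or scanner export; the shape of the join is the same. Version comparison is the part that bites: vendor version strings are not always dotted integers, so a production check should use the vendor's own ordering rules or CPE/version-range data rather than the simple tuple comparison here.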
Operational Threat Intelligence
Operational intelligence is knowledge about cyber
attacks, events, or campaigns. It gives specialized insights that help incident
response teams understand the nature, intent, and timing of specific attacks.
Because this usually includes technical information — information like
what attack vector is being used, what vulnerabilities are being exploited, or
what command and control domains are being employed — this kind of intelligence
is also referred to as technical threat intelligence. A common source of
technical information is threat data feeds, which usually focus on a single
type of indicator, like malware hashes or suspicious domains.
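An added example, not from the original article, of what consuming such feeds looks like: two constructed single-type feeds (domains on the reserved .test and .invalid TLDs, and SHA-256 hashes of literal sample strings) are matched against constructed DNS and process-execution log lines in a made-up key=value format. The domain match is case-insensitive, ignores a trailing dot and also catches subdomains of a listed domain, while refusing to match a name that merely ends with the same characters.

```python
"""Match single-type threat data feeds (domains, file hashes) against log lines.

The feeds, log format and log lines are constructed for illustration; the
domains use reserved TLDs and the hashes are SHA-256 of literal sample
strings, so nothing here refers to a real indicator.
"""
import hashlib
import re

# Constructed feeds, one indicator type each, as feeds usually come.
DOMAIN_FEED = {"evil-example.test", "c2.example.invalid"}
HASH_FEED = {hashlib.sha256(b"constructed malicious sample").hexdigest()}

# Constructed log format: "<timestamp> <dns|proc> key=value ...".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|proc) (?P<rest>.*)$")


def normalize_domain(name):
    """Lower-case and drop a trailing dot so 'MAIL.Evil.test.' == 'mail.evil.test'."""
    return name.strip().lower().rstrip(".")


def domain_match(observed, feed_domains):
    """Return the feed domain that `observed` equals or is a subdomain of.
    The leading '.' in the suffix test keeps 'notevil-example.test' from
    matching 'evil-example.test'."""
    host = normalize_domain(observed)
    for ioc in sorted(feed_domains):  # sorted for deterministic results
        ioc = normalize_domain(ioc)
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def parse_fields(rest):
    """'client=10.0.0.5 query=x' -> {'client': '10.0.0.5', 'query': 'x'}."""
    return dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)


def scan_logs(lines, domain_feed, hash_feed):
    """Return one hit record per log line that touches a feed indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        fields = parse_fields(m["rest"])
        if m["kind"] == "dns":
            ioc = domain_match(fields.get("query", ""), domain_feed)
            if ioc:
                hits.append({"ts": m["ts"], "kind": "dns", "indicator": ioc,
                             "where": fields.get("client", "?")})
        elif m["kind"] == "proc":
            digest = fields.get("sha256", "").lower()  # feeds and logs differ in case
            if digest in hash_feed:
                hits.append({"ts": m["ts"], "kind": "proc", "indicator": digest,
                             "where": fields.get("host", "?")})
    return hits


SAMPLE_LOGS = [  # constructed sample log lines
    "2024-01-01T10:00:00Z dns client=10.0.0.5 query=MAIL.evil-example.test.",
    "2024-01-01T10:00:01Z dns client=10.0.0.6 query=notevil-example.test",
    "2024-01-01T10:00:02Z dns client=10.0.0.7 query=www.example.org",
    "2024-01-01T10:00:03Z proc host=ws12 sha256=" + next(iter(HASH_FEED)).upper(),
    "2024-01-01T10:00:04Z proc host=ws13 sha256="
    + hashlib.sha256(b"benign sample").hexdigest(),
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, DOMAIN_FEED, HASH_FEED):
        print(hit)
```

The normalization step matters more than it looks: feeds and logs disagree on case, trailing dots and hash encoding, and a raw string compare silently misses hits. Feed indicators also age quickly, so a match should carry the feed's source and timestamp so an analyst can judge whether a stale domain still means anything.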
But if technical threat intelligence is strictly thought of as deriving from
technical information like threat data feeds, then technical and operational
threat intelligence are not totally synonymous — more like a Venn diagram with
huge overlaps. Information on specific attacks can also come from closed
sources, such as intercepted threat group communications, obtained either by
infiltrating those channels or by breaking into them.
Consequently, there are a few barriers to gathering this kind of
intelligence:
· Access — Threat groups may communicate over private and encrypted
channels, or require some proof of identification. There are also language
barriers with threat groups located in foreign countries.
· Noise — It can be difficult or impossible to manually gather good
intelligence from high-volume sources like chat rooms and social media.
· Obfuscation — To avoid detection, threat groups might employ obfuscation
tactics like using codenames.
Threat intelligence solutions that use machine learning to automate large-scale
data collection and processing can overcome many of these barriers when developing
operational threat intelligence. A solution that applies natural language
processing, for example, can extract and translate information from
foreign-language sources, reducing (though not removing) the need for analysts
with the relevant language expertise.