The wide variety of information types and datasets that constitute threat intelligence generally falls into one of three main categories:
- Tactical threat intelligence: This is the most granular of the three threat intelligence categories. Information in this category consists of Indicators of Compromise (IOCs), Indicators of Attack (IOAs), or Tactics, Techniques, and Procedures (TTPs):
  - IOCs: An IOC is an artifact observed on a system that is indicative of a compromise of some sort. For example, a C2 IP address or an MD5 hash of a malicious file are both IOCs.
  - IOAs: An IOA is an artifact observed on a system that is indicative of an attack or an attempted attack. It differs from an IOC in that it does not indicate that a system was compromised, only that it was attacked, based on the indicators left behind by the adversary. An example may be connection attempts recorded in a firewall log that are indicative of an automated port scan using Nmap or another network scanning tool.
  - TTPs: Humans are creatures of habit and, as a result, cyber attackers often develop a unique methodology for how they attack a network. For example, a cybercriminal group may favor a social engineering email carrying an Excel spreadsheet that executes a remote access Trojan. From there, they may attempt to access the credit card point of sale (POS) device and infect it with another piece of malware. How this group executes such an attack is considered to be its TTPs.
- Operational threat intelligence: The past decade has seen more and more coordinated attacks that do not target just one organization but may target an entire industry, region, or country. Operational threat intelligence is data and information about the wider goals of cyberattacks and cyber threat actors. This involves not just examining the incident response team's own organization, but examining how cyber threat actors are attacking the larger industry. For example, returning to the earlier example where incident responders at a healthcare institution were preparing for an attack, wider knowledge of what types of attacks are occurring at similarly sized and staffed healthcare institutions would help them align their own security controls to the prevalent threats.
- Strategic threat intelligence: Senior leadership such as the CIO or CISO must often concern themselves with the strategic goals of the organization alongside the controls necessary to ensure that the organization is addressing the cyber threat landscape. Strategic threat intelligence examines trends in cyberattacks, which cyber threat actors are prevalent, and which industries are major targets. Other key data points are changes in technology that a threat actor or group may leverage in an attack.
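The distinction between an IOC and an IOA becomes concrete once you write the detection logic for each. The following script is an added example, not code from the original text: it matches network flows and file hashes against an IOC watch list (where presence alone indicates compromise) and separately flags a source that touches many distinct ports within a short window as an IOA, the port-scan pattern described under tactical intelligence above. The firewall log format, the IP addresses, the file paths, the hash list and the scan threshold are all constructed for illustration and are not from the original text.

```python
"""Classify firewall events and file hashes as IOC hits or IOA (port-scan) signals.

Added example. The log format, addresses, paths and hashes are constructed
placeholders, not values from the original text or any real intelligence feed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed tactical intelligence (watch lists) -----------------------
# IOCs: artifacts whose mere presence indicates a compromise.
C2_IPS = {"198.51.100.5"}                              # constructed C2 address (TEST-NET-2)
MALICIOUS_MD5 = {"d41d8cd98f00b204e9800998ecf8427e"}   # MD5 of the empty file, used only as a placeholder

# Assumed (constructed) firewall line format:
#   <ISO timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one firewall line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["dport"] = int(event["dport"])
    return event


def find_ioc_hits(events, c2_ips=C2_IPS):
    """IOC: any flow to a known C2 address, allowed or denied, is a compromise indicator."""
    return [e for e in events if e["dst"] in c2_ips]


def find_hash_iocs(file_hashes, bad_md5=MALICIOUS_MD5):
    """IOC: a file whose MD5 is on the watch list, regardless of how it arrived."""
    return {path for path, md5 in file_hashes.items() if md5.lower() in bad_md5}


def find_scan_ioas(events, min_ports=10, window=timedelta(seconds=5)):
    """IOA: one source touching many distinct ports within `window` looks like a port scan.

    The system was attacked, not necessarily compromised. Returns {src: distinct_ports}
    for every source that crosses the threshold in some window.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((e["ts"], e["dport"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        j = 0
        for i in range(len(hits)):
            # advance j to the end of the time window that starts at hits[i]
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                j += 1
            ports = {port for _, port in hits[i:j]}
            if len(ports) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


def triage(log_text, file_hashes):
    """Run both IOC matchers and the IOA heuristic over one log export and file inventory."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "ioc_network": find_ioc_hits(events),
        "ioc_files": find_hash_iocs(file_hashes),
        "ioa_scans": find_scan_ioas(events),
    }


# --- Constructed sample input ----------------------------------------------
SAMPLE_LOG = "\n".join(
    # a scanner probes 12 ports on one host within two seconds (constructed)
    [f"2024-05-01T10:00:0{i % 2} DENY src=203.0.113.7 dst=192.0.2.10 dport={20 + i}" for i in range(12)]
    + [
        "2024-05-01T10:05:00 ALLOW src=192.0.2.10 dst=198.51.100.5 dport=443",  # beacon to C2 (IOC)
        "2024-05-01T10:05:01 ALLOW src=192.0.2.11 dst=192.0.2.200 dport=443",   # benign internal traffic
        "2024-05-01T10:05:02 ALLOW src=192.0.2.11 dst=192.0.2.200 dport=445",
        "malformed line that the parser should skip",
    ]
)
SAMPLE_FILES = {  # constructed EDR file inventory: path -> MD5
    "C:/Users/alice/Downloads/invoice.xlsm": "d41d8cd98f00b204e9800998ecf8427e",
    "C:/Windows/System32/notepad.exe": "00000000000000000000000000000000",
}

if __name__ == "__main__":
    for label, result in triage(SAMPLE_LOG, SAMPLE_FILES).items():
        print(label, "->", result)
```

Read together, the two findings on 192.0.2.10 (scanned at 10:00, beaconing to C2 at 10:05) are what an analyst would begin recording as a TTP: the sequence an adversary follows, rather than any single artifact. Tune `min_ports` and `window` against your own firewall's baseline before relying on the IOA heuristic; a legitimate vulnerability scanner or monitoring host will trip it and belongs on an allow list.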
The best use of threat intelligence is to understand that each of these types can be integrated into an overall strategy. Leveraging internal and external threat intelligence of all three types provides key decision makers with an understanding of the threat landscape; managers with the ability to implement appropriate security controls and procedures; and analysts with the ability to search for ongoing security issues or to prepare their own response to a cyberattack.