Threat Intelligence: Are you more strategic, tactical, operational or technical?

There are different types of Threat Intelligence, each adapted to the needs of companies. An explainer.


In the first episode of our Threat Intelligence series, we laid the groundwork. As a reminder, Threat Intelligence (TI) is a highly advanced form of security monitoring that allows us to track threats and attacks continuously in order to respond to them better, but above all to anticipate them.

In this second part, let’s dig deeper: there are different types of Threat Intelligence. Each type is adapted to the maturity of the company’s security system, but also to the resources (human and technological) associated with it.

There are four main approaches: strategic, tactical, operational and technical.

Discover Threat Intelligence with Orange Cyberdefense

Source: Threat Intelligence : Collecting, Analyzing, Evaluating – MWR

Tactical Threat Intelligence

Tactical Threat Intelligence is associated with “Tactics, Techniques and Procedures”, also (more rarely) called “Tools, Techniques, Procedures”. TTPs are the modus operandi of cyber attackers: they characterize an adversary’s actions as well as its particular approach.

Tactical Threat Intelligence therefore mainly provides information about the behavior, habits, tools and techniques of attackers: malware analyses, anti-virus evasion methods, or tools used to conduct Distributed Denial of Service (DDoS) attacks.

Tactical Threat Intelligence thus makes it possible to understand the attackers’ methods. It contributes to building proactive defenses and to rapid decision-making during and after intrusion detection.

Technical Threat Intelligence

This type of Threat Intelligence involves processing a very large volume of information, most often in the form of raw data.

Among this data are indicators of compromise such as IP addresses, URLs or lists of file hashes. This information makes it possible to identify an attack in progress and therefore to block it more easily.

However, it should be noted that these indicators have a very short lifespan. Indeed, it is very easy for an attacker to change an IP address or to alter a file so that its MD5 hash changes. This Threat Intelligence is therefore most often used by Security Operations Center (SOC) teams, which supervise and protect companies’ information systems.

For technical Threat Intelligence to be reliable, this data should be integrated as quickly as possible, ideally “in real time”, which in practice means in an automated way.
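To make the two points above concrete (indicators expire quickly, and they are only useful if matched automatically against what the SOC sees), here is an added example that is not code from the original post or from Orange Cyberdefense. It assumes a constructed feed format with `first_seen` and `ttl_hours` fields (real feeds such as STIX/TAXII carry their own validity metadata), uses RFC 5737 documentation IP ranges, a reserved `.invalid` domain and a hash computed over a made-up string, and matches the still-valid indicators against a few constructed proxy and endpoint log lines.

```python
"""Added example: expire short-lived indicators of compromise (IoCs) and match
the remaining ones against log lines. Feed format, log format and all values are
constructed for this illustration; none are real indicators."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import re

# Constructed sample feed. Addresses come from RFC 5737 documentation ranges, the
# domain uses the reserved .invalid TLD and the hash is computed over a made-up
# string, so none of these values is a real IoC. `ttl_hours` is an assumed field.
SAMPLE_MD5 = hashlib.md5(b"constructed sample payload").hexdigest()
SAMPLE_FEED = [
    {"type": "ipv4", "value": "203.0.113.42", "first_seen": "2024-05-01T10:00:00Z", "ttl_hours": 48},
    {"type": "ipv4", "value": "198.51.100.7", "first_seen": "2024-04-20T00:00:00Z", "ttl_hours": 48},
    {"type": "url", "value": "http://dropper.invalid/update.bin", "first_seen": "2024-05-02T08:00:00Z", "ttl_hours": 24},
    {"type": "md5", "value": SAMPLE_MD5, "first_seen": "2024-05-01T12:00:00Z", "ttl_hours": 72},
]

# Constructed log lines: two proxy entries and one endpoint file-creation event.
SAMPLE_LOGS = [
    "2024-05-02T09:15:01Z proxy src=10.0.0.15 dst=203.0.113.42 url=http://dropper.invalid/update.bin status=200",
    "2024-05-02T09:16:44Z proxy src=10.0.0.16 dst=198.51.100.7 url=http://intranet.example/ status=200",
    f"2024-05-02T09:20:10Z edr host=ws-0042 file=update.bin md5={SAMPLE_MD5} action=created",
]


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    expires: datetime


def parse_ts(text: str) -> datetime:
    """Parse the feed/log timestamp format used here (UTC, 'Z' suffix)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_feed(feed, now: datetime) -> dict:
    """Keep only indicators still inside their TTL at `now`.

    Stale entries are dropped rather than matched: an attacker can rotate an IP
    address or rebuild a file (new hash) at will, so old indicators mostly
    generate noise."""
    active = {}
    for entry in feed:
        expires = parse_ts(entry["first_seen"]) + timedelta(hours=entry["ttl_hours"])
        if expires > now:
            value = entry["value"].lower()
            active[(entry["type"], value)] = Indicator(entry["type"], value, expires)
    return active


# Extractors for the observables we match on; each finds candidate values in a line.
EXTRACTORS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
}


def match_line(line: str, active: dict) -> list:
    """Return the active indicators observed in one log line."""
    hits = []
    for ioc_type, pattern in EXTRACTORS.items():
        for value in pattern.findall(line):
            key = (ioc_type, value.lower())
            if key in active:
                hits.append(active[key])
    return hits


def scan_logs(lines, active: dict) -> list:
    """Return (line_number, indicator) pairs for every hit across the log lines."""
    results = []
    for number, line in enumerate(lines, 1):
        for indicator in match_line(line, active):
            results.append((number, indicator))
    return results


if __name__ == "__main__":
    now = parse_ts("2024-05-02T09:30:00Z")  # constructed "current time"
    active = load_feed(SAMPLE_FEED, now)
    print(f"{len(active)} of {len(SAMPLE_FEED)} indicators still active")
    for number, indicator in scan_logs(SAMPLE_LOGS, active):
        print(f"line {number}: {indicator.ioc_type} {indicator.value} "
              f"(expires {indicator.expires:%Y-%m-%d %H:%M}Z)")
```

Run as-is, the expired `198.51.100.7` entry is discarded before matching, so the second proxy line produces no alert, while the first proxy line and the endpoint event each match still-valid indicators. In a real pipeline the feed would be refreshed automatically on a schedule and the TTL would come from the provider rather than a fixed number.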

Operational Threat Intelligence

The objective of this type of Threat Intelligence is to identify attacks by collecting information as close as possible to the attacker. It provides a factual record of attacks and lets you prepare against those already identified.

This Threat Intelligence is generally used by the security manager or the incident response manager. It is less common in companies and more relevant to government organizations.

Indeed, the majority of the information collected comes from forums and the dark web, which are more difficult to access. In addition, many of these communities do not communicate in English, which further complicates matters.

Strategic Threat Intelligence

Strategic Threat Intelligence mainly provides high-level, non-technical analysis and information for decision-makers. It helps anticipate which defense strategies to adopt as risks evolve.

For example, it can quantify the financial impact of malicious activity or anticipate the major attack trends of a given period. It applies to all sectors, at both corporate and government level.

In conclusion

Used well, Threat Intelligence is therefore a real asset, because security is now a differentiating factor in all sectors. Currently, the market is mainly oriented towards technical and tactical Threat Intelligence, which primarily improve detection capabilities.

Implementing a complete Threat Intelligence program is a complex and iterative process. In the next episode, we will see the main steps of its application within a company.

About the blogger

Mathilde Poulbot is an engineer apprentice at Orange Cyberdefense. A graduate of the Saint-Malo University of Technology, she is currently studying at the Ecole Nationale Supérieure d’Ingénieurs de l’Université de Bretagne-Sud (ENSIBS).

Discover the bloggers of the Orange Cyberdefense Blog