Table 3 Definitions, audiences, purposes, scopes, and examples for four cyber threat intelligence types: strategic, operational, tactical, and technical. Abbreviations: TTPs, tactics, techniques, and procedures; IoCs, indicators of compromise.
From: Proactive identification of cybersecurity compromises via the PROID compromise assessment framework
|   | Strategic Threat Intelligence | Operational Threat Intelligence | Tactical Threat Intelligence | Technical Threat Intelligence |
|---|---|---|---|---|
| Definition | High-level information about threat trends, attributions, and motivations | Information about the specifics of possible, impending, or ongoing attacks against the organization | Detailed information on the tactics, techniques, and procedures (TTPs) of adversaries | Technical indicators of compromise (IoCs) such as malware signatures, IP addresses, URLs, and hash values associated with adversaries' activities |
| Audience | Organizational leaders and decision makers | Higher-level security staff and incident response managers | Technical teams such as SOC analysts and the incident response team | Technical teams such as SOC analysts and the incident response team, plus the IT staff responsible for the technical aspects of the network |
| Purpose | To provide a broad, long-term understanding of the threat landscape | To prepare for, identify, or respond to specific threats by understanding the operational details of attacks | To guide the selection and implementation of security controls and defensive measures based on adversaries' known TTPs | To detect and respond to immediate threats using specific technical indicators |
| Scope | Broad and generalized, offering a macro view of threat trends and of industrial and geopolitical factors | Detailed information about specific threats or campaigns targeting the organization | Narrower in focus, concentrating on the current TTPs of adversaries | Highly specific, dealing with the technical details of threats and the indicators used to identify them |
| Example | Intelligence about an APT's attribution, motive, and why it targets a specific industry or geographical region | Details of a targeted phishing campaign against the organization, including the timeline and tactics used | Specific adversary techniques such as spear-phishing or ransomware tactics | Hash values of malware files, malicious IP addresses, and URLs used in phishing attacks |
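The technical threat intelligence column is the one a compromise assessment consumes directly: a feed of hashes, addresses, domains and URLs that must be matched against the organization's own telemetry. The following Python is an added example written for this page; it is not code from the PROID paper or from any IoC platform. It matches a small constructed IoC feed against constructed key=value log lines (a firewall record, an EDR file event, and proxy records), and handles two things that trip up naive matching in practice: feed values that arrive "defanged" (hxxp://, example[.]com) or in mixed case, and URL observations that should also be tested against domain-level indicators. The hash, addresses, hostnames, log format and field-to-indicator mapping (`FIELD_TYPES`) are all placeholders chosen for the example.

```python
"""Match technical threat intelligence (IoCs) against log records.

Added example for illustration only. The IoC feed, log lines, field names
and hash/IP/URL values below are constructed placeholders, not real data.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed IoC feed. Values are deliberately defanged and mixed-case to
# show why normalisation is needed before matching.
IOC_FEED = [
    {"type": "sha256", "value": "0123456789ABCDEF" * 4},          # placeholder hash
    {"type": "ipv4",   "value": "203.0.113.45"},                   # TEST-NET-3 address
    {"type": "url",    "value": "hxxp://login-portal[.]example/verify"},
    {"type": "domain", "value": "Login-Portal[.]example"},
]

# Constructed log lines in key=value form (firewall, EDR, proxy).
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.45 action=allow",
    f"ts=2024-05-01T10:00:03Z host=ws12 sha256={'0123456789abcdef' * 4} path=C:\\Users\\a\\invoice.exe",
    "ts=2024-05-01T10:00:07Z user=jdoe url=http://login-portal.example/verify status=200",
    "ts=2024-05-01T10:00:09Z user=jdoe url=https://login-portal.example/ status=200",
    "ts=2024-05-01T10:00:11Z user=jdoe url=http://benign.example/index status=200",
]

# Which log fields are compared against which indicator type (assumed schema).
FIELD_TYPES = {"sha256": "sha256", "src": "ipv4", "dst": "ipv4", "url": "url"}


def refang(value: str) -> str:
    """Undo common defanging so feed values compare equal to raw log data."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def normalize_url(value: str) -> str:
    """Canonical scheme://host/path[?query]; scheme and host are case-insensitive,
    the path is kept as-is because it may be case-sensitive on the server."""
    parts = urlsplit(value)
    host = parts.hostname or ""          # .hostname is already lower-cased
    url = f"{parts.scheme.lower()}://{host}{parts.path or '/'}"
    return url + (f"?{parts.query}" if parts.query else "")


def normalize(ioc_type: str, value: str) -> str:
    """Bring a feed or log value into canonical form for exact-match lookup."""
    value = refang(value.strip())
    if ioc_type == "ipv4":
        return str(ipaddress.ip_address(value))   # raises ValueError on junk
    if ioc_type == "url":
        return normalize_url(value)
    return value.lower()                           # hashes and domains


def build_index(feed: list[dict]) -> dict[str, set[str]]:
    """Group normalised indicator values by type for O(1) membership tests."""
    index: dict[str, set[str]] = {}
    for ioc in feed:
        index.setdefault(ioc["type"], set()).add(normalize(ioc["type"], ioc["value"]))
    return index


def parse_record(line: str) -> dict[str, str]:
    """Split a key=value log line into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def match_record(record: dict[str, str], index: dict[str, set[str]]) -> list[tuple]:
    """Return (field, ioc_type, value) for every indicator the record matches."""
    hits = []
    for field, raw in record.items():
        ioc_type = FIELD_TYPES.get(field)
        if ioc_type is None:
            continue
        try:
            value = normalize(ioc_type, raw)
        except ValueError:
            continue                               # malformed log value, not a hit
        if value in index.get(ioc_type, ()):
            hits.append((field, ioc_type, value))
        if ioc_type == "url":
            # A URL observation is also evidence for a domain indicator, even
            # when the path differs from the exact URL in the feed.
            host = urlsplit(value).hostname or ""
            if host in index.get("domain", ()):
                hits.append((field, "domain", host))
    return hits


def scan(lines: list[str], index: dict[str, set[str]]) -> list[tuple]:
    """Run every log line through the index; each hit carries its timestamp."""
    results = []
    for line in lines:
        record = parse_record(line)
        for hit in match_record(record, index):
            results.append((record.get("ts"), *hit))
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, build_index(IOC_FEED)):
        print(hit)
```

Running the block reports five hits: the firewall destination address, the EDR file hash, the exact phishing URL, and a domain-level hit on each of the two proxy records for login-portal.example (the second proxy record matches the domain indicator only, because its path is not in the feed). The benign proxy record produces nothing. A real deployment would pull the feed from a platform that exports STIX or CSV and would apply the same normalisation on both sides; the point the example makes is that without it, a defanged or upper-cased feed entry silently never matches.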