Gartner Blog Network


On Broad Types of Threat Intelligence

by Anton Chuvakin  |  January 30, 2014

“Group P at country C wants your juicy research about E” and “here, this 3cf78d14a06199e6df526c3df4e28ac0 file is so ownage” are both examples of THREAT INTELLIGENCE (TI), based on the definitions in common usage today. Indeed, both fit the Gartner definition of TI, which states that “threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard” (source).

For my research, I am broadly slicing all threat intelligence data (oops… I just said “intelligence data” without cringing) into two broad classes:

  1. Strategic TI = reports and other human-readable products on threat actors, their intentions, affiliations, interests, goals, capabilities, plans, campaigns, etc.
  2. Tactical TI (sometimes labeled “technical” or “operational” with subtle differences in usage) = indicators, IP, URL or hash lists, and other system-level or network-level artifacts that can be matched to what is observed on information systems.

Admittedly, strategic TI splits into different sub-types and levels, from country-level [bordering on geopolitics, almost Stratfor-style], to industry- or company-level or actor-level. And of course, one can identify many sub-types of technical TI and even some TI that sort of fits in between. Note, however, that I am not defining the types based on their sources (humans or machines may create TI), but on their usage and the level of detail. Humans can cook technical TI, and maybe in the future machines will be able to write reports?

For now, I organized and described the types like this (given that this is a working draft, it may well change before I create a final paper – your thoughts are always welcome!):

|                     | Strategic                          | Tactical                                 |
|---------------------|------------------------------------|------------------------------------------|
| Created by          | Humans                             | Machines, or humans + machines           |
| Consumed by         | Humans                             | Machines and humans                      |
| Delivery time frame | Days – months                      | Seconds to hours                         |
| Useful lifespan     | Long                               | Short (usually)                          |
| Durability          | Durable                            | Fragile (*)                              |
| Ambiguity           | Possible; hypotheses and leads OK  | Undesirable; systems don’t tolerate it   |
| Focus               | Planning, decisions                | Detection, triage, response              |

[and, yes, I am aware of some exceptions that don’t fit this; a 0-day in malware that allows easy detection would be an example of a durable technical TI piece (*); attacker preference for a specific tool may fit between the types]
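As an added illustration of the tactical column (example code, not from the post): a minimal matcher that treats indicators as exact, machine-matchable artifacts with a limited useful lifespan, run over constructed log events. The reference time, TTLs, IP and URL values are assumptions; only the hash is the one quoted in the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Indicator:
    """One piece of tactical TI: an exact artifact with a short useful lifespan."""
    kind: str            # event field it applies to: "md5", "ip" or "url"
    value: str
    received: datetime   # when the feed delivered it
    ttl: timedelta       # how long it is treated as actionable (it is fragile)

    def active_at(self, when: datetime) -> bool:
        return self.received <= when < self.received + self.ttl


def match_events(feed, events, strict_lifespan=True):
    """Return (event_id, indicator) pairs where an event field equals an indicator.

    With strict_lifespan=True an indicator only fires on events observed while it
    is still within its TTL; False keeps expired indicators matching (noisier).
    """
    index = {}
    for ind in feed:  # exact, case-insensitive lookup: no ambiguity tolerated
        index.setdefault((ind.kind, ind.value.lower()), []).append(ind)
    hits = []
    for ev in events:
        for kind in ("md5", "ip", "url"):
            val = ev.get(kind)
            if val is None:
                continue
            for ind in index.get((kind, str(val).lower()), []):
                if not strict_lifespan or ind.active_at(ev["ts"]):
                    hits.append((ev["id"], ind))
    return hits


T0 = datetime(2014, 1, 30, 9, 0)  # constructed reference time
FEED = [  # the hash is the post's example; delivery times and TTLs are assumptions
    Indicator("md5", "3cf78d14a06199e6df526c3df4e28ac0", T0, timedelta(hours=12)),
    Indicator("ip", "192.0.2.44", T0, timedelta(hours=2)),  # constructed, not a real IoC
    Indicator("url", "http://example.invalid/update.php", T0 - timedelta(days=3), timedelta(days=1)),
]
EVENTS = [  # constructed observations from a proxy / endpoint log
    {"id": "e1", "ts": T0 + timedelta(minutes=30), "ip": "192.0.2.44"},
    {"id": "e2", "ts": T0 + timedelta(hours=5), "ip": "192.0.2.44"},  # IP indicator expired
    {"id": "e3", "ts": T0 + timedelta(hours=1), "md5": "3CF78D14A06199E6DF526C3DF4E28AC0"},
    {"id": "e4", "ts": T0, "url": "http://example.invalid/update.php"},  # stale URL indicator
    {"id": "e5", "ts": T0, "ip": "198.51.100.7"},  # no matching indicator
]
```

Running `match_events(FEED, EVENTS)` fires only on e1 and e3; disabling the lifespan check adds e2 and e4, which is the noise a short-lived indicator produces once it has gone stale.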

BTW, TI providers sort of split into “creators of technical TI [indicator feed makers]”, “creators of strategic TI [report writers]” and (magic!) “creators of BOTH types, interlinked together.” As you can imagine, the last category is the most useful [provided you can make use of the strategic TI components], but often much more expensive (“here is a picture of the attacker, here are his goals for this week, here are his tools, here are the trace signatures to detect them”).

Next, we will discuss various use cases for TI data, including using TI to create better TI!

Comments? Thoughts?

