“Group P at country C wants your juicy research about E” and “here, this 3cf78d14a06199e6df526c3df4e28ac0 file is so ownage” are both examples of THREAT INTELLIGENCE (TI), based on the definitions in common usage today. Indeed, both fit Gartner definition of TI that states that “threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard” (source).
For my research, I am broadly slicing all threat intelligence data (oops… I just said “intelligence data” without cringing) into two broad classes:
- Strategic TI = reports and other human-readable products on threat actors, their intentions, affiliations, interests, goals, capabilities, plans, campaigns, etc.
- Tactical TI (sometimes labeled “technical” or “operational” with subtle differences in usage) = indicators, IP, URL or hash lists, and other system-level or network-level artifacts that can be matched to what is observed on information systems.
Admittedly, strategic TI splits into different sub-types and levels, from country-level [bordering on geopolitics, almost Stratfor-style], to industry- or company-level or actor-level. And of course, one can identify many sub-types of technical TI and even some TI that sort of fits in between. Note, however, that I am not defining the types based on their sources (human or machines may create TI), but on their usage and the level of details. Humans can cook technical TI and maybe in the future machines will be able to write reports?
For now, I organized and described the types like this (given that this is a working draft, it well may change before I create a final paper – your thoughts are always welcome!):
|Created by||Humans||Machines or humans + machines|
|Consumed by||Humans||Machines and humans|
|Delivery time frame||Days – months||Seconds to hours|
|Useful lifespan||Long||Short (usually)|
|Ambiguity||Possible; hypothesis and leads OK||Undesirable; systems don’t tolerate it|
|Focus||Planning, decisions||Detection, triage, response|
[and, yes, I am aware of some exceptions that don’t fit this; a 0-day in malware that allows easy detection would be a an example of a durable technical TI piece (*); attacker preference for a specific tool may fit between the types]
BTW, TI providers sort of split into “creators of technical TI [indicator feed makers]”, “creators of strategic TI [report writers]” and (magic!) “creators of BOTH times interlinked together.” As you can imagine, the last category is most useful [provided you can make use of strategic TI components], but more often much more expensive (“here is a picture of the attacker, here are his goals for this week, here are his tools, here are the trace signatures to detect them”)
Next, we will be discussing various use cases for TI data, including using TI to create better TI!
Posts related to this research project: