Blog

Three Types of Threat Intelligence: Defined and Explained

September 6, 2022

Why is threat intelligence important?

In order for your security teams to effectively mitigate risk and stay ahead of cyber threats, it is essential for your organization to have a strong threat intelligence program. This threat intelligence, which is ideally made up from a variety of open and closed sources, is what gives your teams the information needed to proactively respond to threats and prevent attacks that bring harm to your organization’s assets, infrastructure, and personnel.

Building an effective cyber threat intelligence program requires a comprehensive view of the threat landscape your organization is facing. Depending on why it’s collected and what information it yields, the umbrella of threat intelligence can be divided into three major pillars: strategic, operational, and tactical.

Each type of threat intelligence provides a different aspect of understanding your organization’s risk apertures, plus how to defend against them. Having this understanding across all three pillars of threat intelligence allows you to target threats at different stages of their lifecycle, and provides insights to all of the stakeholders involved in your organization’s security, from executives to technical employees. 

To get the most out of your threat intelligence, it is important to prioritize creating a program that is designed to utilize all three types.

Strategic threat intelligence

Strategic threat intelligence overarches your entire threat intel program, and refers to using your organization’s intel data collections, historical observations, and research to identify trends and create long-term plans. Compared to operational and tactical intelligence, it is more broadly focused and seeks to define a company’s security posture and the impact cyber activities and attack trends have on business decisions. 

Using this information, security teams and the leadership that oversees them are able to better allocate resources to build a team, tech stack, and support system that is uniquely attuned to their specific needs in the world of cyber defense. In the event of, for example, an increase in the number of ransomware attacks against a certain industry, organizations within that sector would use their strategic intelligence to identify that trend and likely decide to invest more heavily in defense measures that address ransomware threats.

Normally, strategic threat intelligence is geared towards executives, high-level leadership, and CISOs to summarize the biggest threats the organization should be aware of. It is primarily showcased in white papers, reports, and other briefings and provides overviews of threats in a certain time period. It is continuously collected to keep an organization current with its threat landscape.

Operational threat intelligence

More directly applicable in nature, operational threat intelligence uses the collection of data and information to respond to a threat or attack as it is in progress. It is meant to be used immediately, and provides real-time alerts that can help your security team understand the scope of an attack and defend against it. It is a critical part of detecting active threats and responding to them quickly, so that your organization suffers minimal harm.

Along with giving you the intelligence needed to thwart an attack, it provides deeper insights into exactly how a threat actor operates, including their motives, capabilities, and potential next steps based on how they’ve behaved in the past. Not only does operation threat intelligence improve your organization’s ability to defend against attacks, it also strengthens your overall security posture and improves the quality with which you can investigate an incident and remediate damage.

This type of threat intel is often technical, and is immediately and urgently applicable to a potential attack situation. Its audience is security professionals, including security managers, heads of incident response, network defenders, and fraud detection teams. It usually consists of indicators of compromise (IOCs) and machine-readable data, including URLs, domain names, and IP addresses, among other things, and is often consumed through firewalls, SIEMs, SOARs, and other security tools.

Tactical threat intelligence

A mediary intelligence type between strategic and operational, tactical threat intelligence uses collected information to identify threats and mitigate them. It has a shorter lifespan than strategic threat intel, which is meant to detect long term trends, but is less reactionary than operational threat intelligence, which helps teams defend against threats during time-sensitive active attacks.

In order to be effective, tactical threat intelligence requires thorough knowledge of a threat actor and its tactics, techniques, and procedures (TTPs), and is continuously gathered and analyzed from both human and technical sources. It often supports specific investigations, and provides information about a certain type of attack and the methodologies commonly seen. It also assists with threat hunting by giving security teams intel about where certain threats have been observed online, giving them a better way to locate relevant threats from their data collection sources.

Individuals and teams in charge of network security, architecture, and administration, as well as IT service managers and security operations managers, are the primary audience for tactical threat intelligence. It is often viewed in campaign, malware, incident, and attack group reports, and is extremely technical in nature.

Putting it all together

Ultimately, each of the above types of threat intelligence plays a unique role in the entire threat detection, prevention, and response process, and the lack of any of them would severely impact an organization’s ability to protect itself from attack. The best way to ensure you are getting the most out of all three intelligence types is to create a data collection program that uses diverse intelligence sources to gather information. 

Additionally, putting protective measures in place, like firewalls, serves not only to prevent infiltration from threat actors, but also provides a line of visibility for your security teams into the threats facing your infrastructure. By observing security tool logs and getting alerts about suspicious activity, your team is given awareness of potential threats that go beyond online or general intelligence sources. 

Identify and mitigate cyber risks with Flashpoint


Never miss a development across illicit communities and protect your assets, stakeholders, and infrastructure by identifying emerging vulnerabilities, security incidents, and ransomware attacks. Get a free trial today and see Flashpoint’s extensive collections platform, deep web chatter, and dark web monitoring tools in action.

Begin your free trial today.