It is now widely accepted that computer security is a cat-and-mouse game in which the defender must constantly adapt to the changing tactics of the attacker. One key to success in this game is having good intelligence about the current state of the adversary’s toolkit and their tactics, techniques, and procedures (TTPs). This article provides an overview of the different forms of threat intelligence and explains why each is important.
The first form of intelligence is technical intelligence. This is information about the specifics of the adversary’s tools and techniques. This might include information such as the signature of a particular malware tool or the IP addresses used by an attacker. Technical intelligence is important because it can be used to directly detect and block attacks.
The second form of intelligence is strategic intelligence. This is information about the adversary’s goals, methods, and capabilities. It can help security teams to understand why the adversary is attacking and what they are trying to achieve. This type of intelligence is important because it can help to guide the overall security strategy.
The third form of intelligence is operational intelligence. This is information about the adversary’s current activities. It can help security teams to identify and track ongoing attacks. Operational intelligence is important because it can help to prioritize response and mitigation efforts.
The fourth and final form of intelligence is contextual intelligence. This is information about the environment in which the adversary is operating. It can help to provide context for the other forms of intelligence and help to identify potential indicators of compromise. Contextual intelligence is important because it can help to understand the adversary’s motivations and intentions.
All four of these forms of intelligence are important for effective security. Technical intelligence is necessary for directly detecting and blocking attacks. Strategic intelligence is necessary for understanding the adversary’s goals and methods. Operational intelligence is necessary for identifying and tracking ongoing attacks. Contextual intelligence is necessary for understanding the adversary’s motivations and intentions.
It is important to note that intelligence is not a static thing. The adversary is constantly evolving and adapting, and so the defender’s intelligence must also constantly evolve and adapt. Intelligence must be gathered from a variety of sources and must be analyzed and interpreted by experienced analysts. It is only through this process that the defender can hope to keep one step ahead of the adversary.