RedSheep Security
Foundations — Lesson 3 of 10

Types of Threat Intelligence

11 min read

Threat intelligence is not a single product — it exists in distinct types that serve different audiences, operate at different levels of abstraction, and inform different kinds of decisions. Understanding these types is essential for both producing and consuming intelligence effectively. This lesson covers the four widely recognized types of threat intelligence: strategic, operational, tactical, and technical.

Learning Objectives

  • Distinguish between the four types of threat intelligence
  • Identify the appropriate audience and format for each type
  • Understand how the four types relate to and support each other
  • Recognize real-world examples of each intelligence type
  • Select the right intelligence type for a given decision or consumer

The Four Types at a Glance

Before diving into each type, here is a comparison table that summarizes the key differences:

| Attribute         | Strategic                                                     | Operational                                                    | Tactical                                                    | Technical                                            |
| ----------------- | ------------------------------------------------------------- | -------------------------------------------------------------- | ----------------------------------------------------------- | ---------------------------------------------------- |
| Audience          | Executives, board, CISO                                       | Security managers, IR leads, hunt team leads                   | SOC analysts, detection engineers, hunt teams               | SOC analysts, SIEM/SOAR engineers, automated systems |
| Abstraction Level | High (business risk)                                          | Medium (campaigns, operations)                                 | Low (TTPs, behavioral patterns)                             | Very low (raw technical artifacts)                   |
| Time Horizon      | Months to years                                               | Weeks to months                                                | Days to weeks                                               | Hours to days                                        |
| Format            | Briefings, reports, assessments                               | Campaign reports, adversary profiles                           | Detection rules, YARA rules, Sigma rules, TTP mappings      | IOC feeds, IP/domain/hash lists, STIX bundles        |
| Actionability     | Informs strategy and investment                               | Informs planning and preparation                               | Informs detection and hunting                               | Informs blocking and alerting                        |
| Typical Sources   | Geopolitical analysis, industry trends, strategic assessments | Vendor campaign reports, incident investigations, ISAC sharing | MITRE ATT&CK mappings, malware analysis, behavioral reports | Threat feeds, sandbox output, network telemetry      |

Strategic Threat Intelligence

Strategic intelligence provides high-level assessments of the threat landscape relevant to an organization. It is designed for decision-makers — CISOs, executive leadership, and board members — who need to understand cyber risk in business terms, not technical details.

Characteristics

  • Non-technical language — Avoids IOCs, CVE numbers, and technical jargon
  • Broad scope — Covers threat trends, geopolitical developments, industry-specific risks, and regulatory implications
  • Long time horizon — Addresses threats and trends over quarters or years, not individual incidents
  • Judgment-heavy — Relies on analytical assessments with confidence levels rather than raw data

What Strategic Intelligence Answers

  • What threat groups are targeting our industry and why?
  • How is the ransomware threat evolving, and what does that mean for our risk posture?
  • Are geopolitical developments (e.g., international conflict, sanctions) likely to increase cyber threats to our organization?
  • Where should we invest our security budget to address the most likely threats?
  • How does our threat exposure compare to peers in our sector?

Real-World Examples

  • An annual threat landscape report assessing that nation-state espionage targeting the defense industrial base has increased, driven by geopolitical tensions, and recommending increased investment in identity security and supply chain risk management.
  • A quarterly briefing to the board summarizing ransomware trends, noting that double-extortion tactics now account for the majority of incidents in the organization's sector, with an assessment of the organization's readiness.
  • CrowdStrike's annual Global Threat Report and Mandiant's M-Trends report are public examples of strategic-level intelligence products.

Common Mistakes

  • Including raw IOCs or detection rules in executive briefings
  • Presenting threat data without analytical judgment or business context
  • Failing to connect threats to the organization's specific risk profile

Operational Threat Intelligence

Operational intelligence focuses on specific adversary campaigns, operations, and the intent behind them. It sits between the strategic and tactical levels, providing enough detail to understand how adversaries operate without descending into individual indicators.

Characteristics

  • Campaign-focused — Centers on specific threat actor operations, not individual indicators
  • Adversary-centric — Profiles threat groups, their motivations, targeting patterns, and operational tempo
  • Planning-oriented — Enables security teams to prepare for anticipated threats rather than only reacting to observed ones
  • Moderate time horizon — Relevant for weeks to months as campaigns evolve

What Operational Intelligence Answers

  • What campaigns is a specific threat group currently conducting?
  • What sectors and geographies are being targeted?
  • What is the adversary's operational tempo — are attacks increasing?
  • What is the adversary's likely objective (espionage, financial gain, disruption)?
  • How does this campaign relate to previously observed activity by the same group?

Real-World Examples

  • A report detailing that APT29 (Cozy Bear) is conducting a phishing campaign targeting government agencies and think tanks using compromised legitimate email accounts, with the likely objective of intelligence collection related to foreign policy.
  • An assessment that a ransomware group has shifted from targeting healthcare to targeting manufacturing, based on observed victimology changes over the past quarter.
  • CISA's joint advisories (e.g., AA22-110A on Russian state-sponsored cyber threats) that describe ongoing campaigns with enough operational detail for organizations to assess relevance and prepare defenses.

Common Mistakes

  • Confusing operational intelligence with a list of IOCs (that is tactical/technical)
  • Producing adversary profiles that describe historical activity without assessing current and future intent
  • Failing to assess whether a campaign is relevant to the consuming organization

Tactical Threat Intelligence

Tactical intelligence describes how adversaries operate — their tactics, techniques, and procedures (TTPs). It is the most directly actionable type for security operations teams because it enables detection, hunting, and defensive tuning based on adversary behavior rather than specific indicators.

Characteristics

  • TTP-focused — Describes adversary behaviors mapped to frameworks like MITRE ATT&CK
  • Detection-oriented — Directly supports the creation of detection rules, hunt queries, and defensive playbooks
  • Behavioral — Focuses on patterns of activity rather than specific artifacts (which change frequently)
  • Shorter time horizon — TTPs evolve over weeks to months, though some remain consistent for years

What Tactical Intelligence Answers

  • What techniques does this adversary use for initial access (e.g., spearphishing, exploitation of public-facing applications)?
  • How do they move laterally (e.g., PsExec, RDP, WMI)?
  • What persistence mechanisms do they use (e.g., scheduled tasks, registry run keys, DLL side-loading)?
  • What does their command-and-control communication look like (e.g., HTTPS beaconing with specific jitter patterns, DNS tunneling)?
  • What MITRE ATT&CK techniques should we prioritize for detection coverage?
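One way to turn the last question above into a repeatable computation, as an added example (not code from this lesson or from RedSheep Security): count how many tracked groups use each ATT&CK technique, compare that against the detections you already have, and emit a prioritized gap list plus a minimal Navigator-style layer. The group-to-technique mappings and the coverage scores are constructed for illustration and are not authoritative ATT&CK group data; the layer field names (techniqueID, score, comment) are an assumption to check against the current Navigator layer specification before importing.

```python
from collections import Counter

# Constructed: techniques observed per tracked group. Illustrative only;
# these are not real ATT&CK group-to-technique mappings.
OBSERVED_TTPS = {
    "GROUP-A": {"T1566.001", "T1053.005", "T1134", "T1041"},
    "GROUP-B": {"T1566.001", "T1105", "T1021.001", "T1041"},
    "GROUP-C": {"T1190", "T1105", "T1053.005", "T1003.006"},
}

# Constructed: the organisation's current detection coverage per technique,
# scored 0 = nothing, 1 = partial, 2 = full. Techniques absent here score 0.
COVERAGE = {"T1566.001": 2, "T1041": 1, "T1105": 0, "T1053.005": 0}


def technique_frequency(ttps):
    """How many tracked groups use each technique (a crude 'threat relevance' weight)."""
    counts = Counter()
    for techniques in ttps.values():
        counts.update(techniques)
    return counts


def coverage_gaps(ttps, coverage, full_score=2):
    """Return (technique, groups_using_it, current_coverage) tuples for every technique
    that is not fully covered, ordered so the most widely used, least covered come first."""
    gaps = []
    for technique, n_groups in technique_frequency(ttps).items():
        score = coverage.get(technique, 0)
        if score < full_score:
            gaps.append((technique, n_groups, score))
    # Many groups first, then lowest existing coverage, then technique ID for a stable order
    gaps.sort(key=lambda g: (-g[1], g[2], g[0]))
    return gaps


def navigator_layer(name, ttps, coverage):
    """Build a minimal Navigator-style layer from the gap list. The field names used here
    (techniqueID, score, comment) are an assumption about the layer format, not taken
    from this lesson; verify against the layer spec your Navigator version expects."""
    techniques = [
        {"techniqueID": technique, "score": n_groups,
         "comment": f"used by {n_groups} tracked group(s); current coverage={score}"}
        for technique, n_groups, score in coverage_gaps(ttps, coverage)
    ]
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}


if __name__ == "__main__":
    for technique, n_groups, score in coverage_gaps(OBSERVED_TTPS, COVERAGE):
        print(f"{technique:<10} groups={n_groups} coverage={score}")
```

The ordering is deliberate: a technique three groups share and you cannot see at all outranks one a single group uses and you partially cover. Replace the constructed inputs with your own group tracking and your detection inventory and the same function gives you the prioritized list the question asks for.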

Real-World Examples

  • A report documenting that a threat group achieves initial access via spearphishing attachments (T1566.001), establishes persistence via scheduled tasks (T1053.005), escalates privileges using token manipulation (T1134), and exfiltrates data over HTTPS (T1041) — with corresponding detection logic for each technique.
  • A Sigma rule detecting the use of certutil.exe to download files (T1105), a technique used by multiple threat groups for ingress tool transfer.
  • MITRE ATT&CK Navigator layers showing which techniques a specific group has been observed using, enabling defensive gap analysis.
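To make concrete what a behavioural rule such as the certutil.exe Sigma rule above does when it is evaluated, here is an added example (not the lesson's own rule and not RedSheep Security's code) of a deliberately small Sigma-style matcher run over constructed process-creation events. It implements only a subset of Sigma: the contains, startswith and endswith string modifiers, AND within a block, and the condition "selection and not filter". Field names follow the Sysmon process-creation fields Sigma rules commonly use; the events, the user names and the software-distribution path in the filter are all made up.

```python
# Constructed Sigma-style rule (a subset of real Sigma syntax): the process image
# is certutil.exe and the command line carries the URL-cache option, which is the
# behaviour behind ingress tool transfer (T1105). The rule keys on behaviour, not
# on any particular URL, hash or host, which is what makes it tactical intelligence.
CERTUTIL_DOWNLOAD_RULE = {
    "title": "Certutil Used To Download A File",
    "tags": ["attack.command_and_control", "attack.t1105"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "selection": {
        "Image|endswith": "\\certutil.exe",
        "CommandLine|contains": "urlcache",
    },
    # Assumed exclusion for an internal deployment agent (placeholder path, not real)
    "filter": {"ParentImage|startswith": "C:\\Program Files\\ExampleDeploy\\"},
}

# Constructed process-creation events, not real telemetry.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "certutil.exe -urlcache -f http://files.example.invalid/tool.txt tool.txt",
     "User": "CORP\\jdoe"},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "certutil.exe -hashfile C:\\temp\\installer.msi SHA256",
     "User": "CORP\\admin"},
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "ParentImage": "C:\\Program Files\\ExampleDeploy\\agent.exe",
     "CommandLine": "certutil.exe -URLCache -f http://deploy.example.invalid/pkg.cab pkg.cab",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Program Files\\Browser\\browser.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "browser.exe --url http://example.invalid/", "User": "CORP\\jdoe"},
]


def _field_matches(event, spec, expected):
    """Apply one 'Field|modifier' condition. Sigma string matching is case-insensitive."""
    field, _, modifier = spec.partition("|")
    value = str(event.get(field, "")).lower()
    expected = str(expected).lower()
    if modifier == "":
        return value == expected
    if modifier == "contains":
        return expected in value
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "endswith":
        return value.endswith(expected)
    raise ValueError(f"modifier not supported by this subset: {modifier}")


def _block_matches(event, block):
    # Conditions inside one selection or filter block are ANDed, as in Sigma
    return all(_field_matches(event, spec, expected) for spec, expected in block.items())


def rule_matches(rule, event):
    """Equivalent of the Sigma condition 'selection and not filter'."""
    if not _block_matches(event, rule["selection"]):
        return False
    filt = rule.get("filter") or {}
    return not (filt and _block_matches(event, filt))


def run_rule(rule, events):
    """Return the events the rule fires on, tagged with the rule title and ATT&CK tags."""
    return [dict(event, rule=rule["title"], tags=rule.get("tags", []))
            for event in events if rule_matches(rule, event)]


if __name__ == "__main__":
    for hit in run_rule(CERTUTIL_DOWNLOAD_RULE, EVENTS):
        print(hit["rule"], "|", hit["User"], "|", hit["CommandLine"])
```

Of the four constructed events only the first fires: the second runs certutil for a legitimate hash check, the third is the same download behaviour launched by the excluded deployment agent, and the fourth is not certutil at all. Note that the option name is matched case-insensitively, so recasing it does not evade the rule; changing the behaviour (using a different tool for ingress transfer) would, which is exactly the Pyramid of Pain argument made below.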

Why TTPs Matter More Than IOCs: The Pyramid of Pain (covered in Lesson 5) illustrates that TTPs are the hardest thing for adversaries to change. An attacker can swap out an IP address or domain in minutes, but changing their entire operational methodology is costly and slow. TTP-based detection is therefore more durable than IOC-based detection.

Common Mistakes

  • Producing TTP reports without corresponding detection or hunting guidance
  • Mapping activity to MITRE ATT&CK at the tactic level only (e.g., "Initial Access") without specifying the technique and sub-technique
  • Treating tactical intelligence as static — adversary TTPs evolve and must be periodically reassessed

Technical Threat Intelligence

Technical intelligence consists of specific technical artifacts associated with threats — the raw indicators and forensic details that automated systems can ingest and act on immediately.

Characteristics

  • Artifact-focused — IP addresses, domain names, file hashes, URLs, email addresses, registry keys, mutexes, and other observable artifacts
  • Machine-consumable — Designed to be ingested directly into SIEMs, firewalls, IDS/IPS, endpoint detection tools, and TIPs
  • Shortest time horizon — Many technical indicators (especially IP addresses and domains) decay rapidly as adversaries rotate infrastructure
  • Highest volume — Organizations may consume millions of technical indicators

What Technical Intelligence Provides

  • Blocklists for known-malicious infrastructure
  • SIEM correlation rules matching specific IOCs
  • Sandbox analysis results for malware samples
  • Network signatures (Snort/Suricata rules) for known C2 traffic
  • YARA rules for file-based detection of specific malware families

Real-World Examples

  • A STIX bundle containing 500 IP addresses, 200 domains, and 50 file hashes associated with a specific malware family, formatted for automated ingestion into a TIP.
  • A VirusTotal report showing detection rates, behavioral analysis, and network indicators for a submitted malware sample.
  • An automated feed from an ISAC providing daily updates of IOCs relevant to the financial sector.

Common Mistakes

  • Ingesting massive volumes of indicators without validation, leading to false positive alert fatigue
  • Treating IOC feeds as "intelligence" without analysis or context
  • Failing to age out stale indicators, causing alerts on long-decommissioned infrastructure
  • Not tracking the provenance or confidence level of ingested indicators
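The four mistakes above map directly onto what an ingest pipeline has to do with a technical feed. As an added example (constructed for this lesson; not RedSheep Security's code and not any TIP's implementation), the Python below takes a STIX 2.1 indicator bundle, validates each indicator, records provenance and confidence, collapses duplicates across feeds, and ages entries out with a per-type lifetime. The bundle, the feed identities, the observable values and the TTL numbers are all assumptions (the IDs are placeholders, not spec-valid UUIDs, and the addresses are documentation ranges); the pattern parser handles only the single-comparison STIX patterns used in the sample, not the full pattern grammar.

```python
import ipaddress
import json
import re
from datetime import datetime, timedelta

# Constructed STIX 2.1 bundle. IDs and values are placeholders, not real IoCs.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--placeholder", "objects": [
    {"type": "indicator", "id": "indicator--0001", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '192.0.2.10']", "valid_from": "2024-01-01T00:00:00Z",
     "confidence": 60, "created_by_ref": "identity--feed-a"},
    {"type": "indicator", "id": "indicator--0002", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'C2.Example.INVALID']",
     "valid_from": "2024-02-15T00:00:00Z", "confidence": 80, "created_by_ref": "identity--feed-b"},
    {"type": "indicator", "id": "indicator--0003", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
     "valid_from": "2023-06-01T00:00:00Z", "created_by_ref": "identity--feed-a"},
    {"type": "indicator", "id": "indicator--0004", "pattern_type": "stix",   # malformed hash
     "pattern": "[file:hashes.'SHA-256' = 'deadbeef']", "valid_from": "2024-02-20T00:00:00Z",
     "confidence": 90, "created_by_ref": "identity--feed-b"},
    {"type": "indicator", "id": "indicator--0005", "pattern_type": "stix",   # withdrawn by producer
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "valid_from": "2024-02-25T00:00:00Z",
     "revoked": True, "created_by_ref": "identity--feed-a"},
    {"type": "identity", "id": "identity--feed-a", "name": "Feed A"},
]})

# Assumed lifetimes in days per observable type: infrastructure rotates fast,
# file hashes stay meaningful much longer. Tune these from your own feed data.
DEFAULT_TTL_DAYS = {"ipv4-addr": 7, "domain-name": 30, "url": 30, "file": 365}
HEX_LENGTHS = {"MD5": 32, "SHA-1": 40, "SHA-256": 64}
# Only the simple form "[type:path = 'value']" is parsed here.
PATTERN_RE = re.compile(r"^\[\s*([a-z0-9-]+):([A-Za-z0-9_.'\-]+)\s*=\s*'([^']*)'\s*\]$")


def parse_simple_pattern(pattern):
    m = PATTERN_RE.match(pattern.strip())
    return m.groups() if m else None


def parse_ts(s):
    # STIX timestamps are RFC 3339 in UTC with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def validate(obs_type, path, value):
    """Return None if the observable is usable, otherwise a rejection reason."""
    if not value:
        return "empty value"
    if obs_type == "ipv4-addr":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            return "malformed IPv4 address"
    elif obs_type == "domain-name":
        if "." not in value or any(c.isspace() for c in value):
            return "malformed domain name"
    elif obs_type == "file":
        m = re.fullmatch(r"hashes\.'([A-Za-z0-9-]+)'", path)
        algo = m.group(1) if m else None
        if algo not in HEX_LENGTHS:
            return f"unsupported file property {path}"
        if len(value) != HEX_LENGTHS[algo] or not re.fullmatch(r"[0-9a-fA-F]+", value):
            return f"{algo} value has the wrong length or non-hex characters"
    return None


def ingest_bundle(bundle_json, ttl_days=DEFAULT_TTL_DAYS):
    """Return (accepted, rejected). accepted is keyed by (type, normalised value) and
    records sources, confidence and expiry; rejected is a list of (indicator id, reason)."""
    accepted, rejected = {}, []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("revoked"):
            rejected.append((obj["id"], "revoked by producer"))
            continue
        parsed = None
        if obj.get("pattern_type", "stix") == "stix":
            parsed = parse_simple_pattern(obj.get("pattern", ""))
        if parsed is None:
            rejected.append((obj["id"], "pattern not in the supported simple STIX form"))
            continue
        obs_type, path, value = parsed
        reason = validate(obs_type, path, value)
        if reason is None and obs_type not in ttl_days:
            reason = f"no lifetime policy for {obs_type}"
        if reason:
            rejected.append((obj["id"], reason))
            continue
        valid_from = parse_ts(obj["valid_from"])
        # Honour the producer's valid_until when given, otherwise apply the per-type lifetime
        if obj.get("valid_until"):
            expires = parse_ts(obj["valid_until"])
        else:
            expires = valid_from + timedelta(days=ttl_days[obs_type])
        # Case-fold domains and hashes so the same artefact from two feeds collapses into one entry
        key = (obs_type, value.lower() if obs_type in ("domain-name", "file") else value)
        source = obj.get("created_by_ref", "unknown")
        entry = accepted.get(key)
        if entry is None:
            accepted[key] = {"type": obs_type, "value": key[1], "sources": {source},
                             "confidence": obj.get("confidence"),
                             "first_seen": valid_from, "expires": expires}
        else:  # keep every source, the best confidence, and the latest expiry
            entry["sources"].add(source)
            confs = [c for c in (entry["confidence"], obj.get("confidence")) if c is not None]
            entry["confidence"] = max(confs) if confs else None
            entry["expires"] = max(entry["expires"], expires)
    return accepted, rejected


def active_indicators(accepted, now):
    """Drop expired entries so long-decommissioned infrastructure stops generating alerts."""
    return {key: entry for key, entry in accepted.items() if entry["expires"] > now}
```

Run against the constructed bundle, three indicators are accepted and two are rejected with a stated reason (a malformed SHA-256 and a revoked indicator), so the rejections can be fed back to the feed owner rather than silently dropped. Evaluated on 1 March 2024, the IP address from January has already aged out under the seven-day policy while the domain and the hash remain active, and every surviving entry still carries which feed asserted it and at what confidence.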

How the Four Types Relate

The four types of intelligence are not independent — they form a hierarchy that supports decision-making at every level of an organization.

Strategic    →  "APT groups targeting healthcare are increasing activity"
                    ↓ informs
Operational  →  "APT41 is conducting a campaign against healthcare supply chains"
                    ↓ informs
Tactical     →  "APT41 uses spearphishing → Cobalt Strike → DCSync for credential theft"
                    ↓ informs
Technical    →  "Block these C2 IPs, detect these file hashes, alert on these domains"

Intelligence flows in both directions. Technical indicators discovered during incident response can be analyzed upward — linking indicators to TTPs (tactical), TTPs to campaigns (operational), and campaigns to strategic trends (strategic). This bottom-up analysis is how individual incidents contribute to the broader intelligence picture.

Similarly, strategic assessments drive top-down tasking. If strategic intelligence assesses that ransomware targeting the energy sector is increasing, operational teams focus collection on relevant ransomware groups, tactical teams develop detection for those groups' TTPs, and technical teams prioritize ingestion of associated IOCs.

Choosing the Right Type

When producing intelligence, always start with the consumer:

| If the consumer needs to...                     | Produce...               |
| ----------------------------------------------- | ------------------------ |
| Make a budget or strategy decision              | Strategic intelligence   |
| Prepare for anticipated campaigns               | Operational intelligence |
| Build detections or hunt for adversary behavior | Tactical intelligence    |
| Block known-bad artifacts or automate response  | Technical intelligence   |

A mature CTI program produces all four types, tailored to their respective audiences. An immature program typically produces only technical intelligence (IOC feeds) and wonders why leadership does not value the CTI function.

Key Takeaways

  • Threat intelligence exists in four types: strategic, operational, tactical, and technical
  • Each type serves a different audience, operates at a different level of abstraction, and has a different time horizon
  • Strategic intelligence informs business decisions; technical intelligence informs automated blocking — they are not interchangeable
  • The four types form a hierarchy where intelligence flows both top-down (strategic drives collection priorities) and bottom-up (technical findings inform strategic assessments)
  • TTPs (tactical level) provide the most durable detection value because adversaries cannot easily change their operational methodology
  • A mature CTI program produces intelligence at all four levels, tailored to each audience

Practical Exercise

Decompose a Threat Report Into Four Types

Find a public threat report from a vendor such as Mandiant, CrowdStrike, Palo Alto Unit 42, or Cisco Talos. Then:

  1. Extract the strategic elements — What industry or geopolitical trends does the report reference? What high-level risk does it describe?
  2. Extract the operational elements — What campaign or threat group is described? What are their objectives and targeting patterns?
  3. Extract the tactical elements — What TTPs does the report document? Can you map them to MITRE ATT&CK techniques?
  4. Extract the technical elements — What specific IOCs (IPs, domains, hashes, URLs) are provided?

Write a one-sentence summary for each type. This exercise builds the habit of reading reports with all four intelligence levels in mind.

Further Reading

  • MITRE ATT&CK (attack.mitre.org). The standard framework for cataloging adversary TTPs at the tactical level.
  • "The Diamond Model of Intrusion Analysis" — Sergio Caltagirone, Andrew Pendergast, Christopher Betz (2013). Provides a model for relating adversary, infrastructure, capability, and victim — useful for operational-level analysis.
  • FIRST Traffic Light Protocol (TLP), first.org/tlp. The standard for marking intelligence with sharing restrictions, essential for proper dissemination at all levels.
  • "Intelligence-Driven Incident Response" — Scott J. Roberts and Rebekah Brown (O'Reilly, 2017). Covers how different types of intelligence support incident response operations.