Network Monitoring And Management

What Are The Three Types Of Cyber Threat Intelligence?

There are three classes of cyber threat intelligence – tactical, operational, and strategic – but what is the difference? Who is this information for? And how is it presented?

What Are The Three Types of CTI

Cyber threat intelligence (CTI) is a way of making sense of data to understand the specific details of your cybersecurity set up. The larger your organization is, the more complex your security infrastructure will be. This can make it difficult to have complete oversight of your entire network. CTI is a way of identifying the risks facing your network, highlighting potential future threats, and assessing the remediation methods your organization has.

This intelligence can be understood on three different levels – strategic, operational, and tactical:

Tactical intelligence is designed to combat specific threats when and where they happen. It is collected in real-time, as security incidents occur, and informs how your security tools – SIEM, firewall, EDR, etc. – will enact remediation.

Operational intelligence is one step more removed. It takes an overview of potential threats to gauge risk and to oversee remediation methods. This includes information on where an attack may come from, and how likely the attack is to happen. This intelligence might affect remediation policies, and the configuration of specific tools to block potential threats before they become active.

Strategic intelligence is a high-level overview of your organization’s threat landscape in terms of geographic, political, and business trends. This type of intelligence will present broad trends and identify if new security tools are needed, and is usually presented to key decision makers in an organization, such as C-level executives.

This article will explain specific features of each of the three intelligence types. In each case, it is worth considering who the intelligence is formatted for, and what type of action can be taken in response to this information. But first, it is worth reminding ourselves of what CTI is.

What Is CTI?

CTI provides a set of actionable insights that allow a predetermined stakeholder to understand the threats that a network or organization faces. Information will be gathered from a range of data points across the network – the exact nature of these depends on the questions that need to be answered. Data points might include IP addresses, time stamps, interviews with experts, percentages, or rates of attack. 

The format that the information is presented in will be tailored to suit the relevant stakeholder and highlight the actions that they can take to mitigate the risk. This ensures that information is relevant and can readily inform remediation actions that are appropriate for that stakeholder.

For a more in-depth explanation of how CTI works, you can read our article here.

Tactical Cyber Threat Intelligence

Tactical CTI focuses on identifying a specific threat in real-time, and enabling you to respond to it appropriately.

Who Is This Information For?

Tactical threat intelligence is formatted so that it is useful for users who will be responsible for identifying and remediating threats daily. These users will be security professionals with an in-depth knowledge of how cybersecurity solutions are implemented, and the process of remediating a threat. 

What Is This Information Used For?

Tactical CTI is used to proactively resolve issues and cyber events as they occur on your network. Tactical intelligence informs users of tactics, techniques, and procedures (TTPs) used by malicious actors. This information can be used to predict how an attack will evolve and perform remediation methods.

Tactical intelligence will highlight the detailed behavior of an attack and identify opportunities for nullifying the threat. Tactical intelligence does a lot of the “groundwork” in resolving specific, identified threats, rather than intervening with abstract, potential risks.

The Level Of Information

Tactical intelligence covers specific details of threats and areas that have been compromised – indicators of compromise (IOCs) will be particularly valuable here. The level of detail will be granular, and specific to attack incidences and devices within your network. TTPs will be explained in relation to specific IP addresses and devices. Remediation efforts will be on the code level. 

What Type Of Intelligence Is Gathered?

  • Malware signatures
  • IP and URL blacklists
  • Traffic patterns
  • Log files
  • Credentials from APTs
  • Ransomware and Phishing campaign data

Case Study

A SOC manager receives an alert telling them that a user has been automatically locked out of their account due to suspicious activity. The SOC is able to pull up the details of this behavior and decide whether to restore account access or investigate further. 

They see that a user is reported to have logged in from Berlin, while their usual office is in New York. There is no reason for this user to be in Berlin, therefore the manager can block access as the login was probably fraudulent. They can use a secure method of resetting the user’s accounts, ensuring that a new password (or other authentication method) is not compromised.

Operational (Technical) Cyber Threat Intelligence

Operational CTI focuses on identifying potential threats, and how likely they are to affect your organization.

Who Is This Information For?

This type of information is necessary for security managers, or network defense teams. These users will have a degree of oversight into their threat landscape, but will still need many of the specific, technical details regarding potential attacks. Intelligence will need to explain attack mechanisms and intent, whilst contextualizing a specific attack within broader trends. 

What Is This Information Used For?

This intelligence will be used to configure policies and to ensure that security solutions are tailored appropriately to block attacks that are likely to happen. This information will provide actionable insights that have a direct, and immediate impact on your cybersecurity set up. 

Intelligence will be updated and reviewed daily, or, at least, every few days, to ensure your cybersecurity infrastructure is working as it should. Rather than being responsible for remediating active attacks, this intelligence can be used to identify threats as they arise, and before they become attacks. 

The Level Of Information

Operational intelligence will give insights that inform how a cybersecurity defense strategy should look. It will help organizations ensure that plans and policies are relevant and tuned to stop a broad range of the most potent threats. 

This information is designed for individuals who hold a managerial role – they will be responsible for the threat hunters themselves. They will also aim to collate and understand vulnerabilities to identify any weaknesses and prevent future attacks.

What Type Of Intelligence Is Gathered?

  • Command and control channels
  • Details related to specific implementation of malware
  • File names
  • Malicious traffic
  • Suspicious IP addresses and domains
  • Tools used for attacks
  • URLs

Case Study

A SOC team meets in the morning to assess the latest intelligence and decide if any changes need to be implemented. They can see that their EDR solution has engaged a hostile actor overnight. From the data, they can see that the attacker was able to gain access through an application that has not been updated.

The SOC team can ensure that all devices on the network have the latest update (or patch) installed, to protect users from this vulnerability. They might also decide to review how the organization interacts with that application and consider if any of the security settings need to be altered. Perhaps MFA should be required, or only privileged users should have access. 

Strategic Cyber Threat Intelligence

Strategic CTI identifies who is targeting an organization and why they are doing so. 

Who Is This Information For?

Strategic threat intelligence is presented to high-level decision makers within an organization. This might be the executive board, C-level executives, and other decision makers responsible for the direction of the organization.

What Is This Information Used For?

Individuals will use this intelligence to plan cybersecurity budgets and decide how to best allocate resources. They will take advice from technical experts but might have organizational responsibilities that stretch beyond the cybersecurity infrastructure to other aspects of the organization.

The Level Of Information

These individuals will want to understand broad trends, risk areas, and the repercussions of a cybersecurity threat. There is no need for them to understand the details of how a solution is implemented or specific system requirements needed to block a threat, so long as it is effective. Details of emerging threats within the organization’s industry or region will be relevant to these individuals as they will be able to decide whether to invest in further security. 

Information is not limited to the internal network but will consider threats that your organization faces as a whole. This might include examining website, email, communications, and social media accounts to ensure your organization is protected from cyberattacks, as well as ensuring your brand integrity is not undermined. As these decisions take time to enact, these individuals might require updates quarterly or half-yearly.

What Type Of Intelligence Is Gathered?

  • New attack types
  • Economic and business impact of attacks and compromise
  • Regulatory and compliance legislation
  • Attack trends
  • Organizational vulnerabilities
  • Vulnerabilities and attacks on similar organizations

Case Study

At the end of the quarter, an organization’s executive board will review cyber threat intelligence that has been gathered over the past three months. They can see that the secure email gateway (SEG) has been effectively blocking 97% of malicious emails. This suggests that the SEG is operating well. However, they might also notice that there have been instances where attackers have attempted to gain access through MFA fatigue attacks. 

In response, the board may decide to invest in security awareness training (SAT), to ensure all their staff are aware of the risks of a cyberattack and are able to respond appropriately. They might also decide that there should be a maximum of five MFA notifications before the user is locked out, to prevent an MFA fatigue attack succeeding. This instruction will be relayed to the SOC team, or IT managers who can enact this change.


CTI is an invaluable tool for ensuring that your organization is as secure as it can be. It enables organizations to have greater oversight of the vulnerabilities that they are open to. By carrying out CTI analysis regularly, you will be able to track how your security infrastructure adapts and identify weaknesses straight away. Ensuring that relevant information is given to the relevant users allows policies to be adapted, threats mediated, and investments made swiftly and efficiently.

While it’s possible to collect, analyze and action cyber threat intelligence manually, it can be a cumbersome task to delegate to an already overworked security team. However, there are a range of solutions out there designed to aggregate threat data and analyze that data to provide actionable intelligence for you. 

To read more about The Top 10 Cyber Security Intelligence Solutions, you can read our article here.