In this chapter, we’ll look at how best to structure the cybersecurity data you’ve collected to meet your operational, tactical, and strategic goals. These are the goals we identified in Part 1 of the course.
Feed Your Operational Threat Intelligence
Operational threat intelligence focuses on:
Monitoring IOC feeds: By integrating these indicators into your existing security tools (antivirus, web application firewall, etc.), you can quickly detect suspicious or malicious activity on your network. This means you can respond immediately to minimize damage.
Monitoring new vulnerabilities and associated patches: Keeping up to date with new vulnerabilities affecting your IS means you can react quickly to secure your systems, reducing the risk of compromise.
Monitoring data leaks and attacker groups’ ransom demands on victims: This information helps you detect any risk of compromise to your organization’s inner or outer security perimeter (e.g., publication of sensitive data on data leak sites run by ransomware operators). It supports the need to guarantee the confidentiality of sensitive data.
Feed Your Tactical Threat Intelligence
Tactical threat intelligence focuses on:
Trends in cyber risks and threats: When you understand the emerging trends, you can anticipate the types of attacks that could target your organization and then take preventive action. For example, you can adapt your defense systems when you learn that a group of attackers has expanded its scope and is now targeting a new operating system (OS) that you use in your organization.
Attack techniques adopted by threat actors: By analyzing the methods used by attackers, you can understand more about their intentions and thwart them effectively.
Attackers’ arsenal: By identifying and monitoring key parts of the attackers’ arsenal (such as tools and malware), you can disrupt their operations and defend yourself more effectively.
Emergence and development of malicious tools: Tracking how malware and the tools used by attackers change means you can adapt your defenses accordingly.
Feed Your Strategic Threat Intelligence
Strategic threat intelligence focuses on:
Attackers’ motives: If you understand attackers’ motives, you can predict their potential targets and strengthen your security posture. For example, financial gain is the motive behind a significant number of cyber attacks. The threat actors behind these attacks are typically opportunistic, so their targets are difficult to predict. Consequently, to counter this threat, you need to ensure that you protect your operating system against generic tools and recurring malware, regardless of the sector you operate in. However, you must closely monitor the activities of Advanced Persistent Threat (APT) groups—who typically carry out targeted attack campaigns—to assess the cyber risks specific to your particular business.
Links between attack campaigns and state interests: Identifying links between attacks and state interests gives you a better understanding of attackers’ motives.
National and international regulations: By keeping a close eye on regulatory developments, you can help your organization stay compliant to avoid fines. This information may also help it plan ahead for future compliance work. For example, some of the more recent initiatives to tighten cybersecurity rules include France’s military programming law 2024–2030, the European Union's NIS2 directive and Cyber Resilience Act (CRA). The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was also introduced in the USA to improve responses to cyber incidents and ransomware attacks.
Geopolitics and international issues: Understanding international issues helps you preempt threats linked to international relations.
Recognize the Multiple Goals of Threat Intelligence
In the sections above, I’ve made a point of separating the information you need to collect for each of the different goals. In the real world, the same event can generate three distinct levels of threat intelligence.
For example, intelligence on a specific attack campaign may reveal all three of the following:
The motives of the group of attackers, for example, how they align with the strategic interests of a state (strategic level, with geopolitical implications).
The specific modus operandi of this attack (tactical level, relating to attack techniques or the malware used).
The indicators of compromise (IOCs) associated with this campaign (operational level).
Let’s take the example of Predator spyware, which was used for political purposes in 2023. This article by Sekoia.io describes how this software works and the background of the campaigns detected. It reflects the result of threat intelligence on several levels: operational (listing the IOCs associated with the software, such as domain names), tactical (overview of the attackers’ arsenal), and strategic (analysis of the geopolitical context as it relates to the victimology identified).
The way the various levels of cyber threat intelligence interconnect highlights its intrinsic complexity. This reinforces the need for a holistic approach to ensure effective protection.
Categorize Your Data
Classification and categorization are common methods of sorting collected information. These methods not only help you find relevant information quickly when you need it, but they also make it easier to disseminate.
You can use the following criteria to categorize your information:
Priority and importance
Source type
Reliability and credibility
Subject matter
Geographic or linguistic criteria
Type of media (video, article, social media post, etc.)
Imagine you work for a government agency responsible for cybersecurity. You collect information from various sources, such as incident reports, threat feeds, and discussion forums. To make it easier to manage this data, you categorize it according to priority, source, reliability, subject matter, geography, media type, and so on. If appropriate, consider tagging your sources, creating tree structures, and adding comments about the information you’ve collected.
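The following added example (not part of the original chapter) shows one way to model these categorization criteria in code: each item is tagged with a subject, source type, reliability, priority, region and media type, filed into the operational, tactical or strategic level from the subject matter, and then filtered the way an analyst would search the store. The 1 to 5 reliability and priority scales, the subject names and the sample campaign items are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    OPERATIONAL = "operational"
    TACTICAL = "tactical"
    STRATEGIC = "strategic"


# Subject matter decides the level, following the chapter: IOCs, vulnerabilities and
# data leaks feed operational TI; trends, techniques and the attackers' arsenal feed
# tactical TI; motives, state links, regulation and geopolitics feed strategic TI.
SUBJECT_TO_LEVEL = {
    "ioc": Level.OPERATIONAL, "vulnerability": Level.OPERATIONAL, "data_leak": Level.OPERATIONAL,
    "trend": Level.TACTICAL, "technique": Level.TACTICAL, "arsenal": Level.TACTICAL,
    "motive": Level.STRATEGIC, "state_link": Level.STRATEGIC,
    "regulation": Level.STRATEGIC, "geopolitics": Level.STRATEGIC,
}


@dataclass
class IntelItem:
    summary: str
    subject: str        # subject-matter criterion, one of SUBJECT_TO_LEVEL's keys
    source_type: str    # e.g. "incident report", "threat feed", "forum"
    reliability: int    # constructed scale: 1 (unverified) .. 5 (confirmed)
    priority: int       # constructed scale: 1 (background) .. 5 (act now)
    region: str         # geographic criterion
    media: str          # media type: "article", "video", "social media post", ...
    tags: set = field(default_factory=set)

    @property
    def level(self) -> Level:
        return SUBJECT_TO_LEVEL[self.subject]


def categorize(items):
    """File each item under its CTI level so every consumer sees only its own feed."""
    buckets = {lvl: [] for lvl in Level}
    for item in items:
        buckets[item.level].append(item)
    return buckets


def search(items, min_reliability=1, min_priority=1, tags=(), region=None):
    """Find items matching the categorization criteria (all given tags must be present)."""
    wanted = set(tags)
    return [i for i in items
            if i.reliability >= min_reliability and i.priority >= min_priority
            and wanted <= i.tags and (region is None or i.region == region)]


# Constructed sample: one spyware campaign report yields an item at each of the three levels.
CAMPAIGN = [
    IntelItem("Domain names used by the spyware infrastructure", "ioc", "threat feed", 4, 5, "EU", "feed", {"spyware", "campaign-x"}),
    IntelItem("Overview of the operator's tooling", "arsenal", "vendor report", 4, 3, "EU", "article", {"spyware", "campaign-x"}),
    IntelItem("Campaign victimology aligned with a state's interests", "state_link", "vendor report", 3, 2, "EU", "article", {"spyware", "campaign-x"}),
]
```

Running `categorize(CAMPAIGN)` puts one item in each level's bucket, and `search(CAMPAIGN, min_reliability=4)` keeps only the two well-sourced items, which is the kind of filter a team would apply before disseminating.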
Let’s Recap!
Operational threat intelligence focuses mainly on IOCs, security alerts, vulnerabilities, and data leaks.
Tactical threat intelligence focuses mainly on trends, attack techniques, attacker infrastructure, and developments in malicious tools.
Strategic threat intelligence focuses on attackers’ motives, geopolitical links, regulations, and competitive intelligence.
Threat intelligence can have multiple goals: operational, tactical, and strategic.
To make it easier to find, you need to classify and categorize the information collected according to relevant criteria.
Now let’s take a look at how to process and analyze the information you’ve collected.