
whaust

Thursday, November 21, 2019

Types of Threat Intelligence


  1. Strategic
    1. High-level information on changing risks.
    2. Consumed by high-level executives and management.
  2. Operational
    1. Information on specific incoming attacks.
    2. Consumed by security managers and network defenders.
  3. Tactical
    1. Information on attackers' tactics, techniques, and procedures (TTPs).
    2. Consumed by IT service and SOC managers, administrators.
  4. Technical
    1. Information on specific indicators of compromise.
    2. Consumed by SOC staff and IR teams.

  • Strategic
    • Strategic threat intelligence provides high-level information regarding cyber security posture, threats, and their impact on the business.
    • It is consumed by high-level executives and management of the organization.
    • It is collected from sources such as OSINT, CTI vendors, and ISAOs/ISACs.
    • It is generally in the form of a report that mainly focuses on high-level business strategies.
    • It is used by management to make strategic business decisions and to analyze the effect of such decisions.
  • Tactical
    • Tactical threat intelligence provides information related to the TTPs used by threat actors (attackers) to perform attacks.
    • It is consumed by cyber security professionals such as IT service managers, security operations managers, administrators, and architects.
    • The collection sources for tactical threat intelligence include campaign reports, malware, incident reports, attack group reports, and human intelligence.
    • It is generated in the form of a forensic report that includes highly technical information such as malware, campaigns, techniques, and tools.
    • It helps cyber security professionals understand how adversaries are expected to attack the organization, the technical capabilities and goals of the adversaries, and their attack vectors.
  • Operational
    • Operational threat intelligence provides information about specific threats against the organization.
    • It is consumed by security managers or heads of incident response, network defenders, security forensics, and fraud detection teams.
    • It is collected from sources such as humans, social media, and chat rooms.
    • It is generally in the form of a report that contains identified malicious activities, recommended courses of action, and warnings of emerging attacks.
    • It helps organizations understand the possible threat actors along with their intention, capability, and opportunity to attack, the vulnerable IT assets, and the impact of the attack if it is successful.
    • It helps IR and forensics teams deploy security assets with the aim of identifying and stopping upcoming attacks, improving the capability to detect attacks at an early stage, and reducing their damage to IT assets.
  • Technical
    • Technical threat intelligence provides information about an attacker's resources, such as command and control channels and tools, used to perform the attack.
    • It is consumed by security operations center (SOC) staff and IR teams.
    • It has a shorter lifespan compared to tactical threat intelligence and mainly focuses on specific indicators of compromise.
    • The indicators of technical threat intelligence are collected from active campaigns, attacks performed on other organizations, or data feeds provided by external third parties.
    • Examples of technical threat intelligence include specific IP addresses and domains used by malicious endpoints, phishing email headers, hash checksums of malware, etc.
    • It improves detection mechanisms by adding identified indicators to defensive systems such as IDS/IPS, firewalls, endpoint security systems, etc.
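The Technical bullets above describe indicators that decay quickly and are loaded into detection systems. The following Python script is an added example, not part of the original post: it ages out indicators older than a configurable lifespan, matches the remaining IPs, domains and file hashes against constructed proxy, DNS and EDR log lines, and renders the active set as a simple blocklist. Every indicator value, hash and log line is constructed for the example (documentation-range addresses, a placeholder hash), and the mapping of log fields to indicator types is an assumption about the log format.

```python
"""Match technical threat intelligence indicators against constructed log events."""
from datetime import datetime, timedelta, timezone

# Constructed indicator feed: hypothetical values, not real IoCs.
# last_seen lets stale entries be aged out, since technical intelligence is short-lived.
RAW_INDICATORS = [
    {"type": "ipv4", "value": "203.0.113.45", "last_seen": "2019-11-20T08:00:00Z"},
    {"type": "domain", "value": "update-check.example.net", "last_seen": "2019-11-19T22:15:00Z"},
    {"type": "sha256", "value": "0123456789abcdef" * 4, "last_seen": "2019-11-18T13:40:00Z"},
    # Stale indicator: last seen months ago, should be dropped at a 30-day lifespan.
    {"type": "ipv4", "value": "198.51.100.7", "last_seen": "2019-09-01T00:00:00Z"},
]

# Constructed key=value log lines from a proxy, a DNS resolver and an EDR agent.
SAMPLE_EVENTS = [
    "2019-11-21T09:12:03Z src=proxy client=10.0.0.12 dest=update-check.example.net dst_ip=203.0.113.45",
    "2019-11-21T09:13:44Z src=dns client=10.0.0.15 query=www.example.com answer=93.184.216.34",
    "2019-11-21T09:15:10Z src=edr host=ws-07 file=invoice.exe sha256=" + "0123456789ABCDEF" * 4,
    "2019-11-21T09:20:00Z src=proxy client=10.0.0.20 dest=cdn.example.org dst_ip=198.51.100.7",
]

# Assumed mapping of log fields to the indicator type they should be compared against.
FIELD_TYPES = {"dst_ip": "ipv4", "answer": "ipv4", "dest": "domain", "query": "domain", "sha256": "sha256"}


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_indicators(raw, now, max_age_days=30):
    """Return {type: set(values)}, dropping indicators last seen more than max_age_days ago."""
    cutoff = now - timedelta(days=max_age_days)
    active = {}
    for ind in raw:
        if parse_ts(ind["last_seen"]) < cutoff:
            continue  # expired: keeping it would only produce stale alerts
        active.setdefault(ind["type"], set()).add(ind["value"].lower())
    return active


def parse_event(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields


def match_event(fields, indicators):
    """Return [(field, indicator_type, value)] for every indicator hit in one event."""
    hits = []
    for field, ind_type in FIELD_TYPES.items():
        value = fields.get(field)
        if value is None:
            continue
        value = value.lower()  # hashes and hostnames are compared case-insensitively
        if ind_type == "domain":
            # A domain indicator also covers its subdomains.
            matched = any(value == d or value.endswith("." + d) for d in indicators.get("domain", ()))
        else:
            matched = value in indicators.get(ind_type, ())
        if matched:
            hits.append((field, ind_type, value))
    return hits


def scan_events(lines, indicators):
    """Return [(timestamp, field, indicator_type, value)] across all events."""
    results = []
    for line in lines:
        fields = parse_event(line)
        for field, ind_type, value in match_event(fields, indicators):
            results.append((fields["ts"], field, ind_type, value))
    return results


def to_blocklist(indicators):
    """Render active IPv4 and domain indicators as plain lines a firewall or DNS sinkhole could load."""
    lines = sorted(f"ip {v}" for v in indicators.get("ipv4", ()))
    lines += sorted(f"domain {v}" for v in indicators.get("domain", ()))
    return lines


if __name__ == "__main__":
    now = parse_ts("2019-11-21T10:00:00Z")
    active = load_indicators(RAW_INDICATORS, now)
    for hit in scan_events(SAMPLE_EVENTS, active):
        print("HIT", *hit)
    print("\n".join(to_blocklist(active)))
```

Run as written, the script reports three hits (the proxy request to the listed domain and IP, and the EDR file whose hash matches despite its upper-case spelling) and no hit for the last proxy line, because the indicator for that IP has aged out at the 30-day lifespan; raising `max_age_days` brings it back, which is the trade-off between coverage and stale alerts that the short lifespan of technical intelligence forces.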


