Tactical, Operational, Strategic Levels of CTI
There are three levels of cyber threat intelligence: tactical, operational, and strategic. They progress from the micro to the macro level in both detail and time frame, and each level involves different goals, tasks, and results.
Tactical CTI
Tactical CTI deals with the what (IoCs, TTPs): the low-level, technical details of individual attacks and attackers. It focuses on the short term.
Tactical CTI is usually produced for the incident response (IR) team, SOC analysts, risk analysts, IT, and IT tools (e.g., SIEM, firewalls, IDS/IPS, endpoints).
Operational CTI
Operational CTI deals with the how and where (TTPs): the mid-level details of attack campaigns and attackers. It’s the middle level between tactical and strategic CTI. It’s less technical than the tactical level, but more technical than the strategic level. It focuses on the medium term.
It helps mid-level decision-makers better understand vulnerabilities, threats, and attacks, to make more informed decisions about defending the organization against specific threats.
Operational CTI is usually produced for the incident response (IR) team, network security team, SOC analysts, threat hunters, vulnerability management team, risk analysts, and managers in IT (e.g., CISO, CIO) and other areas (e.g., PR, HR, legal).
Strategic CTI
Strategic CTI deals with the who (attribution) and why (motive, intent): the high-level, big-picture details about attack trends and the threat landscape. It’s the least technical level. It focuses on the long term.
It helps senior decision-makers make more informed decisions about mitigating risks and defending the organization against general threats.
Strategic CTI is usually produced for organizational leaders (e.g., CEO, CIO, CTO, CFO, other executives) and GRC (governance, risk, and compliance) analysts.