A Security Operations Center (SOC) analyst wants to develop internal indicators of compromise (IOCs). What type of threat intelligence should the analyst use?

Prepare for the WGU ITAS6291 D488 Cybersecurity Architecture and Engineering exam. Use flashcards and multiple-choice questions, each with explanations and guidance. Master your knowledge and excel in your exam!

The most suitable type of threat intelligence for developing internal indicators of compromise (IOCs) is operational threat intelligence. This form of intelligence focuses on the specifics of potential threats that an organization may face and includes details about the tactics, techniques, and procedures (TTPs) used by attackers. Using operational intelligence allows a SOC analyst to create IOCs that are relevant to the environment they are defending, enabling them to identify potential threats more effectively.

Operational threat intelligence is valuable as it provides contextual information about threats that can directly inform defense mechanisms and analytical processes. When analysts create IOCs, they are looking for specific patterns or behaviors that may indicate an ongoing or future attack, which operational intelligence can help define.

In contrast, tactical intelligence deals primarily with the tools and methods that attackers use, which, while informative, may not directly correlate with developing internal IOCs. Strategic intelligence encompasses broader trends and high-level insights about threats, which are less actionable for creating specific internal indicators. Open Source Intelligence (OSINT) is useful for gathering information from publicly available sources but may not have the depth or specificity needed to create internal IOCs tailored to an organization's unique environment and risks.
