How Tactical Threat Intelligence Helps Identify the Enemy

Posted: 19th September 2018

Key Takeaways

  • Tactical threat intelligence provides information about the specific tactics, techniques, and procedures (TTPs) employed by threat actors to achieve their goals.
  • Technical defenders (e.g., system architects and security personnel) and security decision makers are the primary audience for this type of threat intelligence.
  • By understanding the attack vectors, tools, infrastructure, and forensic avoidance strategies being used against targets in their industry or location, organizations can more effectively manage defenses and allocate security resources.

Cyber threat intelligence can be broken down into four distinct subcategories, each with its own sources, technical complexity, and audience. While some types are intended for a purely technical audience, others are intended for mixed audiences, and are often consumed by individuals with almost no technical knowledge at all.

Employing the cyber threat intelligence cycle across these subcategories can help in standardizing the process of collecting, analyzing, and disseminating intelligence, ensuring that regardless of technical expertise, all stakeholders have access to actionable and contextualized threat information.

In the first installment in a four-part series on the different types of intelligence that make up a comprehensive threat intelligence program, we covered the strategic side.

Today, we’re taking things to a more tactical level.

What Is Tactical Threat Intelligence?

Tactical threat intelligence provides information about the tactics, techniques, and procedures (TTPs) used by threat actors to achieve their goals (e.g., to compromise networks, exfiltrate data, and so on). It’s intended to help defenders understand how their organization is likely to be attacked, so they can determine whether appropriate detection and mitigation mechanisms exist or whether they need to be implemented.

Unlike strategic threat intelligence, which is almost exclusively non-technical, tactical threat intelligence is intended for a predominantly technical audience, and usually includes some technical context. In particular, tactical threat intelligence is consumed by personnel directly involved in the defense of an organization, such as system architects, administrators, and security staff, although it does also play a role in higher-level security decision making.

Since threat actor TTPs change all the time, tactical threat intelligence is usually gathered during the course of normal intelligence operations, rather than on request.

Sources of Tactical Threat Intelligence

For the typical organization, reports produced by security vendors and other industry players are the most easily accessible source of tactical threat intelligence. In many cases, these reports focus on a specific threat group or attack campaign, and provide key tactical information such as:

  • Locations and industries targeted
  • Attack vectors employed (e.g., spear phishing, SQL injection, etc.)
  • Tools and technical infrastructure used

In some cases, industry-vetted reports can be obtained via intelligence-sharing initiatives such as the Cyber Security Information Sharing Partnership (CiSP).

While these reports can be extremely valuable, they are produced for a wide audience, and consequently only a small proportion will be relevant to any specific organization. For this reason, industry reports are at best an incomplete source of tactical threat intelligence.

A more thorough and reliable stream of tactical threat intelligence requires an active gathering process, which can include any or all of the following sources:

  • Open source
  • Honeypots and darknets
  • Telemetry data
  • Scanning and crawling
  • Malware analysis
  • Closed source
  • Human relationships

While it is possible to build an in-house collection capability for tactical threat intelligence, it can be costly to do so, and it requires a variety of specialist tools and skills. For most organizations, purchasing tactical threat intelligence from dedicated security vendors is a more realistic proposition.

Discerning Threat Actor TTPs

Tactical threat intelligence falls into four primary categories:

1. Attack Vectors

What types of attack vectors are threat actors using to target organizations in your industry or location? For example, they could be harvesting credentials using targeted spear phishing campaigns, or they could be using documented vulnerabilities to escalate their privileges.

Understanding which attack vectors are being employed against organizations like yours is hugely valuable because it enables defenders to prioritize their time and resources effectively.

Other important questions include:

  • How are they selecting targets?
  • Are they exploiting specific vulnerabilities?
  • How are they moving laterally and/or escalating privileges within target networks?
  • What are their objectives, and which asset classes are they targeting?
  • Have there been any observable patterns of behavior?

2. Tools

What tools, if any, are threat actors using during the course of their operations (e.g., to compromise target networks, escalate privileges, or exfiltrate data)? This type of information will usually come from post-mortem analyses of successful or unsuccessful attacks, and will ideally include details of the specific malware or exploit kits used.

In addition to providing defenders with clear marching orders, this type of information can also provide insight into a threat group’s level of skill and funding.

3. Infrastructure

In addition to the tools they use, it also helps to have an understanding of the wider infrastructure being employed by threat actors. In most cases, this will relate to the data exfiltration portion of an attack, as this typically relies on communication between a point inside a compromised network and an external command and control (C2) server.

While identifying the specific IP addresses of C2 servers is more the domain of technical threat intelligence, tactical threat intelligence focuses on the communication techniques used, such as HTTP or DNS.

Understanding how these communications are conducted enables defenders to determine whether they would be detected and blocked by a network as it currently stands, or if further controls should be employed.
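The check described above, whether C2 traffic over a protocol such as DNS would be noticed by the network as it stands, as an added example that is not part of the original post: a Python heuristic run over a constructed DNS query log, flagging clients that repeatedly resolve long, high-entropy subdomains under one parent domain. The thresholds and the two-label parent-domain extraction are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (timestamp client qname); not real traffic.
# Domains are reserved example.* names; 10.0.0.7 plays the beaconing host.
SAMPLE_LOG = """\
2018-09-19T10:00:01Z 10.0.0.5 www.example.com
2018-09-19T10:00:02Z 10.0.0.5 mail.example.com
2018-09-19T10:00:03Z 10.0.0.7 4f2a9c1e7b3d8a0f5c6e.cdn.example.net
2018-09-19T10:00:04Z 10.0.0.7 9e1b3d7f2a4c8e0b6d5a.cdn.example.net
2018-09-19T10:00:05Z 10.0.0.7 c7d2e4f1a9b8c3d6e0f5.cdn.example.net
2018-09-19T10:00:06Z 10.0.0.7 1a2b3c4d5e6f7a8b9c0d.cdn.example.net
2018-09-19T10:00:07Z 10.0.0.5 static.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded/random labels score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_domain(qname: str) -> str:
    """Crude parent-domain extraction (last two labels). Assumption for this
    example; production code would consult the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_dns_tunnel_candidates(log_text, min_len=16, min_entropy=3.0, min_hits=3):
    """Return {(client, parent_domain): hits} for clients that repeatedly
    query long, high-entropy leftmost labels under a single parent domain."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or truncated lines
        _ts, client, qname = parts
        label = qname.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits[(client, registered_domain(qname))] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for (client, domain), n in find_dns_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {n} suspicious queries")
```

Tune the thresholds against a baseline of your own resolver logs before alerting on them; CDNs and some security products also generate long, random-looking labels.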

4. Forensic Avoidance Strategies

Finally, what techniques are threat actors using to avoid detection of their tools and actions? Sophisticated threat groups will employ a variety of strategies to delay or avoid detection, and it pays for frontline defenders such as incident response analysts to understand which techniques are in common use.

Offense Shapes Defense

Since tactical threat intelligence relates to TTPs that are highly likely to be employed against your specific organization, it can (and should) feed directly into your security operations. This can happen in three primary ways:

1. Informing Improvements to Existing Security Controls and Processes

In perhaps its most obvious use, tactical threat intelligence helps defenders understand how and where they are most likely to be targeted, providing them with a chance to preemptively tighten security controls and processes.

For example, if it’s determined that specific threat vectors or exploit kits are in heavy use, defenders can use that information to prioritize specific defense activities or reconfigure firewall settings.

2. Informing Investment Decisions

In some cases, tactical threat intelligence will highlight the need for an organization to invest additional resources in order to address a specific threat.

For example, since spear phishing is consistently popular in almost every industry, an organization might choose to invest in better filtering technologies, or enhanced end-user training.

3. Speeding Up Incident Response

While total prevention of incoming attacks is ideal, it can’t always be achieved. Not only will some attacks require intervention from first-line responders, but others will inevitably breach your organization’s defenses and require immediate action to prevent escalation.

Having an understanding of which TTPs are in common use at any given time dramatically improves an incident response team’s ability to identify, prioritize, and remediate serious security incidents.

Is It Working?

Unlike with strategic threat intelligence, the ROI of tactical threat intelligence is typically quite easy to measure. Whenever an improvement or investment is made, it should be monitored closely to determine its efficacy.

For example, if your intelligence leads you to implement a new security protocol (e.g., DMARC) or reconfigure an existing technology, it should be a simple matter to determine whether any serious threats have been averted as a result.

Unfortunately, since incident response efficacy relies so heavily on human expertise, it’s somewhat more difficult to measure the impact of tactical threat intelligence in this area. In lieu of more concrete metrics, it pays to have a strong feedback loop between frontline defenders and your threat intelligence experts.

The Guide to Threat Intelligence

Tactical threat intelligence offers huge benefits for both frontline security personnel and security decision makers. For maximum value, though, it should be incorporated into a broader threat intelligence capability that encompasses all four intelligence types.

A recent guide from Gartner explains the various ways that threat intelligence can be used to improve the security profile of a modern organization and shares insight into:

  • Definitions of common terminology
  • Where, why, and how threat intelligence is commonly used (12 use cases)
  • How to align common use cases with your specific requirements
  • How to evaluate threat intelligence vendors based on your business needs

To learn more, download your free copy of Gartner’s “Market Guide for Security Threat Intelligence Products and Services.”