
What is Tactical Threat Intelligence and How Does it Identify Potential Threats?

Posted: 19th September 2018
By: Esteban Borges

With cyber threats evolving at a breakneck pace, understanding the methods and tactics used by attackers to execute cyber attacks is crucial for any organization. Tactical cyber threat intelligence (CTI) provides this understanding by focusing on the specific tactics, techniques, and procedures (TTPs) that attackers use to compromise systems. By leveraging tactical CTI, organizations can not only detect potential threats but also enhance their overall cybersecurity posture.

What Is Tactical Cyber Threat Intelligence?

Cyber threat intelligence can be broken down into four distinct subcategories, each with its own sources, technical complexity, and audience:

While some types are intended for a purely technical audience, others are intended for mixed audiences, and are often consumed by individuals with almost no technical knowledge at all.

Tactical threat intelligence provides information about the tactics, techniques, and procedures (TTPs) used by threat actors to achieve their goals (e.g., to compromise networks, exfiltrate data, and so on). It’s intended to help defenders understand how their organization is likely to be attacked, so they can determine whether appropriate detection and mitigation mechanisms exist or whether they need to be implemented.

An effective threat intelligence program guides security teams and security professionals through the development and execution of a program that enables them to optimize resources and respond effectively to the modern threat landscape.

[Image: What is Tactical Threat Intelligence?]

Unlike strategic threat intelligence, which is almost exclusively non-technical, tactical threat intelligence is intended for a predominantly technical audience, and usually includes some technical context. In particular, tactical intelligence is consumed by personnel directly involved in the defense of an organization, such as system architects, administrators, and security staff, although it does also play a role in higher-level security decision making.

Since threat actor TTPs change all the time, tactical threat intelligence is usually gathered during the course of normal intelligence operations, rather than on request.

Understanding Tactical Threat Intelligence

Tactical cyber threat intelligence provides specific details about cyber threats that are imminent or currently occurring. It involves gathering detailed information about how threat actors operate, which includes understanding their tools, techniques, and processes.

This type of intelligence is highly actionable, offering organizations the information needed to respond to cyber threats in real time. It typically includes data on indicators of compromise (IOCs) such as malicious IP addresses, URLs, file hashes, and email addresses associated with phishing attacks.

How Tactical Threat Intelligence Works

The process of tactical intelligence begins with data collection from various sources. These sources can include open-source intelligence (OSINT), commercial cyber threat intelligence providers, dark web monitoring, and internal telemetry from an organization’s own network. Once the data is collected, it is analyzed to identify patterns and indicators of compromise. This involves using advanced analytics, machine learning, and threat intelligence platforms to correlate data from different sources and extract meaningful insights.

This entire process is part of the threat intelligence lifecycle, which includes stages such as direction, collection, processing, analysis, dissemination, and feedback to ensure continuous improvement and refinement of the intelligence process.

After analysis, the actionable intelligence is disseminated to relevant stakeholders within the organization. This includes security operations centers (SOCs), incident response security teams, and other key personnel responsible for threat mitigation. With the intelligence in hand, organizations can implement measures to respond to the identified threats. This can include updating security controls, blocking malicious IP addresses, patching the latest vulnerabilities, and conducting forensic analysis to understand the scope of an attack.

Gathering Tactical Threat Intelligence

Tactical CTI is typically derived from various sources including open-source intelligence (OSINT), dark web monitoring, malware analysis, and threat group reports. OSINT can include data from news reports, social media, and forums where cybercriminals discuss their methods. Additionally, threat intelligence platforms aggregate data from these sources to provide a comprehensive view of the threat landscape.

For instance, the dark web is a rich source of tactical CTI, where cybercriminals often discuss and trade information about vulnerabilities and attack methods. By monitoring these discussions, organizations can gain insights into emerging threats and prepare accordingly.

Real-World Applications of Tactical Threat Intelligence

In practice, tactical threat intelligence is used in various scenarios to enhance cybersecurity. For instance, in phishing attack prevention, identifying email addresses and URLs used in phishing campaigns allows organizations to block these threats before they reach end-users, reducing the risk of credential theft and other forms of social engineering attacks.

Tactical threat intelligence provides real-time insights and actionable recommendations for dealing with security vulnerabilities and attack techniques. It involves studying past attacks, drawing conclusions about threat actors' tactics, techniques, and procedures (TTPs), and providing context and insight into how adversaries plan, conduct, and sustain campaigns and major operations.

For ransomware defense, tactical threat intelligence can detect early signs of an attack, such as suspicious file hashes or command-and-control (C2) communications. This enables organizations to isolate infected systems and prevent the spread of ransomware. Additionally, monitoring for IOCs related to third-party vendors and partners can help identify threats targeting the supply chain, allowing organizations to take preventive measures and ensure the security of their extended network.
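To make the detection step concrete, the following is an added example (not code from the original post or from Recorded Future) that matches a tactical IOC set of file hashes, C2 domains and IP ranges against host and network telemetry, then counts how many distinct indicator types fire on each host, which is the kind of early sign of an attack the paragraph above describes. Every indicator value, host name and log field in it is constructed for the demonstration; a real pipeline would load indicators from a feed or threat intelligence platform and read events from an EDR or proxy log stream.

```python
"""Match a tactical IOC set against host and network telemetry.

Added example, not code from the original post or from Recorded Future.
Every IOC value, host name and event below is constructed for the
demonstration; a real pipeline would load indicators from a feed or TIP
and read events from an EDR or proxy log stream.
"""
import hashlib
import ipaddress
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed indicator: the SHA-256 of an invented payload, not a real sample.
SAMPLE_HASH = hashlib.sha256(b"constructed sample payload").hexdigest()

# Constructed tactical IOC set. 203.0.113.0/24 is a documentation range.
IOC_SET = {
    "sha256": {SAMPLE_HASH},
    "domain": {"update-check.example.net", "cdn-sync.example.org"},
    "cidr": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed telemetry, one JSON object per line as a log pipeline might emit.
SAMPLE_EVENTS = [
    json.dumps({"ts": "2018-09-19T08:01:02Z", "host": "ws-17", "type": "file",
                "sha256": SAMPLE_HASH.upper(), "path": "C:/Users/a/AppData/svc.exe"}),
    json.dumps({"ts": "2018-09-19T08:01:05Z", "host": "ws-17", "type": "dns",
                "query": "api.UPDATE-CHECK.example.net."}),
    json.dumps({"ts": "2018-09-19T08:01:06Z", "host": "ws-17", "type": "net",
                "dst_ip": "203.0.113.77", "dst_port": 443}),
    json.dumps({"ts": "2018-09-19T08:02:10Z", "host": "ws-04", "type": "dns",
                "query": "www.example.com."}),
    json.dumps({"ts": "2018-09-19T08:02:11Z", "host": "ws-04", "type": "net",
                "dst_ip": "198.51.100.5", "dst_port": 443}),
    "not json at all",  # malformed line: the scanner must skip it, not crash
]


def _domain_hit(query: str) -> Optional[str]:
    """Return the IOC domain that `query` equals or sits under, else None.
    Case and the trailing dot are normalised; a parent domain is not a hit."""
    name = query.rstrip(".").lower()
    for ioc in IOC_SET["domain"]:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def _ip_hit(ip_text: str) -> Optional[str]:
    """Return the IOC network containing `ip_text`, else None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in IOC_SET["cidr"]:
        if ip in net:
            return str(net)
    return None


def match_event(event: dict) -> Optional[dict]:
    """Return an alert record if the event touches an indicator, else None."""
    kind = event.get("type")
    hit, ioc_type = None, None
    if kind == "file":
        digest = event.get("sha256", "").lower()
        if digest in IOC_SET["sha256"]:
            hit, ioc_type = digest, "sha256"
    elif kind == "dns":
        hit, ioc_type = _domain_hit(event.get("query", "")), "domain"
    elif kind == "net":
        hit, ioc_type = _ip_hit(event.get("dst_ip", "")), "ip"
    if hit is None:
        return None
    return {"ts": event.get("ts"), "host": event.get("host"),
            "ioc_type": ioc_type, "ioc": hit}


def scan(lines: Iterable[str]) -> List[dict]:
    """Run every telemetry line through the matcher, skipping malformed input."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = match_event(event)
        if alert:
            alerts.append(alert)
    return alerts


def ioc_types_per_host(alerts: List[dict]) -> Dict[str, int]:
    """Count distinct indicator types per host. A host with a known-bad file,
    a C2 domain lookup and a C2 connection is a far stronger signal than any
    single hit, and is the candidate for isolation."""
    per_host = defaultdict(set)
    for alert in alerts:
        per_host[alert["host"]].add(alert["ioc_type"])
    return {host: len(types) for host, types in per_host.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print(ioc_types_per_host(found))
```

The domain matcher deliberately treats a lookup of the parent domain as a miss and a lookup of any subdomain as a hit, and the hash comparison is case-insensitive, because telemetry sources are inconsistent about both; on the constructed input only ws-17 fires, and it fires on all three indicator types.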

[Image: Threat Intelligence Use Cases]

Sources of Tactical Threat Intelligence

For the typical organization, reports produced by security vendors and other industry players are the most easily accessible source of tactical threat intelligence. In many cases, these reports focus on a specific threat group or attack campaign, and provide key tactical information such as:

  • Locations and industries targeted
  • Attack vectors employed (e.g., spear phishing, SQL injection, etc.)
  • Tools and technical infrastructure used

In some cases, industry-vetted reports can be obtained via intelligence-sharing initiatives such as the Cyber Security Information Sharing Partnership (CiSP).

[Image: Sources of Tactical Threat Intelligence]

While these reports can be extremely valuable, they are produced for a wide audience, and consequently only a small proportion will be relevant to any specific organization. For this reason, industry reports are at best an incomplete source of tactical threat intelligence.

A more thorough and reliable stream of tactical threat intelligence requires an active gathering process, which can include any or all of the following sources:

  • Open source
  • Honeypots and darknets
  • Telemetry data
  • Scanning and crawling
  • Malware analysis
  • Closed source
  • Human relationships

While it is possible to build an in-house collection capability for tactical threat intelligence, it can be costly to do so, and it requires a variety of specialist tools and skills. For most organizations, purchasing tactical threat intelligence from dedicated security vendors is a more realistic proposition.

Discerning Threat Actors' TTPs

Tactical threat intelligence categorizes the various methods and strategies used by threat actors to execute their attacks, providing actionable information about identified attacks in progress. It falls into four primary categories:

  • Attack vectors
  • Tools
  • Infrastructure
  • Forensic Avoidance Strategies

Understanding these categories can help provide a detailed blueprint of how attackers operate, allowing organizations to better prepare and defend against the evolving tactics used by cyber adversaries.

1. Attack Vectors

What types of attack vectors are threat actors using to target organizations in your industry or location? For example, they could be harvesting credentials using targeted spear phishing campaigns, or they could be using documented vulnerabilities to escalate their privileges.

Understanding which attack vectors are being employed against organizations like yours is hugely valuable because it enables defenders to prioritize their time and resources effectively.

Other important questions include:

  • How are they selecting targets?
  • Are they exploiting specific vulnerabilities?
  • How are they moving laterally and/or escalating privileges within target networks?
  • What are their objectives, and which asset classes are they targeting?
  • Have there been any observable patterns of behavior?

2. Tools

Around 32% of cyberattacks have involved data theft and leaks across organizations. So what tools, if any, are threat actors using during the course of their operations (e.g., to compromise target networks, escalate privileges, or exfiltrate data)? This type of information will usually come from post-mortem analyses of successful or unsuccessful attacks, and will ideally include details of the specific malware or exploit kits used.

In addition to providing defenders with clear marching orders, this type of information can also provide insight into a threat group's level of skill and funding.

3. Infrastructure

In addition to the tools they use, it also helps to have an understanding of the wider infrastructure being employed by threat actors. In most cases, this will relate to the data exfiltration portion of an attack, as this typically relies on communication between a point inside a compromised network and an external command and control (C2) server.

While identifying the specific IP addresses of C2 servers is more the domain of technical threat intelligence, tactical threat intelligence will focus more on the communication techniques used, like HTTP or DNS, for example.

Understanding how these communications are conducted enables defenders to determine whether they would be detected and blocked by a network as it currently stands, or if further controls should be employed.
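The question above, whether C2 traffic over HTTP or DNS would be noticed by the network as it stands, is answerable with two simple heuristics, shown here as an added example that is not code from the original post or from Recorded Future. The DNS check flags query names whose subdomain part looks like encoded data (long or high-entropy labels, many distinct subdomains under one base domain), and the HTTP check flags host-to-destination pairs whose requests arrive at nearly constant intervals, the periodic check-in of a beacon. The sample queries and timestamps are constructed, and every threshold is an assumption to be tuned against your own baseline traffic.

```python
"""Heuristics for the two C2 communication techniques named above, DNS
and HTTP. Added example, not from the original post or Recorded Future.
Sample DNS names and request timestamps are constructed; all thresholds
are assumptions that need tuning against a real network's baseline."""
import math
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple


def shannon_entropy(text: str) -> float:
    """Bits per character: ~4.0 for hex or base32 payloads, ~2 for words."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((text.count(c) / n) * math.log2(text.count(c) / n) for c in set(text))


def split_name(qname: str, base_labels: int = 2) -> Tuple[str, List[str]]:
    """Return (base domain, subdomain labels). Assumes a two-label base such
    as example.net; a public-suffix list is needed for names like example.co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= base_labels:
        return ".".join(labels), []
    return ".".join(labels[-base_labels:]), labels[:-base_labels]


def dns_query_suspicious(qname: str, max_label: int = 40,
                         min_entropy: float = 3.5, min_payload: int = 30) -> bool:
    """Flag one query whose subdomain looks like encoded data, not a hostname."""
    _, sub = split_name(qname)
    if not sub:
        return False
    payload = "".join(sub)
    return (max(len(label) for label in sub) > max_label
            or (len(payload) >= min_payload and shannon_entropy(payload) >= min_entropy))


def dns_tunnel_candidates(dns_events: List[Tuple[str, str]],
                          min_unique: int = 5) -> Dict[Tuple[str, str], int]:
    """(client, query name) events -> (client, base domain) pairs with many
    distinct suspicious subdomains, the volume signature of DNS tunnelling."""
    seen = defaultdict(set)
    for client, qname in dns_events:
        if dns_query_suspicious(qname):
            base, sub = split_name(qname)
            seen[(client, base)].add(".".join(sub))
    return {key: len(subs) for key, subs in seen.items() if len(subs) >= min_unique}


def beacon_candidates(net_events: List[Tuple[str, str, float]],
                      min_count: int = 6, max_cv: float = 0.1) -> Dict[Tuple[str, str], float]:
    """(host, destination, epoch seconds) events -> pairs whose inter-request
    gaps are nearly constant (low coefficient of variation), which browsing
    rarely produces but an HTTP beacon with a fixed sleep does."""
    times = defaultdict(list)
    for host, dst, ts in net_events:
        times[(host, dst)].append(ts)
    flagged = {}
    for key, stamps in times.items():
        stamps.sort()
        if len(stamps) < min_count:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[key] = round(cv, 4)
    return flagged


# ---- constructed sample data ----
def _encoded_label(seed: int, length: int = 48) -> str:
    """16 letters cycled: entropy exactly 4.0 bits, like a hex payload."""
    return "".join(chr(ord("a") + (i + seed) % 16) for i in range(length))


def _times(start: float, gaps: List[float]) -> List[float]:
    out = [start]
    for g in gaps:
        out.append(out[-1] + g)
    return out


SAMPLE_DNS = [("ws-17", f"{_encoded_label(i)}.t.example.net.") for i in range(6)] + [
    ("ws-04", "www.example.com."),
    ("ws-04", "cdn-1.static.example.org."),
    ("ws-04", "mail.example.com."),
]
# Epoch seconds are arbitrary; ws-17 checks in every ~60 s, ws-04 browses.
SAMPLE_NET = (
    [("ws-17", "203.0.113.77:443", t) for t in _times(1537344000.0, [60, 61, 59, 60, 60, 61, 59])]
    + [("ws-04", "198.51.100.5:443", t) for t in _times(1537344000.0, [5, 120, 2, 300, 45, 8])]
)

if __name__ == "__main__":
    print(dns_tunnel_candidates(SAMPLE_DNS))
    print(beacon_candidates(SAMPLE_NET))
```

Both heuristics are deliberately coarse: legitimate CDNs and telemetry services also use long, random-looking labels and fixed polling intervals, so in practice the output is a candidate list for an analyst, and the thresholds and an allow-list of known services are what turn it into a usable detection.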

4. Forensic Avoidance Strategies

Finally, what techniques are threat actors using to avoid detection of their tools and actions? Sophisticated threat groups will employ a variety of strategies to delay or avoid detection, and it pays for frontline defenders such as incident response analysts to understand which techniques are in common use.

Offense Shapes Defense

Tactical cyber threat intelligence is evidence-based knowledge about the tactics, techniques, and procedures used by the digital adversary against your organization. It relates to TTPs that are highly likely to be employed against your specific organization. It can (and should) feed directly into your security operations. This can happen in three ways:

1. Informing Improvements to Existing Security Controls and Processes

In perhaps its most obvious use, tactical threat intelligence helps defenders understand how and where they are most likely to be targeted, providing them with a chance to preemptively tighten security controls and processes.

An effective threat intelligence program guides security teams through the development and execution of a program that enables them to optimize resources and respond effectively to the modern threat landscape.

For example, if it’s found that specific threat vectors or exploit kits are being heavily used, defenders can use that information to prioritize specific defense activities or reconfigure firewall rules.

2. Informing Investment Decisions

In some cases, tactical threat intelligence will tell an organization they need to invest more resources in a specific area.

For example, since spear phishing is consistently popular in almost every industry, an organization might choose to invest in better filtering technologies, or enhanced end-user training.

3. Speeding Up Incident Response

While total prevention of incoming attacks is ideal, it can't always be achieved. Not only will some attacks require intervention from first-line responders, but others will inevitably breach your organization's defenses and require immediate action to prevent escalation.

Having an understanding of which TTPs are in common use at any given time dramatically improves an incident response team's ability to identify, prioritize, and remediate serious security incidents.

Is It Working?

Tactical threat intelligence is a key part of modern cybersecurity strategies. Unlike strategic threat intelligence, it’s typically quite easy to measure the ROI of tactical threat intelligence. Whenever an improvement or investment is made, it should be monitored closely to determine its efficacy.

The cyber threat intelligence lifecycle ensures continuous improvement and refinement of the intelligence process through stages such as direction, collection, processing, analysis, dissemination, and feedback.

For example, if your intelligence leads you to implement a new security policy (e.g. DMARC) or change an existing technology, you should be able to easily measure if any serious threats have been prevented as a result.
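Taking the DMARC example above literally, the following added code (not from the original post or from Recorded Future) parses a DMARC TXT record and reports whether it actually enforces a policy and whether it requests the aggregate reports that make its effect measurable. A monitor-only record and an enforcing one are included as constructed samples; the tag names follow RFC 7489.

```python
"""Assess whether a DMARC record enforces a policy and reports back.

Added example, not code from the original post or from Recorded Future.
The two records below are constructed; the tag names follow RFC 7489.
"""
from typing import Dict, List


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> Dict[str, object]:
    """Return whether the record enforces (quarantine/reject on all mail,
    subdomains included) and whether aggregate reports (rua) are requested,
    which is what lets you measure how much spoofed mail the policy stopped."""
    tags = parse_dmarc(txt)
    findings: List[str] = []
    if tags.get("v") != "DMARC1":
        return {"policy": None, "enforcing": False, "measurable": False,
                "findings": ["not a DMARC record"]}
    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        pct = 0
        findings.append("pct is not a number")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: only that share of failing mail gets the policy")
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains spoofable")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so no way to measure the effect")
    enforcing = (policy in ("quarantine", "reject") and pct == 100
                 and subdomain_policy != "none")
    return {"policy": policy, "enforcing": enforcing,
            "measurable": "rua" in tags, "findings": findings}


# Constructed records: the monitor-only starting point and the enforcing target.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                   "rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    for record in (WEAK_RECORD, HARDENED_RECORD):
        print(record, "->", assess_dmarc(record))
```

The point of the `measurable` flag is the one the paragraph makes: a record with `p=reject` but no `rua` address blocks spoofing yet gives you no aggregate reports, so you cannot show how many messages the control actually rejected.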

Unfortunately, since incident response efficacy relies so heavily on human expertise, it’s somewhat more difficult to measure the impact of tactical threat intelligence in this area. In lieu of more concrete metrics, it pays to have a strong feedback loop between frontline defenders and your threat intelligence experts.

Organizations that invest in this will be better protected, more operationally resilient, better able to maintain operational continuity, and better placed to uphold their reputation in an increasingly hostile digital landscape.

To learn more about how Recorded Future’s threat intelligence can help your cybersecurity strategy and security teams, get a personalized demo.

Esteban Borges

Esteban is an IT professional with over 20 years of experience, specializing in hardening systems and networks, leading blue team operations, and conducting thorough attack surface analysis to bolster cybersecurity defenses. He's also a skilled marketing expert, specializing in content strategy, technical SEO, and conversion rate optimization. His career includes roles as Security Researcher and Head of Marketing at SecurityTrails, before joining the team at Recorded Future.
