What is Technical Threat Intelligence?

Posted: 3rd October 2018
By: Esteban Borges

Technical threat intelligence is the detailed information about potential or current threats gathered from various technical sources. It’s technical data about threat actors’ tools and infrastructure.

Unlike tactical threat intelligence which is about threat actors’ tactics, techniques and procedures (TTPs), technical threat intelligence is about specific indicators of compromise (IOCs) and is designed for rapid distribution and response. Operational threat intelligence focuses on providing real-time insights and recommendations about specific attacks, including the nature, motive, timing, methods, and threat actors involved.

What is Technical Threat Intelligence?

It involves understanding specific threats, studying past attacks, and providing actionable recommendations for dealing with security vulnerabilities and attack techniques. The threat intelligence lifecycle is key to turning raw security data into threat intelligence and involves stages such as direction, collection, processing, analysis, dissemination and feedback.

For example, a threat group targeting a subset of organizations using business email compromise (BEC) campaigns would be tactical threat intelligence, while a set of email subject lines from an observed campaign would be technical intelligence.

Common examples of technical intelligence:

  • Malware hashes (e.g. MD5 or SHA-1)
  • Registry keys or file artifacts from malware samples
  • Subject lines or email content from phishing campaigns
  • Maliciously registered URLs
  • IP addresses of confirmed C2 infrastructure

This type of intelligence has a short shelf life as threat actors adapt their tools and tactics to maximize the effectiveness of attacks.

Examples of Technical Threat Intelligence

What’s Technical Threat Intelligence Used For?

Technical threat intelligence is used to stop cyber threats. Security teams use this intelligence to improve security and drive business strategy. It gives you detailed, actionable data on specific indicators like IP addresses, domain names and malware hashes that you can feed into your security systems.

It helps you block access to and from the infrastructure attackers use against you, respond faster to threats by adjusting your security controls, reduce the risk of breaches and minimize damage.

Sources of Technical Threat Intelligence

Technical indicators are ingested via threat intelligence feeds, which are high volume and usually specific to one type of indicator (e.g. malware hashes or phishing subject lines). Technical intelligence can come from:

  • Reports from various cybersecurity researchers, experts and organizations currently under attack
  • Threat data feeds from multiple third-party sources that collect and share or sell threat data
  • Information shared within cybersecurity networks and communities like forums
  • News articles about current attacks
  • Dark Web forums and marketplaces and insider information from attacked or breached organizations
  • System and network logs if you are the target of an imminent attack

Threat intelligence tools make collecting and aggregating threat data from these sources far more efficient than manual collection.

These threat feeds are produced by various security vendors, industry groups and communities that share intelligence and are ingested via a threat intelligence platform or specialist solution.

Threat intelligence platforms combine external feeds with internal data and have features like rapid assessments, prioritized risk assessments and smart threat intelligence data analysis and visualization. They help manage evolving attack vectors, improve security posture and automate threat hunting.

Types of Technical Threat Intelligence

Technical threat intelligence can be broken down into three types, each helping to improve your organization’s security.

  1. **Network Indicators:** Domain names and URLs for command and control and malware delivery and IP addresses associated with them.
  2. **Host-Based Indicators:** Host-based indicators are derived from the deep inspection of infected systems and include file hashes (e.g. MD5 or SHA-1), file artifacts and registry keys.
  3. **Email Indicators:** Details about phishing and spear-phishing emails used to launch attacks, e.g. sender addresses, subject lines and malicious attachments or links.

Each type of technical threat intelligence serves a purpose in defending against cyber threats. Network indicators help stop external threats getting in. Keeping up to date with emerging threats is key to improving your organization’s security posture.

Threat intelligence platforms help you manage and use different types of technical threat intelligence.

Components of Technical Threat Intelligence

Technical threat intelligence gives you the information to detect, prevent and respond to threats in real time. Cyber threat intelligence platforms help you stay one step ahead of threats by giving you detailed analysis and context about the tactics, techniques and procedures (TTPs) used by the attackers.

Technical threat intelligence (TTI) also helps you understand and remediate attacks and improve your security posture by giving you the intelligence to anticipate threats.

Indicators of Compromise (IoCs)

IoCs are the forensic evidence of an intrusion and are threat data that can be used to detect if a network or system has been breached. These include IP addresses, domain names, file hashes and email addresses associated with malicious activity. Sharing IoCs helps you to detect and remediate threats quickly. This is key to preventing future attacks by understanding the attackers, their motivation and their capability.

Tactics, Techniques and Procedures (TTPs)

**TTPs describe the behavior and methods used by malicious actors to launch cyber attacks, which security professionals should know.** Knowing these patterns helps you to anticipate and defend against threats. TTPs give you a bigger picture of how attacks are done so you can develop your defensive strategy.

Knowing TTPs gives you operational intelligence by giving you real-time insights and threat intelligence to fix security vulnerabilities and attack techniques.

Threat Actor Profiles

Threat profiling means knowing who the threat actors are, what their motivation, capability and targets are. By profiling threat actors, organizations can tailor their defenses to specific threats and improve their overall security posture.

A dedicated cyber threat intelligence team is key to gathering and analyzing data about the attackers, creating and defining roles and disseminating the analysis to stakeholders to improve the organization’s security posture.

Vulnerability Information

Vulnerability information about software and hardware is essential for TTI. Knowing the vulnerabilities and the associated cyber threats helps organizations to prioritize patches and implement compensating controls to reduce the risk of exploitation.

Rules for Using Technical Indicators

It’s easy to get carried away with technical intelligence as there is so much of it. To get the most out of your cyber threat intelligence operation you need to follow three simple rules:

  1. Prioritize Relevance: Focus on indicators that are relevant to your organization’s specific threats and vulnerabilities. This means your efforts are concentrated on the most important data.
  2. Be Timely: Technical intelligence must be up to date to be effective. Out of date information means missed opportunities to defend.
  3. Respond to Immediate Threats: Technical intelligence enables defenders to respond to immediate threats, such as cyber attacks, by giving them actionable threat intelligence that can be actioned quickly. This is key to minimizing damage.

1. Don’t Let Supply Drive Demand

There’s a common myth that “doing threat intelligence” is just a case of using a threat intelligence platform to consume multiple free and paid feeds. When defining the requirements for technical intelligence many organizations go back to some variation of “Consume and react to X, Y and Z feeds”. Unfortunately this will not deliver good results because threat feeds are not designed to meet the needs of specific organizations.

A better requirement would be “Identify artifacts from malware being used to target organizations in our sector”. This will likely require consuming multiple threat feeds and using rules (or a specialist threat intelligence solution) to extract only the indicators relevant to your organization.

2. Automation is Key

Technical intelligence has two key characteristics: It has a short shelf life and it’s available in bulk. Realistically the combination of these two means manual dissemination and use of technical indicators is impossible.

For technical intelligence to be truly valuable there must be a mechanism (e.g. STIX, TAXII or an API) to feed technical indicators directly into security technologies such as firewalls, AVs, IDS, blacklists and email or content filters.
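As an added example covering rules 1 and 2 together (this is not code from the original post): the function below parses a constructed STIX 2.1 bundle of the kind a TAXII collection returns, keeps only indicators that are still valid and tagged for our sector, and turns them into per-type sets ready to push into a firewall or DNS filter. The custom `x_sector` property, the indicator ids and all values are assumptions for the example.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for one page of a TAXII collection.
# The custom "x_sector" property and every value below are assumptions for the example.
FEED_JSON = json.dumps({"type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
  "objects": [
    {"type": "indicator", "id": "indicator--aaaaaaaa-0001-4111-8111-111111111111",
     "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example']",
     "valid_from": "2024-03-01T00:00:00Z", "valid_until": "2024-03-15T00:00:00Z",
     "x_sector": ["finance"]},
    {"type": "indicator", "id": "indicator--aaaaaaaa-0002-4111-8111-111111111111",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "valid_from": "2024-03-01T00:00:00Z", "valid_until": "2024-04-01T00:00:00Z",
     "x_sector": ["finance", "energy"]},
    {"type": "indicator", "id": "indicator--aaaaaaaa-0003-4111-8111-111111111111",  # MD5 of "" as placeholder
     "pattern_type": "stix", "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
     "valid_from": "2024-03-01T00:00:00Z", "x_sector": ["retail"]},
    {"type": "indicator", "id": "indicator--aaaaaaaa-0004-4111-8111-111111111111",
     "pattern_type": "stix", "pattern": "[url:value = 'http://c2.example/a' OR url:value = 'http://c2.example/b']",
     "valid_from": "2024-03-01T00:00:00Z", "x_sector": ["finance"]},
  ]})

# Only single equality comparisons are handled; compound patterns need a real STIX pattern engine.
SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+):([A-Za-z0-9_.]+)\s*=\s*'([^']+)'\]$")

def relevant_indicators(feed_json, sector, now_iso):
    """Return ({stix_object_type: set(values)}, [ids skipped]) for indicators tagged with
    our sector, valid at now_iso (ISO 8601 UTC, which compares lexicographically) and
    expressed as one equality comparison. Compound patterns are reported, not guessed at."""
    keep, skipped = {}, []
    for obj in json.loads(feed_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if sector not in obj.get("x_sector", []):
            continue                      # rule 1: relevance before volume
        if now_iso < obj["valid_from"] or now_iso >= obj.get("valid_until", "9999"):
            continue                      # short shelf life: expired or not yet valid
        m = SIMPLE_PATTERN.match(obj["pattern"])
        if not m:
            skipped.append(obj["id"])     # hand to an analyst instead of silently dropping
            continue
        obj_type, _prop, value = m.groups()
        keep.setdefault(obj_type, set()).add(value)
    return keep, skipped
```

Run with a later `now_iso` and the expired domain drops out on its own, which is the behaviour a blocklist fed by hand never gets.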

3. Don’t forget the past

The primary use of technical intelligence is obvious: To enable defenders to respond to (or, even better, block) immediate threats.

But there’s a secondary use that’s often overlooked: To help identify breaches that have already happened.

You can’t always prevent breaches from happening. When they do happen it’s important to identify and triage them as quickly as possible. Unfortunately according to the Ponemon 2023 Cost of a Data Breach study it takes an average of 204 days for US companies to know they have been breached.

Cross referencing logs from security technologies with the latest technical indicators is a way to identify past breaches and can reduce the cost of remediation by a huge amount.
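The cross-referencing described above, as an added example that is not part of the original post: constructed proxy log lines are matched against indicators that only arrived from a feed later, and for each hit the report shows which internal hosts were involved and how many days the activity predates the indicator. The log layout and all addresses and dates are assumptions.

```python
import re
from datetime import date

# Constructed proxy log lines (assumed layout: timestamp src_ip dst_host dst_ip method status).
HISTORICAL_LOGS = """\
2024-03-02T09:14:05Z 10.0.0.12 updates.example.org 203.0.113.9 GET 200
2024-03-03T11:02:17Z 10.0.0.23 c2.example 198.51.100.7 POST 200
2024-03-05T08:41:33Z 10.0.0.23 c2.example 198.51.100.7 POST 200
2024-03-09T17:22:48Z 10.0.0.41 cdn.example.net 198.51.100.7 GET 200
2024-03-11T13:00:01Z 10.0.0.55 mail.example.com 192.0.2.44 GET 200
"""

# Constructed indicators, each with the date the feed delivered it to us.
INDICATORS = {
    "domain-name": {"c2.example": "2024-03-18"},
    "ipv4-addr": {"198.51.100.7": "2024-03-18"},
}

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def retro_hunt(log_text, indicators):
    """Cross-reference old logs with indicators received later. For every indicator that
    appears, report the internal hosts involved, the earliest contact and how many days
    the activity predates the day the indicator reached us (dwell time no feed could
    have prevented, but which the feed can still surface)."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # unparseable line: skip, never guess fields
        when, src, host, dst, _method, _status = m.groups()
        for kind, value in (("domain-name", host), ("ipv4-addr", dst)):
            received = indicators.get(kind, {}).get(value)
            if received is None:
                continue
            h = hits.setdefault(value, {"hosts": set(), "first_seen": when, "received": received})
            h["hosts"].add(src)
            h["first_seen"] = min(h["first_seen"], when)  # same timestamp format, so string min works
    report = {}
    for value, h in hits.items():
        first = date.fromisoformat(h["first_seen"][:10])
        report[value] = {"hosts": sorted(h["hosts"]), "first_seen": h["first_seen"],
                         "days_before_indicator": (date.fromisoformat(h["received"]) - first).days}
    return report
```

Note that the IP indicator pulls in a second host (10.0.0.41) that never resolved the C2 domain, which is why both network indicator types are checked on every line.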

Technical Threat Intelligence

Technical threat intelligence is about integrating different types of intelligence into your security strategy. A cyber threat intelligence platform plays a key role in automating data collection and analysis, translating foreign language sources and giving granular visibility into threats relevant to your sector.

The security team is key to TTI by collecting and analyzing data, understanding threat actors, building defense strategies and using cyber threat intelligence platforms for a proactive approach.

TTI Program

To use TTI you need to have a dedicated cyber threat intelligence program within your organization’s threat intelligence lifecycle. This program should have skilled analysts, robust data collection and analysis tools and clear processes for sharing and acting on intelligence.

TTI into Existing Frameworks

TTI should be integrated into existing security frameworks (such as the diamond model of intrusion analysis, or the cyber kill chain) and processes such as SIEM systems, IDS and incident response workflows. This will ensure threat intelligence is used effectively and efficiently.

Ongoing Training and Development

The threat landscape is constantly changing so cyber threat intelligence teams need to stay up to date with the latest threat activity. Cyber threat intelligence training and development is key.

Common Objections

A common objection is that malicious actors can just tweak their tools and infrastructure every now and then and avoid detection. Malware hashes are a classic example of this. Even a slight change to a malware sample will give a different hash.

Specifically, critics point out that technical threat intelligence can never be relied upon to identify or block targeted attacks. The tools and infrastructure used in a targeted attack will be custom built for that attack and therefore won’t be detected even by the latest technical indicators.

Remember, in addition to technical threat intelligence there are three other types of intelligence to consider:

  • Strategic — A general view of your organization’s threat landscape
  • Operational — Details of specific attacks or campaigns
  • Tactical — Details of threat actors’ TTPs

Strategic Threat Intelligence provides high-level information designed for non-technical stakeholders, such as senior leadership, executive-level security professionals, and company boards. This type of intelligence offers a comprehensive overview of the latest vulnerabilities, risks, and potential attacks, enabling organizations to make informed decisions to protect against potential threats.

Technical threat intelligence is a powerful tool for mitigating generalized cyber attacks and identifying past breaches or malicious activity. Tactical and operational threat intelligence are great for anticipating and responding to targeted or advanced attacks.

Each of the four types of cyber threat intelligence has its own uses, benefits and drawbacks. Only with all types of threat intelligence can you be prepared for what’s coming.

Cyber Threat Intelligence for Security Professionals

Plugging technical threat intelligence into a wider security strategy allows you to defend and respond to threats proactively. Cyber threat intelligence platforms play a key role in giving you a deeper understanding of the threat landscape by combining detailed technical indicators with broader intelligence.

Security professionals use threat intelligence to enhance security capabilities, drive organizational strategy and inform decision making for security controls. So you’re not just reacting to threats as they happen but preventing them from happening.


Esteban Borges

Esteban is a seasoned security researcher and IT professional with over 20 years of experience, specializing in hardening systems and networks, leading blue team operations, and conducting thorough attack surface analysis to bolster cybersecurity defenses. He's also a skilled marketing expert, specializing in content strategy, technical SEO, and conversion rate optimization. His career includes roles as Security Researcher and Head of Marketing at SecurityTrails, before joining the team at Recorded Future.