How Operational Threat Intelligence Blocks Attacks Before They Happen

September 25, 2018 • The Recorded Future Team

Key Takeaways

  • Operational threat intelligence is about uncovering specific incoming attacks before they happen.
  • Most operational threat intelligence comes from closed sources, although some threat actors discuss their plans via social media or public chat rooms.
  • Correlating cyber activity with real-world events is a powerful and accessible way to produce operational threat intelligence.
  • In many cases it is extremely difficult, illegal, or even functionally impossible to infiltrate or otherwise compromise a group’s communications. As a result, operational threat intelligence should only be pursued as part of a well-rounded threat intelligence capability.

In its ideal form, threat intelligence would provide us with information about specific attacks before they happen, helping us decide exactly what we need to do to stay safe.

But anyone with experience as a threat analyst will tell you that intelligence relating to specific attacks is a rarity. Most threat groups are careful about where and how they discuss their plans, making it extremely difficult for non-government analysts to uncover or intercept them.

However, just because detecting specific attacks isn’t always a central component of threat intelligence programs doesn’t mean it can’t play a role. In fact, there’s a whole field of threat intelligence dedicated to precisely this function.

Already having covered the strategic and tactical sides of threat intelligence earlier in this blog series, today we’re tackling operational threat intelligence.

What Is Operational Threat Intelligence?

Operational threat intelligence relates to specific attacks or campaigns. It helps defenders understand the nature, intent, and timing of a specific attack, and also provides insight into the nature and sophistication of the group(s) responsible. In many cases, however, only partial context can be obtained.

In many ways, true operational threat intelligence is the holy grail of security, providing defenders with an opportunity to put controls in place preemptively and block attacks before they occur. Even partial intelligence can provide key insights into upcoming attacks — for example, by highlighting likely avenues of attack before they are exploited.

Operational threat intelligence is intended for an almost exclusively technical audience (e.g., security operations personnel and managers), so it inevitably includes technical context.

Sources of Operational Threat Intelligence

Since operational threat intelligence relates to specific attack plans, there are really only two ways to obtain it:

  1. Cultivating human sources within an active threat group, most likely through recruitment or infiltration
  2. Intercepting or otherwise compromising a threat group’s communications

Unsurprisingly, then, of the four primary categories of threat intelligence, operational threat intelligence is most likely to come from closed sources. While some groups do communicate using open channels (e.g., social media, open IRC channels, etc.) most take a more secretive approach.

Some of the most common sources include:

  • Internet chat rooms (both open and private) often hosted on IRC servers
  • Social media
  • Public and private forums hosted on both the open and dark web

While less sophisticated threat groups — particularly those with ideological motivations — are content to discuss their plans via relatively unprotected channels, more serious criminal operations are far more likely to take precautions.

Which brings us on to an important point: Since operational threat intelligence relates to the activity and communications of specific individuals and groups, its collection raises a number of legal and ethical considerations.

Correlating Attacks With Activity

Thankfully, there is one source of operational threat intelligence that comes almost completely free from legal and ethical considerations: analysis of activity-related attacks.

Just like in the world of physical security, some recurring cyberattacks are related to real-world events, such as media coverage or the activity of an organization and its partners or customers. Ideological groups are particularly likely to engage in repeat attacks and have often used brute-force tactics such as DDoS campaigns in response to certain triggers.

By studying past activity, threat analysts can often correlate attacks with specific trigger events, and ultimately provide advance warning of likely future attacks.

4 Barriers to Collecting Operational Threat Intelligence

In the course of collecting and analyzing operational threat intelligence, threat analysts are likely to come across four primary barriers:

  1. Access: Most threat groups take at least some precautions when discussing their plans and do their best to maintain secrecy. Not only are there ethical and legal implications to consider, but it’s also important to recognize that in many cases it simply won’t be possible to gain access to a group’s communications.
  2. Language: On a similar note, many serious threat groups are located in non-English speaking countries and communicate using their native languages. This can add to the expense of uncovering operational threat intelligence, although this hurdle can be overcome with the use of a natural language processing (NLP) engine such as the one incorporated into Recorded Future.
  3. Too Much Noise: Many common sources of operational threat intelligence such as chat rooms and social media are naturally high volume, making manual monitoring unfeasible. Once again, the technology incorporated into powerful threat intelligence solutions helps to mitigate this hurdle.
  4. Obfuscation Tactics: As we’ve already noted, many threat groups go to great lengths to hide their intentions from prying eyes. Common obfuscation tactics include the use of proprietary codes in place of target names and/or types of attack, and the regular changing of individual aliases.

Overcoming the Hurdle

Predicting (and hopefully preventing) incoming attacks is what threat intelligence is all about — but because it isn’t easy to infiltrate threat groups or intercept their communications, producing true operational threat intelligence is a relatively rare feat for most organizations. But there are ways to start the process.

Monitoring open channels such as social media and chat rooms, for example, requires minimal effort (assuming you have the right technology in place) and can provide valuable insights into upcoming attacks. At the same time, working to identify the real-world events that trigger cyber activity can profoundly improve your ability to anticipate repeat attacks.

Ultimately, though, the challenges presented by the creation of operational threat intelligence mean that most organizations should pursue it as just one part of a wider intelligence program that focuses primarily on more general trends in their threat landscape.

The Guide to Threat Intelligence

So what does a well-rounded threat intelligence program look like?

As we’ve already seen, threat intelligence is a widely misunderstood discipline, and with so many solutions available, organizations often struggle to determine the best route forward.

To help you get started, a recent guide from Gartner explains how threat intelligence can be used to improve the security profile of a modern organization. The guide includes:

  • Definitions of common terminology
  • Where, why, and how threat intelligence is commonly used (12 use cases)
  • How to align common use cases with your specific requirements
  • How to evaluate threat intelligence vendors based on your business needs

To learn more, download your free copy of Gartner’s “Market Guide for Security Threat Intelligence Products and Services.”