September 25, 2018 • The Recorded Future Team
In its ideal form, threat intelligence would provide us with information about specific attacks before they happen, helping us decide exactly what we need to do to stay safe.
But anyone with experience as a threat analyst will tell you that intelligence relating to specific attacks is a rarity. Most threat groups are careful about where and how they discuss their plans, making it extremely difficult for non-government analysts to uncover or intercept them.
However, just because detecting specific attacks isn’t always a central component of threat intelligence programs doesn’t mean it can’t play a role. In fact, there’s a whole field of threat intelligence dedicated to precisely this function.
Operational threat intelligence relates to specific attacks or campaigns. It helps defenders understand the nature, intent, and timing of a specific attack, and also provides insight into the nature and sophistication of the group(s) responsible. In many cases, however, only partial context can be obtained.
In many ways, true operational threat intelligence is the holy grail of security, providing defenders with an opportunity to put controls in place preemptively and block attacks before they occur. Even partial intelligence can provide key insights into upcoming attacks — for example, by highlighting likely avenues of attack before they are exploited.
Operational threat intelligence is intended for an almost exclusively technical audience (e.g., security operations personnel and managers), so it inevitably includes technical context.
Since operational threat intelligence relates to specific attack plans, there are really only two ways to obtain it:
Unsurprisingly, then, of the four primary categories of threat intelligence, operational threat intelligence is the most likely to come from closed sources. While some groups do communicate over open channels (e.g., social media, open IRC channels, etc.), most take a more secretive approach.
Some of the most common sources include:
While less sophisticated threat groups — particularly those with ideological motivations — are content to discuss their plans via relatively unprotected channels, more serious criminal operations are far more likely to take precautions.
This brings us to an important point: Since operational threat intelligence relates to the activity and communications of specific individuals and groups, its collection raises a number of legal and ethical considerations.
Thankfully, there is one source of operational threat intelligence that is almost entirely free of legal and ethical considerations: analysis of attacks tied to real-world activity.
Just like in the world of physical security, some recurring cyberattacks are related to real-world events, such as media coverage or the activity of an organization and its partners or customers. Ideological groups are particularly likely to engage in repeat attacks and have often used brute-force tactics such as DDoS campaigns in response to certain triggers.
By studying past activity, threat analysts can often correlate attacks with specific trigger events, and ultimately provide advance warning of likely future attacks.
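The correlation described above can be done with nothing more than an incident log and a calendar of the organization's own public events. The script below is an added example, not code from the original post or from Recorded Future; the trigger events and the incident log are constructed sample data, and the three-day window and the minimum lift of 2x are assumptions a team would tune to its own history. It measures, per trigger category, how often a DDoS incident followed within the window, compares that to the background rate of DDoS over the observed period, and emits an advance warning only for categories whose hit rate stands well above background.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data, not taken from the article. Trigger events are
# tagged "category: detail"; incidents are (date, attack type, peak Gbps).
TRIGGERS = [
    ("2018-03-02", "press coverage: partner contract announced"),
    ("2018-05-14", "press coverage: executive interview"),
    ("2018-07-09", "press coverage: acquisition announced"),
    ("2018-08-20", "product launch: new customer portal"),
]
INCIDENTS = [  # assumed to be sorted by date
    ("2018-02-10", "ddos", 4),
    ("2018-03-03", "ddos", 40),
    ("2018-03-04", "ddos", 35),
    ("2018-05-15", "ddos", 50),
    ("2018-06-30", "phishing", 0),
    ("2018-07-10", "ddos", 60),
    ("2018-08-21", "phishing", 0),
]


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")


def _category(label):
    return label.split(":", 1)[0].strip()


def lags_by_category(triggers, incidents, kind="ddos", window_days=3):
    """For each trigger category, list the lag in days of every `kind`
    incident that occurred 0..window_days after a trigger of that category."""
    lags = {}
    for tdate, label in triggers:
        cat = _category(label)
        lags.setdefault(cat, [])  # keep categories that never saw a hit
        t = _day(tdate)
        for idate, ikind, _ in incidents:
            lag = (_day(idate) - t).days
            if ikind == kind and 0 <= lag <= window_days:
                lags[cat].append(lag)
    return lags


def hit_rates(triggers, incidents, kind="ddos", window_days=3):
    """Fraction of triggers in each category followed by at least one
    `kind` incident within the window."""
    counts = defaultdict(lambda: [0, 0])  # [triggers seen, triggers with a hit]
    for tdate, label in triggers:
        cat = _category(label)
        t = _day(tdate)
        counts[cat][0] += 1
        if any(ikind == kind and 0 <= (_day(idate) - t).days <= window_days
               for idate, ikind, _ in incidents):
            counts[cat][1] += 1
    return {cat: hit / seen for cat, (seen, hit) in counts.items()}


def base_rate(incidents, kind="ddos", window_days=3):
    """Rough chance that a window of the same length placed anywhere in the
    observed period contains a `kind` incident. A category's hit rate only
    means something if it sits well above this background figure."""
    attack_days = {d for d, k, _ in incidents if k == kind}
    span = (_day(incidents[-1][0]) - _day(incidents[0][0])).days + 1
    return min(1.0, len(attack_days) * (window_days + 1) / span)


def advance_warning(category, triggers, incidents, kind="ddos",
                    window_days=3, min_lift=2.0):
    """Return a warning string if past triggers of `category` were followed
    by `kind` attacks at well above base rate, otherwise None."""
    rate = hit_rates(triggers, incidents, kind, window_days).get(category, 0.0)
    base = base_rate(incidents, kind, window_days)
    if rate == 0.0 or rate / base < min_lift:
        return None
    lags = lags_by_category(triggers, incidents, kind, window_days)[category]
    return (f"{category}: {rate:.0%} of past events were followed by {kind} "
            f"within {min(lags)}-{max(lags)} day(s); base rate {base:.0%}")


if __name__ == "__main__":
    for cat in sorted({_category(lbl) for _, lbl in TRIGGERS}):
        print(advance_warning(cat, TRIGGERS, INCIDENTS) or f"{cat}: no pattern")
```

With the sample data, every past press event was followed by a DDoS within one to two days while the product launch was not, so only "press coverage" produces a warning; the next scheduled press event is the point at which to raise DDoS mitigation capacity in advance. Treat the output as a hypothesis to review rather than proof: four triggers is a small sample, and the base-rate comparison is there precisely to keep one coincidence from becoming a standing alert.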
In the course of collecting and analyzing operational threat intelligence, threat analysts are likely to come across four primary barriers:
Predicting (and hopefully preventing) incoming attacks is what threat intelligence is all about — but because it isn’t easy to infiltrate threat groups or intercept their communications, producing true operational threat intelligence is a relatively rare feat for most organizations. But there are ways to start the process.
Monitoring open channels such as social media and chat rooms, for example, requires minimal effort (assuming you have the right technology in place) and can provide valuable insights into upcoming attacks. At the same time, working to identify the real-world events that trigger cyber activity can profoundly improve your ability to anticipate repeat attacks.
Ultimately, though, the challenges presented by the creation of operational threat intelligence mean that most organizations should pursue it as just one part of a wider intelligence program that focuses primarily on more general trends in their threat landscape.
So what does a well-rounded threat intelligence program look like?
As we’ve already seen, threat intelligence is a widely misunderstood discipline, and with so many solutions available, organizations often struggle to determine the best route forward.
To help you get started, a recent guide from Gartner explains how threat intelligence can be used to improve the security profile of a modern organization. The guide includes:
To learn more, download your free copy of Gartner’s “Market Guide for Security Threat Intelligence Products and Services.”