How Tactical Threat Intelligence Helps Identify the Enemy
September 19, 2018 • The Recorded Future Team
- Tactical threat intelligence provides information about the specific tactics, techniques, and procedures (TTPs) employed by threat actors to achieve their goals.
- Technical defenders (e.g., system architects and security personnel) and security decision makers are the primary audience for this type of threat intelligence.
- By understanding the attack vectors, tools, infrastructure, and forensic avoidance strategies being used against targets in their industry or location, organizations can more effectively manage defenses and allocate security resources.
Threat intelligence can be broken down into four distinct subcategories, each with its own sources, technical complexity, and audience. While some types are intended for a purely technical audience, others are intended for mixed audiences, and are often consumed by individuals with almost no technical knowledge at all.
In the first installment in a four-part series on the different types of intelligence that make up a comprehensive threat intelligence program, we covered the strategic side.
Today, we’re taking things to a more tactical level.
What Is Tactical Threat Intelligence?
Tactical threat intelligence provides information about the tactics, techniques, and procedures (TTPs) used by threat actors to achieve their goals (e.g., to compromise networks, exfiltrate data, and so on). It’s intended to help defenders understand how their organization is likely to be attacked, so they can determine whether appropriate detection and mitigation mechanisms exist or whether they need to be implemented.
Unlike strategic threat intelligence, which is almost exclusively non-technical, tactical threat intelligence is intended for a predominantly technical audience, and usually includes some technical context. In particular, tactical threat intelligence is consumed by personnel directly involved in the defense of an organization, such as system architects, administrators, and security staff, although it does also play a role in higher-level security decision making.
Since threat actor TTPs change all the time, tactical threat intelligence is usually gathered during the course of normal intelligence operations, rather than on request.
Sources of Tactical Threat Intelligence
For the typical organization, reports produced by security vendors and other industry players are the most easily accessible source of tactical threat intelligence. In many cases, these reports focus on a specific threat group or attack campaign, and provide key tactical information such as:
- Locations and industries targeted
- Attack vectors employed (e.g., spear phishing, SQL injection, etc.)
- Tools and technical infrastructure used
In some cases, industry-vetted reports can be obtained via intelligence-sharing initiatives such as the Cyber Security Information Sharing Partnership (CiSP).
While these reports can be extremely valuable, they are produced for a wide audience, and consequently only a small proportion will be relevant to any specific organization. For this reason, industry reports are at best an incomplete source of tactical threat intelligence.
A more thorough and reliable stream of tactical threat intelligence requires an active gathering process, which can include any or all of the following sources:
- Open source
- Honeypots and darknets
- Telemetry data
- Scanning and crawling
- Malware analysis
- Closed source
- Human relationships
While it is possible to build an in-house collection capability for tactical threat intelligence, it can be costly to do so, and it requires a variety of specialist tools and skills. For most organizations, purchasing tactical threat intelligence from dedicated security vendors is a more realistic proposition.
Discerning Threat Actor TTPs
Tactical threat intelligence falls into four primary categories:
1. Attack Vectors
What types of attack vectors are threat actors using to target organizations in your industry or location? For example, they could be harvesting credentials using targeted spear phishing campaigns, or they could be using documented vulnerabilities to escalate their privileges.
Understanding which attack vectors are being employed against organizations like yours is hugely valuable because it enables defenders to prioritize their time and resources effectively.
Other important questions include:
- How are they selecting targets?
- Are they exploiting specific vulnerabilities?
- How are they moving laterally and/or escalating privileges within target networks?
- What are their objectives, and which asset classes are they targeting?
- Have there been any observable patterns of behavior?
What tools, if any, are threat actors using during the course of their operations (e.g., to compromise target networks, escalate privileges, or exfiltrate data)? This type of information will usually come from post-mortem analyses of successful or unsuccessful attacks, and will ideally include details of the specific malware or exploit kits used.
In addition to providing defenders with clear marching orders, this type of information can also provide insight into a threat group’s level of skill and funding.
In addition to the tools they use, it also helps to have an understanding of the wider infrastructure being employed by threat actors. In most cases, this will relate to the data exfiltration portion of an attack, as this typically relies on communication between a point inside a compromised network and an external command and control (C2) server.
While identifying the specific IP addresses of C2 servers is more the domain of technical threat intelligence, tactical threat intelligence will focus more on the communication techniques used, like HTTP or DNS, for example.
Understanding how these communications are conducted enables defenders to determine whether they would be detected and blocked by a network as it currently stands, or if further controls should be employed.
4. Forensic Avoidance Strategies
Finally, what techniques are threat actors using to avoid detection of their tools and actions? Sophisticated threat groups will employ a variety of strategies to delay or avoid detection, and it pays for frontline defenders such as incident response analysts to understand which techniques are in common use.
Offense Shapes Defense
Since tactical threat intelligence relates to TTPs that are highly likely to be employed against your specific organization, it can (and should) feed directly into your security operations. This can happen in three primary ways:
1. Informing Improvements to Existing Security Controls and Processes
In perhaps its most obvious use, tactical threat intelligence helps defenders understand how and where they are most likely to be targeted, providing them with a chance to preemptively tighten security controls and processes.
For example, if it’s determined that specific threat vectors or exploit kits are in heavy use, defenders can use that information to prioritize specific defense activities or reconfigure firewall settings.
2. Informing Investment Decisions
In some cases, tactical threat intelligence will highlight the need for an organization to invest additional resources in order to address a specific threat.
For example, since spear phishing is consistently popular in almost every industry, an organization might choose to invest in better filtering technologies, or enhanced end-user training.
3. Speeding Up Incident Response
While total prevention of incoming attacks is ideal, it can’t always be achieved. Not only will some attacks require intervention from first-line responders, but others will inevitably breach your organization’s defenses and require immediate action to prevent escalation.
Having an understanding of which TTPs are in common use at any given time dramatically improves an incident response team’s ability to identify, prioritize, and remediate serious security incidents.
Is It Working?
Unlike strategic threat intelligence, it’s typically quite easy to measure the ROI of tactical threat intelligence. Whenever an improvement or investment is made, it should be monitored closely to determine its efficacy.
For example, if your intelligence leads you to implement a new security protocol (e.g., DMARC) or reconfigure an existing technology, it should be a simple matter to determine whether any serious threats have been averted as a result.
Unfortunately, since incident response efficacy relies so heavily on human expertise, it’s somewhat more difficult to measure the impact of tactical threat intelligence in this area. In lieu of more concrete metrics, it pays to have a strong feedback loop between frontline defenders and your threat intelligence experts.
The Guide to Threat Intelligence
Tactical threat intelligence offers huge benefits for both frontline security personnel and security decision makers. For maximum value, though, it should be incorporated into a broader threat intelligence capability that encompasses all four intelligence types.
A recent guide from Gartner explains the various ways that threat intelligence can be used to improve the security profile of a modern organization and shares insight into:
- Definitions of common terminology
- Where, why, and how threat intelligence is commonly used (12 use cases)
- How to align common use cases with your specific requirements
- How to evaluate threat intelligence vendors based on your business needs
To learn more, download your free copy of Gartner’s “Market Guide for Security Threat Intelligence Products and Services.”