Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

CISO Perspective: How Tactical Cyber Threat Intelligence Fits Into Your Security Program

In this series on the threat intelligence mind map, as we’ve drilled into different levels of intel we started with strategic cyber threat intelligence and

In this series on the threat intelligence mind map, as we’ve drilled into different levels of intel we started with strategic cyber threat intelligence and moved onto operational threat intelligence before now arriving at the tactical level. The reason for this approach is that I’m a firm believer of understanding the big picture first, so that your decisions are more informed and well-thought out. While I’ve pontificated about the importance of strategic and operational threat intelligence in the past, a robust intel capability should include both these levels as well as within the tactical realm. 

Tactical/Technical intelligence is what I consider as more of the traditional CTI.  This is the “on-the-network” intelligence that defenders consume in order to battle it out with adversaries. I consider this level of intel to be “traditional” because it’s really where the application of threat intelligence in the cyber world began.

Tactical Cyber Threat Intelligence  MapExamples of tactical threat intelligence include, but are not limited to IOCs such as malware signatures, IP blacklists, devices, domains, URL blacklists, log files, traffic patterns, and account credentials found in phishing, ransomware and APT campaigns. This data can be pulled into a SIEM, a threat intel platform (TIP) or some other tool within the security operations center (SOC) that based on parameters you’ve set will send an alert about threats hitting your network.  

The common challenge with tactical threat intel is too much data (and not enough context and analysis) can be pumped through an organization’s SOC and basically overwhelm your staff with noise. Even today it’s still pretty common to hear companies talk about how many IOCs they have in their feed as though quantity somehow makes it better. To use a baseball analogy, without proper context and relevancy, having a large feed of tactical data simply pushes you into swinging at pitches off the plate because you’re not focusing on the ball. The key to operationalizing this intel is to have not only the right tactical intel and filters in place, but also to have a sufficient team ready and available to use this intel – so you ultimately are focused on the right threats.

Tactical threat intelligence can help defenders make “real-time” or “near real-time” decisions as far as shutting down a port or kicking off an incident response process. This level of intel can also be used as part of the more reactive process of getting to the bottom of “what happened?” and using that intel to then help prepare and plan for future attacks. 

My team uses tactical threat intelligence as part of our overall research and analysis when we’re looking at active cyber threats or an actor’s tactics, techniques and practices (TTPs). We also include this level of intel in some of the recommendations we provide to our customers. However, with the intel that we create, tactical CTI is not shared within a vacuum. The value of tactical indicators is in their relationships, and as such we  communicate tactical intel in context as amplifying/associated information to a more operational level, finished intelligence deliverable. 

Context and relevancy are highly important when it comes to the topic of threat intelligence. But also important, especially with tactical threat intel feeds is an organization’s ability to ingest and use that data. To this end, many tactical threat intel feeds are now formatted in Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII) which essentially normalizes all of the different data types so that intel can be more easily shared across different tools and organizations. Furthermore, some ISACs are using what’s called the Traffic Light Protocol (TLP) to accomplish a similar goal of sharing information, but adds more context as far as who should be seeing this information. 

Advertisement. Scroll to continue reading.

Tactical cyber threat intelligence is an important component of your overall intel capability, but it isn’t where you should start nor the only type of intel that you should use. Certainly, it can provide you with specifics around the technical aspects of an attack and help you identify areas within your environment to shore up. It can also be used to feed back into your larger intel strategy to help you ask (and then answer) the right questions around your cyber risk so you can ensure a more resilient enterprise. However all of this is contingent on your ability to establish a formal intelligence program and build a capability that allows tactical intelligence (as well as operational and strategic intel for that matter) to be consumed, processed, analyzed and delivered to the proper user. 

In too many cases, tactical CTI is consumed, but not processed, nor analyzed and is delivered to the defender where the continuous whack-a-mole takes place and quickly starts to loose its value to the organization. Therefore, when exploring or expanding your tactical CTI capability, before you start consuming threat data feeds, first establish your strategy and goals and then determine what data sources can help you answer the questions you’re trying to answer. 

Written By

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.