In this series on the threat intelligence mind map, we have drilled into the different levels of intel in order: we started with strategic cyber threat intelligence, moved on to operational threat intelligence, and now arrive at the tactical level. The reason for this approach is that I’m a firm believer in understanding the big picture first, so that your decisions are more informed and well thought out. While I’ve pontificated about the importance of strategic and operational threat intelligence in the past, a robust intel capability should include both of those levels as well as the tactical one.
Tactical/Technical intelligence is what I consider to be more of the traditional CTI. This is the “on-the-network” intelligence that defenders consume in order to battle it out with adversaries. I consider this level of intel to be “traditional” because it’s really where the application of threat intelligence in the cyber world began.
Examples of tactical threat intelligence include, but are not limited to, IOCs such as malware signatures, IP blacklists, devices, domains, URL blacklists, log files, traffic patterns, and account credentials found in phishing, ransomware and APT campaigns. This data can be pulled into a SIEM, a threat intel platform (TIP) or some other tool within the security operations center (SOC) which, based on parameters you’ve set, will send an alert about threats hitting your network.
The common challenge with tactical threat intel is that too much data (and not enough context and analysis) can be pumped through an organization’s SOC and overwhelm your staff with noise. Even today it’s still pretty common to hear companies talk about how many IOCs they have in their feed, as though quantity somehow makes it better. To use a baseball analogy, without proper context and relevancy, a large feed of tactical data simply pushes you into swinging at pitches off the plate because you’re not focusing on the ball. The key to operationalizing this intel is to have not only the right tactical intel and filters in place, but also a sufficient team ready and available to use this intel – so you ultimately are focused on the right threats.
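As an added example (not code from the original post), the script below shows what the “right filters” look like in practice: it takes a constructed, deliberately noisy IOC feed, merges duplicate indicators across sources, drops allowlisted, stale and low-confidence entries, scores what is left by corroboration, freshness and relevance to the organisation, and only then matches the curated set against a few constructed firewall and DNS log lines. Every feed entry, log line, field name and score weight is an assumption made for illustration, not a real vendor schema.

```python
"""Added example, not part of the original post: turn a noisy tactical IOC
feed into a short, prioritised list before matching it against logs.
All feed entries, log lines, field names and score weights are constructed
assumptions for illustration, not a real vendor schema."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock keeps the example deterministic

# Constructed feed: the same IP reported twice, one stale low-confidence entry,
# one relevant ISAC indicator and one benign resolver that an OSINT list flagged.
RAW_FEED = [
    {"value": "203.0.113.10", "type": "ipv4", "source": "vendor-a", "confidence": 90,
     "first_seen": NOW - timedelta(days=2), "tags": ["phishing", "finance-sector"]},
    {"value": "203.0.113.10", "type": "ipv4", "source": "vendor-b", "confidence": 60,
     "first_seen": NOW - timedelta(days=5), "tags": ["phishing"]},
    {"value": "198.51.100.77", "type": "ipv4", "source": "osint-list", "confidence": 20,
     "first_seen": NOW - timedelta(days=400), "tags": []},
    {"value": "bad-login.example", "type": "domain", "source": "isac", "confidence": 70,
     "first_seen": NOW - timedelta(days=1), "tags": ["credential-theft", "finance-sector"]},
    {"value": "8.8.8.8", "type": "ipv4", "source": "osint-list", "confidence": 30,
     "first_seen": NOW - timedelta(days=3), "tags": []},
]

ALLOWLIST = {"8.8.8.8"}           # known-good infrastructure never alerts
MAX_AGE = timedelta(days=180)     # older indicators are expired from the match set
MIN_CONFIDENCE = 50
RELEVANT_TAGS = {"finance-sector", "credential-theft"}   # what this organisation cares about


def dedupe(feed):
    """Merge duplicate indicators: keep the best confidence, earliest sighting, union of sources/tags."""
    merged = {}
    for entry in feed:
        key = (entry["type"], entry["value"])
        if key not in merged:
            merged[key] = {**entry, "sources": {entry["source"]}, "tags": set(entry["tags"])}
            continue
        cur = merged[key]
        cur["sources"].add(entry["source"])
        cur["tags"] |= set(entry["tags"])
        cur["confidence"] = max(cur["confidence"], entry["confidence"])
        cur["first_seen"] = min(cur["first_seen"], entry["first_seen"])
    return list(merged.values())


def relevance_score(entry, now=NOW):
    """0-100 priority from confidence, corroboration, freshness and organisational relevance."""
    score = entry["confidence"]
    score += 10 * (len(entry["sources"]) - 1)        # each extra corroborating feed adds 10
    age_days = (now - entry["first_seen"]).days
    score -= min(age_days, 90) // 3                   # loses up to 30 points over 90 days
    if entry["tags"] & RELEVANT_TAGS:
        score += 15                                   # ties to a threat this org actually faces
    return max(0, min(100, score))


def curate(feed, now=NOW):
    """Return the indicators worth loading into the SIEM, highest priority first."""
    kept = []
    for entry in dedupe(feed):
        if entry["value"] in ALLOWLIST:
            continue
        if now - entry["first_seen"] > MAX_AGE:
            continue
        if entry["confidence"] < MIN_CONFIDENCE:
            continue
        entry["score"] = relevance_score(entry, now)
        kept.append(entry)
    return sorted(kept, key=lambda e: e["score"], reverse=True)


# Constructed log lines in a simple key=value format (firewall and DNS events).
SAMPLE_LOGS = [
    "ts=2024-06-01T08:00:01Z src=10.0.0.5 dst=203.0.113.10 action=allow",
    "ts=2024-06-01T08:00:02Z src=10.0.0.9 dst=8.8.8.8 action=allow",
    "ts=2024-06-01T08:00:03Z src=10.0.0.7 qname=bad-login.example action=dns",
    "ts=2024-06-01T08:00:04Z src=10.0.0.7 dst=198.51.100.77 action=allow",
]


def match_logs(indicators, logs):
    """Return (log line, indicator) pairs where a curated indicator appears in a watched field."""
    by_value = {i["value"]: i for i in indicators}
    hits = []
    for line in logs:
        fields = dict(kv.split("=", 1) for kv in line.split())
        for key in ("dst", "qname"):
            value = fields.get(key)
            if value in by_value:
                hits.append((line, by_value[value]))
    return hits


if __name__ == "__main__":
    curated = curate(RAW_FEED)
    for ind in curated:
        print(f"{ind['score']:3d} {ind['type']:6} {ind['value']} sources={sorted(ind['sources'])}")
    for line, ind in match_logs(curated, SAMPLE_LOGS):
        print("ALERT", ind["value"], "<-", line)
```

Of the five raw entries, only two survive curation; the resolver in the allowlist and the year-old OSINT entry never reach the match step, so the two alerts that fire are the ones a small team can actually act on. The weights are deliberately simple so that the tuning knobs (allowlist, age, confidence floor, relevance tags) are visible; in a real TIP those come from your own strategy and collection requirements rather than from the feed.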
Tactical threat intelligence can help defenders make “real-time” or “near real-time” decisions as far as shutting down a port or kicking off an incident response process. This level of intel can also be used as part of the more reactive process of getting to the bottom of “what happened?” and using that intel to then help prepare and plan for future attacks.
My team uses tactical threat intelligence as part of our overall research and analysis when we’re looking at active cyber threats or an actor’s tactics, techniques and practices (TTPs). We also include this level of intel in some of the recommendations we provide to our customers. However, the tactical CTI we create is not shared in a vacuum. The value of tactical indicators is in their relationships, and so we communicate tactical intel in context, as amplifying or associated information within a more operational-level, finished intelligence deliverable.
Context and relevancy are highly important when it comes to the topic of threat intelligence. Just as important, especially with tactical threat intel feeds, is an organization’s ability to ingest and use that data. To this end, many tactical threat intel feeds are now formatted in Structured Threat Information Expression (STIX) and exchanged over Trusted Automated Exchange of Indicator Information (TAXII), which essentially normalizes all of the different data types so that intel can be more easily shared across different tools and organizations. Furthermore, some ISACs are using what’s called the Traffic Light Protocol (TLP), which accomplishes a similar goal of sharing information but adds context about who should be seeing it.
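The following is an added example, not code from the original post or from any STIX/TAXII project, of what “ingesting and using” such a feed involves on the receiving side. It reads a STIX 2.1 bundle of the kind a TAXII client downloads from a collection, extracts the atomic indicators from each STIX pattern, resolves the TLP marking attached to each object, and decides which indicators can be passed on to a recipient with a given TLP clearance. The bundle is constructed for the example: its object ids are placeholder UUIDs, and the TLP marking-definition objects are spelled out with their `definition.tlp` value rather than using the canonical marking ids from the STIX 2.1 specification, so the code matches on the colour, not the id.

```python
"""Added example, not part of the original post: read a STIX 2.1 bundle of
the kind a TAXII client downloads, pull atomic indicators out of each STIX
pattern, and enforce the TLP marking carried on each object.
The bundle is constructed; its ids are placeholder UUIDs and the marking
objects are written out rather than using the canonical TLP ids from the spec."""
import json
import re

GREEN_ID = "marking-definition--00000000-0000-4000-8000-00000000aaaa"   # placeholder id
AMBER_ID = "marking-definition--00000000-0000-4000-8000-00000000bbbb"   # placeholder id


def _indicator(n, name, pattern, marks):
    """Build a minimal STIX 2.1 indicator object for the constructed bundle."""
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--00000000-0000-4000-8000-0000000001{n:02d}",
           "created": "2024-06-01T00:00:00.000Z", "modified": "2024-06-01T00:00:00.000Z",
           "name": name, "pattern": pattern, "pattern_type": "stix",
           "valid_from": "2024-06-01T00:00:00Z"}
    if marks:
        obj["object_marking_refs"] = list(marks)
    return obj


# Constructed bundle: two TLP marking definitions and three indicators, the last unmarked.
BUNDLE_JSON = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "marking-definition", "spec_version": "2.1", "id": GREEN_ID,
         "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
         "definition": {"tlp": "green"}},
        {"type": "marking-definition", "spec_version": "2.1", "id": AMBER_ID,
         "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
         "definition": {"tlp": "amber"}},
        _indicator(1, "Phishing sender infrastructure",
                   "[ipv4-addr:value = '203.0.113.10']", [GREEN_ID]),
        _indicator(2, "Credential-harvesting page",
                   "[domain-name:value = 'bad-login.example'] OR "
                   "[url:value = 'http://bad-login.example/auth']", [AMBER_ID]),
        _indicator(3, "Dropper hash (placeholder value)",
                   "[file:hashes.'SHA-256' = '" + "0" * 64 + "']", []),
    ],
})

# TLP 2.0 renamed WHITE to CLEAR and added AMBER+STRICT; accept both spellings.
TLP_ORDER = {"white": 0, "clear": 0, "green": 1, "amber": 2, "amber+strict": 2, "red": 3}

# One comparison inside a STIX pattern: <object type>:<property> = '<value>'.
PATTERN_RE = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")


def parse_bundle(text):
    """Return indicators as {id, name, tlp, atoms}, with atoms pulled from the STIX pattern."""
    bundle = json.loads(text)
    tlp_by_id = {o["id"]: o["definition"]["tlp"].lower()
                 for o in bundle["objects"]
                 if o["type"] == "marking-definition" and o.get("definition_type") == "tlp"}
    indicators = []
    for obj in bundle["objects"]:
        if obj["type"] != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        tlps = [tlp_by_id[ref] for ref in obj.get("object_marking_refs", []) if ref in tlp_by_id]
        # Most restrictive marking wins; an unmarked object is held as RED until the source confirms.
        tlp = max(tlps, key=lambda t: TLP_ORDER.get(t, 3)) if tlps else "red"
        atoms = [{"type": t, "prop": p, "value": v} for t, p, v in PATTERN_RE.findall(obj["pattern"])]
        indicators.append({"id": obj["id"], "name": obj.get("name", ""), "tlp": tlp, "atoms": atoms})
    return indicators


def releasable(indicators, audience_tlp):
    """Indicators a recipient cleared for `audience_tlp` may receive."""
    limit = TLP_ORDER[audience_tlp.lower()]
    return [i for i in indicators if TLP_ORDER.get(i["tlp"], 3) <= limit]


if __name__ == "__main__":
    inds = parse_bundle(BUNDLE_JSON)
    for ind in inds:
        print(f"TLP:{ind['tlp'].upper():5} {ind['name']}: {[a['value'] for a in ind['atoms']]}")
    print("Shareable with a TLP:GREEN audience:", [i["name"] for i in releasable(inds, "green")])
```

Two points the code makes that the prose only implies: the STIX pattern is where the machine-readable IOC actually lives (a single indicator can carry several comparisons joined by `OR`), and the TLP marking is data that travels with the object, so the ingest pipeline, not the analyst, should be the thing that refuses to forward an AMBER indicator to a GREEN audience. Defaulting an unmarked object to RED is the conservative choice; a production pipeline would also validate `valid_from`/`valid_until` and revocation.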
Tactical cyber threat intelligence is an important component of your overall intel capability, but it isn’t where you should start, nor the only type of intel that you should use. Certainly, it can provide you with specifics around the technical aspects of an attack and help you identify areas within your environment to shore up. It can also be fed back into your larger intel strategy to help you ask (and then answer) the right questions around your cyber risk so you can ensure a more resilient enterprise. However, all of this is contingent on your ability to establish a formal intelligence program and build a capability that allows tactical intelligence (as well as operational and strategic intel, for that matter) to be consumed, processed, analyzed and delivered to the proper user.
In too many cases, tactical CTI is consumed but neither processed nor analyzed, and is delivered to the defender, where the continuous whack-a-mole takes place and it quickly starts to lose its value to the organization. Therefore, when exploring or expanding your tactical CTI capability, before you start consuming threat data feeds, first establish your strategy and goals and then determine which data sources can help you answer the questions you’re trying to answer.