Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

CISO Perspective: How Tactical Cyber Threat Intelligence Fits Into Your Security Program

In this series on the threat intelligence mind map, as we’ve drilled into different levels of intel we started with strategic cyber threat intelligence and

In this series on the threat intelligence mind map, as we’ve drilled into different levels of intel we started with strategic cyber threat intelligence and moved onto operational threat intelligence before now arriving at the tactical level. The reason for this approach is that I’m a firm believer of understanding the big picture first, so that your decisions are more informed and well-thought out. While I’ve pontificated about the importance of strategic and operational threat intelligence in the past, a robust intel capability should include both these levels as well as within the tactical realm. 

Tactical/Technical intelligence is what I consider as more of the traditional CTI.  This is the “on-the-network” intelligence that defenders consume in order to battle it out with adversaries. I consider this level of intel to be “traditional” because it’s really where the application of threat intelligence in the cyber world began.

Tactical Cyber Threat Intelligence  MapExamples of tactical threat intelligence include, but are not limited to IOCs such as malware signatures, IP blacklists, devices, domains, URL blacklists, log files, traffic patterns, and account credentials found in phishing, ransomware and APT campaigns. This data can be pulled into a SIEM, a threat intel platform (TIP) or some other tool within the security operations center (SOC) that based on parameters you’ve set will send an alert about threats hitting your network.  

The common challenge with tactical threat intel is too much data (and not enough context and analysis) can be pumped through an organization’s SOC and basically overwhelm your staff with noise. Even today it’s still pretty common to hear companies talk about how many IOCs they have in their feed as though quantity somehow makes it better. To use a baseball analogy, without proper context and relevancy, having a large feed of tactical data simply pushes you into swinging at pitches off the plate because you’re not focusing on the ball. The key to operationalizing this intel is to have not only the right tactical intel and filters in place, but also to have a sufficient team ready and available to use this intel – so you ultimately are focused on the right threats.

Tactical threat intelligence can help defenders make “real-time” or “near real-time” decisions as far as shutting down a port or kicking off an incident response process. This level of intel can also be used as part of the more reactive process of getting to the bottom of “what happened?” and using that intel to then help prepare and plan for future attacks. 

My team uses tactical threat intelligence as part of our overall research and analysis when we’re looking at active cyber threats or an actor’s tactics, techniques and practices (TTPs). We also include this level of intel in some of the recommendations we provide to our customers. However, with the intel that we create, tactical CTI is not shared within a vacuum. The value of tactical indicators is in their relationships, and as such we  communicate tactical intel in context as amplifying/associated information to a more operational level, finished intelligence deliverable. 

Context and relevancy are highly important when it comes to the topic of threat intelligence. But also important, especially with tactical threat intel feeds is an organization’s ability to ingest and use that data. To this end, many tactical threat intel feeds are now formatted in Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII) which essentially normalizes all of the different data types so that intel can be more easily shared across different tools and organizations. Furthermore, some ISACs are using what’s called the Traffic Light Protocol (TLP) to accomplish a similar goal of sharing information, but adds more context as far as who should be seeing this information. 

Tactical cyber threat intelligence is an important component of your overall intel capability, but it isn’t where you should start nor the only type of intel that you should use. Certainly, it can provide you with specifics around the technical aspects of an attack and help you identify areas within your environment to shore up. It can also be used to feed back into your larger intel strategy to help you ask (and then answer) the right questions around your cyber risk so you can ensure a more resilient enterprise. However all of this is contingent on your ability to establish a formal intelligence program and build a capability that allows tactical intelligence (as well as operational and strategic intel for that matter) to be consumed, processed, analyzed and delivered to the proper user. 

In too many cases, tactical CTI is consumed, but not processed, nor analyzed and is delivered to the defender where the continuous whack-a-mole takes place and quickly starts to loose its value to the organization. Therefore, when exploring or expanding your tactical CTI capability, before you start consuming threat data feeds, first establish your strategy and goals and then determine what data sources can help you answer the questions you’re trying to answer. 

Advertisement. Scroll to continue reading.
Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Cybercrime

The top five categories of Bad Bot attacks are fake account creation, account takeovers, scraping, account management, and in-product abuse.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cybercrime

Deepfakes, left unchecked, are set to become the cybercriminals’ next big weapon