Connect with us

Hi, what are you looking for?


Incident Response

The Crucial Component of Detection and Response: Intelligence Pivoting

Intelligence Pivoting Allows You to Build a Broader Picture and is Pivotal to Detection and Response

Intelligence Pivoting Allows You to Build a Broader Picture and is Pivotal to Detection and Response

Pivot. It’s a word we’re hearing more frequently since the pandemic and I find it interesting for its dual meaning. One on the one hand it means “turn.” Schools are pivoting to online learning. Businesses are pivoting to a remote workforce. Retailers are pivoting to contactless commerce. But it also means “crucial.” Measures like these are pivotal to keeping Covid-19 infection rates down. While it may be a trendy term, in cybersecurity, intelligence pivoting is pivotal to detection and response. 

The first step is detection, having the right data from the right tools at the right time. But what is the right data? Each product within your security infrastructure creates its own logs and events, generating a massive amount of data – IP addresses, URLs, hash values, etc. These indicators are the lowest common denominator of all these disparate logs, and each of these indicators could reveal malicious behavior. For instance, you may see an IP address you don’t recognize in your intrusion prevention system (IPS). So, you decide to query other systems to see if any of your other security tools have detected communication back to that IP address, which is valuable information. But an indicator is just one piece of data. Without context you can’t have a full picture of what is happening. 

In my previous article I discussed the concept of intelligence pivoting with a simplified example of looking at external threat intelligence to see if a particular IP address is associated with a specific adversary. With that intelligence, you can pivot to that adversary and learn that there are numerous additional IP addresses related to that adversary. Searching across your other tools, you find a substantial subset of those associated IP addresses. That’s a fairly solid sign that something may be going on.

Digging deeper, you can gain greater contextual awareness and understanding. For instance, is this indicator associated with a specific campaign or adversary, and are there associated artifacts you can look for in other tools, like your endpoint detection and response (EDR) solution? A framework like MITRE ATT&CK that describes threat actor tactics, techniques and procedures (TTPs), allows you to expand your investigation further and formulate a hypothesis about a specific campaign or adversary that may have infiltrated your network. Now you can pivot to test your hypothesis and confirm or disprove an attack.

Say MITRE ATT&CK defines a malicious spearphishing attachment as a technique to gain initial access. The hypothesis could be that any employee spearphished with an email containing a malicious attachment is only one of many under attack. The investigation could then focus on taking a known spearphishing attempt and searching for any other staff affected by the same or similar attacks. With intelligence on a TTP from a known attack, you extract additional indicators and pivot to conduct a targeted search across the organization to reveal a more complete picture and confirm the presence of an adversary. What’s more, building a broader picture based on campaigns and methods forces attackers to change TTPs which has a significantly higher cost for them and may result in their disinterest and dropping their focus on your business. We’ll get into that in more detail in a future article.

As this more detailed example shows, you can’t stop with the first tool that reveals an indicator. You need to look across all your tools to see a broader picture – enriched by multiple indicators and indicator types, and intelligence on adversaries and their methods – so you can gain a deeper understanding of what is going on and can respond effectively. Intelligence pivoting allows you to build that broader picture and is pivotal to detection and response.

Advertisement. Scroll to continue reading.

Learn More at SecurityWeek’s Threat Hunting Summit (Virtual)

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.