Tactical Threat Intelligence: View from the Trenches
Tactical threat intelligence is a detailed form of cyber threat intelligence (CTI) about pressing threats to help detect, respond to, and prevent attacks. It's the view from the trenches, close to the front line where security teams are facing off with attacks in progress, but with a degree of separation that allows for a more informed response and better security posture. Tactical threat intelligence is used in daily operations; it is refreshed regularly to reflect changes in the threat landscape.
What is Tactical Threat Intelligence?
Tactical threat intelligence focuses on specific tactics, techniques, and procedures (TTPs) used in cyberattacks. It also includes threat actor tools and infrastructure, as well as the vulnerabilities they employ. It answers the "what" and "how" of attacks with technical details, including:
- Data derived from malware samples
- Incident analysis
- Threat behavior analysis
Tactical intelligence provides machine-readable indicators of compromise (IoCs) such as malicious IP addresses, domain names, file hashes, and malware signatures. It's used by a variety of security teams in daily operations. It must be refreshed regularly to reflect short-term (i.e., monthly) changes in the threat landscape.
What are Tactics, Techniques, and Procedures?
Tactics, techniques, and procedures (TTPs) is a term commonly used to describe threat actors' methods of attack. They vary by threat actor and threat actor group, reflecting their strengths, their victims' weaknesses, and the resources at their disposal.
- Tactics: Why an attack is carried out (e.g., to exfiltrate data)
- Techniques: The method used to achieve the tactic (e.g., phishing)
- Procedures: The steps used to achieve the technique (e.g., targeted phishing email with malicious attachment)
Tactical Threat Intelligence vs. Other Types of Threat Intel
The broad category of cyber threat intelligence is curated information that helps organizations make better decisions about how to defend themselves from cyber-based threats. Tactical threat intelligence is just one type of cyber threat intelligence. Each type is different, matching different functions, roles in an organization, and tools in the security stack.
- Technical threat intelligence: Technical intelligence is actionable information on IoCs used to detect, prevent and respond to cyber threats in real time.
- Tactical threat intelligence: Tactical intelligence details specific TTPs and other threat actor resources to improve defenses and detection capabilities.
- Operational threat intelligence: Operational intelligence provides insight into threat actor methodologies to expose potential risks and uncover new threats.
- Strategic threat intelligence: Strategic intelligence is the high-level perspective of how threats are changing over time to give decision makers actionable insights on budget, investment, and policy decisions.
Tactical and technical threat intelligence are closely aligned, both answering the "what" of cyber attacks and providing actionable intelligence. Technical intel can be viewed as a subset of the tactical category for immediate use to thwart attacks in real time.
Who uses Tactical Threat Intelligence?
Tactical threat intelligence is applicable to several cybersecurity roles.
- SOC analysts: Security operations centers (SOCs) use tactical intelligence to detect malicious activity at its outset.
- Incident responders: Incident response teams use tactical intelligence to prevent potential attacks, and to respond to and quarantine security incidents in progress.
- Security tool admins: Security tool administrators and security architects feed tactical intelligence into their tech stack to configure tools and optimize defense.
- Threat hunters: Threat hunters use tactical intelligence throughout their investigations, from hypothesis and search details, to context and prioritization, and validation and enrichment.
Tactical Threat Intelligence Use Cases
Tactical threat intelligence is used to develop detection rules, signatures, and remediation workflows. It helps to identify malicious activities by improving:
- YARA rules to detect and classify malware
- Intrusion detection systems (IDS)
- Intrusion detection and prevention (IDP) signatures
- Security information and event management (SIEM) correlation rules
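As an added illustration (not code from this page or from Anomali's platform), a small Python correlation routine that filters a constructed indicator feed by expiry and confidence and matches it against constructed log lines, ranking hits the way a SIEM rule fed with tactical IoCs would; all indicator values, field names and log lines are constructed for the example:

```python
"""Added example: correlate tactical IoCs (IPs, domains, hashes) against
sample log lines. Every indicator and log line below is constructed."""
from datetime import date

# Constructed indicator feed. Tactical IoCs are short-lived, so each one
# carries a confidence score and a valid_until date (ISO format).
IOCS = [
    {"type": "ipv4",   "value": "203.0.113.7",       "confidence": 90, "valid_until": "2099-01-01"},
    {"type": "domain", "value": "login.example.net", "confidence": 60, "valid_until": "2099-01-01"},
    {"type": "sha256", "value": "a" * 64,            "confidence": 95, "valid_until": "2000-01-01"},  # expired
]

# Constructed log lines: "<timestamp> <source> key=value ...".
LOGS = [
    "2024-05-01T10:00:00Z proxy src=10.0.0.5 dst=203.0.113.7 host=cdn.example.org",
    "2024-05-01T10:00:05Z proxy src=10.0.0.8 dst=198.51.100.2 host=login.example.net",
    "2024-05-01T10:01:00Z endpoint host=ws-12 sha256=" + "a" * 64,
    "2024-05-01T10:02:00Z proxy src=10.0.0.9 dst=192.0.2.1 host=intranet.local",
]

# Which log field each indicator type is compared against (assumed schema).
FIELD_FOR_TYPE = {"ipv4": "dst", "domain": "host", "sha256": "sha256"}


def active_iocs(iocs, today, min_confidence=50):
    """Drop expired and low-confidence indicators before matching; this is
    what keeps a stale feed from generating false positives."""
    cutoff = date.fromisoformat(today)
    return [i for i in iocs
            if date.fromisoformat(i["valid_until"]) >= cutoff
            and i["confidence"] >= min_confidence]


def parse_log(line):
    """Split a constructed log line into a dict of its key=value fields."""
    ts, source, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"], fields["source"] = ts, source
    return fields


def correlate(logs, iocs, today, min_confidence=50):
    """Return one alert per log field that matches an active indicator,
    highest confidence first so analysts triage the strongest hits first."""
    lookup = {(i["type"], i["value"]): i for i in active_iocs(iocs, today, min_confidence)}
    alerts = []
    for line in logs:
        ev = parse_log(line)
        for ioc_type, field in FIELD_FOR_TYPE.items():
            hit = lookup.get((ioc_type, ev.get(field)))
            if hit:
                alerts.append({"ts": ev["ts"], "type": ioc_type,
                               "match": hit["value"], "confidence": hit["confidence"]})
    return sorted(alerts, key=lambda a: -a["confidence"])
```

Run with `correlate(LOGS, IOCS, "2024-05-01")`: the expired hash indicator is ignored, the IP hit outranks the domain hit, and raising `min_confidence` to 70 suppresses the lower-confidence domain match.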
Security Tool Integration
Tactical threat intelligence is useful in several tools essential to cybersecurity programs for maintaining a strong security posture and reducing an organization's attack surface.
Threat Intelligence Platforms (TIP)
Tactical CTI provides TIPs with timely and enriched IoCs and attack patterns that can be shared across the organization and with trusted partners via information sharing and analysis centers (ISACs). This accelerates an organization's ability to anticipate and defend against specific attack methods, especially lateral movement.
Security Information and Event Management (SIEM)
Tactical CTI hones a SIEM's alerting and detection capabilities. Use it to configure rules to detect specific TTPs correlated to high-risk areas. This will reduce false positives and improve threat detection accuracy.
Security Orchestration, Automation, and Response (SOAR)
Tactical CTI drives the development of automated response workflows in SOAR platforms to contain and mitigate incidents (e.g., isolating compromised endpoints or blocking malicious IP addresses).
What are the Main Sources for Gathering Tactical Threat Intelligence?
Tactical intelligence is collected from many of the same sources as other types of CTI, with data from one source used to enrich another. External sources include:
- Open sources on the public internet including social media, news reports and blogs
- Dark web monitoring of forums and marketplaces
- Information sharing groups
- Threat intelligence feeds
- Research groups
Tactical CTI also leverages internal sources such as:
- Logs from security tools (e.g., firewalls and IDS)
- SIEMs and other log management tools
- User and entity behavior analytics (UEBA)
Anomali: There For You in the Trenches
Anomali supplies you with actionable insights and timely tactical CTI. Ready-to-use dashboards surface details on threat actors, TTPs, vulnerabilities, and campaigns — as well as a geolocation heatmap — to power rapid-fire response and informed prevention.
The Anomali platform contextualizes intel with severity and confidence scoring to better prioritize alerts, and shows associations between threat actors or MITRE TTPs to understand attack patterns.
ThreatStream data can also be correlated against your internal security tools to ensure active IoCs aren’t present in your environment.
To see how Anomali leverages tactical threat intelligence across our solutions, schedule a demo.