Technical Threat Intelligence

What is Technical Threat Intelligence?

Technical threat intelligence is the most specific and time-sensitive of the four types of cyber threat intelligence. It's the view from the front line, focusing on specific indicators of compromise (IoCs) that suggest an attack is underway. Due to its time-sensitive nature, technical threat intelligence is dynamic, changing constantly to reflect shifts in the threat landscape so that organizations can tailor defensive systems and response tactics to eliminate threats.

Technical Threat Intelligence vs. Other Types of Threat Intelligence

The broad category of cyber threat intelligence is curated information that helps organizations make better decisions about how to defend themselves from cyber-based threats. Technical threat intelligence is just one type of cyber threat intelligence. Each type is different, matching different functions, roles in an organization, and tools in the security stack.

  • Technical threat intelligence: Technical intelligence is actionable information on IoCs used to detect, prevent and respond to cyber threats in real time.
  • Tactical threat intelligence: Tactical intelligence details specific tactics, techniques, and procedures (TTPs) and other threat actor resources to improve defenses and detection capabilities.
  • Operational threat intelligence: Operational intelligence provides insight into threat actor methodologies to expose potential risks and uncover new threats.
  • Strategic threat intelligence: Strategic intelligence is the high-level perspective of how threats are changing over time to inform decision makers on budget, investment, and policy decisions.

This YouTube video gives a good overview of the types of threat intelligence (don't mind the graphics — the audio is what matters).

What is Technical Threat Intelligence?

Technical threat intelligence provides specific IoCs that could point to an attack unfolding within an organization. Technical threat intelligence is, well, technical. It's also timely. If tactical threat intelligence answers "what?" technical threat intelligence answers "what now?"

Here is a list of details that technical threat intelligence may consider and how they can be used to detect and respond to attacks:

Malicious IP Addresses

Blocking malicious IP addresses like those of command-and-control (C2) servers can thwart an ongoing attack and stop it from spreading. Threat actors use C2 servers to communicate with their malware and infected systems/devices to orchestrate malicious activities and spread the malware. C2 servers are also where exfiltrated data is sent.

Malware Signatures and File Hashes

Checking for known malware signatures and file hashes helps to identify and quarantine malicious files before they can cause damage. These are unique identifiers for specific pieces of malware, such as byte sequences in code, hash values of files, or patterns of behavior such as specific network communications or file access patterns.

Phishing Indicators

Email addresses, malicious URLs, and other details can help identify phishing campaigns and block malicious domain names.

Network Protocols

Identifying suspicious network activity and protocol usage could point to an attack in progress, including:

  • Connections to known malicious IP addresses
  • DNS requests for known malicious or newly registered domains
  • Abnormal traffic patterns
  • Attack tool signatures like C2 communications

Vulnerabilities

Assessing your systems for vulnerabilities with known exploits can help prevent and mitigate attacks. Cross-reference your organization's tech stack with CVEs exploited in attacks.

How Technical Threat Intelligence is Used in Security Functions

Technical threat intelligence is used in a variety of ways throughout the threat intelligence lifecycle, primarily during collection, processing, and analysis. It provides the technical threat data needed to configure security controls, such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS). It also allows proactive threat hunting and rapid response by identifying and blocking malicious activity based on its technical attributes.

Below are some of the specific functions that leverage technical threat intelligence to improve security posture:

Malware Analysis

In order to understand new malware — methods of infection, communication protocols, and payload delivery mechanisms — analysts need the details technical threat intelligence provides, including when reverse engineering code. Technical threat intelligence is also used to develop countermeasures like antivirus signatures and firewall rules.

Threat Hunting

Threat hunters use technical threat intelligence, leveraging IoCs to search an organization’s environment for malicious activity, spot potential threats, and identify unusual patterns of behavior.

Phishing Campaign Detection

Technical threat intelligence is used to detect phishing campaigns, refining email filters and domain blacklists with spoofed email addresses and malicious URLs.

Incident Response

Incident response teams use technical threat intelligence to understand attack details, identify affected systems, and develop response plans and mitigation measures.

How Security Tools Use Technical Threat Intelligence

Multiple tools within the security stack leverage technical threat intelligence to detect, contextualize, and respond to attacks and strengthen an organization's overall security posture.

  • Threat intelligence platform (TIP): Uses a centralized repository of known IoCs, aggregated from multiple sources. This helps security teams prioritize threats and streamline response efforts.
  • Security information and event management (SIEM): Uses IoCs from threat intelligence feeds to generate alerts when matching details/activities within a network are detected. The security operations center (SOC) then investigates the alert.
  • Security orchestration, automation, and response (SOAR): Enables workflows to automatically block or isolate entities with associated IoCs. Incorporating technical threat intelligence in SOAR technology significantly reduces the manual effort required by security analysts.

Challenges When Working with Technical Threat Intelligence

All types of threat intelligence come with inherent challenges, including data overload, poor context, evolving threats, and a lack of actionable insights. Technical threat intelligence is no different.

Data Overload

Due to the detailed nature of technical threat intelligence, data overload is a common problem. Too much noise can drown out the signals, creating false positives, alert fatigue, wild goose chases, and missed opportunities to improve security posture. Having the right tools and security professionals to interpret threat intelligence data is key to understanding its relevance to an organization.

Poor Context

Raw data is necessary for technical threat intelligence, but it doesn't tell a story of why an attack is unfolding, who's behind it (e.g., an advanced persistent threat vs. a lone-wolf opportunist), or what to do about it. Correlating threat intelligence with data from your own tech stack is key to gaining context around attack vectors and guiding response planning. Actionable intelligence is the lynchpin to stop an attack in its tracks, prevent future attacks, and power effective risk management.

Evolving Threats

Understanding of the threat landscape requires constant refreshing. Threat feeds need to deliver the latest intelligence on new TTPs and attack patterns, harvesting insights from:

  • Public and private databases and bulletins
  • Information sharing groups
  • Dark web forums
  • Social media

Remember, technical threat intelligence answers "what now," which requires real-time insights from internal systems as well as the threat landscape. To minimize security incidents and thwart potential attacks, timeliness is key.
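The SIEM matching described under "How Security Tools Use Technical Threat Intelligence", combined with the aging and noise problems raised in this section, as an added example that is not from the original article or any Anomali product: feed IoCs are expired by age and filtered by confidence before being matched against normalized log records, and the resulting alerts are ordered for triage. The feed entries, log records and the 30-day/50-confidence thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Ioc:
    kind: str            # "ip", "domain" or "sha256"
    value: str
    confidence: int      # 0-100, as a feed would supply it
    last_seen: datetime  # when the feed last saw the indicator in use

# Constructed feed entries; IPs are from documentation ranges, not real indicators.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
FEED = [
    Ioc("ip", "203.0.113.7", 90, NOW - timedelta(days=2)),              # fresh C2 address
    Ioc("ip", "198.51.100.22", 85, NOW - timedelta(days=120)),          # stale; may be reassigned
    Ioc("domain", "login-example.invalid", 70, NOW - timedelta(days=1)),  # phishing domain
    Ioc("sha256", "a" * 64, 95, NOW - timedelta(days=5)),               # malware file hash
    Ioc("domain", "cdn.example.net", 20, NOW - timedelta(days=1)),      # low confidence: noise
]

# Constructed, normalized log records of the kind a SIEM holds after parsing.
LOGS = [
    {"host": "ws-17", "type": "conn", "dst_ip": "203.0.113.7"},
    {"host": "ws-17", "type": "dns", "query": "Login-Example.invalid"},
    {"host": "srv-02", "type": "conn", "dst_ip": "198.51.100.22"},
    {"host": "ws-03", "type": "file", "sha256": "A" * 64},
    {"host": "ws-04", "type": "dns", "query": "cdn.example.net"},
    {"host": "ws-05", "type": "conn", "dst_ip": "192.0.2.1"},
]
# Which log field each indicator type is compared against.
FIELD_FOR_KIND = {"ip": "dst_ip", "domain": "query", "sha256": "sha256"}

def index_feed(feed, now, max_age_days=30, min_confidence=50):
    """Build a (kind, value) lookup, dropping stale and low-confidence indicators."""
    # Technical intelligence ages fast: an IP or domain last seen months ago may now
    # belong to someone else, so expiring it trims false positives rather than coverage.
    cutoff = now - timedelta(days=max_age_days)
    return {(i.kind, i.value.lower()): i
            for i in feed if i.last_seen >= cutoff and i.confidence >= min_confidence}

def match_logs(logs, index):
    """Return one alert per log field that hits an indexed IoC, highest confidence first."""
    alerts = []
    for rec in logs:
        for kind, field in FIELD_FOR_KIND.items():
            value = rec.get(field)
            ioc = index.get((kind, value.lower())) if value else None  # case-insensitive match
            if ioc:
                alerts.append({"host": rec["host"], "kind": kind, "value": ioc.value, "confidence": ioc.confidence})
    return sorted(alerts, key=lambda a: -a["confidence"])
```

Running `match_logs(LOGS, index_feed(FEED, NOW))` yields three alerts (hash on ws-03, C2 IP on ws-17, phishing domain on ws-17); the stale IP and the low-confidence domain never enter the index, so they produce no noise.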

Anomali: Delivering Front-Line Technical Threat Intelligence to Your Fingertips

Technical threat intelligence is integral to the effectiveness of Anomali solutions. By combining external threat data with internal signals, Anomali surfaces threats that truly matter and avoids false positives. Artificial intelligence is woven throughout Anomali solutions to drive correlation, prioritization, and automation, enabling faster, more effective response.

To see how Anomali ThreatStream can leverage and contextualize technical threat intelligence, schedule a demo.