Levels of threat intelligence
Each of these levels of intelligence matters because each serves a different function. Analysts who combine the knowledge from all three are better able to determine which security solutions to use, how to deploy them, and how to respond to threats both proactively and reactively.
Tactical threat intelligence and IOCs are meant to historically document cyber attacks, serving both as a corpus of evidence (for compliance, law enforcement, investigations, legal purposes, etc.) and also as reference material for analysts to interpret and extract context for use in defensive operations.
IOCs are provided to analysts to serve as examples of a particular threat, such as a malware sample, malware family, intrusion campaign, or threat actor. Analysts can enrich alerts from security solutions with tactical threat intelligence to provide more context and determine which threats are worth worrying about and which can safely be ignored.
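As an added illustration of the enrichment step described above (this is example code, not from the original page or any vendor's product), the following Python matches alert fields against a small IOC table and attaches the threat context and a triage priority. The IOC entries, threat labels, alert records and field names are all constructed for the example; a real deployment would load them from a threat intelligence platform and the alert source.

```python
# Added example: enriching alerts with tactical threat intelligence (IOCs).
# The IOC table and alerts below are constructed sample data, not from the page.
from dataclasses import dataclass


@dataclass
class Ioc:
    kind: str          # "ip", "domain" or "sha256"
    threat: str        # label of the threat the indicator is attributed to
    confidence: int    # 0-100, how sure the producer is the indicator is malicious
    first_seen: str    # when the indicator was first observed (ISO date)


# Constructed IOC table, keyed by normalised indicator value.
IOCS = {
    "203.0.113.10": Ioc("ip", "CampaignX C2 (constructed)", 90, "2024-01-12"),
    "update-check.example": Ioc("domain", "LoaderY staging (constructed)", 60, "2024-02-03"),
    "a" * 64: Ioc("sha256", "LoaderY dropper (constructed)", 95, "2024-02-03"),
}


def normalise(kind, value):
    # Indicators are compared case-insensitively; domains lose a trailing dot.
    value = value.strip().lower()
    if kind == "domain":
        value = value.rstrip(".")
    return value


def enrich_alert(alert, iocs=IOCS):
    """Return a copy of the alert with matched IOCs and a triage priority attached.

    Matched fields: dst_ip -> ip, domain -> domain, sha256 -> sha256.
    Priority: 'high' if any match has confidence >= 80, 'medium' if any match,
    'low' when no TI context exists (the analyst still sees the raw alert).
    """
    fields = {"dst_ip": "ip", "domain": "domain", "sha256": "sha256"}
    matches = []
    for alert_field, kind in fields.items():
        value = alert.get(alert_field)
        if value is None:
            continue
        key = normalise(kind, value)
        ioc = iocs.get(key)
        if ioc is not None and ioc.kind == kind:
            matches.append({"indicator": key, "threat": ioc.threat,
                            "confidence": ioc.confidence, "first_seen": ioc.first_seen})
    if any(m["confidence"] >= 80 for m in matches):
        priority = "high"
    elif matches:
        priority = "medium"
    else:
        priority = "low"
    return {**alert, "ti_matches": matches, "priority": priority}


# Constructed alerts, shaped like what a security product might emit.
SAMPLE_ALERTS = [
    {"id": 1, "host": "ws-17", "dst_ip": "203.0.113.10"},
    {"id": 2, "host": "ws-22", "domain": "Update-Check.example."},
    {"id": 3, "host": "ws-09", "dst_ip": "198.51.100.7"},
]


def triage(alerts, iocs=IOCS):
    # Enrich every alert and return them highest priority first.
    order = {"high": 0, "medium": 1, "low": 2}
    enriched = [enrich_alert(a, iocs) for a in alerts]
    return sorted(enriched, key=lambda a: order[a["priority"]])


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(a["id"], a["priority"], [m["threat"] for m in a["ti_matches"]])
```

The unmatched alert is kept rather than dropped: absence of an IOC match only means there is no tactical context yet, not that the activity is benign. Normalising indicators before lookup (case, trailing dots) avoids silently missing a match on a cosmetically different spelling of the same indicator.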
Consider the following from an incident response perspective: If you are responding to an intrusion event, you may wonder how a particular actor performs privilege escalation, lateral movement, or data theft. If you are hunting for undiscovered malicious activity, you might want to start your hunt by looking for a specific actor's behavior. Whatever your scenario, you need to answer the question “How do you search for this actor within your environment?”
Using operational threat intelligence
Operational threat intelligence is knowledge gained from examining the details of known attacks. An analyst can build a solid picture of an actor's methodology by piecing together tactical indicators and artifacts and distilling them into operational intelligence. This helps achieve a number of defensive goals, such as improving incident response plans and mitigation techniques for future attacks and incidents.
Analysts can also implement and bolster a proactive discovery program (“hunting program”) to identify suspicious files and activity that have bypassed traditional security technologies. From there they can develop detection methodologies that are not dependent on IOCs, ensuring broader coverage of threats in a more timely fashion.
Examples of operational threat intelligence
Strategic threat intelligence
Using strategic threat intelligence
Examples of strategic threat intelligence
- APT10 aka “MenuPass Group”
- APT22 aka “Barista Team”
- APT29 aka “The Dukes”
- Collaborate with the fraud team to determine the top 3–5 types of fraud and ask what information would help them detect and prevent these in the future.
- What does the analysis of incident tickets reveal about the nature and type of data targeted in previous data breach events?
- What vulnerabilities were exploited and by what means?
- What systems store PII and how do the vulnerabilities of those systems line up with known exploitation vectors?
- Threat intelligence can focus on reducing the risk of data loss and external threats by identifying actors and deriving intelligence on the threats targeting the organization's industry, and by ensuring that detection techniques and mechanisms are in place and able to catch those threats.
Threat intelligence will continue to evolve and remain a key security function. Integrating tactical, operational, and strategic threat intelligence provides valuable insight into IOCs and threat actors' methodologies, leading to more secure environments in which you can identify your adversaries. A growing number of public and private sector organizations now use cyber threat intelligence. Recent research published by the Ponemon Institute revealed that 80% of organizations are using it and that an even higher percentage regard it as critical.
Organizations using cyber threat intelligence are meeting numerous security challenges. They are detecting and responding to advanced threats. They are preventing data breaches and protecting sensitive information. They are lowering cybercrime and fraud costs. Most importantly, they are reducing overall business risk.