Tactical Threat Intelligence: Cybercriminals, TTPs, and More


Cyber threat intelligence plays a critical role in a proactive cybersecurity strategy. By gathering and analyzing data, security teams and company leaders are able to make quick and effective decisions about cyber security strategies and attacks.

Not all cyber threat intelligence is the same, however. Certain data is better suited to different uses. Some information is general, some is strategic, and some data tells your security team exactly how your organization is likely to be attacked, and by whom.

One category of threat intelligence is called tactical threat intelligence. This article explores what it is, where it can be found, which members of your organization own it, and how it can be used to improve your company’s cybersecurity posture. We also look at some of the challenges associated with gathering tactical threat intelligence, and how those barriers can be overcome. 

What is Tactical Threat Intelligence?

The goal of tactical threat intelligence is to provide security teams with insights into how cyber criminals attack. This form of threat intelligence covers the tactics, techniques, and procedures (TTP) used by threat actors, and gives security teams information about how those TTP are used to launch attacks, escalate privileges, and compromise data and systems.

In other words, tactical threat intelligence helps security teams understand the details of how their company is likely to be attacked. The focus of tactical threat intelligence is twofold: 

  • External: The TTP used by attackers
  • Internal: The strengths and weaknesses of the organization’s cyber security controls, and its ability to prevent attacks

Because tactical threat intelligence deals with specific attack scenarios, it can be an incredible benefit to an organization. Security teams can use this information to determine the most likely attacks and prepare for them before they occur. 

How is tactical threat intelligence gathered? 

Tactical threat intelligence is typically gathered through open source intelligence (OSINT) such as news reports, social media, malware samples, attack group reports, human intelligence, and other publicly available information. Cybersecurity industry experts also share information with one another about threats. 

Tactical intelligence may also be gathered from industry reports, from information purchased from third-party sources, and through honeypots, darknets, crawling, and scanning.

Who owns tactical threat intelligence?  

While other forms of threat intelligence are more general, tactical threat intelligence gets deep into the weeds, covering recent attack trends and offering insights into the specific technical tools being used to breach networks.

Because tactical threat intelligence includes so much technical knowledge, the individuals who own and act on this intelligence are typically technical staff directly involved in cyber defense, such as the security team, SOC managers, system architects, and administrators. In some cases, however, leadership may need to review tactical threat intelligence to make decisions about a breach or about security budgeting.

Use Cases for Tactical Threat Intelligence

Proactive cyber defense

Tactical threat intelligence is a key piece of a proactive cybersecurity strategy. By using tactical threat intelligence, your team can identify the most likely and the most impactful threats faced by your organization. Once those risks have been defined, your security team can take action to mitigate the risk. 

For example, if your team is aware that similar companies in your industry are being targeted by social engineering scams, you can take action to institute email filters, create education programs, and take other measures to mitigate the risk of social engineers targeting your organization. 

Providing context for data


Tactical threat intelligence can help your team tease important insights out of raw data. Often, alerts and indicators of compromise are delivered to your team as a bare list of data points. Rather than reading through the data and sifting it manually, tactical threat intelligence can provide context about which compromises are the highest priority.

Tactical threat intelligence enriches that data, giving your team much-needed context quickly, so they can get to work keeping attackers out. 

Triage

The most important (and most common) use of tactical threat intelligence is stopping data breaches and cyber attacks. Your security team is constantly fielding security alerts about suspicious activity, such as odd network traffic, unusual privileged user account activity, login issues, unusual DNS requests and potentially dangerous web traffic. 

Tactical threat intelligence lets your team quickly analyze those alerts by comparing them to tactical threat data, giving your organization more information about the most likely risks. If an alert is validated, your team can respond to that specific threat and shut down the incident. 
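The enrichment and triage described in the last two sections can be made concrete with a small script. This is an added example written for this page, not Flare's platform or its output: the intelligence entries, alert lines, and the scoring rule (severity times ten, plus a bonus when the TTP is known to target the organization's sector) are all constructed for illustration. It parses raw alerts, attaches TTP context to any indicator that matches the tactical intelligence set, and returns the alerts highest priority first, with unmatched alerts sinking to the bottom and malformed records skipped rather than aborting the batch.

```python
"""Enrich raw alerts with tactical threat intelligence and rank them for triage.

Added example; the intel entries and alert lines below are constructed, not
real indicators and not real output from any product.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed tactical intelligence keyed by indicator. Each entry carries the
# TTP context an analyst needs (what the indicator is used for), a severity
# from 1 (low) to 3 (high), and whether the activity targets our sector.
TACTICAL_INTEL: dict[str, dict] = {
    "198.51.100.23": {"ttp": "credential stuffing against VPN portals",
                      "severity": 3, "sector_relevant": True},
    "update-check.example.net": {"ttp": "DNS beaconing by a commodity loader",
                                 "severity": 2, "sector_relevant": False},
    "203.0.113.77": {"ttp": "password spraying against cloud mail",
                     "severity": 3, "sector_relevant": True},
}

# Constructed raw alerts in a "source|indicator|description" form; the fourth
# line is deliberately malformed to show that bad records are skipped, not fatal.
RAW_ALERTS = """\
firewall|198.51.100.23|repeated failed logins to VPN gateway
dns|UPDATE-CHECK.example.net|unusual DNS TXT queries from workstation
idp|203.0.113.77|failed logins across 40 accounts in 5 minutes
this line has no delimiters and is skipped
proxy|192.0.2.10|large upload to unknown host
dns|intranet.example.org|lookup failure
"""


@dataclass
class EnrichedAlert:
    source: str
    indicator: str
    description: str
    ttp: Optional[str] = None   # filled in when the indicator matches intel
    score: int = 0              # 0 means "no tactical context available"


def parse_alerts(text: str) -> list[EnrichedAlert]:
    """Parse the pipe-delimited alert lines; normalise indicators to lowercase."""
    alerts = []
    for line in text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # malformed record: skip rather than abort the whole batch
        source, indicator, description = (p.strip() for p in parts)
        alerts.append(EnrichedAlert(source, indicator.lower(), description))
    return alerts


def enrich(alert: EnrichedAlert, intel: dict[str, dict]) -> EnrichedAlert:
    """Attach TTP context and a priority score when the indicator is known.

    Score = severity * 10, plus 5 when the TTP is known to target our sector,
    so a high-severity, sector-relevant hit always outranks a generic one.
    """
    entry = intel.get(alert.indicator)
    if entry is None:
        return alert
    alert.ttp = entry["ttp"]
    alert.score = entry["severity"] * 10 + (5 if entry["sector_relevant"] else 0)
    return alert


def triage(raw: str, intel: dict[str, dict]) -> list[EnrichedAlert]:
    """Enrich every parsed alert and return them highest priority first.

    Python's sort is stable, so alerts with equal scores keep their arrival
    order and unmatched alerts (score 0) sink to the bottom for later review.
    """
    enriched = [enrich(a, intel) for a in parse_alerts(raw)]
    return sorted(enriched, key=lambda a: -a.score)


if __name__ == "__main__":
    for a in triage(RAW_ALERTS, TACTICAL_INTEL):
        context = a.ttp or "no tactical context"
        print(f"[{a.score:>2}] {a.source:<8} {a.indicator:<28} {context}")
```

Run as a script, the two sector-relevant, high-severity alerts come out on top, the generic beaconing indicator follows, and the two alerts with no matching intelligence are listed last with no TTP attached, which is exactly the "validate first, then respond to the specific threat" ordering the section describes.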

Challenges in Gathering Tactical Threat Intelligence

Gathering, processing, analyzing, and disseminating threat intelligence data is a key piece of an effective cyber threat intelligence program. However, when it comes to tactical threat intelligence, this can get complicated. 

There’s too much data

There’s often a lot of information to gather, and it’s very detailed, granular information. It can be a challenge to know which data applies to your organization, and which risks are the highest priority.

Organizations generate a massive amount of data, as does every source of OSINT. For security teams, this can be like standing in front of a firehose of information, trying to find the most relevant data patterns in time to catch an attack. Bad data management can lead to mistakes, such as missing an indicator of compromise, or generating false alerts. 

The data is too general

Most OSINT information is general, and caters to a broad group of companies. While general information about threats and tactics can be useful, the risks most specific to your organization and sector will give you the best possible tactical intelligence. 

Intelligence is inaccessible

While you can find reports that detail TTP that has already been used, what about emerging attack techniques? Most of this information isn’t accessible; it’s being discussed by the threat actors themselves. Much of the time, these conversations aren’t taking place where you can see them; they’re happening in private forums and on the Dark Web.

Stealing your data is a criminal's livelihood, so criminals take great care to keep their TTP and their conversations secret. This can make it particularly challenging to prepare for the newest attack scheme or malware.

In-house information gathering is impractical

An organization can build its own data-gathering team, but it’s impractical. Gathering intelligence is time-consuming and expensive: you have to curate and develop sources and analyze all of the information coming in. This can be overwhelming for a small team. 

Overcome the Barriers to Tactical Threat Intelligence with Flare

Tactical threat intelligence is an invaluable piece of your cybersecurity strategy. It helps organizations plan for likely attacks, reduce specific risks, and prioritize cyber security spending. However, gathering and analyzing that information can be overwhelming — especially for smaller security teams. 

Fortunately, automation can help overcome some of these challenges. Flare’s cyber threat intelligence platform gives your organization threat intelligence from the dark & clear web and Telegram channels relevant to your organization. When a threat actor mentions your organization by name on a dark web forum, or discusses TTP that might be used against your company, you receive an automated alert with that tactical intelligence. 

Try a free trial of Flare with just a 15 minute setup. 
