Cyber Threat Intelligence (CTI) can be defined as the contextual analysis of threat actor intent, capabilities and opportunities that helps organizations to better strategize around protection requirements and remediate active threats. While this definition broadly applies across the entire security organization, the relevancy of certain types of threat intelligence is highly dependent on stakeholder needs (strategic, operational, tactical). For instance, first-line SOC analysts require timely, tactical intelligence to make quick decisions and keep the organization safe from imminent threats, whereas senior executives may require longer term trend and forecast intelligence for strategic planning.
Consider this scenario. An IP address used to host a malicious command and control (C2) server is discovered by security analysts. After some processing and analysis, it is discovered that this indicator of compromise (IOC) matches detected threat alerts associated with malware seen on the corporate network. With this insight, the security team is able to take quick and immediate action to clean infected systems and block related malicious communications and subsequent attacks.
This type of in-the-moment and data-rich information is known as “tactical threat intelligence,” and provides critical, everyday value for security defenders who work tirelessly to secure their organizations from cyber threats and attacks. Whereas threat intelligence at the strategic and operational levels deal with macro-level threats, adversary trends and long-term risks, intelligence at the tactical level deals with threats of the present and immediate future. This primarily involves the identification and analysis of IOCs and telemetry enrichment by the SOC team so incident responders can take action to contain, prevent or eradicate threats and mitigate further risk.
With this in mind, how does tactical threat intelligence work in practice? What specifics are involved in the tactical intelligence lifecycle from start to finish? Read on to learn more about the effective use cases of tactical threat intelligence and how you can get the most from your CTI solution.
Tactical Threat Intelligence Use Case #1: SOC Alert Enrichment
A primary use case for integrating tactical threat intelligence is the quick analysis and triage of incoming security alerts and suspicious activities. IOCs such as malicious IPs and URLs, malware/ransomware hashes, suspicious network traffic, phishing infrastructure, etc. are collected, processed, and disseminated to the security team. Using correlated threat alert data from an integrated threat intelligence solution, pertinent threat alerts are matched with the identified IOCs and enriched with intelligence needed to quickly make decisions to escalate or resolve alerts.
Once alerts are validated and enriched, digital forensics and incident response (DFIR) teams spring into action by making quick decisions to remediate the threat or resolve the incident. Tactical (and often automated) actions such as adding IPs/URLs to a firewall blocklist, isolating machines or systems, notifying the ISP and/or host providers are taken to defend networks and the organization at large from malicious attacks.
Combining enriched threat alerts from many disparate and external data sources with discovered IOCs makes for an effective process in utilizing tactical threat intelligence. For example, ZeroFox integrates with D3 Security’s NextGen SOAR platform enabling automated trigger actions for investigation and remediation playbooks for specific external threat alerts and types (such as impersonations of brands, executives, domains, etc.). Tactical threat intelligence collected and curated within the ZeroFox Platform is also made available within the SOAR environment via API, streamlining triage and response and reducing manual processes.
Tactical Threat Intelligence Use Case #2: Incident Response Support, Threat Hunting and RFIs
The second most valuable use for tactical threat intelligence is supporting the incident responders. Upon having a likely or confirmed incident escalated to them, incident responders begin the process of containing and eradicating the threat to enable recovery actions. As threats establish persistence in their victim networks, it is critical for the incident response team to have known TTPs and fresh indicators. Without tactical threat intelligence, it is common for incident responders and system administrators to miss backdoors and compromised accounts. With a robust library of threat TTPs and indicators, adversary dwell time and mean cost of breach can be greatly reduced saving the victim millions of dollars in fines, lawsuits, and reputational losses.
Tactical threat intelligence also helps to drive threat hunting activities since intelligence received by a SOC can provide key insights that lead to finding new indicators within an environment. This usually begins with a hypothesis (i.e. the who, what, when, why, and how of an adversary) informed from an intelligence assessment. After searching through available threat data such as hashes, domains, IPs, C2 domains, etc. (either using threat feeds ingested via API or something like ZeroFox’s searchable threat hunting database), analysts attempt to answer their initial hypothesis. This exercise results in critical inputs such as the creation of new threat detection rules and triggers for more refined and accurate tactical alerts.
Sometimes however, gathering tactical threat intelligence requires deeper levels of research and investigation in order to meet customer and stakeholder needs. A request-for-information (RFI) may be the appropriate action to take (before say a blocking action) in order to gain deeper insights and ensure the highest-fidelity intelligence from an identified alert or IOC.
In cases of discovering indicators of sensitive data leaks, breaches and malicious attacks (i.e. malware/ransomware), tactical RFIs may require intelligence gathered from the most secretive, and difficult to penetrate underground threat actor hubs across the furthest reaches of the deep and dark web. For these special cases, ZeroFox pulls from a deep bench of experienced intelligence analysts and embedded dark operatives with long-established personas to obtain unique access to closed, unindexed forums, communities and marketplaces, and gain early warning into breach data and/or attack plans.
For example, let’s say that an IOC has been discovered by threat analysts for an unusual amount of outbound traffic on the network (potentially indicating an exfiltration event occurring). After some analysis, an RFI is issued to investigate for potential compromised credentials as part of illicit sale of data exfiltrated from any event-related data breaches. The ZeroFox dark web operatives respond to the RFI, and use their unique access to go where bots and data scrapers can’t to collect information about the breach. The tactical intelligence gained from this access helps security teams understand the scope of a potential breach and react faster and more completely.
Tactical Threat Intelligence Use Case #3: Adversary Disruption
In addition to providing evidence into an attack and fodder for investigation, IOCs can be used to disrupt and dismantle an attacker’s infrastructure. While traditional takedown actions are a critical part of a cybersecurity playbook, ZeroFox’s people and technology goes beyond isolated takedown actions and automatically deploys discovered indicators to a global network of disruption partners. These partners include social media platforms, DNS providers, hosts/ISPs, cloud providers, link shorteners, browsers, ISACS, endpoint security and others. ZeroFox greatly increases costs to the threat actors with our scale.
Tactical threat intelligence is an integral component for virtually every security outfit, especially for SOC analysts and incident response units in the trenches fighting to keep the organization safe and mitigate risk. Alert enrichment, incident response support and adversary disruption are three quick, valuable applications of tactical threat intelligence. By considering the various applications of tactical intelligence and aligning budget with security requirements, you can maximize the value of your threat intelligence solution.
Learn more about how ZeroFox provides threat intelligence tailored for your organization via an AI platform and expert resources to drive action.