What is Tactical Threat Intelligence?

7 minute read

“Know thyself, know thy enemy. A thousand battles, a thousand victories.”  — Sun Tzu, The Art of War

The Art of War was written more than 2500 years ago, but its wisdom remains valuable for modern enterprise SecOps teams engaged in perpetual warfare on the cyber battlefield. 

To effectively safeguard enterprise assets against digital adversaries, SecOps teams need to analyze their own infrastructure to recognize where they might be vulnerable to attack. But when it comes to knowing the enemy, SecOps teams need more than surface-level identification to anticipate and mitigate cyber attacks – they need tactical threat intelligence: specific information about the tactics that digital adversaries might use to penetrate their defenses.

In this blog, we’ll take a closer look at tactical threat intelligence, how it fits into the Cyber Threat Intelligence (CTI) framework, and its role in helping enterprise SecOps teams maintain organizational cybersecurity.

Download a copy of our Buyer’s Guide for Threat Intelligence.

What is Tactical Threat Intelligence (Tactical Cyber Threat Intelligence)?

Tactical threat intelligence is evidence-based knowledge about the tactics, techniques, and procedures (TTPs) that digital adversaries use to execute cyberattacks against enterprise targets.

Digital adversaries are often financially motivated, executing cyber attacks to steal enterprise data (which can be sold) or taking control of enterprise systems to demand a ransom. Some adversaries are hacktivists who launch cyber attacks against organizations whose activities they disagree with, and a third group consists of state-sponsored adversaries that commit espionage by stealing intellectual property and state secrets from foreign entities.

Adversaries plan and execute complex, multi-stage cyber attacks that advance their strategic aims. For example, an adversary with a financial motivation might plan a cyber attack whose ultimate goal is to steal enterprise data, which can then be sold or ransomed for cash. To achieve that ultimate strategic goal, the adversary may use a variety of tactics, such as:

  • Gathering information on the target
  • Developing resources to support the attack
  • Gaining access to the target’s network
  • Running malicious code on the target’s network
  • Establishing a foothold to ensure continuous network access over time
  • Evading network defenses
  • Stealing access credentials for secure systems
  • Searching the target’s network for valuable data and assets 
  • Exfiltrating data or sensitive information from the target network

Techniques and procedures refer to the specific action sequences that adversaries use to accomplish a tactical goal. For example, social engineering techniques like phishing and impersonation may be used to achieve tactical objectives, such as gaining initial access to a network or stealing access credentials. Specific procedures can often be linked to cyber threat groups that have used them in the past.

The goal of tactical threat intelligence is to ensure that organizations are aware of the tactical goals pursued by digital adversaries, and the techniques and procedures they use to achieve them. Understanding the goals, methods, and attack patterns of digital adversaries allows enterprise SecOps teams to more effectively anticipate, detect, and prevent attacks against their organizations.

Strategic vs. Tactical Threat Intelligence – What’s the Difference?

The notion of tactical threat intelligence fits into a broader threat intelligence framework where different kinds of information about digital risks are collected, analyzed, and conveyed to organizational actors. 

This framework includes four kinds of threat intelligence – strategic, tactical, operational, and technical – with distinct differences between them.

Strategic Threat Intelligence

Strategic threat intelligence deals with high-level information about the changing landscape of digital risks and how those changes could influence the organization’s cybersecurity posture and preparedness. Strategic intelligence focuses on new and emerging threat types and adversaries that could pose a risk to the organization.

Strategic threat intelligence is most often delivered to executives and management teams, where it can inform strategic decision-making at the highest level.

Tactical Threat Intelligence

Tactical threat intelligence deals with specific information on the latest tactics, techniques, methods, and procedures that digital adversaries are using to achieve their goals. 

Tactical threat intelligence is most often shared with SOC managers, as it allows them to implement appropriate detection and mitigation measures that block or counteract new and emerging attack patterns.

Operational Threat Intelligence

Operational threat intelligence is even more specific than tactical intelligence, as it focuses on delivering actionable information about an identified attack in progress against the organization. 

Operational intelligence is most often shared with network security managers and their teams, who can immediately use the information to inform the incident response process.

Technical Threat Intelligence

Technical threat intelligence focuses on specific threat indicators or Indicators of Compromise (IoCs) that signal malicious activity on a network or system.

Technical threat intelligence is usually shared with SecOps teams who can initiate an investigation to determine whether an attack has taken place.

Where Does Tactical Threat Intelligence Come From?

Tactical threat intelligence consists of specific information about the activities of a cyber adversary, including:

  • The tactical goal or objective the adversary tried to achieve as part of an attack
  • The specific technique, actions, or mechanisms used in the attack
  • Any software tools used as part of the attack

This information comes from the following sources:

Security Information Sharing

A huge amount of tactical threat intelligence is generated through information sharing within the cybersecurity community. When an organization experiences an attack, security teams will work to understand the attacker’s tactical objective, identify the technique used in the attack, analyze any payload from the attack (e.g. malware, scripts, trojans, etc.), and pinpoint any vulnerabilities that were exploited during the attack.

This information can be shared with security teams at other organizations as part of a collaborative approach to minimizing digital risks.

Threat Databases and Open Sources

Tactical threat intelligence can be found in threat databases like MITRE ATT&CK, a free, globally-accessible database of digital adversaries and their TTPs based on observations from real-world cyber attacks.

Other publicly available sources of tactical threat intelligence include news reports, public threat intelligence feeds, announcements and threat alerts from government organizations like the United States Cybersecurity & Infrastructure Security Agency (CISA), and online cybersecurity discussion groups.

Human Intelligence and Dark Ops

Tactical threat intelligence can be generated through the work of human intelligence operatives, including DarkOps agents monitoring the deep and dark web. By infiltrating criminal communities in the clandestine corners of the web, covert operatives can listen in on conversations where hackers share the TTPs for past, present, and future cyber attacks.

Monitoring the Public Attack Surface

While human intelligence can play an important role in developing tactical threat intelligence, it would take a huge number of human operatives to monitor the Internet at scale for potential attack chatter. 

Instead, modern cybersecurity vendors like ZeroFox have developed capabilities to monitor the public attack surface at scale using artificial intelligence. The AI-powered ZeroFox platform provides extreme visibility across the surface, deep, and dark web, social media, and mobile app stores to identify text, image, and video-based threats. These threats are analyzed by our team of human expert analysts who transform them into tactical threat intelligence that our customers can use to anticipate and prevent similar attacks.

Why is Tactical Threat Intelligence Important?

  1. Optimize Threat Detection and Prevention Capabilities

Tactical threat intelligence gives security teams the information they need to anticipate how adversaries will try to target them. Armed with this intelligence, security teams can invest in the right threat detection and prevention capabilities to increase the resilience of their infrastructure against known attack patterns.

While operational threat intelligence gives SecOps teams real-time information about a cyber attack in progress, tactical threat intelligence is more frequently used by organizations to help with proactively developing a security posture that can withstand attacks.

  1. Discover Adversary Motives & Accelerate Incident Response

When security experts can match a detected IoC to a known attack pattern, they can significantly accelerate the process of understanding the adversary’s motives, anticipating how the attack will proceed, and implementing countermeasures to thwart the attacker. This is extremely valuable during incident response, when rapid analysis and countermeasures can prevent operational downtime or the illicit exfiltration of sensitive data.

  1. Manage Cyber Threats and Prevent Losses

Tactical threat intelligence plays an important role in helping organizations manage cyber threats, mitigate digital risk, and prevent the financial and reputational damage that results from a successful cyber attack. By understanding the tactical goals, preferred techniques, and observed procedures of digital adversaries, SecOps teams can make their organizations significantly more resilient against cyber attacks.

Safeguard Your Business with Threat Intelligence from ZeroFox

ZeroFox provides enterprises with timely and relevant tactical threat intelligence to help anticipate and mitigate threats to brands, people, assets, and data across the public attack surface. 

Our ZeroFox platform uses advanced AI-driven analysis to detect complex digital threats across the public attack surface. Then, our team of expert threat analysts transforms that data into tactical threat intelligence that our customers can use to maximize the resiliency of their IT infrastructure against new and emerging threats.

Ready to learn more?

See ZeroFox in action