How You Can Apply Strategic and Tactical Threat Intelligence in ThreatConnect
One of the questions we get from users of the ThreatConnect platform is, given an encountered indicator, “what should we look for in the platform?” Of course, as with most things intelligence-related, the answer is “it depends.” It depends on your organization’s sources and intelligence requirements. Sources include the different intelligence feeds or repositories that are available to an organization, while intelligence requirements generally define what the team focuses on and the questions it seeks to answer for its consumers. These intelligence requirements may range from the specific to the abstract, but they typically fall into one of two categories – strategic and tactical.
Strategic intelligence informs HOW an organization defends itself and its overall cybersecurity posture. This includes the tools necessary to defend against their threats’ capabilities. Employing strategic intelligence enables an organization to tactically respond when incidents or issues arise. As the Empire was building the Death Star before Star Wars: A New Hope, from a strategic intelligence perspective, they knew their biggest threat, the Rebel Alliance, would likely attack using their fleet of X-Wings and Y-Wings. To that end, they placed turrets around the surface of the Death Star and trained a fleet of TIE fighters, both of which were capable of shooting down such craft.
Conversely, tactical intelligence informs WHAT an organization needs to focus on when responding to incidents using the tools at their disposal. This includes indicators, such as domains, IP addresses, and hashes, that an organization is most likely to encounter. Tactical intelligence is much more temporal in nature than strategic intelligence, and its utility can dissipate quickly. At the end of Star Wars: A New Hope, in response to the Rebel Alliance attack, Darth Vader tactically understood that he needed to shoot down Luke’s X-Wing using his TIE fighter, as Luke posed the greatest immediate threat. Had Vader been successful in his tactical response, the Death Star may have survived the day.
To understand the difference between the two, it’s useful to think about them visually. To illustrate the difference between strategic and tactical intelligence, consider the simplified tree graph below. Built off of the Diamond Model for Intrusion Analysis, the graph below shows the relationships between a threat, campaigns, tools, infrastructure, and victims.
What if you are a part of a victim organization that has just experienced an incident involving the theoretical malicious infrastructure infr1[.]com? From a tactical intelligence perspective, your incident responders may be interested in knowing what other indicators of compromise (IOCs) are needed to determine if there is additional activity or compromises within the organization. Also, your forensic team may want to know what tools are involved so they can appropriately review and remediate affected computers.
To identify this tactical intelligence, pivot horizontally in the graph above. Leveraging threat intelligence that identifies other domains and malware associated with the domain you’ve experienced will inform your tactical response to the situation at hand. In this instance, such threat intelligence may come from another victimized organization that encountered the same domain as you, along with two others (infr2 and infr3[.]com). Other threat intelligence may help identify the type of malware (Alpha Malware), and its corresponding hashes, that is currently hosted at those domains. All of this will inform your tactical response.
Within ThreatConnect, given an indicator as a starting point, the following investigative functions may help identify tactical intelligence that informs your response to an incident:
- Analyze: This is always a good place to start. It helps to identify what is already known in your communities about the indicator(s) you are experiencing. Also, it provides the metaphorical breadcrumbs for you to follow and ultimately identify pertinent tactical intelligence.
- Viewing Associated Indicators: After creating your incident and importing indicators, this will identify any other domains, malware, or IP addresses that have been associated with the given indicator by you or others within your community. Pivoting to these associated indicators may also help identify other relevant tactical intelligence.
- DNS: Understanding which IP addresses host domains used in attacks against your organization, or vice versa, may help identify other malicious infrastructure that you need to be on the lookout for. Furthermore, Subdomains under Passive DNS may identify previously active subdomains for those that you’ve encountered.
- WHOIS: This information can identify any specific individuals that may have registered the infrastructure that you’re experiencing. If this is a specific, malicious actor, the other domains that they’ve registered may be used in other attacks against you and could be valuable tactical intelligence for defensive efforts.
- Spaces App: For those organizations that have VirusTotal or OpenDNS subscriptions, ThreatConnect’s Spaces integrations can help identify whether the domain in question is malicious, and if so, what malicious files are being hosted there.
From a strategic intelligence perspective, organizations need to know what tools, processes, and capabilities they can implement to ensure that they are able to appropriately defend themselves against their biggest threats. Ideally, before an incident has taken place, C-level executives might want to know which APTs or individual adversaries are known to target their sector and what their corresponding tools, techniques, and processes (TTPs), capabilities, and motivations are. Analyzing this higher level, strategic intelligence can help identify the corresponding gaps in an organization’s tools and processes, and facilitate an organization’s ability to address a threat before they experience it.
To identify strategic intelligence, you investigate vertically in the graph above. Strategic threat intelligence that details the campaigns, adversaries, or threat groups most applicable to your organization could come from a variety of open, commercial, or community sources. Given that you’ve already experienced an incident involving infr1[.]com, this provides a starting point for your investigation. Otherwise, looking at what other organizations within your sector (Other Victim Org) have experienced would be a good starting point.
After identifying that the attack you experienced was part of APT A’s campaign, strategic intelligence identifies the other activities that APT A has been associated with, and their TTPs. Strategic intelligence also includes subjective information that doesn’t fit well into a tree graph, like their actions on objectives and their motivations. In this case, we can see that APT A has conducted a previous campaign where they used Beta Webshell. If your organization is unequipped to defend against attacks leveraging webshells, this is a critical gap that needs to be addressed before APT A attempts such an attack against you.
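The two pivots described above (horizontal for tactical intelligence, vertical for strategic intelligence) as an added, stand-alone illustration; this is not ThreatConnect code and does not use its API. The graph uses the post’s placeholder entities (APT A, Alpha Malware, Beta Webshell, infr1[.]com and friends), while the hash values and the “required defensive capability” per tool are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed tree in the post's shape: threat -> campaigns -> tools -> infrastructure -> victims.
# Every name is a placeholder from the post; nothing here is a real indicator.
EDGES = [
    ("APT A", "Campaign 1"), ("APT A", "Campaign 2"),
    ("Campaign 1", "Alpha Malware"), ("Campaign 2", "Beta Webshell"),
    ("Alpha Malware", "infr1[.]com"), ("Alpha Malware", "infr2[.]com"),
    ("Alpha Malware", "infr3[.]com"),
    ("infr1[.]com", "Your Org"), ("infr2[.]com", "Other Victim Org"),
    ("infr3[.]com", "Other Victim Org"),
]
# Constructed tool attributes: placeholder hashes and the capability assumed to defend against the tool.
TOOL_INFO = {
    "Alpha Malware": {"hashes": ["hash-alpha-1", "hash-alpha-2"], "requires": "endpoint AV"},
    "Beta Webshell": {"hashes": ["hash-beta-1"], "requires": "webshell detection"},
}

CHILDREN = defaultdict(list)
PARENT = {}
for parent, child in EDGES:
    CHILDREN[parent].append(child)
    PARENT[child] = parent


def tactical_pivot(indicator):
    """Horizontal pivot: from an encountered domain, find the tool hosted there, its hashes,
    the sibling infrastructure under the same tool, and which other victims saw it."""
    tool = PARENT[indicator]
    siblings = [d for d in CHILDREN[tool] if d != indicator]
    seen_by = sorted({victim for d in siblings for victim in CHILDREN[d]})
    return {"malware": tool, "hashes": TOOL_INFO[tool]["hashes"],
            "other_infrastructure": siblings, "seen_by": seen_by}


def strategic_pivot(indicator, defenses):
    """Vertical pivot: climb from the indicator to the threat, enumerate every tool across all of
    its campaigns, and report the tools the organization has no defensive capability for."""
    tool = PARENT[indicator]
    campaign = PARENT[tool]
    threat = PARENT[campaign]
    tools = [t for c in CHILDREN[threat] for t in CHILDREN[c]]
    gaps = [t for t in tools if TOOL_INFO[t]["requires"] not in defenses]
    return {"threat": threat, "campaign": campaign, "all_tools": tools, "gaps": gaps}


if __name__ == "__main__":
    print(tactical_pivot("infr1[.]com"))
    print(strategic_pivot("infr1[.]com", defenses={"endpoint AV"}))
```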
Within ThreatConnect, given an indicator as a starting point, the following investigative functions help identify strategic intelligence that informs your response to an incident:
- Analyze: As with tactical intelligence, this is a good place to start if you have one or more indicators. Analyze details what is known in your communities about the supplied indicators, including whether they have been attributed to any higher level threats or adversaries.
- Viewing Associated Threats/Adversaries: When investigating indicators, this helps quickly identify whether there is any attribution to a specific threat or adversary entry that is already in one of your communities. Pivoting to these entries can provide you with detailed information on the threat, their capabilities, tactics, tools, and motivations.
- Tags: Tags are used to quickly classify indicators or groups to campaigns, malware families, APTs, or nation states. Understanding how others have classified the indicators that you’ve encountered can help identify those higher level groups that would inform your strategic intelligence efforts.
If you’re using a Community as a starting point, the following investigative functions may help identify strategic intelligence that informs your organization’s defensive posture:
- Browse > Threats/Adversaries: This can provide you with a general understanding of which threats or adversaries others within your community have encountered. You can then pivot to those entries to identify any available strategic intelligence.
- Browse > Incidents: Viewing and understanding the incidents that have been shared with your communities may help you identify trends in the capabilities or TTPs that malicious actors are leveraging against your sector.
- Browse > Tags: Sorting the tags within your community based on their usage can help identify those higher level threats that are more commonly encountered in your sector.
- Community Dashboard: Being cognizant of what is posted to your community can provide awareness if and when new threats are encountered by others in your sector.
Understanding the difference between strategic and tactical intelligence, their utilities, and how ThreatConnect can facilitate the analysis of both, can significantly augment your organization’s capability to leverage threat intelligence and respond to intelligence requirements. If you rely on one type of intelligence over the other you may be left exposed to attacks, whereas awareness and use of both can put you in a better defensive position against attacks before they take place.