As we noted in our earlier posts on Strategic Threat Intelligence and Management Intelligence, Cyber Threat Intelligence may seem like a single comprehensive discipline, but it really comprises multiple modules that address individual steps in the overall cyber threat intelligence process. While strategic threat intelligence is suited for an audience of key decision makers (CEOs, board members, etc.) who may not necessarily be proficient in cybersecurity, Tactical Threat Intelligence is specifically compiled for an audience that understands the finer technical details that contribute to the organization’s security landscape.
What is Tactical Threat Intelligence?
Tactical intelligence enables SOCs to respond proactively to cyber threats and supports day-to-day detection and response, improving the enterprise’s cyber posture through the use of malicious IP addresses, malware signatures and mutexes, phishing domains, command-and-control (C2) servers, and YARA rules.
Tactical intelligence enables the organizations to:
Formulate correct rules and policies to blacklist, detect and restrict malicious traffic.
Detect infiltration and system infection.
Minimise the number of phishing emails that reach end users.
Protect against sensitive data leaks.
Apply whitelisting/blacklisting proactively.
Apply real-time updates to AV malware signatures.
Ensure file integrity and desktop/endpoint monitoring.
Who is the target audience for Tactical Threat Intelligence reports?
Operators such as CIRT, SOC and NOC teams, and any other interfacing teams: essentially, personnel who are part of the organization’s security setup and are tasked with proactively responding to cyber threats and supporting detection and response to improve the organization’s cybersecurity posture, using malicious IP addresses, malware signatures and mutexes, phishing domains, and botnet command-and-control servers.
What are the common sources employed by CYFIRMA to source Tactical Threat Intelligence?
CYFIRMA employs robust mechanisms for information collection and interpretation to obtain Tactical threat intelligence from the following sources:
Open source and closed source
Real world communication
Data enrichment obtained from passive scanning and crawling
Why source Tactical Threat Intelligence from CYFIRMA?
Offering such key insights as the tactics, techniques and procedures (TTPs) adopted by malicious actors, operational/tactical threat intelligence from CYFIRMA helps an organization’s IT team understand how a potential cyberattack will play out. Additionally, this helps cyber defenders decide on mitigation strategies, including the detection techniques best suited for the job, secure approval from decision makers, identify and correct obvious vulnerabilities, and so on.
In the context of CYFIRMA, tactical threat intelligence helps organizations safeguard their cyber posture by blocking known malware signatures, malicious domains, command-and-control centres and other indicators of compromise. Using its proprietary Cyber Intelligence Analytics Platform (CAP), CYFIRMA offers tactical threat intelligence to assist organizations with cyber strategy, processes and security controls, to predict future cyber-attacks and business risks, and to recommend proactive measures.
Importantly, CYFIRMA’s approach places more emphasis on quality than on quantity. CYFIRMA offers its clients a limited number of highly researched and analysed IOCs that highlight a threat actor’s targeting of a specific industry and/or organization. This is in contrast to the common trend among cybersecurity companies of offering millions of irrelevant and poorly researched IOCs.
In most organizations, the key decision makers (CEOs, Board of Directors, etc.) are the secondary audience for these tactical threat intelligence reports. Thus, a technical representative (CISO, CTO, etc.) will have to act as a liaison to help the decision makers understand the finer details of these reports. Further, this representative’s recommendations will serve as the basis for the eventual decision coming from the leadership group. CYFIRMA’s on-point reporting helps streamline this conversation.
Listed below are some case-studies that further establish CYFIRMA’s proficiency as a robust aggregator of Operational/Tactical Threat Intelligence.
Case Study 1: CYFIRMA’s Tactical Intelligence Offering helped a Large US-based Financial Conglomerate Improve its Responses to Emerging Cyber Threats
Recently, CYFIRMA helped a large US-based financial institution with a sophisticated cyber threat center identify and mitigate smartly targeted cyber threats quickly. CYFIRMA helped the organization’s security operations team mitigate DDoS, malware implants, DNS hijacking and data-stealing attempts by providing daily updates to the cyber operations center to keep its security controls (firewall, IDS/IPS, antivirus, proxies, SIEM) current with the latest threat vectors.
Case Study 2: CYFIRMA’s Tactical Intelligence Offering helped a Well-Known Japanese Corporation Identify Complex Cyber Threats and Data Breaching Attempts
CYFIRMA was contracted by a large Japanese corporation with a footprint in the heavy industry, financial services, retail, and food and beverage domains to better understand cyber risks and mitigate them efficiently and effectively. CYFIRMA helped the organization’s security operations team mitigate ransomware, cryptojacking malware implants and data-stealing attempts by providing daily updates to the cyber operations center to keep its security controls (firewall, IDS/IPS, antivirus, proxies, SIEM) current with the latest threat vectors.
Additionally, the following highlights CYFIRMA’s tactical recommendations to organizations. These insights help organizations make the best use of their security assets.
Ensure Endpoint Detection and Response (EDR) solutions are enriched with our IOCs/IOAs to detect threat actors proactively.
Fine-tune the existing use cases in the Security Information and Event Management (SIEM) tool to detect the IOCs/IOAs.
Improve the detection signatures of intrusion detection and prevention systems (IDS/IPS) with custom rules to monitor and alert on network intrusions.
Ensure that email security gateways, email authentication (SPF, DKIM, DMARC), advanced threat protection systems, firewall rules and network proxy controls are configured appropriately to detect attacks in real time.
Classify and segregate the organization’s business-critical systems (the "crown jewels") and apply dedicated security monitoring to those assets.
Identify user behavioural anomalies, including privileged account activity, user account elevation, credential dumping, brute-force attacks, RDP connections and tunnelling, password spray attacks, and malicious command-line arguments, and ensure they are detected and investigated by the cyber security team.
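The brute-force and password-spray anomalies named in the last recommendation differ only in the shape of the failure pattern: many failures against one account from one source versus one or two failures against many accounts from one source. The following is an added example, not code from CYFIRMA or from this post, that runs both detections (plus a "success after repeated failures" escalation) over a constructed authentication log; the log format, hosts, users, addresses and thresholds are all assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed authentication events (hypothetical users and documentation-range
# addresses). One source hammers a single account, one user mistypes a password
# once, and one source tries six different accounts once each. The last line is
# deliberately malformed to show that the parser skips rather than crashes.
AUTH_LOG = """
2024-05-01T09:00:01Z src=192.0.2.10 user=bob result=FAIL
2024-05-01T09:00:02Z src=192.0.2.10 user=bob result=FAIL
2024-05-01T09:00:03Z src=192.0.2.10 user=bob result=FAIL
2024-05-01T09:00:04Z src=192.0.2.10 user=bob result=FAIL
2024-05-01T09:00:05Z src=192.0.2.10 user=bob result=FAIL
2024-05-01T09:00:06Z src=192.0.2.10 user=bob result=FAIL
2024-05-01T09:00:10Z src=192.0.2.10 user=bob result=SUCCESS
2024-05-01T09:05:00Z src=10.0.0.8 user=alice result=FAIL
2024-05-01T09:05:07Z src=10.0.0.8 user=alice result=SUCCESS
2024-05-01T09:10:00Z src=198.51.100.5 user=carol result=FAIL
2024-05-01T09:10:10Z src=198.51.100.5 user=dave result=FAIL
2024-05-01T09:10:20Z src=198.51.100.5 user=erin result=FAIL
2024-05-01T09:10:30Z src=198.51.100.5 user=frank result=FAIL
2024-05-01T09:10:40Z src=198.51.100.5 user=grace result=FAIL
2024-05-01T09:10:50Z src=198.51.100.5 user=heidi result=FAIL
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(SUCCESS|FAIL)$")


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse(log: str) -> List[Event]:
    """Parse the constructed key=value lines into time-ordered events."""
    events = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed input instead of aborting the whole batch
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def detect(events: List[Event], window: timedelta = timedelta(minutes=5),
           brute_threshold: int = 5, spray_users: int = 5,
           success_after: int = 3) -> List[Dict]:
    """Sliding-window detection per source; each alert is raised once."""
    alerts: List[Dict] = []
    seen = set()
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    for src, evs in by_src.items():
        fails = [e for e in evs if not e.ok]
        for end in evs:
            # Failures from this source inside the window that closes at this event.
            per_user = Counter(f.user for f in fails if end.ts - window <= f.ts <= end.ts)
            # Brute force: many failures concentrated on one account.
            for user, n in per_user.items():
                if n >= brute_threshold and ("brute_force", src, user) not in seen:
                    seen.add(("brute_force", src, user))
                    alerts.append({"type": "brute_force", "src": src, "user": user, "count": n})
            # Password spray: few failures each, spread across many accounts.
            if (len(per_user) >= spray_users and max(per_user.values()) <= 2
                    and ("password_spray", src) not in seen):
                seen.add(("password_spray", src))
                alerts.append({"type": "password_spray", "src": src, "users": len(per_user)})
            # A success following repeated failures is the case worth escalating.
            if end.ok and per_user.get(end.user, 0) >= success_after:
                key = ("success_after_failures", src, end.user)
                if key not in seen:
                    seen.add(key)
                    alerts.append({"type": "success_after_failures", "src": src,
                                   "user": end.user, "fails": per_user[end.user]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(AUTH_LOG)):
        print(alert)
```

The single mistyped password from 10.0.0.8 produces no alert because it stays below every threshold; in a real deployment the thresholds and window would be tuned against the organisation's own baseline of failed logins.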
Further, the following lists CYFIRMA’s Tactical recommendations pertaining to IOCs:
Immediately apply IoCs to IPS/IDS systems to block suspect inbound packets.
Apply filters based on IoCs to SIEM systems to detect inbound or outbound traffic on systems that contain sensitive information, particularly proprietary intellectual property.
Immediately analyze reported phishing/smishing email contents and test link access in air-gapped sandbox systems; filter and block access to reported phishing emails or similar addresses by applying regular-expression filters on mail relay systems.
Immediately block all known or reported phishing sites.
Establish closer perimeter monitoring of unusual ports and of the ports associated with the attacker’s TTPs.
Monitor endpoint alerts for data movement via email attachments, HTTP upload or FTP upload.
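Applying IoCs as SIEM filters, as the second recommendation above describes, means turning a feed of indicators into lookups that each log source can be matched against. The following is an added example, not code from CYFIRMA or from this post, that loads a small constructed feed of IPs, a CIDR range, a domain and a SHA-256 hash and scans constructed firewall, proxy and EDR log lines for them; the feed format, the defanging conventions handled (hxxp, [.]), the log layout and every address, domain and hash are assumptions chosen for illustration. It goes slightly beyond the text by also matching subdomains of a listed domain and addresses inside a listed range, which a plain string comparison would miss.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed IOC feed (hypothetical: documentation address ranges, an example
# domain and a placeholder hash; none are real indicators). Feeds and reports
# often ship indicators "defanged" (hxxp, [.]), so they are refanged first.
IOC_FEED = """
ip,203[.]0[.]113[.]45,C2 server
cidr,198.51.100.0/24,botnet range
domain,login-secure-update[.]example,phishing domain
sha256,deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,malware sample
"""

# Constructed key=value log lines from a firewall, a proxy and an EDR agent.
LOGS = """
2024-05-01T10:00:01Z fw src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow
2024-05-01T10:00:02Z fw src=10.0.0.7 dst=192.0.2.10 dport=443 action=allow
2024-05-01T10:00:05Z proxy host=ws-17 user=jdoe url=https://mail.login-secure-update.example/auth
2024-05-01T10:00:09Z edr host=ws-22 proc=update.exe sha256=DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
2024-05-01T10:00:12Z fw src=198.51.100.77 dst=10.0.0.20 dport=22 action=allow
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.I)


def refang(indicator: str) -> str:
    """Undo common defanging so an indicator compares equal to raw log fields."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp://", "http://").replace("hxxps://", "https://")).lower()


@dataclass
class Watchlist:
    ips: set = field(default_factory=set)
    cidrs: list = field(default_factory=list)
    domains: set = field(default_factory=set)
    hashes: set = field(default_factory=set)
    context: Dict[str, str] = field(default_factory=dict)  # indicator -> analyst note


def load_feed(feed: str) -> Watchlist:
    """Parse 'type,value,description' lines into typed lookup structures."""
    wl = Watchlist()
    for line in feed.strip().splitlines():
        kind, raw, desc = [p.strip() for p in line.split(",", 2)]
        value = refang(raw)
        wl.context[value] = desc
        if kind == "ip":
            wl.ips.add(value)
        elif kind == "cidr":
            wl.cidrs.append(ipaddress.ip_network(value))
        elif kind == "domain":
            wl.domains.add(value)
        elif kind == "sha256":
            wl.hashes.add(value)
    return wl


def domain_hit(host: str, domains: set) -> Optional[str]:
    """Match the host or any parent domain, so a.b.evil.example hits evil.example."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in domains:
            return candidate
    return None


def scan(logs: str, wl: Watchlist) -> List[Dict[str, str]]:
    """Return one hit per (log line, indicator) match, tagged with the feed's note."""
    hits: List[Dict[str, str]] = []
    for line in logs.strip().splitlines():
        for ip in IP_RE.findall(line):
            if ip in wl.ips:
                hits.append({"type": "ip", "indicator": ip, "line": line})
                continue
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # e.g. 999.1.2.3 matches the regex but is not an address
            for net in wl.cidrs:
                if addr in net:
                    hits.append({"type": "cidr", "indicator": str(net), "line": line})
        for host in URL_HOST_RE.findall(line):
            matched = domain_hit(host, wl.domains)
            if matched:
                hits.append({"type": "domain", "indicator": matched, "line": line})
        for digest in HASH_RE.findall(line):
            if digest.lower() in wl.hashes:
                hits.append({"type": "sha256", "indicator": digest.lower(), "line": line})
    for hit in hits:
        hit["context"] = wl.context[hit["indicator"]]
    return hits


if __name__ == "__main__":
    for hit in scan(LOGS, load_feed(IOC_FEED)):
        print(f"[{hit['type']}] {hit['indicator']} ({hit['context']}): {hit['line']}")
```

Carrying the feed's description through to each hit is what lets an analyst triage a SIEM match without going back to the report, and the same watchlist structure can be exported as IPS/IDS block entries for the first recommendation above.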
Curious about what Tactical Threat Intelligence can do for your business?