In an ideal case, threat intelligence
provides an organization with information about threats before they become attacks, helping the security team decide exactly what it needs to do to keep the organization secure. However, it is rare to find threat intelligence pertinent to particular attacks. Most attackers are careful about where and when to discuss their plans, thus, making it difficult for non-government agencies to intercept those chats.
Despite that, there is a specific threat intelligence discipline dedicated to identifying specific attacks. This educational blog tackles operational threat intelligence.
What is Operational Threat Intelligence?
Operational threat intelligence is actionable intelligence on specific incoming attacks. It provides information on the nature of the attack, the identity and capabilities of the threat actor, and an indication of when the attack will hit the organization. This intel is consumed by executive managers to design strategy-based plans and policies to protect the organization against incoming attacks. It is also consumed by business unit managers and security operations personnel.
Sources of Operational Threat Intelligence
Consumers of operational threat intelligence want intelligence on all bad actors that pose a threat to their organizations. However, it is crucial that organizations focus on operational threat intelligence that can be practically obtained, as in-depth intel on nation-state threat actors is neither a feasible nor realistic requirement for them.
Operational threat intelligence is most commonly sourced from closed sources. Although some actors communicate via open channels, most are secretive. Common sources include open and private internet chat rooms, social media, and public and private forums hosted on both open and dark webs, and activity-related attacks.
Barriers to Collecting Operational Threat Intelligence
Due to its specific nature, collecting operational threat intelligence is a daunting task. Thus, analysts are sure to face a few hindrances on their path to intel collection. They have been listed below.
Barrier to Access
Some ideologically motivated groups communicate freely in open chat rooms. However, groups are aware that their chat rooms are monitored and targeted operations are discussed in private forums. It can be operationally and legally difficult to gain access to these chat rooms.
Many sophisticated threat groups are located in non-English speaking countries and communication is usually carried out in their native language. Analysts should be aware that this would up the cost of the collection of actionable intelligence.
Too Much Noise
Common sources of operational threat intelligence, such as social media and chat rooms, are high volume, implying that manual monitoring is impractical. While collecting operational threat intelligence, security analysts should ensure that the access to information is legal and relevant to the business. The temptation to have vicarious access to closed sources can at times outweigh good judgment when it comes to whether the information is actually useful.
It goes without saying that threat actors go to great lengths to hide their intentions from the outer world. Common obfuscation tactics include changing aliases on a regular basis or using proprietary codes for target names or attack types.
Overcoming the Barriers
Threat intelligence is all about predicting and preventing incoming attacks. It is not an easy feat to gather intel by infiltrating threat groups or intercepting their communications. However, there are ways to start the process. It takes minimal effort to monitor open chat forums and special media. They can offer valuable insights into threats. At the same time, deploying an advanced Threat Intelligence Platform (TIP) can help detect real-world events that spark off cyber activity. A deeper analysis can be attained by combining operational threat intelligence with other forms of threat intelligence, such as tactical and strategic threat intelligence, to ensure proper comprehension of the groups’ capabilities and attack patterns. This amalgamation can help gain more information on the expected form and scale of the attack.
Use Cases of Operational Threat Intelligence
Operational threat intelligence can provide warning of future attacks, such as a planned DDoS attack at a particular time. Proper operational intel provides organizations the ability to implement appropriate defense that will confront the attack, as well as analyze the nature of the attack. Operational threat intelligence can enhance incident response and mitigation tactics for future incidents and attacks and enforce and strengthen a proactive threat hunting program to detect malicious activity that evades conventional security technology. It can also assist in performing actor and malware-based analytics for high-risk threats and develop detection methodologies independent of Indicators of Compromise (IOCs), securing a wider coverage of threats.
Security Operations Center (SOC)
Operational threat intelligence can be leveraged by SOCs for security monitoring, alerting, and blocking. SOCs can create rules or signatures for IOCs that create alerts in SIEMs, IDS/IPS, or endpoint protection products. A set of IOCs can be used to block suspicious activities.
Vulnerability management can be a time-consuming affair. However, there are times when imminent threats can be averted by a simple patch. Operational threat intelligence bridges this gap and provides a smarter lens of risk-based analysis of vulnerabilities.
Sharing Operational Threat Intelligence
This type of threat intelligence can be shared with peers, stakeholders, information sharing communities (ISACs/ISAOs), commercial feed providers, national CERTs, vendors, and clients to provide an advanced warning of attacks. Take for instance, if during the collection process if it is noticed that the threat actors under observation are planning on targeting another organization, the latter can be alerted to the threat.
The Bottom Line
It should be remembered that time is money and cybercrime is a business. With effective and timely operational threat intelligence, organizations can successfully withstand adversaries and have a better understanding of their cybersecurity postures against today’s cyber threats.