What is tactical threat intelligence?

If threat intelligence is the umbrella, under that umbrella lie strategic and tactical intelligence, next to their operational and technical intelligence siblings. Whereas operational intelligence focuses primarily on your business and technical intelligence is based more on adversary technology, your everyday tactical intelligence typically helps feed information to the defenders. Often tactical intelligence is a part of more significant trends, which in turn drive the strategic aspect of intelligence that allows your executives and middle management to see the bigger picture. If strategic intelligence is the forest, tactical intelligence would be a tree or a few trees. Or, more simply, as Luther Vandross once put it, it’s the here and now.

In the military world (which gave us a lot of our everyday lexicon and concepts in security), tactical intelligence is often crucial to battlefield commanders dealing with a volatile enemy situation that is typically developing very nearby in the extreme near-term. Commanders want to know what’s happening just outside of their frontlines, with the most important questions often being who, how, and when. It’s no different to a security team composed of a ragtag bunch of analysts, security engineers and admins, management, and a CISO: They want to know who’s trying to get into the castle walls.

Tactical threat intelligence can tell you more about the IPs that have recently been hammering your networks with scans and brute force attacks, for instance. During a major security incident, tactical threat intelligence will give you some context about an observed command-and-control (C2) domain, or maybe some new, interesting file hashes to look for in an investigational pivot. Tactical threat intelligence can also help drive threat hunting activities since intelligence sent to a SOC can help analysts hunt an environment for new or different indicators. 

Again, tactical threat intelligence deals with the here and now. On its own, it doesn’t always indicate a trend, per se, nor is it always valuable for strategic decision-makers at the executive levels. Still, it is useful at the operational levels. Taken over time and analyzed, a group of indicators may be used to derive strategic intelligence, but at this level, don’t expect to confirm a campaign on the strength of a single event.

How does Digital Shadows (now ReliaQuest) use tactical threat intelligence?

Much like other vendors, Digital Shadows (now ReliaQuest) is in the tactical threat intelligence game, offering a range of information that, in our case, is accessed via a portal that makes indicators such as hashes, domains, or IP addresses searchable. Similar to using threat feeds, customers can use that information to enrich their telemetry, either through an API or manual searches.

Besides having searchable indicators, Digital Shadows (now ReliaQuest) delivers tactical threat intelligence, often at least daily. This is typically in the form of various domain alerts, tippers, and other notifications customers have configured in SearchLight. Digital Shadows (now ReliaQuest) also responds to requests-for-information (RFIs) from customers; the response is typically a more focused analytical product derived from specific, tactical customer needs.

A request-for-information may help answer a limited set of intelligence requirements, often driven by a recent event or new information specific to a customer’s needs rather than the entire financial vertical. Tippers and similar intelligence updates often answer a single question or inform on a particular issue. In our case, these usually touch on timely updates about exploits, vulnerabilities, or campaigns that are currently emerging to keep you informed. Again, the one-offs don’t always offer great perspective for a strategic look, but over time, they become valuable if they begin to show specific trends.

What solutions are there for you?

Let’s suppose that you notice a particular IP address, 49.235.167.41, has been attempting to log in via SSH to one of your servers. A quick look in SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) will reveal that it’s been assessed as a high threat, echoing the internet consensus.  

Figure: Searching for an evil IP via SearchLight

Some additional pivots through search results will show us some other exciting indicators, such as a user reporting on Twitter repeated attempts to log in with specific usernames and passwords, or that the IP has ended up on more than a couple of blocklists via Pastebin or Fail2Ban. Knowing this context makes it easier for you to decide whether to investigate the activity further or create a rule to block the IP address outright.

In the case of an RFI, a customer may be noticing this and several other IPs making repeated attempts to log in on their infrastructure over time. This is where the short-term, ad hoc intelligence requirements come into play when creating an RFI. It’s serving a tactical need, so the research may only look at a brief snapshot of time or only require confirmation of several vital facts to be valuable to a customer.
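
The SSH scenario above, as an added example (not from the original post and not Digital Shadows or ReliaQuest code): a short Python triage that counts failed logins per source IP in sshd log lines and enriches each source with a locally exported indicator rating before suggesting an action. The log lines, the `INDICATORS` dictionary, the action labels and the threshold are constructed assumptions; no vendor API is called.

```python
import re
from collections import defaultdict

# Constructed sshd lines, not real telemetry. 49.235.167.41 is the article's
# address; the other sources are documentation-range addresses.
SAMPLE_LOG = """\
Mar  3 02:14:01 web01 sshd[4121]: Failed password for invalid user admin from 49.235.167.41 port 50122 ssh2
Mar  3 02:14:03 web01 sshd[4121]: Failed password for invalid user test from 49.235.167.41 port 50124 ssh2
Mar  3 02:14:06 web01 sshd[4125]: Failed password for root from 49.235.167.41 port 50130 ssh2
Mar  3 02:20:44 web01 sshd[4190]: Failed password for deploy from 203.0.113.7 port 41822 ssh2
Mar  3 02:21:10 web01 sshd[4192]: Accepted publickey for deploy from 203.0.113.7 port 41830 ssh2
Mar  3 02:30:12 web01 sshd[4230]: Failed password for invalid user oracle from 198.51.100.23 port 60001 ssh2
Mar  3 02:30:15 web01 sshd[4230]: Failed password for invalid user postgres from 198.51.100.23 port 60003 ssh2
Mar  3 02:30:19 web01 sshd[4233]: Failed password for invalid user git from 198.51.100.23 port 60009 ssh2
"""
# Hypothetical local export of indicator ratings (stand-in for a feed lookup).
INDICATORS = {"49.235.167.41": "high"}

# Greedy (.*) stops a crafted username like "x from 192.0.2.1 port 1 ssh2"
# spoofing the source: the last " from <ip> port" is the one sshd wrote.
FAILED = re.compile(r"Failed password for (?:invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"Accepted \S+ for .* from (\S+) port \d+ ssh2")

def triage(log_text, indicators, threshold=3):
    """Return {ip: {"failures", "users", "rating", "action"}} per source IP."""
    counts, users, succeeded = defaultdict(int), defaultdict(set), set()
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            counts[m.group(2)] += 1
            users[m.group(2)].add(m.group(1))
        elif m := ACCEPTED.search(line):
            succeeded.add(m.group(1))
    report = {}
    for ip, n in counts.items():
        rating = indicators.get(ip)
        if rating == "high" and ip not in succeeded:
            action = "block"        # known-bad source that never got in
        elif rating or n >= threshold:
            action = "investigate"  # hunt lead, or a rated source that logged in
        else:
            action = "monitor"
        report[ip] = {"failures": n, "users": sorted(users[ip]),
                      "rating": rating, "action": action}
    return report

if __name__ == "__main__":
    for ip, row in triage(SAMPLE_LOG, INDICATORS).items():
        print(ip, row)
```

A rated source that also has a successful login is routed to "investigate" rather than "block", since a block rule alone would not address a session that may already exist.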

Digital Shadows (now ReliaQuest)’s intelligence expertise

We understand your need for tactical intelligence because, chances are, our analysts have been in your position before. From the latest on ransomware campaigns to news about exploited vulnerabilities, promptly passing on crucial information to a customer is what every intelligence analyst aspires to, and Digital Shadows (now ReliaQuest) is no different in that regard. 

If you’re curious about how we can answer your questions by making tactical threat intelligence work for you, you can always talk to us about a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to define more specific use cases that can help intelligence work for you.