Technical threat intelligence, also known as “cyber threat intelligence,” refers to threat indicators of compromise (IoCs) that cybersecurity staff use to protect their networks. It includes command-and-control (C&C) channels, tools (malware and exploits), IP addresses, domains, malicious emails, and other resources that threat actors use to breach a target system or network.
Compared with strategic and tactical threat intelligence, this data is meant for short-term use. But unlike operational threat intelligence, which is also for short-term use, technical threat intelligence is specific.
Like the other three types of threat intelligence, all organizations need technical threat intelligence if they want to ensure the utmost protection of their entire network.
What Is Technical Threat Intelligence For?
Technical threat intelligence primarily helps organizations block access to and from the malicious properties that threat actors own and keep to instigate attacks on their chosen targets.
We mentioned that this data is meant for short-term use. Why? As soon as malicious emails, links or Uniform Resource Locators (URLs), malware, and exploits are detected, targets will be able to protect against them. Attackers therefore need to change them constantly to continue stealing data from or controlling target systems and networks, which cuts each indicator's useful life short.
Given that, cybersecurity teams need to obtain technical threat intelligence as soon as it is made available if it is to be helpful.
Where Can You Get Technical Threat Intelligence?
Technical threat intelligence can come from:
- Reports created by various cybersecurity researchers, analysts, and firms on ongoing attacks
- Threat data feeds that several third-party providers collate and either share or sell
- Information shared in cybersecurity communities, such as forums
- News articles on ongoing attacks
- Hacker forums and marketplaces on the Dark Web
- Insider information from an organization that is suffering from an ongoing attack
- Your system and network logs if you happen to be the target of an ensuing attack
What Are the Three Kinds of Technical Threat Intelligence?
IoCs can be categorized into three types:
- Network indicators: These include domain names and URLs that served as C&C communication and malware delivery channels, along with related IP addresses.
- Host-based indicators: These come from detailed inspections of infected systems. Examples include MD5 or SHA-1 hashes of binaries, file artifacts, and registry keys.
- Email indicators: These include the socially engineered phishing or spear-phishing emails sent to the targets to instigate an attack.
Let’s look at a specific example. We obtained these Actinium/Gamaredon advanced persistent threat (APT) IoCs from a Microsoft Security report.
|Network Indicator||Host-Based Indicator|
|SHA-256 of QuietSieve malware:|
Why Do Experts Say Technical Threat Intelligence Should Be Actionable?
Remember we said earlier that technical threat intelligence is meant for short-term use? That short shelf life is the main reason it has to be actionable.
Cybersecurity teams need specific IoCs that they can feed to their security solutions to block malicious traffic. Knowing the domains and URLs that, when accessed, can lead to the download and installation of malware enables them to prevent anyone in the network from accessing those malicious web properties. If their cybersecurity solution is still not detecting the malware, the hash will allow them to prevent the malicious program from infecting any system.
Actionable technical threat intelligence is data cybersecurity professionals can readily use to prevent an attack from affecting their networks.
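The following added example (not from the original page) sorts a feed into the three indicator types described above, ages out stale entries, and checks events against what remains. The feed values, event field names, and the 30-day cutoff are all assumptions made for illustration.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")  # MD5, SHA-1, SHA-256

def classify(value):
    """Sort a raw indicator into the page's three types."""
    v = value.strip().lower()
    if HASH_RE.fullmatch(v):
        return "host"
    if "@" in v and "://" not in v:
        return "email"
    return "network"  # domain, URL or IP address

def build_blocklist(feed, now, max_age_days=30):
    """Keep only indicators first seen within max_age_days (assumed cutoff)."""
    active = {"network": set(), "host": set(), "email": set()}
    for value, first_seen in feed:
        seen = datetime.strptime(first_seen, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if now - seen <= timedelta(days=max_age_days):
            active[classify(value)].add(value.strip().lower())
    return active

def match(event, blocklist):
    """Return the active indicators an event hits (field names are hypothetical)."""
    hits = set()
    if "url" in event:
        url = event["url"].lower()
        labels = (urlsplit(url).hostname or "").split(".")
        # A listed domain also covers its subdomains, so test every parent suffix.
        parents = {".".join(labels[i:]) for i in range(len(labels))}
        hits |= ({url} | parents) & blocklist["network"]
    if "sha256" in event:
        hits |= {event["sha256"].lower()} & blocklist["host"]
    if "sender" in event:
        hits |= {event["sender"].lower()} & blocklist["email"]
    return sorted(hits)

# Constructed sample data: reserved .example names, a documentation IP, a hash of dummy bytes.
SAMPLE_HASH = hashlib.sha256(b"constructed sample, not malware").hexdigest()
FEED = [
    ("bad-update.example", "2024-05-20"),
    ("203.0.113.7", "2024-01-02"),  # stale entry, aged out below
    (SAMPLE_HASH, "2024-05-21"),
    ("billing@invoice-portal.example", "2024-05-22"),
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
BLOCKLIST = build_blocklist(FEED, NOW)
```

The stale IP address never reaches the blocklist, which is the practical consequence of the short indicator lifetime discussed earlier.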
Who Uses Technical Threat Intelligence?
Because of its low-level nature, technical threat intelligence is most useful for:
- Network and system administrators who must ensure the security of their organizations
- Security operations centers (SOCs) that serve their own organizations’ and clients’ security needs
- Managed security service providers (MSSPs) who need to ensure their clients stay protected against any threat
- Security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platform providers whose products should prevent threats from affecting their users’ networks
- Marketing and communication teams who need to create information sheets and press releases for their customers should their organizations succumb to an attack
- Security researchers and analysts who want to look more closely at an ongoing attack to collect more artifacts
As you’ve seen, technical threat intelligence is critical to all users, individuals and companies alike, who want to stay protected against all kinds of threats.