Gartner Blog Network


From IPs to TTPs

by Anton Chuvakin  |  April 4, 2013  |  4 Comments

“Here is a ‘bad’ IP – let’s ACL the sucker!” thinking is many people’s first experience with technical shared security data. However, as I pointed out in my previous blog post, “Consumption of Shared Security Data”, it is definitely not the only way – and often not the most useful way – of consuming shared technical information (“bad” IPs are also not the only type of such information). Threat indicators (network and host), NIDS/NIPS rules, queries/patterns and other information received from whatever external entity have plenty of uses for detecting, mitigating and investigating incidents. Even simply collecting such external data for future reference during upcoming investigations (such as “where was this IP seen before?”) often comes in handy when you need additional historical context.

However, all the above discussion applies to TECHNICAL information. By ‘technical’ here I mean the types of data consumed, not produced, by the information systems (“boxes”) as opposed to flesh and blood humans (excluding cyborgs and androids, presumably).

Technical indicators are the easiest to share and consume. Their usefulness is also the most short-lived! URLs that drop binaries may live for hours. Binaries may be used once. Exfiltration upload sites (the “holy grail” of technical indicators, according to some) may survive only until the attacker moves the data off your site.
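The two points above (technical indicators age fast, yet retained history still answers “where was this IP seen before?”) as an added example that is not from the original post: a small indicator store with a constructed, type-specific lifetime per indicator and a lookup over retained log sightings. The TTL values, feed name, hash placeholder and log lines are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed lifetimes for this example; the post's point is that such
# indicators go stale quickly, so each type gets its own short TTL.
TTL = {
    "url": timedelta(hours=12),  # drop sites "may live for hours"
    "md5": timedelta(days=1),    # binaries "may be used once"
    "ip": timedelta(days=7),     # upload sites move once the data is gone
}

class IndicatorStore:
    """Holds shared indicators plus a retained history of local sightings."""

    def __init__(self):
        self.indicators = {}  # (type, value) -> {"added": datetime, "source": str}
        self.sightings = {}   # ip -> [(datetime, host, event), ...]

    def add(self, itype, value, source, when):
        """Record a shared indicator with its source and ingest time."""
        self.indicators[(itype, value)] = {"added": when, "source": source}

    def is_active(self, itype, value, now):
        """True only while the indicator is fresh enough to be worth blocking."""
        rec = self.indicators.get((itype, value))
        return rec is not None and now - rec["added"] <= TTL[itype]

    def ingest_log(self, line):
        """Parse a constructed log line: '<iso-time> <host> <event> <ip>'."""
        ts, host, event, ip = line.split()
        self.sightings.setdefault(ip, []).append((datetime.fromisoformat(ts), host, event))

    def seen_before(self, ip):
        """Answer 'where was this IP seen before?' from retained history."""
        return sorted(self.sightings.get(ip, []))

def triage(store, itype, value, now):
    """Block only while fresh; pull historical context regardless of age."""
    return {"block": store.is_active(itype, value, now),
            "history": store.seen_before(value) if itype == "ip" else []}

# Constructed sample data (documentation IP ranges, placeholder hash)
SAMPLE_LOGS = ["2013-03-18T08:15:00 web01 outbound-connect 203.0.113.7",
               "2013-03-22T23:40:00 db02 outbound-connect 203.0.113.7",
               "2013-03-22T23:41:00 db02 outbound-connect 198.51.100.9"]
SAMPLE_NOW = datetime(2013, 4, 4, 9, 0)

def demo():
    store = IndicatorStore()
    store.add("ip", "203.0.113.7", "partner-feed", datetime(2013, 3, 20, 10, 0))
    store.add("md5", "md5-placeholder-hash", "partner-feed", datetime(2013, 4, 3, 20, 0))
    for line in SAMPLE_LOGS:
        store.ingest_log(line)
    return {"old_ip": triage(store, "ip", "203.0.113.7", SAMPLE_NOW),
            "fresh_md5": triage(store, "md5", "md5-placeholder-hash", SAMPLE_NOW),
            "unknown_ip": triage(store, "ip", "198.51.100.9", SAMPLE_NOW)}
```

In the sample, the shared IP is past its lifetime, so it is no longer blocked, but the retained sightings still show it talking to two hosts, one of them before the indicator even arrived.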

As I was writing this blog post, a blog post from Mandiant came up with the line I really wanted to write myself (and now I can just quote them):  “When we talk about threat intelligence, the conversation sometimes gravitates toward signatures or tactical [that I called “technical” – A.C.] indicators that allow security teams to detect more evil: IP addresses, domain names, MD5 hashes, etc. However, real security intelligence does much more than this. It allows us to draw conclusions based on observed data and judge the likelihood of future actions.”

Non-technical data/information/intelligence may include things like actor profiles, TTPs, etc. For example:

  • bruting passwords before trying to use exploits
  • targeting  the information about energetic materials
  • often exfiltrating to IPs in  “Country X”
  • making a particular typo in phishing emails
  • communicating with other actors, known to be from “Group Y”

However, these non-technical indicators are not consumed by computers. They are consumed by your threat intelligence team. What? You don’t have such a team? Well, do you have at least “an intelligence dude”? Well… the shared non-technical intelligence has to be used by somebody, and if that somebody does not exist, then you cannot make use of it.

At this point, it should be clear that real “intelligence-based security” is most definitely not for everybody. I’d be harsher and say it like this: if you are asking the question “am I ready?”, you probably are not – please patch your Windows boxes at least monthly first.


Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on From IPs to TTPs


  1. Tamer Ibrahim says:

    You are asking too much :-)

    The fact is, most enterprises do not implement internal “intelligence-based security”, where they do not analyze security reports (if they exist) and come up with an overall picture of their security posture. Also, even though many security incidents are published, you hardly find enterprises taking action to avoid the same incidents from happening to them.
    Looks like it is always the same joke: we have a firewall, we are secured.

  2. >The fact is Most of enterprises do not implement internal “intelligence-
    >based security”

    Exactly! That was exactly my point. The media talks about “this new thing” (intelligence), but the reality is [in most cases] very different.

  3. […] all the “hottest” security thinking has military roots … again.  Kill chain, defense, intelligence, adversary, TTPs, campaigns, engaging [the adversary], even the whole cyber thing all have roots in […]



