From IPs to TTPs

By Anton Chuvakin | April 04, 2013 | 2 Comments


“Here is a ‘bad’ IP – let’s ACL the sucker!” thinking is many people’s first experience with technical shared security data. However, as I pointed out in my previous blog post, “Consumption of Shared Security Data”, it is definitely not the only way – and often not the most useful way – of consuming shared technical information (“bad” IPs are also not the only type of such information). Threat indicators (network and host), NIDS/NIPS rules, queries/patterns and other information received from whatever external entity have plenty of uses for detecting, mitigating and investigating incidents. Even simply collecting such external data for future reference during upcoming investigations (such as “where was this IP seen before?”) often comes in handy when you need additional historical context.

However, all the above discussion applies to TECHNICAL information. By ‘technical’ here I mean the types of data consumed, not produced, by the information systems (“boxes”) as opposed to meat and blood humans (excluding cyborgs and androids, presumably :)).

The technical indicators are the easiest to share and consume. Their usefulness is also the most short-lived! URLs that drop binaries may live for hours. Binaries may be used once. Exfiltration upload sites (the “holy grail” of technical indicators, according to some) may survive only until the attacker moves the data off your site.
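The two ideas above (keep every sighting of a shared indicator for the “where was this IP seen before?” question, and stop acting on short-lived indicator types once they have aged out) are easy to show in code. The following is an added example written for this post, not code from the author or from any product; the feed entries, log line format, per-type lifetimes and names such as `IndicatorStore` and `scan_logs` are all constructed or assumed.

```python
"""Added example: an indicator store that records every sighting (feed report or
log observation) with source and time, answers "where was this seen before?",
and ages out short-lived indicator types instead of ACL-ing them forever.
All feed data, log lines and lifetimes below are constructed/assumed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed lifetime per indicator type before it stops being used for active
# matching. It is still kept for historical lookups. None = never expires.
ASSUMED_TTL = {
    "url": timedelta(hours=12),   # drop-site URLs live for hours
    "md5": None,                  # a hash never becomes wrong, just unlikely to recur
    "ip": timedelta(days=30),     # C2/exfil endpoints move on after use
}


@dataclass(frozen=True)
class Sighting:
    source: str          # feed name or log source that reported the indicator
    seen_at: datetime
    context: str         # feed note or the raw log line


class IndicatorStore:
    def __init__(self):
        self._types = {}          # value -> indicator type
        self._last_reported = {}  # value -> most recent external feed report time
        self._sightings = {}      # value -> [Sighting, ...]

    def add_feed_entry(self, value, itype, source, reported_at, note=""):
        """Ingest one indicator from an external feed."""
        self._types[value] = itype
        prev = self._last_reported.get(value)
        self._last_reported[value] = max(prev, reported_at) if prev else reported_at
        self._sightings.setdefault(value, []).append(Sighting(source, reported_at, note))

    def record_observation(self, value, source, seen_at, context):
        """Keep a local sighting so the indicator's history grows over time."""
        self._sightings.setdefault(value, []).append(Sighting(source, seen_at, context))

    def known(self, value):
        return value in self._types

    def history(self, value):
        """All sightings, oldest first: the 'where was this seen before?' query."""
        return sorted(self._sightings.get(value, []), key=lambda s: s.seen_at)

    def is_active(self, value, now):
        """True if the type's assumed TTL has not elapsed since the last feed report."""
        if not self.known(value):
            return False
        ttl = ASSUMED_TTL.get(self._types[value])
        return ttl is None or now - self._last_reported[value] <= ttl


# Constructed log format: "<iso timestamp> src=<ip> dst=<ip> [url=<url>] [md5=<hash>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: url=(?P<url>\S+))?(?: md5=(?P<md5>[0-9a-f]{32}))?"
)


def scan_logs(store, lines, now):
    """Match constructed log lines against the store. Every hit is recorded as
    history; the returned (value, active) pairs tell the analyst which hits
    still justify a response versus which are only context."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, skipped
        ts = datetime.fromisoformat(m.group("ts"))
        for value in (m.group("src"), m.group("dst"), m.group("url"), m.group("md5")):
            if value and store.known(value):
                store.record_observation(value, "proxy-log", ts, line)
                hits.append((value, store.is_active(value, now)))
    return hits


NOW = datetime(2013, 4, 4, 12, 0)  # constructed "current time"

SAMPLE_LOG_LINES = [  # constructed sample input
    "2013-04-04T11:30:00 src=10.0.0.5 dst=198.51.100.7 url=http://example.invalid/drop.exe",
    "2013-04-04T11:45:00 src=10.0.0.9 dst=203.0.113.4 md5=0123456789abcdef0123456789abcdef",
    "not a log line at all",
    "2013-04-04T11:50:00 src=10.0.0.5 dst=192.0.2.1",
]


def build_demo_store():
    """Constructed feed entries from two hypothetical sharing partners."""
    s = IndicatorStore()
    s.add_feed_entry("198.51.100.7", "ip", "feed:partner-A", NOW - timedelta(days=3), "exfil upload site")
    s.add_feed_entry("http://example.invalid/drop.exe", "url", "feed:partner-B", NOW - timedelta(days=2), "drops binary")
    s.add_feed_entry("0123456789abcdef0123456789abcdef", "md5", "feed:partner-A", NOW - timedelta(days=90), "stage-1 binary")
    return s


if __name__ == "__main__":
    store = build_demo_store()
    for value, active in scan_logs(store, SAMPLE_LOG_LINES, NOW):
        print(f"{value}: active={active}")
        for sighting in store.history(value):
            print(f"   seen {sighting.seen_at} via {sighting.source}: {sighting.context}")
```

The drop URL reported two days ago is matched but reported as no longer active, while the IP and the hash still are; in both cases the sighting is kept, so a later investigation can still ask which hosts talked to that URL and when.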

As I was writing this blog post, a blog post from Mandiant came up with the line I really wanted to write myself (and now I can just quote them):  “When we talk about threat intelligence, the conversation sometimes gravitates toward signatures or tactical [that I called “technical” – A.C.] indicators that allow security teams to detect more evil: IP addresses, domain names, MD5 hashes, etc. However, real security intelligence does much more than this. It allows us to draw conclusions based on observed data and judge the likelihood of future actions.”

Non-technical data/information/intelligence may include things like actor profiles, TTPs, etc. For example:

  • bruting passwords before trying to use exploits
  • targeting the information about energetic materials
  • often exfiltrating to IPs in “Country X”
  • making a particular typo in phishing emails
  • communicating with other actors, known to be from “Group Y”

However, these non-technical indicators are not consumed by computers. They are consumed by your threat intelligence team. What? You don’t have such a team? Well, do you have at least “an intelligence dude”? :) Well… the shared non-technical intelligence has to be used by somebody, and if that somebody does not exist, then you cannot make use of it.

At this point, it should be clear that the real “intelligence-based security” is most definitely not for everybody. I’d be more harsh and say it like this: if you are asking the question “am I ready?”, you probably are not – please patch your Windows boxes at least monthly first :)

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

  • Tamer Ibrahim says:

    You are asking too much 🙂

    The fact is most enterprises do not implement internal “intelligence-based security”: they do not analyze security reports (if they exist) and come up with an overall picture of their security posture. Also, even though many security incidents are published, you hardly find enterprises taking action to avoid the same incidents from happening to them.
    Looks like it is always the same joke: we have a firewall, so we are secure.

  • >The fact is Most of enterprises do not implement internal “intelligence-
    >based security”

    Exactly! That was exactly my point. The media talks about “this new thing” (intelligence), but the reality is [in most cases] very different.