Tactical Threat Intelligence: How to shield data from advanced attacks

Andrei Pisau

December 15, 2021

Struck by the reality of remote collaboration, companies had to rethink both their business strategy and their infrastructure. This led many large enterprises and public organizations to restructure their data models, putting centralization and accessibility first. While this change brought greater agility, it also brought increased vulnerability.

As a result, cyber-attacks increased and diversified, making 2021 the year of some of the biggest data breaches and ransomware attacks in history. Furthermore, these attacks became more organized, taking the shape of the much-dreaded Ransomware-as-a-Service, and started targeting organizations that were not usually in attackers’ crosshairs.

Centralized data makes healthcare an attractive cyber-threat target

According to Comparitech, over 600 healthcare enterprises experienced a ransomware attack last year, resulting in more than $21 billion in costs and more than 18 million affected users. Cybertalk notes that attacks against healthcare facilities have jumped by 470%, with one in three such organizations experiencing ransomware of some kind.

So, what makes healthcare facilities such attractive targets? It’s simple: centralized data that needs to be accessed often, and a lack of proper security. These two issues affect many other sectors as well; the difference is that healthcare companies are more likely to pay the ransom.

Since remote work is here to stay, these issues will most likely get worse or, as HFS Research puts it, “centralized data means centralized compromise”. So, what can security vendors do, especially when decentralization is not possible or even advisable? The solution is quite simple: tactical prevention or, in more specific terms, Tactical Threat Intelligence.

Threat intelligence vs. tactical threat intelligence

Threat Intelligence (TI) is a topic that we have covered extensively. In broad terms, it refers to an organized, refined, and curated stream of information about potential and current cyber threats. Such streams allow security vendors and enterprise SOCs to understand security risks and to prevent them.

A common classification of TI distinguishes its three main aspects: tactical, strategic, and operational. These aspects are often used to describe the same product or product suite.

Strategic threat intelligence is mostly used to identify large threats to an organization’s assets (infrastructure issues, vulnerable partners, insecure platforms) and is highly useful for managers and executives. Operational TI focuses on the vulnerabilities themselves, allowing IT departments to strengthen their defenses and understand their enemy.

Tactical threat intelligence, on the other hand, is the main type of TI that security appliance providers, SOCs and MSSPs use. Relying on instant, up-to-date information, tactical TI provides details about multiple indicators of compromise (IOCs). Tactical TI can also offer insight into how common these IOCs are and the geolocations they are coming from, allowing security appliances to update defenses automatically and giving security experts visibility into what is going on in real time.

At a web level, tactical TI covers everything from IP and URL reputation management to phishing alerts. At a file level, it provides information about malicious file types and hashes, while mobile TI warns about app reputations and vulnerabilities in mobile operating systems. IoT intelligence is a relatively new addition; it focuses on known IoT device vulnerabilities.

To put it simply, tactical TI is what allows security teams and security appliance and service providers to be one step ahead of attackers. It provides timely information and allows them to shore up weak spots and prepare for potential threats. And the best part? TI is independent of the company’s infrastructure and its existing security solutions, with which it can be integrated easily.

Indeed, while Threat Intelligence itself is not enough to prevent damage, combining it with state-of-the-art endpoint detection will. So, where do you start your search for competent TI?

Making the right choice on a threat intelligence solution

While a few companies might have the capability to build their own intelligence infrastructure, it is generally advisable to license it from providers that have both the data and the field experience for it. Why? Because any efficient threat intelligence service relies on multiple performance criteria:

Source quality – A proficient TI provider should be able to combine multiple knowledge sources and repositories, from individual machines to open-source databases, traps, honeypots, and botnet monitoring.

Expertise – It’s hard to provide comprehensive Threat Intelligence to others if you’re not a reputable security provider yourself.

Contextualization and correlation – When it comes to Threat Intelligence, adding context to IOCs is vital, from the frequency of a certain attack to its preferred targets and speed of deployment. Furthermore, tactical TI should also help you make connections between similar or repeated threats.

Ease-of-use and integration – What good is TI if you can’t interpret it with ease or integrate it into your existing security solutions?

Global character – Threat actors can come from any region and your provider should be able to understand the entire threat landscape, not just a specific region or industry.

Accuracy – Threat Intelligence should be provided in a multitude of formats and have curated threats for each specific domain.

Timeliness – Threat prevention is a time-sensitive process, fully dependent on how fast you can deliver the right information. This becomes especially visible in the case of zero-day threats.
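The paragraphs above describe what a tactical feed carries (IP and URL reputation, file hashes) and what the contextualization and correlation criterion asks for (frequency of an indicator, how it repeats across hosts). The following Python is an added example written for this page, not Bitdefender's feed code or format: it assumes a hypothetical indicator feed of `type`/`value`/`confidence`/`country`/`first_seen`/`tag` records and a hypothetical `key=value` proxy/endpoint log line layout, matches the feed against a few constructed log lines, and then groups the hits so that repeated indicators and the hosts they touched are visible. All indicators and log lines are constructed sample data.

```python
"""
Toy tactical-TI matcher: normalise an indicator feed, run it over log lines,
then attach the context (confidence, origin country, hit frequency) that the
text says a tactical feed should provide. Feed layout, log layout and every
value below are assumptions constructed for this example.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed indicator feed (hypothetical format, not a vendor schema).
# 203.0.113.0/24 and the .example TLD are reserved documentation values.
FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90,
     "country": "ZZ", "first_seen": "2021-12-01T00:00:00Z", "tag": "c2"},
    {"type": "domain", "value": "update-check.example", "confidence": 70,
     "country": "ZZ", "first_seen": "2021-11-20T00:00:00Z", "tag": "phishing"},
    {"type": "sha256", "value": "a" * 64, "confidence": 95,
     "country": "ZZ", "first_seen": "2021-12-10T00:00:00Z", "tag": "ransomware"},
]

# Constructed log lines: "<timestamp> <host> <event> key=value ...".
LOGS = """\
2021-12-14T10:00:01Z ws-01 proxy dst=203.0.113.45 url=http://203.0.113.45/beacon
2021-12-14T10:00:05Z ws-02 proxy dst=198.51.100.7 url=https://intranet.local/home
2021-12-14T10:01:00Z ws-01 proxy dst=192.0.2.9 url=http://update-check.example/login
2021-12-14T10:02:00Z ws-03 file sha256={h}
2021-12-14T10:03:00Z ws-01 proxy dst=203.0.113.45 url=http://203.0.113.45/beacon
""".format(h="a" * 64)


def index_feed(feed):
    """Build a {(type, value): entry} lookup; values are lower-cased so a
    hash or host name matches regardless of the case used in the log."""
    return {(e["type"], e["value"].lower()): e for e in feed}


def _host_type(host):
    """Classify a URL host as an address or a domain so it is looked up
    under the same indicator type the feed uses."""
    try:
        ipaddress.ip_address(host)
        return "ipv4"
    except ValueError:
        return "domain"


def observables(line):
    """Extract (type, value) pairs from one key=value log line."""
    fields = dict(kv.split("=", 1) for kv in line.split()[3:] if "=" in kv)
    out = []
    if "dst" in fields:
        out.append(("ipv4", fields["dst"]))
    if "url" in fields:
        host = (urlsplit(fields["url"]).hostname or "").lower()
        out.append((_host_type(host), host))
    if "sha256" in fields:
        out.append(("sha256", fields["sha256"].lower()))
    return out


def match(feed, logs, min_confidence=0):
    """Return one hit per (line, indicator) pair, carrying the feed's
    context; indicators below min_confidence are ignored so an appliance
    can tune how aggressively it blocks."""
    idx = index_feed(feed)
    hits = []
    for line in logs.splitlines():
        if not line.strip():
            continue
        ts, host = line.split()[:2]
        for obs in set(observables(line)):  # set(): dst and URL host may repeat
            entry = idx.get(obs)
            if entry and entry["confidence"] >= min_confidence:
                hits.append({"ts": ts, "host": host, "type": obs[0],
                             "indicator": obs[1], "tag": entry["tag"],
                             "confidence": entry["confidence"],
                             "country": entry["country"]})
    return hits


def correlate(hits):
    """Group hits per indicator: how often it recurred and on which hosts.
    This is the 'commonness' and repeated-threat context discussed above."""
    grouped = defaultdict(lambda: {"count": 0, "hosts": set(), "tag": None})
    for h in hits:
        g = grouped[h["indicator"]]
        g["count"] += 1
        g["hosts"].add(h["host"])
        g["tag"] = h["tag"]
    return {k: {"count": v["count"], "hosts": sorted(v["hosts"]), "tag": v["tag"]}
            for k, v in grouped.items()}


if __name__ == "__main__":
    for indicator, ctx in correlate(match(FEED, LOGS)).items():
        print(f"{indicator}: {ctx['count']} hit(s) on {ctx['hosts']} [{ctx['tag']}]")
```

Raising `min_confidence` drops the lower-confidence phishing domain while keeping the C2 address and the ransomware hash, which is the kind of per-feed threshold an appliance applies before acting automatically; the grouped output shows that the same C2 address was contacted twice from one workstation, the repeated-threat signal the correlation criterion is about.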

Why choose Bitdefender?

Supported by 20 years of experience and fed by hundreds of millions of sensors, Bitdefender’s Threat Intelligence services eliminate long-standing blind spots for Managed Security Service Providers (MSSPs), Managed Detection & Response companies (MDRs), security consulting firms, and large enterprises with a SOC.

Our unique, platform-agnostic approach lets security professionals integrate our feeds into any infrastructure in minutes. Our solutions offer insight into evasive malware, APTs, zero-days, and C&Cs that analysts often lack visibility into.

We build our intelligence from hundreds of millions of systems we protect in more than 170 countries. Our cloud-based infrastructure processes over 30 billion daily requests and over 6 TB of data per day, maintaining effective and globally balanced detection.

With our Threat Intelligence solution, you can grow your customers’ trust and defend them against attacks from day one, as well as augment your existing capabilities with end-to-end visibility into complex IOCs.

Last year, we saw the highly anticipated release of the MITRE ATT&CK™ Evaluation framework and, as expected, our security solutions achieved the highest number of detections across all attack steps and sub-steps, providing 100% visibility and context. This made Bitdefender’s platform a leader, with a nearly 50% greater average of detections than the other participating vendors. In other words, our insight into the threat landscape is unparalleled.

So, why not give our consultants a call and see how tactical Threat Intelligence can help you and your customers protect their data?

Andrei Pisau

Andrei, as Bitdefender’s Senior Director of Product Management for Enterprise Solutions, leverages over 15 years of experience in software engineering and product management to build security solutions that speak to customer needs. A leader of the B2B2B line of business, he spearheads efforts to deliver superior technologies such as Advanced Threat Intelligence and early breach detection solutions to Technology Partners and enterprises worldwide.