Pivoting in cyber threat intelligence refers to using one piece of data to find and explore related information and expand your understanding of a threat. It lets you discover hidden connections between indicators of compromise and find potential vulnerabilities before they are exploited. <\/p>\n\n\n\n
Cyber threat intelligence concentrates on indicators of compromise, IOCs<\/a>. These are data points or artifacts (like IP addresses, domain names, file hashes, email addresses, etc.) that indicate a potential or actual malicious activity. Pivoting is researching links and correlations between IOCs and thus discovering new IOCs relevant to the same attack, malware, or threat agent. Note that the definition of pivoting in threat intelligence is different to that in cyber security. Generally, it\u2019s a popular term used in many other fields. <\/p>\n\n\n\n In CS the term is usually used by pentesters and hackers. Here pivoting is<\/a> the act of an attacker moving from one compromised system to one or more other systems within the same or other organizations. Pivoting is fundamental to the success of advanced persistent threat (APT) attacks. <\/em> <\/p>\n\n\n\n Pivoting for CTI shows its potential when IOCs are viewed not as \u201catomic\u201d but rather as complex objects. Taken by themselves, they are, so to say, \u201cbackward-looking\u201d, they lack context. IOCs are good forensic material, but not enough for predictive, proactive security effort. <\/p>\n\n\n\n Pivoting focuses on behaviors. Indicators are linked through their behavioral commonalities. This approach grasps IOC relationships, helps discover new ones, predict their behavior, generalize tendencies, and eventually build strong and adaptive defense based on the understanding of adversaries. <\/p>\n\n\n\n Pivoting is not just about techniques and tools; it is rather about a certain approach or dare say a certain mindset. Once adopted, it\u2019ll give your threat intelligence a new depth and perspective. <\/p>\n\n\n\n The most basic algorithm is: <\/p>\n\n\n\n You can start with network indicators pivoting.\u00a0 Basic network IOCs are IPs, domains, SSL\/TSL certificates. They all have certain parameters: for example, registrar and registrant for domains, hosting provider or server type for an IP address, issue date or issuer for a certificate.\u00a0
Pivoting helps make CTI proactive, helps predict and prevent the unfolding of an attack or the emergence of new threats.
Threat intelligence and pivoting are critical for businesses and corporate security<\/a> because they enhance an organization’s ability to anticipate, detect, and respond to cyber threats. By leveraging actionable insights from threat intelligence and pivoting to discover deeper connections, businesses can protect their assets, reduce risk, and strengthen overall cybersecurity posture. <\/p>\n\n\n\nHow it works <\/h2>\n\n\n\n
Pivoting routine <\/h2>\n\n\n\n
\n
Where to start <\/h2>\n\n\n\n
\u00a0
One of the most powerful tools for IOC research is ANY.RUN\u2019s Threat Intelligence Lookup<\/a>. It lets you search threat artifacts with over 40 search parameters<\/a>, including YARA<\/a> and Suricata<\/a> rules, combine them and get real-time updates<\/a> on search results.\u00a0\u00a0<\/p>\n\n\n\n