Key Takeaways
- CTI is actionable knowledge about threats
- MITRE ATT&CK maps adversary tactics and techniques
- IOCs are atomic indicators (hashes, IPs, domains)
- TTPs are more valuable than IOCs long-term
1. What is Threat Intelligence?
Cyber Threat Intelligence (CTI) is evidence-based knowledge about threats that helps organizations make informed security decisions. It goes beyond raw data to provide context, relevance, and actionability.
Intelligence Cycle
- Planning: Define intelligence requirements
- Collection: Gather relevant data
- Processing: Normalize and structure data
- Analysis: Derive insights and meaning
- Dissemination: Share with stakeholders
- Feedback: Improve future cycles
2. Types of Threat Intelligence
Strategic Intelligence
High-level trends for executives. Geopolitical, industry threats, risk landscape.
Tactical Intelligence
TTPs - How attackers operate. Maps to MITRE ATT&CK. Used by SOC/IR teams.
Operational Intelligence
Specific campaigns, threat actors. Who, why, when details.
Technical Intelligence
IOCs - hashes, IPs, domains. Machine-readable, short lifespan.
3. Indicators of Compromise (IOCs)
# IOC Types:
# - File hashes (MD5, SHA1, SHA256)
# - IP addresses
# - Domain names
# - URLs
# - Email addresses
# - Mutex names
# - Registry keys
# - File paths
# IOC sharing and detection formats:
# - STIX (Structured Threat Information eXpression): JSON objects (Indicator, Malware, Threat Actor, ...)
# - TAXII (Trusted Automated eXchange of Intelligence Information): HTTPS-based transport for STIX content
# - OpenIOC: Mandiant's XML indicator format
# - YARA rules: file/memory pattern matching (a detection signature, not an exchange format)
# - Snort/Suricata rules: network detection signatures
IOC Lifecycle
- Collection: Gather from incidents, feeds, research
- Validation: Verify accuracy, check for false positives
- Enrichment: Add context (WHOIS, reputation, related IOCs)
- Integration: Push to SIEM, EDR, firewall
- Expiration: Age out stale indicators
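The validation, enrichment-ready normalization and expiry steps above, as an added example (not code from the original page or from any STIX library). It refangs raw feed values, rejects addresses that must never be blocked, and emits STIX 2.1 Indicator objects with a valid_until date. The per-type lifespans, the sample feed and the use of TEST-NET-3 (203.0.113.0/24) as a stand-in attacker address are constructed assumptions.

```python
"""Normalize raw IOCs, reject ones that must never be shared or blocked, and
emit STIX 2.1 Indicator objects with an expiry.

Added example, not code from the original page or from any STIX library.
Per-type lifespans, the sample feed entries and the use of TEST-NET-3
(203.0.113.0/24) as a stand-in "attacker" address are constructed assumptions.
"""
import ipaddress
import re
import uuid
from datetime import datetime, timedelta, timezone

STIX_TS = "%Y-%m-%dT%H:%M:%S.000Z"          # STIX timestamp format, always UTC

# Assumed days before an indicator ages out: infrastructure churns, hashes do not.
LIFESPAN_DAYS = {"ipv4-addr": 14, "ipv6-addr": 14, "domain-name": 30, "url": 30,
                 "file:md5": 365, "file:sha1": 365, "file:sha256": 365}
HASH_TYPE_BY_LEN = {32: ("file:md5", "MD5"), 40: ("file:sha1", "SHA-1"), 64: ("file:sha256", "SHA-256")}

# Feeds regularly leak these; blocking them breaks your own network.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7")]

DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}")


def refang(value):
    """Undo analyst defanging ('1[.]2[.]3[.]4', 'hxxp://') so values compare consistently."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.I)


def classify(raw):
    """Return (stix_object_type, normalized_value); ValueError for junk or non-routable addresses."""
    v = refang(raw)
    lower = v.lower()
    if re.fullmatch(r"[0-9a-f]+", lower) and len(lower) in HASH_TYPE_BY_LEN:
        return HASH_TYPE_BY_LEN[len(lower)][0], lower
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in net for net in NEVER_BLOCK):
            raise ValueError(f"non-routable address, dropped: {raw}")
        return f"ipv{ip.version}-addr", str(ip)
    if re.fullmatch(r"https?://\S+", lower):
        return "url", v
    if DOMAIN_RE.fullmatch(lower):
        return "domain-name", lower
    raise ValueError(f"unrecognized indicator: {raw}")


def stix_pattern(stype, value):
    """STIX patterning syntax for the object types handled here."""
    if stype.startswith("file:"):
        algo = {t: a for t, a in HASH_TYPE_BY_LEN.values()}[stype]
        return f"[file:hashes.'{algo}' = '{value}']"
    return f"[{stype}:value = '{value}']"


def make_indicator(raw, source, now=None):
    """Build a STIX 2.1 Indicator. Design choice here (assumption): the id is a UUIDv5
    of the pattern, so re-ingesting the same IOC yields the same object, not a duplicate."""
    now = now or datetime.now(timezone.utc).strftime(STIX_TS)
    stype, value = classify(raw)
    pattern = stix_pattern(stype, value)
    until = (datetime.strptime(now, STIX_TS) + timedelta(days=LIFESPAN_DAYS[stype])).strftime(STIX_TS)
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid5(uuid.NAMESPACE_URL, pattern)}",
        "created": now, "modified": now,
        "name": f"{stype} from {source}",
        "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix",
        "valid_from": now, "valid_until": until,
    }


def is_expired(indicator, now=None):
    """Fixed-width UTC timestamps sort lexically, so a string compare is enough."""
    now = now or datetime.now(timezone.utc).strftime(STIX_TS)
    return now > indicator["valid_until"]


def make_bundle(raws, source, now=None):
    """Return {'bundle': STIX bundle of accepted IOCs, 'rejected': [(raw, reason), ...]}."""
    objects, rejected = [], []
    for raw in raws:
        try:
            objects.append(make_indicator(raw, source, now))
        except ValueError as err:
            rejected.append((raw, str(err)))
    return {"bundle": {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects},
            "rejected": rejected}


SAMPLE_FEED = [  # constructed; the hashes are those of empty input, used as placeholders
    "203[.]0[.]113[.]55", "hxxp://malicious.example[.]net/payload.bin", "EVIL.example.org",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "D41D8CD98F00B204E9800998ECF8427E", "127.0.0.1", "10.0.0.5",
]


def demo():
    return make_bundle(SAMPLE_FEED, "constructed-feed", now="2024-01-01T00:00:00.000Z")


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The rejected list is as important as the bundle: a feed that hands you 127.0.0.1 or an RFC 1918 address is telling you something about its quality, and pushing such an entry to a firewall is a self-inflicted outage.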
4. MITRE ATT&CK Framework
ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of adversary behavior.
# ATT&CK Matrix Structure:
# Tactics (WHY) → Techniques (HOW) → Sub-techniques (HOW specifically)
# Example:
# Tactic: Initial Access
# Technique: Phishing (T1566)
# Sub-technique: Spearphishing Attachment (T1566.001)
# Enterprise matrix tactics, in matrix order (14 in the current ATT&CK Enterprise matrix):
# - Reconnaissance
# - Resource Development
# - Initial Access
# - Execution
# - Persistence
# - Privilege Escalation
# - Defense Evasion
# - Credential Access
# - Discovery
# - Lateral Movement
# - Collection
# - Command and Control
# - Exfiltration
# - Impact
# A technique can sit under several tactics: Scheduled Task/Job (T1053) appears under
# Execution, Persistence and Privilege Escalation.
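The most common thing a CTI or detection team does with this structure is map what it can already detect onto the matrix and look for empty columns. The following is an added example, not code from the original page or from MITRE: it parses technique IDs (rolling sub-techniques up to their parent), counts a technique under every tactic it belongs to, and lists tactics with no coverage. The technique table is a hand-picked subset of ATT&CK Enterprise with the tactic memberships MITRE publishes; the detection rules are constructed.

```python
"""Map detection rules tagged with ATT&CK IDs onto tactics and report coverage gaps.

Added example, not from the original page or from MITRE. The technique table is a
hand-picked subset of ATT&CK Enterprise (IDs and tactic memberships as MITRE
publishes them); the detection rules are constructed.
"""
import re
from collections import defaultdict

# Enterprise tactics in matrix order, left to right.
TACTICS = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# Subset of ATT&CK Enterprise: parent technique ID -> (name, tactics it appears under).
TECHNIQUES = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1053": ("Scheduled Task/Job", ["execution", "persistence", "privilege-escalation"]),
    "T1055": ("Process Injection", ["defense-evasion", "privilege-escalation"]),
    "T1003": ("OS Credential Dumping", ["credential-access"]),
    "T1071": ("Application Layer Protocol", ["command-and-control"]),
}

ID_RE = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


def parse_attack_id(attack_id):
    """'T1566.001' -> ('T1566', 'T1566.001'); 'T1566' -> ('T1566', None)."""
    attack_id = attack_id.strip()
    m = ID_RE.match(attack_id)
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {attack_id!r}")
    return f"T{m.group(1)}", (attack_id if m.group(2) else None)


def coverage(rules):
    """{tactic: sorted parent technique IDs with at least one rule}.

    Sub-techniques roll up to their parent, and a technique counts under every
    tactic it belongs to, so one T1053.005 rule covers three tactics at once.
    """
    covered = defaultdict(set)
    for rule in rules:
        for tag in rule["attack"]:
            parent, _ = parse_attack_id(tag)
            if parent not in TECHNIQUES:
                raise KeyError(f"{parent} is not in the local technique table; extend TECHNIQUES")
            for tactic in TECHNIQUES[parent][1]:
                covered[tactic].add(parent)
    return {tactic: sorted(covered.get(tactic, ())) for tactic in TACTICS}


def gaps(rules):
    """Tactics with no detection at all: where the next hunt or rule should start."""
    return [tactic for tactic, techs in coverage(rules).items() if not techs]


def report(rules):
    """One line per tactic, e.g. 'execution  T1053 Scheduled Task/Job, T1059 ...'."""
    lines = []
    for tactic, techs in coverage(rules).items():
        names = ", ".join(f"{t} {TECHNIQUES[t][0]}" for t in techs) or "NO COVERAGE"
        lines.append(f"{tactic:22} {names}")
    return "\n".join(lines)


RULES = [  # constructed detection rules with ATT&CK tags
    {"name": "Office spawns script host from mail attachment", "attack": ["T1566.001", "T1059"]},
    {"name": "PowerShell with -EncodedCommand", "attack": ["T1059.001"]},
    {"name": "Scheduled task created from user-writable path", "attack": ["T1053.005"]},
    {"name": "Handle to lsass.exe with remote-thread creation", "attack": ["T1055", "T1003.001"]},
]

if __name__ == "__main__":
    print(report(RULES))
    print("gaps:", ", ".join(gaps(RULES)))
```

Rolling sub-techniques up to the parent keeps the picture honest at tactic level, but a single rule for T1053.005 does not mean Persistence is "covered"; the report is a starting point for prioritizing, not a score.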
5. Threat Feeds & Sources
Free Feeds
- AlienVault OTX: Community threat intelligence
- Abuse.ch: Malware & botnet tracking
- CISA AIS (Automated Indicator Sharing): US government indicator exchange, delivered over STIX/TAXII
- VirusTotal: File/URL analysis
- PhishTank: Phishing URL database
Commercial Feeds
- Recorded Future: Real-time threat intelligence
- CrowdStrike: Adversary intelligence
- Mandiant: Incident-based intelligence
- Intel 471: Underground monitoring
6. Operationalizing Intelligence
# Integration points:
# 1. SIEM: Create alerts based on IOC matches
# 2. Firewall: Block malicious IPs/domains
# 3. EDR: Hunt for malicious hashes/behaviors
# 4. Email gateway: Block phishing indicators
# 5. Proxy: Block malicious URLs
# Automation with SOAR:
# New IOC → Enrich → Check reputation → If malicious → Block → Alert
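The playbook sketched above, as an added example (not code from the original page or from any SOAR product). The step the one-line pipeline hides is the one that matters most in practice: an allowlist check and a confidence threshold before anything is blocked, because a feed entry alone should never be enough to push a rule to the firewall. The reputation table, allowlist, thresholds and incoming batch are constructed; 203.0.113.0/24 (TEST-NET-3) stands in for public address space.

```python
"""Automated IOC triage in the shape of the SOAR playbook above:
new IOC -> enrich -> score -> allowlist check -> block / alert / store.

Added example, not from the original page or from any SOAR product. The
reputation table, allowlist, thresholds and incoming IOCs are constructed;
203.0.113.0/24 (TEST-NET-3) stands in for public address space.
"""
import ipaddress

# Constructed stand-in for a reputation lookup (VirusTotal, OTX, internal sightings).
REPUTATION = {
    "203.0.113.45": {"malicious_votes": 9, "total_votes": 10, "first_seen_days": 3},
    "login-portal.example.org": {"malicious_votes": 6, "total_votes": 8, "first_seen_days": 1},
    "assets.example.net": {"malicious_votes": 0, "total_votes": 12, "first_seen_days": 400},
}

# Never auto-block, whatever a feed says: internal ranges, own public egress, partners.
ALLOW_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.128/25")]
ALLOW_DOMAINS = {"example-cdn.net"}

BLOCK_THRESHOLD = 0.7   # enough corroboration to push to firewall/proxy unattended
ALERT_THRESHOLD = 0.4   # worth a ticket, not an automatic block


def allowlisted(ioc):
    kind, value = ioc["type"], ioc["value"]
    if kind == "ip":
        addr = ipaddress.ip_address(value)
        return any(addr in net for net in ALLOW_NETWORKS)
    if kind == "domain":
        return any(value == d or value.endswith("." + d) for d in ALLOW_DOMAINS)
    return False


def enrich(ioc):
    """Attach what the reputation source knows; None means it has never seen the value."""
    return dict(ioc, reputation=REPUTATION.get(ioc["value"]))


def score(ioc):
    """Blend feed confidence (0..1) with reputation. An uncorroborated feed entry is
    capped below the block threshold: one bad feed line must not take down a CDN."""
    feed = ioc["confidence"]
    rep = ioc["reputation"]
    if not rep or rep["total_votes"] == 0:
        return min(feed, 0.6)
    ratio = rep["malicious_votes"] / rep["total_votes"]
    s = 0.5 * feed + 0.5 * ratio
    if rep["first_seen_days"] > 180 and ratio < 0.1:
        s *= 0.5        # long, clean history: likely shared hosting, not fresh C2
    return round(s, 2)


def triage(ioc):
    """Return the ordered list of playbook actions for one IOC."""
    ioc = enrich(ioc)
    if allowlisted(ioc):
        return ["drop:allowlisted"]          # log it, but never block or page on it
    s = score(ioc)
    if s >= BLOCK_THRESHOLD:
        return [f"block:{ioc['type']}:{ioc['value']}", "alert:high"]
    if s >= ALERT_THRESHOLD:
        return ["alert:medium"]
    return ["store:low-confidence"]          # keep for correlation; may firm up later


def run_playbook(iocs):
    return {ioc["value"]: triage(ioc) for ioc in iocs}


INCOMING = [  # constructed feed batch
    {"type": "ip", "value": "203.0.113.45", "confidence": 0.8},
    {"type": "ip", "value": "203.0.113.200", "confidence": 0.9},     # our own NAT egress, leaked into a feed
    {"type": "ip", "value": "10.0.0.5", "confidence": 0.9},          # RFC 1918 junk from a sandbox report
    {"type": "domain", "value": "update.example-cdn.net", "confidence": 0.9},
    {"type": "domain", "value": "login-portal.example.org", "confidence": 0.5},
    {"type": "domain", "value": "assets.example.net", "confidence": 0.5},
    {"type": "sha256", "value": "0" * 64, "confidence": 0.95},       # no reputation yet
]

if __name__ == "__main__":
    for value, actions in run_playbook(INCOMING).items():
        print(f"{value:28} {' -> '.join(actions)}")
```

The allowlist check runs before scoring on purpose: a high-confidence feed entry for your own egress address is exactly the case where automation does the most damage.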
7. Threat Hunting
# Hypothesis-driven hunting:
# "APT29 is known to use scheduled tasks for persistence.
# Let's hunt for suspicious scheduled tasks in our environment."
# SIEM query example (Splunk SPL; EventCode 4698 = "A scheduled task was created"):
index=windows EventCode=4698
| where NOT match(TaskName, "Microsoft|Windows|Adobe")
| stats count by ComputerName, TaskName
# Hunt based on ATT&CK:
# T1053.005 - Scheduled Task (sub-technique of T1053 Scheduled Task/Job)
# T1059.001 - PowerShell
# T1055 - Process Injection
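The same hunt carried out over event data rather than as a SIEM query, as an added example (not code from the original page). The SPL above filters on task name, which misses the case where an attacker reuses or hijacks a trusted-looking task name, so this version also inspects the command the task runs (taken from the task's XML in the 4698 record) and stacks task names by host so one-off tasks float above fleet-wide ones. The events, hosts and users are constructed.

```python
"""Hunt for suspicious scheduled-task creation (Windows Security event 4698,
ATT&CK T1053.005) over a set of events.

Added example, not part of the original page. The events are constructed;
their fields mirror what a 4698 record carries (TaskName, TaskContent XML,
SubjectUserName). Instead of trusting task names alone, it inspects the
command the task runs, because an attacker can reuse a trusted-looking name.
"""
import re
from collections import Counter

# Names Windows and common vendors create; a name match is NOT proof of benign.
TRUSTED_NAME = re.compile(r"^\\(Microsoft|Windows|Adobe)\\", re.I)
SYSTEM_DIR = re.compile(r"^(%windir%|%systemroot%|c:\\windows)\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*\s|-w(indowstyle)?\s+hidden|downloadstring|frombase64string|\biex\b)", re.I)


def command_of(task_xml):
    """Pull <Command> and <Arguments> out of the task's XML definition."""
    cmd = re.search(r"<Command>(.*?)</Command>", task_xml, re.I | re.S)
    args = re.search(r"<Arguments>(.*?)</Arguments>", task_xml, re.I | re.S)
    return ((cmd.group(1).strip() if cmd else ""), (args.group(1).strip() if args else ""))


def reasons_for(event):
    """Why this 4698 event deserves analyst attention (empty list = nothing found)."""
    reasons = []
    cmd, args = command_of(event["TaskContent"])
    trusted = bool(TRUSTED_NAME.match(event["TaskName"]))
    if trusted and cmd and not SYSTEM_DIR.match(cmd):
        reasons.append("trusted-looking task name but command outside the Windows directory")
    if USER_WRITABLE.search(cmd):
        reasons.append("command lives in a user-writable path")
    if SUSPICIOUS_ARGS.search(args):
        reasons.append("suspicious interpreter arguments")
    return reasons


def hunt(events):
    """Score every event, then stack: rare task names on few hosts float to the top."""
    prevalence = Counter(e["TaskName"] for e in events)
    findings = []
    for e in events:
        reasons = reasons_for(e)
        if not reasons:
            continue
        cmd, args = command_of(e["TaskContent"])
        findings.append({
            "Computer": e["Computer"], "User": e["SubjectUserName"],
            "TaskName": e["TaskName"], "Command": f"{cmd} {args}".strip(),
            "reasons": reasons, "hosts_with_task": prevalence[e["TaskName"]],
        })
    findings.sort(key=lambda f: (-len(f["reasons"]), f["hosts_with_task"]))
    return findings


ONEDRIVE = ("\\OneDrive Standalone Update Task",
            "<Exec><Command>C:\\Users\\{u}\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe</Command></Exec>")

EVENTS = [  # constructed sample 4698 events
    {"Computer": "WS01", "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": "<Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -k -g</Arguments></Exec>"},
    {"Computer": "SRV01", "SubjectUserName": "svc_backup",
     "TaskName": "\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask",
     "TaskContent": "<Exec><Command>C:\\ProgramData\\Intel\\update.exe</Command></Exec>"},
    {"Computer": "WS02", "SubjectUserName": "asmith", "TaskName": "\\Updater",
     "TaskContent": "<Exec><Command>powershell.exe</Command><Arguments>-w hidden -enc SQBFAFgA</Arguments></Exec>"},
] + [
    {"Computer": h, "SubjectUserName": u, "TaskName": ONEDRIVE[0], "TaskContent": ONEDRIVE[1].format(u=u)}
    for h, u in (("WS01", "jdoe"), ("WS02", "asmith"), ("WS03", "bkim"))
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['Computer']:6} {f['TaskName']:60} hosts={f['hosts_with_task']} {f['reasons']}")
```

The OneDrive updater shows why stacking matters: it runs from AppData and trips the path check on every workstation, but a task present on the whole fleet under the same name is far less interesting than the one task on one server that borrows a Microsoft name and points at ProgramData.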
8. CTI Tools & Platforms
- MISP: Open-source threat intelligence platform
- OpenCTI: STIX-based CTI platform
- TheHive: Incident response platform
- Cortex: Analyzers for enrichment
- YARA: Pattern matching for malware
FAQ
How do I start a CTI program?
Define requirements (what threats matter?), integrate free feeds with SIEM, start tracking relevant threat actors, and gradually mature with tools like MISP.