Threat Intelligence Fundamentals

intermediate · 30 min · Writeup

Understanding and using threat intelligence

Learning Objectives

  • Understand threat intelligence
  • Use IOCs effectively
  • Know threat intel sources
  • Apply intel to defenses

Threat Intelligence (TI) is evidence-based knowledge about threats that helps you make better security decisions. It's not just a list of bad IPs - it's context about WHO is attacking, HOW they attack, and WHY they target certain organizations.

Think of threat intelligence like a spy network for cybersecurity. Instead of waiting to be attacked, you learn about attackers before they strike. It's the difference between a guard who watches for anyone suspicious vs. one who has photos and behavioral profiles of known burglars in the area.

Intel vs Data

Data: "IP 1.2.3.4 is malicious"
Intelligence: "IP 1.2.3.4 is used by APT29 for C2, targeting government entities, using encrypted channels on port 443, active since 2023, associated with these TTPs..."

Indicators of Compromise (IOCs)

Types of IOCs:

NETWORK-BASED IOCs
├── IP Addresses
│   └── Example: 185.243.115.12 (C2 server)
├── Domain Names
│   └── Example: evil-domain[.]com
├── URLs
│   └── Example: hxxps://evil[.]com/malware.exe
├── Email Addresses
│   └── Example: phisher@malicious[.]com
└── Network Signatures
    └── Example: Snort/Suricata rules

HOST-BASED IOCs
├── File Hashes (MD5, SHA1, SHA256)
│   └── Example: d41d8cd98f00b204e9800998ecf8427e
├── File Names/Paths
│   └── Example: C:\Windows\Temp\evil.exe
├── Registry Keys
│   └── Example: HKLM\Software\MalwareKey
├── Mutex Names
│   └── Example: Global\MyMalwareMutex
└── Process Names
    └── Example: svchost_evil.exe

BEHAVIORAL IOCs
├── Techniques (MITRE ATT&CK)
│   └── Example: T1059.001 (PowerShell execution)
├── Patterns
│   └── Example: Unusual outbound DNS traffic
└── Anomalies
    └── Example: Login from impossible travel location

Defanging IOCs

When sharing IOCs, we "defang" them to prevent accidental clicks: evil.com becomes evil[.]com, https becomes hxxps. Always defang when documenting or sharing!
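The defang and refang transforms as working code. This is an added example, not code from the writeup: it applies the conventions used in the examples above ("." becomes "[.]" in hosts and addresses, http(s) becomes hxxp(s), dots in a URL path such as /malware.exe are left alone) and also undoes them, so a defanged value copied out of a report can be fed back into a lookup or a block list. The sample values passed in under __main__ are constructed.

```python
import re

# Added example (not code from the writeup): defang IOCs before sharing them
# and refang them again before feeding them into tooling. Conventions used:
# "." -> "[.]" in hosts and addresses, http -> hxxp, https -> hxxps.
# Dots in a URL path (e.g. /malware.exe) are left alone, as in the writeup.

SCHEME_RE = re.compile(r"^(https?)://", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo the common defang conventions so the value can be looked up or blocked."""
    s = ioc.strip()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("{.}", "."),
                          ("[:]", ":"), ("[at]", "@"), ("(at)", "@")):
        s = s.replace(broken, fixed)
    # hxxp:// and hxxps:// back to a real scheme
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def defang(ioc: str) -> str:
    """Return a non-clickable form of an IP, domain, URL or email address.

    Idempotent: defanging an already-defanged value gives the same result.
    """
    s = refang(ioc)                      # normalise first so "[.]" is never doubled
    m = SCHEME_RE.match(s)
    if m:                                # URL: neuter the scheme, defang the host only
        scheme = m.group(1).lower().replace("tt", "xx")   # http -> hxxp, https -> hxxps
        host, sep, path = s[m.end():].partition("/")
        return f"{scheme}://{host.replace('.', '[.]')}{sep}{path}"
    if "@" in s:                         # email: defang the domain part only
        local, domain = s.rsplit("@", 1)
        return f"{local}@{domain.replace('.', '[.]')}"
    return s.replace(".", "[.]")         # bare domain or IPv4 (with optional :port)


def defang_all(iocs):
    """Defang a whole list, e.g. before pasting IOCs into a ticket or advisory."""
    return [defang(i) for i in iocs]


if __name__ == "__main__":
    # Constructed sample values, including the writeup's own examples
    for raw in ["185.243.115.12", "evil-domain.com", "https://evil.com/malware.exe",
                "phisher@malicious.com", "hxxp://already[.]defanged[.]net/x"]:
        d = defang(raw)
        print(f"{raw:40} -> {d:40} -> {refang(d)}")
```

Run refang() on anything that arrives defanged before it touches a firewall, sinkhole or API query; a "[.]" that slips through becomes a rule that never matches.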

The Pyramid of Pain

Created by David Bianco, the Pyramid of Pain shows how difficult it is for attackers to change different types of indicators. Block an IP? They'll get a new one in minutes. Detect their tactics? That's harder to change.

The Pyramid of Pain:

                       /\
                      /  \
                     / TTP \            ← TOUGH! Attackers must change methodology
                   /--------\
                  /  Tools   \          ← Annoying. Must find/create new tools
                 /------------\
                /  Artifacts   \        ← Inconvenient. Registry, mutex changes
               /----------------\
              /   Domain Names   \      ← Simple. Get new domains easily
             /--------------------\
            /    IP Addresses      \    ← Easy. Cloud providers = instant new IP
           /------------------------\
          /      Hash Values         \  ← Trivial. Recompile = new hash
         /----------------------------\

Higher on pyramid = More pain for attackers when blocked
Focus detection on TTPs for maximum impact!

Hash-Based Detection

Blocking individual file hashes is almost useless against sophisticated attackers. They can modify one byte and get a completely new hash. Focus on behavioral detection for better results.
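The bottom and top of the pyramid side by side. This added example (not code from the writeup) uses two constructed byte strings as stand-ins for two builds of the same tool, differing by one appended byte. A hash blocklist fed the first build's SHA-256 misses the second entirely, while a behavioural rule with the same logic as the writeup's encoded-PowerShell Sigma rule (CommandLine contains -EncodedCommand, -enc or -ec, matched case-insensitively) catches both. The command lines and the base64 value QQBCAEMA are constructed.

```python
import hashlib

# Added example, not from the writeup. Two constructed byte strings stand in
# for two builds of the same tool; the second differs by one appended byte.

SAMPLE_V1 = b"MZ\x90\x00constructed-demo-payload"   # constructed stand-in for a binary
SAMPLE_V2 = SAMPLE_V1 + b"\x00"                      # "recompile": one byte changed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """How many of the 256 digest bits differ between two SHA-256 hex strings."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# What an EDR would be fed from an intel report: the hash of the known build only
HASH_BLOCKLIST = {sha256_hex(SAMPLE_V1)}


def hash_blocked(data: bytes) -> bool:
    return sha256_hex(data) in HASH_BLOCKLIST


# Behavioural rule with the same logic as the writeup's Sigma rule:
# CommandLine contains one of the encoded-command switches. Sigma string
# matching is case-insensitive by default, so compare in lower case.
ENCODED_SWITCHES = ("-encodedcommand", "-enc", "-ec")


def behaviour_matches(command_line: str) -> bool:
    cl = command_line.lower()
    return any(sw in cl for sw in ENCODED_SWITCHES)


def evaluate(sample: bytes, command_line: str) -> dict:
    """Outcome of both detection layers for one observed execution."""
    return {
        "sha256": sha256_hex(sample),
        "hash_blocked": hash_blocked(sample),
        "behaviour_matched": behaviour_matches(command_line),
    }


if __name__ == "__main__":
    # Constructed process-creation events: same tradecraft, two builds.
    # QQBCAEMA is just "ABC" in UTF-16LE, base64 encoded.
    events = [
        (SAMPLE_V1, "powershell.exe -NoProfile -EncodedCommand QQBCAEMA"),
        (SAMPLE_V2, "powershell.exe -nop -enc QQBCAEMA"),
    ]
    for sample, cmd in events:
        print(evaluate(sample, cmd))
    print("digest bits changed by a one-byte edit:",
          differing_bits(sha256_hex(SAMPLE_V1), sha256_hex(SAMPLE_V2)))
```

The one-byte edit flips roughly half of the 256 digest bits, which is why a hash list can only ever describe builds that have already been seen; the behavioural rule keeps matching until the operator changes how the tool is launched.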

Types of Threat Intelligence

Intelligence Types by Audience:

STRATEGIC INTELLIGENCE
├── Audience: Executives, Board, Management
├── Format: Reports, briefings, presentations
├── Content: Threat landscape, trends, risk to business
├── Questions Answered:
│   ├── Who might target us and why?
│   ├── What are industry threat trends?
│   └── How should we prioritize security investment?
└── Example: "Nation-state actors are targeting our sector"

OPERATIONAL INTELLIGENCE
├── Audience: Security managers, IR leads
├── Format: Threat advisories, campaign reports
├── Content: Specific campaigns, actor profiles, IOCs in context
├── Questions Answered:
│   ├── What attacks are happening now?
│   ├── How do these campaigns work?
│   └── What should we do to prepare?
└── Example: "APT29 campaign targeting VPN vulnerabilities"

TACTICAL INTELLIGENCE
├── Audience: SOC analysts, IR responders
├── Format: IOC feeds, detection rules, TTPs
├── Content: Specific indicators and signatures
├── Questions Answered:
│   ├── What should I block?
│   ├── What should I detect?
│   └── How do I investigate this alert?
└── Example: "Block these 50 C2 IPs, deploy these Sigma rules"

Threat Intelligence Sources

Free Threat Intelligence Sources:

OPEN SOURCE / FREE
├── VirusTotal (virustotal.com)
│   └── File/URL/IP reputation, sandbox analysis
├── AlienVault OTX (otx.alienvault.com)
│   └── Crowd-sourced threat intel, pulses
├── Abuse.ch (abuse.ch)
│   └── MalwareBazaar, Feodo Tracker, URLhaus
├── CISA Alerts (cisa.gov)
│   └── Government advisories, KEV list
├── MITRE ATT&CK (attack.mitre.org)
│   └── TTPs, threat group profiles
├── Twitter/X Security Community
│   └── Real-time threat research sharing
├── Vendor Blogs
│   └── Microsoft, CrowdStrike, Mandiant, etc.
└── TheHackerNews, BleepingComputer
    └── Security news and IOCs

COMMERCIAL / PAID
├── Recorded Future
├── Mandiant (Google)
├── CrowdStrike Intel
├── Intel 471
├── Flashpoint
└── Many others...

SHARING COMMUNITIES
├── ISACs (Industry-specific)
│   └── FS-ISAC (Financial), H-ISAC (Health), etc.
├── MISP (Open source platform)
│   └── Share IOCs with trusted partners
└── Information Sharing Agreements
    └── Peer organizations

Intelligence Overload

More feeds ≠ better security. Too many IOC feeds create noise and false positives. Start with a few quality sources and expand as your processes mature.

Using Threat Intelligence

# Practical Threat Intel Workflow

# 1. ENRICHMENT - Add context to alerts
# SOC gets alert for connection to 1.2.3.4
# Enrich with threat intel:

# Check VirusTotal
curl -s "https://www.virustotal.com/api/v3/ip_addresses/1.2.3.4" \
  -H "x-apikey: YOUR_API_KEY" | jq '.data.attributes.last_analysis_stats'

# Check AbuseIPDB (the v2 API expects an Accept header alongside the key)
curl -s "https://api.abuseipdb.com/api/v2/check?ipAddress=1.2.3.4" \
  -H "Key: YOUR_API_KEY" -H "Accept: application/json" | jq '.data.abuseConfidenceScore'

# 2. DETECTION - Create rules from intelligence
# Intel report says APT uses PowerShell with -EncodedCommand
# Create Sigma rule:

title: Encoded PowerShell Execution
status: stable
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '-EncodedCommand'
            - '-enc'
            - '-ec'
    condition: selection
level: medium

# 3. BLOCKING - Feed IOCs to security controls
# Import malicious IPs to firewall
# Import malicious domains to DNS sinkhole
# Import file hashes to EDR block list

# 4. HUNTING - Proactive search for IOCs
# Search SIEM for known bad domains
index=proxy domain IN (evil1.com, evil2.com, evil3.com)
| stats count by src_ip, domain
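The hunting step of this workflow as plain Python, for the case where the logs are an export rather than a SIEM index. This is an added example, not code from the writeup: it mirrors the Splunk query above (match known-bad domains, then "stats count by src_ip, domain") and additionally records first/last seen and how many of the connections were allowed, which is what an IR lead needs to scope the activity. The proxy log lines, their key=value format and the IP addresses in them are constructed.

```python
from collections import defaultdict

# Added example, not from the writeup. Constructed proxy log lines in a
# "timestamp key=value ..." format; the addresses are documentation ranges.
PROXY_LOG = """\
2024-05-01T08:01:12Z src_ip=10.0.1.25 dest_ip=93.184.216.34 domain=example.com action=allowed
2024-05-01T08:03:40Z src_ip=10.0.1.25 dest_ip=203.0.113.7 domain=evil1.com action=allowed
2024-05-01T08:03:41Z src_ip=10.0.1.25 dest_ip=203.0.113.7 domain=evil1.com action=allowed
2024-05-01T09:15:02Z src_ip=10.0.2.9 dest_ip=198.51.100.4 domain=evil3.com action=blocked
2024-05-01T09:20:55Z src_ip=10.0.3.14 dest_ip=93.184.216.34 domain=example.com action=allowed
2024-05-02T11:47:19Z src_ip=10.0.2.9 dest_ip=198.51.100.4 domain=evil3.com action=allowed
"""

# The writeup's hunting query looks for these domains; IP IOCs are optional
IOC_DOMAINS = {"evil1.com", "evil2.com", "evil3.com"}


def parse_line(line: str) -> dict:
    """Parse 'timestamp key=value key=value ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["ts"] = ts
    return fields


def hunt(log_text: str, ioc_domains, ioc_ips=frozenset()) -> dict:
    """Return {(src_ip, domain): {count, first_seen, last_seen, allowed}} for
    every internal host that talked to a known-bad domain or IP."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("domain") in ioc_domains or ev.get("dest_ip") in ioc_ips:
            key = (ev["src_ip"], ev.get("domain", ev.get("dest_ip")))
            h = hits.setdefault(key, {"count": 0, "first_seen": ev["ts"],
                                      "last_seen": ev["ts"], "allowed": 0})
            h["count"] += 1
            # ISO-8601 timestamps in one zone compare correctly as strings
            h["first_seen"] = min(h["first_seen"], ev["ts"])
            h["last_seen"] = max(h["last_seen"], ev["ts"])
            if ev.get("action") == "allowed":
                h["allowed"] += 1   # a blocked attempt still shows the host reached out
    return hits


def hosts_to_triage(hits: dict) -> list:
    """Distinct internal hosts, most matching connections first."""
    per_host = defaultdict(int)
    for (src_ip, _), h in hits.items():
        per_host[src_ip] += h["count"]
    return sorted(per_host, key=lambda ip: (-per_host[ip], ip))


if __name__ == "__main__":
    results = hunt(PROXY_LOG, IOC_DOMAINS)
    for (src, dom), h in sorted(results.items()):
        print(src, dom, h)
    print("triage order:", hosts_to_triage(results))
```

A blocked connection is kept in the results on purpose: the proxy stopped that one request, but the host that made it is still the one to look at.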

Understanding Threat Actors

Major Threat Actor Categories:

NATION-STATE / APT (Advanced Persistent Threat)
├── Motivation: Espionage, sabotage, geopolitics
├── Resources: Unlimited funding, zero-days, custom tools
├── Targets: Government, defense, critical infrastructure
├── Examples:
│   ├── APT29/Cozy Bear (Russia) - SolarWinds
│   ├── APT41 (China) - Supply chain attacks
│   └── Lazarus Group (North Korea) - Crypto theft
└── Characteristics: Stealthy, patient, sophisticated

CYBERCRIME / RANSOMWARE GROUPS
├── Motivation: Money
├── Resources: Moderate, buy tools, affiliate model
├── Targets: Anyone who will pay
├── Examples:
│   ├── LockBit - RaaS leader
│   ├── BlackCat/ALPHV - Advanced extortion
│   └── Clop - Mass exploitation
└── Characteristics: Opportunistic, business-oriented

HACKTIVISTS
├── Motivation: Political/social causes
├── Resources: Limited, use known tools
├── Targets: Organizations they oppose
├── Examples:
│   ├── Anonymous - Decentralized collective
│   ├── IT Army of Ukraine - Pro-Ukraine
│   └── Various politically motivated groups
└── Characteristics: Public, attention-seeking, DDoS/defacement

INSIDER THREATS
├── Motivation: Money, revenge, ideology
├── Resources: Authorized access
├── Targets: Their own employer
├── Examples: Disgruntled employees, contractors
└── Characteristics: Hardest to detect, trusted access

Know Your Adversary

Understanding who might target you helps prioritize defenses. A bank needs to worry about cybercriminals and nation-states. A small retail shop mainly worries about opportunistic attackers. Tailor your intelligence consumption accordingly.

Threat Intelligence Lifecycle

Threat Intelligence Lifecycle:

1. PLANNING & DIRECTION
   ├── Define intelligence requirements
   ├── What questions do we need answered?
   ├── Who will consume the intelligence?
   └── Example: "We need to know about ransomware TTPs"

2. COLLECTION
   ├── Gather raw data from sources
   ├── OSINT, dark web, commercial feeds
   ├── Internal data (IR findings, hunting results)
   └── Technical collection (malware samples)

3. PROCESSING
   ├── Normalize data formats
   ├── Deduplicate and clean
   ├── Structure for analysis
   └── Store in TIP or database

4. ANALYSIS
   ├── Turn data into intelligence
   ├── Add context and meaning
   ├── Identify patterns and trends
   └── Assess relevance to organization

5. DISSEMINATION
   ├── Deliver to consumers
   ├── Right format for audience
   ├── Actionable recommendations
   └── Timely delivery

6. FEEDBACK
   ├── Was the intel useful?
   ├── What should we change?
   ├── Continuous improvement
   └── Refine requirements

The cycle repeats continuously!

Practical Example: Using Intel

Scenario: New Ransomware Campaign Alert

INTEL RECEIVED:
─────────────────────────────────────────────
Source: FS-ISAC Alert
Title: "Active RansomGroup Campaign Targeting Banks"

Summary:
- RansomGroup is exploiting CVE-2024-XXXX (VPN vuln)
- Initial access → Cobalt Strike → Data exfil → Encrypt

IOCs Provided:
- C2 IPs: 45.33.32.156, 185.141.63.47
- C2 Domains: update-service[.]com, cdn-check[.]net
- File Hash: a1b2c3d4e5f6...
- Cobalt Strike watermark: 305419896

TTPs:
- T1190 (Exploit Public-Facing Application)
- T1059.001 (PowerShell)
- T1071.001 (Web Protocols for C2)

ACTIONS TO TAKE:
─────────────────────────────────────────────

1. IMMEDIATE (< 1 hour)
   ├── Check if we have the vulnerable VPN
   ├── Block C2 IPs at perimeter firewall
   ├── Add domains to DNS sinkhole
   └── Alert SOC to watch for related activity

2. SHORT-TERM (< 24 hours)
   ├── Search SIEM for historical C2 connections
   ├── Deploy detection rules for TTPs
   ├── Scan for vulnerable systems
   ├── Update EDR with file hash
   └── Patch if vulnerable!

3. ONGOING
   ├── Monitor for new IOCs from this campaign
   ├── Threat hunt for Cobalt Strike indicators
   ├── Brief management on threat
   └── Update IR playbook for ransomware

SIEM Query (Splunk):
index=proxy OR index=firewall
(dest_ip IN ("45.33.32.156", "185.141.63.47") OR
 query IN ("update-service.com", "cdn-check.net"))
| stats count by src_ip, dest_ip, query

Threat Intel Methodology

Consuming Threat Intelligence

1. Receive Intel: Get alert, report, or IOC feed update
2. Assess Relevance: Is this threat relevant to our organization?
3. Extract Actionables: Pull IOCs, TTPs, recommendations
4. Enrich Context: Add internal context, check existing exposure
5. Take Action: Block, detect, hunt, patch, or inform
6. Document: Record actions taken and findings
7. Feedback: Report usefulness, request more context if needed
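The "Extract Actionables" and "Take Action" steps as code, applied to the IOC list from the FS-ISAC scenario above. This is an added example, not code from the writeup: each indicator is refanged, typed (IP, domain, URL, email, hash, ATT&CK technique), placed on the Pyramid of Pain and routed to the control that consumes it. Anything the parser cannot type, such as the advisory's truncated hash or the bare watermark number, is sent back for analyst review instead of being silently dropped. The control names and pain scores are this example's own choices; the 64-character hash at the end of the list is constructed.

```python
import re
from collections import defaultdict

# Added example, not from the writeup: type each IOC from an advisory, score
# it on the Pyramid of Pain and route it to the control that should get it.

DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?:\.[a-z0-9-]{1,63})+$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")   # MITRE ATT&CK technique IDs
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Pyramid of Pain level per IOC type (1 = trivial for the attacker to change).
# URL and email are not on the writeup's pyramid; they are scored with domains here.
PAIN = {"hash": 1, "ip": 2, "domain": 3, "url": 3, "email": 3, "ttp": 6}
# Which control each type is fed to ("Take Action"); names chosen for this example
CONTROL = {"hash": "EDR block list", "ip": "perimeter firewall",
           "domain": "DNS sinkhole", "url": "proxy block list",
           "email": "mail gateway", "ttp": "detection rule + threat hunt"}


def refang(value: str) -> str:
    # Minimal refang, enough for the conventions used in this writeup
    return re.sub(r"^hxxp", "http", value.strip().replace("[.]", "."), flags=re.I)


def is_ipv4(value: str) -> bool:
    parts = value.split(":")[0].split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def classify(raw: str) -> dict:
    v = refang(raw)
    if TECHNIQUE_RE.match(v):          # before the domain test: T1059.001 looks like a host
        kind = "ttp"
    elif is_ipv4(v):                   # likewise, 45.33.32.156 would match DOMAIN_RE
        kind = "ip"
    elif "://" in v:
        kind = "url"
    elif "@" in v:
        kind = "email"
    elif len(v) in HASH_LENGTHS and HEX_RE.match(v):
        kind = "hash"
    elif DOMAIN_RE.match(v):
        kind = "domain"
    else:
        kind = "unknown"               # e.g. a truncated hash or a bare number
    return {"value": v, "type": kind, "pain": PAIN.get(kind),
            "control": CONTROL.get(kind, "analyst review")}


def route(raw_iocs) -> dict:
    """Group IOC values by the control that should receive them."""
    routed = defaultdict(list)
    for raw in raw_iocs:
        c = classify(raw)
        routed[c["control"]].append(c["value"])
    return dict(routed)


def prioritize(raw_iocs) -> list:
    """Highest Pyramid-of-Pain value first; untyped items last."""
    return sorted((classify(r) for r in raw_iocs),
                  key=lambda c: (-(c["pain"] or 0), c["type"], c["value"]))


# IOCs as they appear in the scenario's advisory (defanged), plus a constructed hash
ADVISORY_IOCS = [
    "45.33.32.156", "185.141.63.47",
    "update-service[.]com", "cdn-check[.]net",
    "a1b2c3d4e5f6...",                    # truncated in the advisory as received
    "305419896",                          # Cobalt Strike watermark: not self-describing
    "T1190", "T1059.001", "T1071.001",
    "0123456789abcdef" * 4,               # constructed 64-hex SHA-256 placeholder
]

if __name__ == "__main__":
    for control, values in route(ADVISORY_IOCS).items():
        print(f"{control:28} {values}")
    print([c["value"] for c in prioritize(ADVISORY_IOCS)])
```

The review bucket is the important part: a feed that quietly drops the truncated hash gives the EDR nothing while the ticket says "hash imported", which is exactly the gap the Feedback step exists to catch.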

Knowledge Check

Quick Quiz

According to the Pyramid of Pain, which indicator type causes attackers the most difficulty when blocked?

Challenges

Enrich an IOC

Challenge
🌱 beginner

You've received an alert about traffic to IP 45.33.32.156. Use free online tools (VirusTotal, AbuseIPDB) to gather threat intelligence about this IP. Document what you find.


Key Takeaways

  • Threat intelligence is context about threats, not just IOC lists
  • The Pyramid of Pain: Focus on TTPs for maximum impact on attackers
  • Strategic intel for executives, tactical intel for SOC analysts
  • Free sources like VirusTotal, OTX, and CISA provide valuable intel
  • Use intel to enrich alerts, create detections, and proactively hunt
  • Always defang IOCs when documenting or sharing