Acronyms used
APT: Advanced Persistent Threat
CTI: Cyber Threat Intelligence
TTP: Tactics, Techniques and Procedures (used by threat actors)
Introduction:
I used to think that Cyber Threat Intelligence (CTI) was only about collecting information on the APTs and threat actors relevant to an organisation, so that its security posture could be hardened against the TTPs they use.
It turns out CTI brings more to the table; for instance, it helps the SOC team in many ways. Let me present some simple examples, taken from TryHackMe, to demonstrate:
Say there is benign activity going on, such as someone running a network scan. In this scenario threat intelligence provides the context that helps an analyst decide which of the many alerts in the queue represents genuine danger.
Information security literature distinguishes data, information, and intelligence, yet the three terms often blur in daily conversation. Making them explicit clarifies an analyst's objective.
| Layer | Definition | Alert-queue example | SOC L1 action |
|---|---|---|---|
| Data | An unprocessed observable | 45.155.205.3:443 | Capture the artefact. |
| Information | Data plus factual annotation | IP registered to Hetzner, first seen 2023-07-14 | Record attributes. |
| Intelligence | Analysed information that answers the "so what" | IP belongs to the current BumbleBee C2; block immediately | Escalate or suppress. |
In concrete terms, Cyber Threat Intelligence (CTI) seeks to answer three essential questions:
- Who, or what, is on the other end of this alert indicator?
- What was their behaviour in the past?
- How does my organisation respond, and what should I do about it right now?
Therefore, a Level 1 analyst is responsible for making the artefacts usable and enriching them until they qualify as intelligence, or demonstrating that they never will. That push is enacted through enrichment: rapid, methodical lookups of public, commercial and internal sources that shed light on origin, behaviour and relevance.
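To make the three layers and the three questions concrete, here is an added example (not from the original article or from TryHackMe) that walks a source IP from an alert through data, information and intelligence and ends with an L1 disposition. The asset inventory, WHOIS annotations and threat feed below are constructed in-memory stand-ins for the real sources an analyst would query; every value in them, including the Hetzner and BumbleBee entries that echo the table, is made up for the demonstration.

```python
"""Walk one alert observable through data -> information -> intelligence.

Added example, not code from the original article. All lookup sources are
constructed stand-ins: a real L1 workflow would query the asset inventory,
WHOIS / passive DNS and the internal threat platform instead.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed asset inventory: ranges that belong to us, including the subnet
# the vulnerability scanner lives on (benign scanning context for the analyst).
INTERNAL_RANGES = {
    "corp-lan": ipaddress.ip_network("10.20.0.0/16"),
    "vuln-scanner": ipaddress.ip_network("10.20.99.0/24"),
}

# Constructed WHOIS-style annotations (information layer: facts, no verdict).
WHOIS_STUB = {
    "45.155.205.3": {"org": "Hetzner", "first_seen": "2023-07-14"},
    "203.0.113.8": {"org": "Example Hosting (documentation range)", "first_seen": "2021-02-01"},
}

# Constructed internal threat feed (intelligence layer: the "so what" is attached).
THREAT_FEED = [
    (ipaddress.ip_network("45.155.205.0/24"), "BumbleBee C2 infrastructure; block immediately"),
]


@dataclass
class Enriched:
    data: str                                        # the raw observable from the alert
    information: dict = field(default_factory=dict)  # factual annotations gathered
    intelligence: Optional[str] = None               # analysed "so what", if any
    action: str = "record"                           # L1 disposition: record / suppress / escalate


def enrich(ip_text: str) -> Enriched:
    """Enrich one IP observable and decide the L1 action."""
    result = Enriched(data=ip_text)
    ip = ipaddress.ip_address(ip_text)

    # Information, internal sources first: is this one of our own hosts?
    # Iterate least- to most-specific so the most specific range wins.
    for name, net in sorted(INTERNAL_RANGES.items(), key=lambda kv: kv[1].prefixlen):
        if ip in net:
            result.information["internal_range"] = name

    # Information, external sources: registration facts about the address.
    if ip_text in WHOIS_STUB:
        result.information.update(WHOIS_STUB[ip_text])

    # Intelligence: does tracked adversary infrastructure cover this address?
    for net, verdict in THREAT_FEED:
        if ip in net:
            result.intelligence = verdict

    # Disposition: a feed hit is genuine danger; our own scanner is benign context.
    if result.intelligence:
        result.action = "escalate"
    elif result.information.get("internal_range") == "vuln-scanner":
        result.action = "suppress"
    return result


if __name__ == "__main__":
    # Constructed alert queue: three "port scan detected" alerts from different sources.
    for src in ("10.20.99.17", "203.0.113.8", "45.155.205.3"):
        e = enrich(src)
        print(f"{e.data:<15} info={e.information} intel={e.intelligence!r} -> {e.action}")
```

The point of the structure is that the verdict field stays empty unless a source actually answers the "so what"; an address with only WHOIS facts attached is information, gets recorded, and is neither blocked nor suppressed on that basis alone.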
Indicator Types Essential to First-Line Triage
Every artefact demands a tailored enrichment path. Memorising tools is less important than recognising what kind of indicator the alert supplies and knowing where to look. Below, we have a table showing the types of indicators we need to be aware of, with examples:
| Indicator | Example | First Resources | Associated IOA or TTP Examples |
|---|---|---|---|
| IPv4 / IPv6 | 45.155.205.3 | WHOIS (ASN, allocation date) · VirusTotal Relations · Shodan banner scan | IOA: repeated SSH failures; TTP: T1110.003 Password Guessing |
| Domain / FQDN | malicious-updates[.]net | WHOIS age · RiskIQ or SecurityTrails passive DNS · urlscan.io | IOA: surge of DNS queries to a 24-hour-old domain |
| URL | hxxp://malicious-updates[.]net/login | URLhaus reputation · urlscan.io behaviour graph · Any.Run dynamic run (network off) | IOA: browser POST to /gateway.php with payload |
| File hash | e99a18c428cb38d5… | VirusTotal static & dynamic · Hybrid Analysis · MalShare corpus | TTP: T1055 Process Injection into regsvr32.exe |
| E-mail address | billing@evil-corp.com | MXToolbox header analysis · Have I Been Pwned | IOA: SPF failure plus recent domain registration |
| Local artefact | HKCU\Software\Run\updater.exe | Sigma rules · EDR prevalence query · Vendor knowledge base | TTP: T1060.001 Registry Run Keys |
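Recognising the indicator type is the first step of every enrichment path in the table, and in practice indicators arrive defanged (hxxp://, [.]) and have to be normalised before any lookup. The following added example (not from the original article) classifies an indicator string into the table's categories and returns the matching first resources; the refanging rules, the regexes and the host:port handling are this example's own assumptions about how indicators commonly appear in alerts and reports.

```python
"""Classify a triage indicator and route it to its enrichment path.

Added example, not code from the original article. Refanging rules and
regexes are assumptions about common report conventions; the resource
lists echo the "First Resources" column of the table above.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Common defanging conventions: hxxp(s)://, [.], (.), [:], [@].
def refang(indicator: str) -> str:
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        s = s.replace(defanged, real)
    return s

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")
REG_KEY_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU|HKCC|HKEY_[A-Z_]+)\\", re.IGNORECASE)

# Enrichment routing, mirroring the table's "First Resources" column.
ENRICHMENT_PATH = {
    "ipv4": ["WHOIS (ASN, allocation date)", "VirusTotal Relations", "Shodan banner scan"],
    "ipv6": ["WHOIS (ASN, allocation date)", "VirusTotal Relations", "Shodan banner scan"],
    "domain": ["WHOIS age", "RiskIQ or SecurityTrails passive DNS", "urlscan.io"],
    "url": ["URLhaus reputation", "urlscan.io behaviour graph", "Any.Run dynamic run (network off)"],
    "hash": ["VirusTotal static & dynamic", "Hybrid Analysis", "MalShare corpus"],
    "email": ["MXToolbox header analysis", "Have I Been Pwned"],
    "registry_key": ["Sigma rules", "EDR prevalence query", "Vendor knowledge base"],
}


def _is_ip(text: str):
    """Return the ip_address object or None instead of raising."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def classify(indicator: str) -> str:
    """Return one of: registry_key, hash_md5/sha1/sha256, ipv4, ipv6, url, email, domain, unknown."""
    s = refang(indicator)
    if REG_KEY_RE.match(s):
        return "registry_key"
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) in HASH_LENGTHS:
        return f"hash_{HASH_LENGTHS[len(s)]}"
    ip = _is_ip(s)
    if ip is not None:
        return "ipv6" if ip.version == 6 else "ipv4"
    # Alerts often carry "a.b.c.d:port"; strip the port and retry for IPv4.
    host, sep, port = s.rpartition(":")
    if sep and port.isdigit() and _is_ip(host) is not None and _is_ip(host).version == 4:
        return "ipv4"
    if "://" in s:
        parsed = urlparse(s)
        if parsed.scheme in ("http", "https", "ftp") and parsed.netloc:
            return "url"
    m = EMAIL_RE.match(s)
    if m and DOMAIN_RE.match(m.group(1)):
        return "email"
    if DOMAIN_RE.match(s):
        return "domain"
    return "unknown"


def enrichment_path(indicator: str) -> list:
    """Resources to consult first for this indicator; empty when the type is unknown."""
    kind = classify(indicator)
    key = "hash" if kind.startswith("hash_") else kind
    return ENRICHMENT_PATH.get(key, [])


if __name__ == "__main__":
    for ind in ("45.155.205.3:443", "malicious-updates[.]net", "hxxp://malicious-updates[.]net/login",
                "e99a18c428cb38d5f260853678922e03", "billing@evil-corp.com",
                r"HKCU\Software\Run\updater.exe"):
        print(f"{ind:<45} {classify(ind):<13} {enrichment_path(ind)}")
```

Refanging is done once, up front, so the same function accepts both the raw observable from an alert and the defanged form pasted from a report; note that the truncated hash in the table (ending in "…") is deliberately left unclassified, since a partial hash cannot be looked up.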
Some of you might say: okay, I am convinced, but how can I start using CTI for my own needs?
There are a lot of great tools that will give you a good jump start; the leading open-source examples are MISP and OpenCTI.
That sums up this introductory article. I hope you enjoyed it.