Introduction to Cyber Threat Intelligence | TryHackMe Intro to Cyber Threat Intel
Introduction
This post covers an introduction to Cyber Threat Intelligence (CTI), its lifecycle, and the frameworks used to organize it, namely MITRE ATT&CK and the Cyber Kill Chain. It also covers the answers to the TryHackMe Intro to Cyber Threat Intel room.
What is Cyber Threat Intelligence (CTI)?
CTI involves collecting and analyzing evidence-based knowledge about adversaries’ Tactics, Techniques, and Procedures (TTPs) to:
- Blue Team Perspective: Build detections and strengthen security by understanding attacker methods.
- Red Team Perspective: Emulate adversary TTPs to test the effectiveness of defenses and improve resilience.
Core Focus:
- Profile attackers by studying their tools, tactics, and procedures.
Sources of Threat Intelligence
CTI can be gathered from various internal, community, and external sources:
A. Internal Sources
- Pen Tests: Information from penetration testing exercises.
- Vulnerability Assessments: Analysis of system weaknesses.
- Incident Response Reports: Insights from past breaches or incidents.
- Logs: Syslogs, event logs, and other machine data.
- Training Reports: Results from security awareness training.
B. Community Sources
- Open Web Forums: Online security communities and forums.
- Dark Web Forums: Threat intelligence from underground hacker forums.
C. External Sources
- Intelligence Feeds: Threat updates from vendors (e.g., real-time alerts).
- Public Resources: Government or social media reports on emerging threats.
Cyber Threat Intelligence Lifecycle
The CTI lifecycle describes the stages of threat intelligence gathering and processing:
A. Direction
- Define objectives, goals, and the scope of the intelligence gathering.
- Identify business assets, risks, sources of intelligence, and required tools.
B. Collection
- Gather data from various internal, community, and external sources.
- Examples: malware reports, log files, incident data.
C. Processing
- Organize raw data into usable formats using tools like SIEM (Security Information and Event Management).
D. Analysis
- Derive insights from the processed data.
- Examples:
- Identify attack patterns.
- Define action plans to mitigate risks.
- Strengthen the organization’s security profile.
E. Dissemination
- Share findings with stakeholders in a clear, high-level format.
- Examples: Reports on risks, mitigation strategies, or budget allocations for security measures.
F. Feedback
- Gather stakeholder responses to improve intelligence efforts or security controls.
Frameworks for Cyber Threat Intelligence
Frameworks provide structure and guidance for utilizing CTI effectively.
A. MITRE ATT&CK Framework
- A knowledge base of adversary TTPs.
- Used for analyzing and tracking attacker behaviors.
B. Cyber Kill Chain
- Breaks down adversary actions into sequential stages:
- Reconnaissance: Collecting victim information.
- Weaponization: Preparing malicious payloads (e.g., PDFs, executables).
- Delivery: Distributing payloads (e.g., via email or USB).
- Exploitation: Exploiting vulnerabilities to gain access.
- Installation: Installing malware or backdoors.
- Command & Control (C2): Remotely controlling the compromised system.
- Actions on Objectives: Achieving the attacker’s end goals, such as data exfiltration.
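The lifecycle stages above (Collection, Processing, Analysis, Dissemination) and the two frameworks are easier to see together in code. The following is an added example, not code from the original post or from TryHackMe: it takes a constructed intel feed whose entries are tagged with a Cyber Kill Chain stage and an ATT&CK technique ID, processes constructed raw log lines into structured events, matches the extracted indicators against the feed, and summarises each host's progression through the kill chain. All hostnames, IP addresses (from the documentation range 203.0.113.0/24 and 198.51.100.0/24), the example.net domain and the hash value are made-up sample data; the function names are the author's own choices for this illustration.

```python
"""Added example (not part of the original post): a minimal CTI pipeline.

Processing: raw key=value log lines become structured events.
Analysis:   extracted indicators are matched against an intel feed whose
            entries carry a Cyber Kill Chain stage and an ATT&CK technique.
Dissemination: a per-host summary an analyst could hand to stakeholders.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Cyber Kill Chain stages in order, used to sort and rank observed activity.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Actions on Objectives",
]

# Constructed intel feed. Indicators are sample values only; the ATT&CK IDs
# are real technique identifiers (T1566 Phishing, T1547 Boot or Logon
# Autostart Execution, T1071 Application Layer Protocol).
INTEL_FEED = [
    {"indicator": "update-check.example.net", "type": "domain",
     "stage": "Delivery", "technique": "T1566"},
    {"indicator": "0123456789abcdef0123456789abcdef", "type": "md5",
     "stage": "Installation", "technique": "T1547"},
    {"indicator": "203.0.113.45", "type": "ipv4",
     "stage": "Command & Control", "technique": "T1071"},
]

# Constructed log lines from three sources (proxy, EDR, firewall).
LOG_LINES = [
    "2024-05-01T09:12:03Z host=ws-07 proxy url=http://update-check.example.net/inv.pdf user=jdoe",
    "2024-05-01T09:12:41Z host=ws-07 edr hash=0123456789ABCDEF0123456789abcdef path=C:\\Users\\jdoe\\AppData\\svc.exe",
    "2024-05-01T09:13:10Z host=ws-07 fw dst=203.0.113.45 dport=443 action=allow",
    "2024-05-01T09:15:00Z host=srv-02 fw dst=198.51.100.9 dport=443 action=allow",
]


def parse_line(line):
    """Processing step: turn one raw line into a dict of fields."""
    timestamp, host_field, source, *rest = line.split()
    event = dict(kv.split("=", 1) for kv in [host_field, *rest])
    event["ts"] = timestamp
    event["source"] = source
    return event


def extract_indicators(event):
    """Yield (type, value) pairs that can be looked up in the feed."""
    if "dst" in event:
        yield "ipv4", event["dst"]
    if "url" in event:
        yield "domain", urlparse(event["url"]).hostname or ""
    if "hash" in event:
        yield "md5", event["hash"]


def match_events(lines, feed):
    """Analysis step: return every log event that hits a feed indicator."""
    index = {(e["type"], e["indicator"].lower()): e for e in feed}
    hits = []
    for line in lines:
        event = parse_line(line)
        for itype, value in extract_indicators(event):
            entry = index.get((itype, value.lower()))
            if entry is not None:
                hits.append({"ts": event["ts"], "host": event["host"],
                             "source": event["source"], "indicator": value,
                             "stage": entry["stage"],
                             "technique": entry["technique"]})
    return hits


def summarise(hits):
    """Dissemination step: per-host kill chain progression and techniques."""
    per_host = defaultdict(list)
    for hit in hits:
        per_host[hit["host"]].append(hit)
    report = {}
    for host, host_hits in per_host.items():
        stages = sorted({h["stage"] for h in host_hits}, key=KILL_CHAIN.index)
        report[host] = {
            "first_seen": min(h["ts"] for h in host_hits),
            "stages": stages,
            "furthest_stage": stages[-1],
            "techniques": sorted({h["technique"] for h in host_hits}),
        }
    return report


if __name__ == "__main__":
    for host, summary in summarise(match_events(LOG_LINES, INTEL_FEED)).items():
        print(f"{host}: reached '{summary['furthest_stage']}' "
              f"(first seen {summary['first_seen']}); "
              f"stages={summary['stages']}; techniques={summary['techniques']}")
```

Ranking stages by their kill chain position lets the summary say how far an intrusion got on each host, which is more useful to a stakeholder than a flat list of matched indicators; tagging each feed entry with an ATT&CK technique links the same hit back to the detection engineering work the Blue Team perspective above calls for.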
Key Takeaways
- CTI enables organizations to proactively protect assets by understanding and emulating adversary behaviors.
- Frameworks like MITRE ATT&CK and the Cyber Kill Chain are essential tools for organizing and applying threat intelligence.
- The lifecycle approach ensures structured collection, processing, and utilization of intelligence.
Room Answers | TryHackMe Basic Pentesting Walkthrough
Room answers can be found here.