We briefly talked about cyber threat intelligence, the tools and platforms used, and how threat data is ingested into these tools. We covered the OpenCTI platform and explained its components, including the Threats, Arsenal and Analysis sections. We concluded the video with an investigative scenario about a malware family and threat group, using OpenCTI to gather threat intel. This was part of the TryHackMe OpenCTI room in the SOC Level 1 pathway.

Challenge Description

Provide an understanding of the OpenCTI Project.

Video Highlights

Cyber Threat Intelligence is typically a managerial mystery to handle, with organisations battling with how to input, digest, analyse and present threat data in a way that will make sense. From the rooms that have been linked on the overview, it is clear that there are numerous platforms that have been developed to tackle the juggernaut that is Threat Intelligence.

OpenCTI

OpenCTI is another open-source platform designed to provide organisations with the means to manage CTI through the storage, analysis, visualisation and presentation of threat campaigns, malware and IOCs.

Objective

Developed in collaboration with the French National Cybersecurity Agency (ANSSI), the platform's main objective is to create a comprehensive tool that allows users to capitalise on technical and non-technical information while developing relationships between each piece of information and its primary source. The platform can use the MITRE ATT&CK framework to structure the data. Additionally, it can be integrated with other threat intel tools such as MISP and TheHive. Rooms for these tools have been linked in the overview.

OpenCTI Data Model

OpenCTI uses a variety of knowledge schemas to structure data, the main one being the Structured Threat Information Expression (STIX2) standard. STIX is a serialised and standardised language format used for threat intelligence exchange. It allows the data to be implemented as entities and relationships, effectively tracing the origin of the provided information.
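To make the entity-and-relationship model concrete, here is an added example (not code from the room or from the OpenCTI project) that builds a minimal STIX 2.1 bundle with only the Python standard library: an identity (the author), an intrusion set, a malware family and an attack pattern, linked by "uses" relationships that carry a confidence value. All names and values are constructed sample data. The helper functions `validate_refs`, `related_names` and `author_of` are assumptions of this example; they show the checks a practitioner runs on a bundle before importing it: that every reference resolves, which entities a given entity is linked to above a confidence threshold, and which source supplied an entity.

```python
"""Minimal STIX 2.1 bundle showing how threat intel is modelled as entities
(STIX Domain Objects) joined by relationships (STIX Relationship Objects).
Added example using only the Python standard library; it does not use
OpenCTI's own code or the stix2 package, and all data below is constructed."""
import json
import uuid
from datetime import datetime, timezone


def _timestamp():
    """STIX timestamps are UTC with millisecond precision and a 'Z' suffix."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_object(stix_type, **props):
    """Build an object with the common properties every STIX 2.1 SDO needs."""
    obj = {
        "type": stix_type,
        "spec_version": "2.1",
        "id": f"{stix_type}--{uuid.uuid4()}",  # STIX ids are <type>--<UUID>
        "created": _timestamp(),
        "modified": _timestamp(),
    }
    obj.update(props)
    return obj


def make_relationship(source, target, relationship_type, confidence=None):
    """An SRO links two SDOs by id; confidence is an integer from 0 to 100."""
    rel = make_object("relationship", relationship_type=relationship_type,
                      source_ref=source["id"], target_ref=target["id"])
    if confidence is not None:
        rel["confidence"] = confidence
    return rel


def build_sample_bundle():
    """Constructed sample data (not real intel): one author, one intrusion
    set, one malware family, one attack pattern and the links between them."""
    author = make_object("identity", name="Example CTI Team",
                         identity_class="organization")
    group = make_object("intrusion-set", name="Example Group",
                        created_by_ref=author["id"])
    malware = make_object("malware", name="Example RAT", is_family=True,
                          created_by_ref=author["id"])
    technique = make_object(
        "attack-pattern", name="Example Technique",
        kill_chain_phases=[{"kill_chain_name": "mitre-attack",
                            "phase_name": "persistence"}])
    objects = [
        author, group, malware, technique,
        make_relationship(group, malware, "uses", confidence=75),
        make_relationship(malware, technique, "uses", confidence=50),
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": objects}


def index_by_id(bundle):
    return {o["id"]: o for o in bundle["objects"]}


def validate_refs(bundle):
    """Return dangling references: every *_ref must resolve inside the bundle.
    A platform importing the bundle would otherwise get orphan relationships."""
    ids = index_by_id(bundle)
    dangling = []
    for obj in bundle["objects"]:
        for key, value in obj.items():
            if key.endswith("_ref") and value not in ids:
                dangling.append((obj["id"], key, value))
    return dangling


def related_names(bundle, name, relationship_type="uses", min_confidence=0):
    """Names of objects that <name> points to via outgoing relationships of
    the given type, keeping only links at or above min_confidence."""
    ids = index_by_id(bundle)
    source_ids = {i for i, o in ids.items() if o.get("name") == name}
    return sorted(
        ids[o["target_ref"]]["name"]
        for o in bundle["objects"]
        if o["type"] == "relationship"
        and o["relationship_type"] == relationship_type
        and o["source_ref"] in source_ids
        and o.get("confidence", 0) >= min_confidence
    )


def author_of(bundle, name):
    """Follow created_by_ref back to the identity that supplied the entity,
    which is how the origin of a piece of intel is traced."""
    ids = index_by_id(bundle)
    for obj in ids.values():
        if obj.get("name") == name and "created_by_ref" in obj:
            return ids[obj["created_by_ref"]]["name"]
    return None


if __name__ == "__main__":
    sample = build_sample_bundle()
    print(json.dumps(sample, indent=2))
    print("dangling refs:", validate_refs(sample))
    print("Example Group uses:", related_names(sample, "Example Group"))
    print("author of Example RAT:", author_of(sample, "Example RAT"))
```

The confidence filter mirrors the kind of question asked later in the room (which intrusion sets are linked to a malware at a given confidence level); the numeric threshold is left as a parameter because the mapping from a platform's named levels to STIX's 0 to 100 scale is platform-specific.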

Room Answers

What is the name of the group that uses the 4H RAT malware?

What kill-chain phase is linked with the Command-Line Interface Attack Pattern?

Within the Activities category, which tab would house the Indicators?

What Intrusion sets are associated with the Cobalt Strike malware with a Good confidence level? (Intrusion1, Intrusion2)

Who is the author of the entity?

What is the earliest date recorded related to CaddyWiper? Format: YYYY/MM/DD

Which Attack technique is used by the malware for execution?

How many malware relations are linked to this Attack technique?

Which 3 tools were used by the Attack Technique in 2016? (Ans: Tool1, Tool2, Tool3)

What country is APT37 associated with?

Which Attack techniques are used by the group for initial access? (Ans: Technique1, Technique2)

Video Walkthrough

About the Author

Cybersecurity Trainer. MS in Cybersecurity. Expertise in the Healthcare and Finance industries. Penetration tester and compliance auditor.