In this post, we cover the concept of threat intelligence, how it is performed, which IOCs are collected during threat intelligence, and how those IOCs are used and standardised so they can be implemented in a SOC to hunt for threats and prevent future cyber attacks. The accompanying video covers the TryHackMe room Threat Intelligence for SOC, which is part of the SOC Level 2 path.
Definition of cyber threat intelligence
From the blue team's perspective, it is the collection and analysis of the tactics, techniques and procedures (TTPs) used by attackers in order to build detections.
From the red team's perspective, it is the emulation of adversaries' TTPs and the analysis of the blue team's ability to build detections based on IOCs and TTPs.
The red team collects the TTPs attributed to a specific hacking group from threat intelligence frameworks, then builds tools and emulates that group's behaviour during an engagement.
With the help of cyber threat intelligence, we aim to answer the following questions:
- Who’s attacking you?
- What are their motivations?
- What are their capabilities?
- What artefacts and indicators of compromise (IOCs) should you look out for?
Classifications of threat intelligence
- Strategic Intel: High-level intel that looks into the organisation’s threat landscape and maps out the risk areas based on trends, patterns and emerging threats that may impact business decisions.
- Technical Intel: Examines evidence and artefacts of attacks an adversary uses. Incident Response teams can use this intel to create a baseline attack surface to analyse and develop defence mechanisms.
- Tactical Intel: Assesses adversaries’ tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and address vulnerabilities through real-time investigations.
- Operational Intel: Assesses an adversary’s specific motives and intent to perform an attack. Security teams may use this intel to understand the critical assets available in the organisation (people, processes, and technologies) that threat actors may target.
How is threat intelligence gathered?
- Internal:
  - Vulnerability assessments and incident response reports.
  - Cyber awareness training reports.
  - System logs and events.
- Community:
  - Web forums.
  - Dark web communities for cybercriminals.
- External:
  - Threat intel feeds (commercial and open-source).
  - Online marketplaces.
  - Public sources, including government data, publications, social media, and financial and industrial assessments.
What are Sigma rules, and what is the role of Sigma in detection engineering?
Sigma is an open-source, generic signature language developed to describe log events in a structured format. This allows security analysts to share detection methods quickly.
The Sigma syntax offers a straightforward yet powerful framework for expressing detection logic across many log sources: rules can be written for proxy logs, Windows events, application logs, firewall logs, cloud events, Linux audit logs and many other log types.
Sigma provides the vocabulary needed to spell out detection logic and to attach metadata that helps analysts investigate the alerts your rules produce. It also helps you organise the detection rules you write and share them with colleagues and threat intelligence communities.
Sigma's most powerful feature is that it was designed to work with whatever search and detection tooling you already own. Using the Sigma converter, rules can be translated into Elastic, Splunk, ArcSight, Carbon Black, Graylog, NetWitness, Humio, CrowdStrike, ElastAlert and many other free and commercial formats. Keeping your rules in Sigma syntax avoids vendor lock-in and lets you reuse the same detection logic for investigation searches, as a starting point for threat hunting queries, and across other detection systems.
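As an added example (not code from TryHackMe or the Sigma project), the toy evaluator below shows what Sigma's structured detection block buys you: one rule, written for the IOC domain and sinkhole address from this post, is both matched against constructed DNS events and rendered as a Lucene query of the kind an Elastic backend would run. It supports only the endswith/contains/exact modifiers and conditions of the form "a and not b"; the Sysmon-style field names QueryName and QueryResults and the sample events are assumptions.

```python
# Added example, not TryHackMe's or the Sigma project's code: a toy Sigma-style
# rule evaluator plus a Lucene converter. The rule mirrors Sigma's YAML layout as a
# dict (no YAML dependency); the Sysmon-style fields QueryName/QueryResults are assumed.
RULE = {  # constructed rule: lookups of the post's IOC domain not answered by the sinkhole
    "title": "DNS query to known malicious domain not yet sinkholed",
    "detection": {
        "selection": {"QueryName|endswith": "agrosaoxe.info"},
        "filter": {"QueryResults|contains": "192.168.5.13"},
        "condition": "selection and not filter",
    },
}

EVENTS = [  # constructed sample events standing in for parsed DNS logs
    {"QueryName": "www.agrosaoxe.info", "QueryResults": "104.21.48.143"},
    {"QueryName": "agrosaoxe.info", "QueryResults": "192.168.5.13"},
    {"QueryName": "example.com", "QueryResults": "203.0.113.10"},
]

MODIFIERS = {  # Sigma value modifier -> (Python predicate, Lucene wildcard template)
    "endswith": (str.endswith, "*{}"),
    "contains": (lambda value, needle: needle in value, "*{}*"),
    "": (str.__eq__, "{}"),  # a key without "|modifier" means exact match
}

def compile_rule(rule):
    # Resolve "a and not b" into [(negated, [(field, modifier, value), ...]), ...].
    det, compiled = rule["detection"], []
    for term in det["condition"].split(" and "):
        negated = term.startswith("not ")
        block = det[term[4:] if negated else term]
        fields = [(k.partition("|")[0], k.partition("|")[2], v) for k, v in block.items()]
        compiled.append((negated, fields))
    return compiled

def rule_matches(rule, event):
    # Fields inside one block are ANDed; blocks then combine per the condition.
    for negated, fields in compile_rule(rule):
        hit = all(MODIFIERS[m][0](str(event.get(f, "")), v) for f, m, v in fields)
        if hit == negated:
            return False
    return True

def to_lucene(rule):
    # Same logic rendered as a Lucene query string, the shape an Elastic backend emits.
    clauses = []
    for negated, fields in compile_rule(rule):
        parts = " AND ".join(f"{f}:{MODIFIERS[m][1].format(v)}" for f, m, v in fields)
        clauses.append(f"{'NOT ' if negated else ''}({parts})")
    return " AND ".join(clauses)
```

Only the first sample event fires: the second was already answered by the sinkhole, so the `filter` block suppresses it, and the third never matches `selection`.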
Room Answers | TryHackMe Threat Intelligence for SOC
How many unique IP addresses were provided in the IOC list?
11
Based on the set of IOCs, how many IOC hits were discovered in the logs?
48
Out of the total number of IOCs, how many unique IP addresses were discovered in the logs?
7
How many connections were made to 185[.]224[.]128[.]215?
21
What is the IP address of the compromised host?
10.10.196.49
What is the destination port of connections made to 107[.]175[.]202[.]151?
80
How many DNS queries to agrosaoxe[.]info have been created?
11
Before deploying the sinkhole configuration, what IPv4 addresses are resolved by agrosaoxe[.]info? (format: IPs in ascending order)
104.21.48.143, 172.67.186.179
What is the IP address used for DNS Sinkhole?
192.168.5.13
How many hits were caused by connections to sinkholed domains?
115
How many unique domains have been sinkholed?
12
What is the value of the alert field in the converted ElastAlert rule?
debug
How many alerts were generated by the rule?
40
How many unique domains were sinkholed via 0.0.0.0?
7
What is the sinkholed domain that has .ru TLD?
twizt.ru