Introduction

This post covers an introduction to Cyber Threat Intelligence (CTI), its lifecycle, and frameworks such as MITRE ATT&CK and the Cyber Kill Chain. It also includes the answers to the TryHackMe Intro to Cyber Threat Intel room.

What is Cyber Threat Intelligence (CTI)?

CTI involves collecting and analyzing evidence-based knowledge about adversaries’ Tactics, Techniques, and Procedures (TTPs) to:

  • Blue Team Perspective: Build detections and strengthen security by understanding attacker methods.
  • Red Team Perspective: Emulate adversary TTPs to test the effectiveness of defenses and improve resilience.

Core Focus:

  • Profile attackers by studying their tools, tactics, and procedures.

Sources of Threat Intelligence

CTI can be gathered from various internal, community, and external sources:

A. Internal Sources

  1. Pen Tests: Information from penetration testing exercises.
  2. Vulnerability Assessments: Analysis of system weaknesses.
  3. Incident Response Reports: Insights from past breaches or incidents.
  4. Logs: Syslogs, event logs, and other machine data.
  5. Training Reports: Results from security awareness training.

B. Community Sources

  1. Open Web Forums: Online security communities and forums.
  2. Dark Web Forums: Threat intelligence from underground hacker forums.

C. External Sources

  1. Intelligence Feeds: Threat updates from vendors (e.g., real-time alerts).
  2. Public Resources: Government or social media reports on emerging threats.

Cyber Threat Intelligence Lifecycle

The CTI lifecycle describes the stages of threat intelligence gathering and processing:

A. Direction

  • Define objectives, goals, and the scope of the intelligence gathering.
  • Identify business assets, risks, sources of intelligence, and required tools.

B. Collection

  • Gather data from various internal, community, and external sources.
  • Examples: malware reports, log files, incident data.

C. Processing

  • Organize raw data into usable formats using tools like SIEM (Security Information and Event Management).

D. Analysis

  • Derive insights from the processed data.
  • Examples:
    • Identify attack patterns.
    • Define action plans to mitigate risks.
    • Strengthen the organization’s security profile.

E. Dissemination

  • Share findings with stakeholders in a clear, high-level format.
  • Examples: Reports on risks, mitigation strategies, or budget allocations for security measures.

F. Feedback

  • Gather stakeholder responses to improve intelligence efforts or security controls.

Frameworks for Cyber Threat Intelligence

Frameworks provide structure and guidance for utilizing CTI effectively.

A. MITRE ATT&CK Framework

  • A knowledge base of adversary TTPs.
  • Used for analyzing and tracking attacker behaviors.

B. Cyber Kill Chain

  • Breaks down adversary actions into sequential stages:
    1. Reconnaissance: Collecting victim information.
    2. Weaponization: Preparing malicious payloads (e.g., PDFs, executables).
    3. Delivery: Distributing payloads (e.g., via email or USB).
    4. Exploitation: Exploiting vulnerabilities to gain access.
    5. Installation: Installing malware or backdoors.
    6. Command & Control (C2): Remotely controlling the compromised system.
    7. Actions on Objectives: Achieving the attacker’s end goals, such as data exfiltration.
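To make the lifecycle stages and the kill chain phases concrete, here is an added example (not code from the room or the original post) that walks a constructed technical-intel feed and constructed log lines through Processing, Analysis and Dissemination; every IP, hash and log line is made up, and the phase labels on the feed entries are an assumed vendor tagging.

```python
import re
from collections import Counter

# Kill chain phases in order (from the post), used to judge how far an intrusion progressed.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command & Control", "Actions on Objectives"]

# Collection: a constructed technical-intel feed (IPs and a hash, all made-up values),
# each artefact tagged with the kill-chain phase the hypothetical vendor attributes to it.
INTEL_FEED = [
    {"type": "ip", "value": "203.0.113.7", "phase": "Command & Control"},
    {"type": "ip", "value": "198.51.100.9", "phase": "Delivery"},
    {"type": "sha256", "value": "a" * 64, "phase": "Installation"},
]

# Constructed raw log lines in two different formats, as a SIEM would receive them.
RAW_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.7 url=http://203.0.113.7/beacon",
    "2024-05-01T10:00:07Z edr host=WS-12 sha256=" + "a" * 64 + " path=C:\\Users\\x\\dropper.exe",
    "2024-05-01T10:01:00Z proxy src=10.0.0.8 dst=93.184.216.34 url=http://example.com/",
]

KV = re.compile(r"(\w+)=(\S+)")

def process(raw_lines):
    """Processing: normalise heterogeneous lines into uniform dicts (timestamp, source, fields)."""
    events = []
    for line in raw_lines:
        ts, source, rest = line.split(" ", 2)
        events.append({"ts": ts, "source": source, **dict(KV.findall(rest))})
    return events

def analyse(events, feed):
    """Analysis: correlate normalised events with the feed; each hit carries its kill-chain phase."""
    index = {(i["type"], i["value"]): i["phase"] for i in feed}
    hits = []
    for ev in events:
        for field, itype in (("dst", "ip"), ("sha256", "sha256")):
            phase = index.get((itype, ev.get(field)))
            if phase:
                hits.append({"ts": ev["ts"], "host": ev.get("src", ev.get("host")),
                             "artefact": ev[field], "phase": phase})
    return hits

def disseminate(hits):
    """Dissemination: a stakeholder-level summary; the furthest phase reached drives the priority."""
    by_phase = Counter(h["phase"] for h in hits)
    furthest = max(by_phase, key=KILL_CHAIN.index) if by_phase else None
    return {"matches": len(hits), "phases": dict(by_phase), "furthest_phase": furthest}
```

Running `disseminate(analyse(process(RAW_LOGS), INTEL_FEED))` reports two matches and "Command & Control" as the furthest phase, which is the kind of high-level finding the Dissemination stage hands to stakeholders.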

Key Takeaways

  • CTI enables organizations to proactively protect assets by understanding and emulating adversary behaviors.
  • Frameworks like MITRE ATT&CK and the Cyber Kill Chain are essential tools for organizing and applying threat intelligence.
  • The lifecycle approach ensures structured collection, processing, and utilization of intelligence.

Room Answers | TryHackMe Basic Pentesting Walkthrough

What does CTI stand for?

Cyber Threat Intelligence

IP addresses, Hashes and other threat artefacts would be found under which Threat Intelligence classification?

Technical Intel

At which phase of the CTI lifecycle is data converted into usable formats through sorting, organising, correlation and presentation?

Processing

During which phase do security analysts get the chance to define the questions to investigate incidents?

Direction

What sharing models are supported by TAXII?

Collection and Channel

When an adversary has obtained access to a network and is extracting data, what phase of the kill chain are they on?

Actions on Objectives

What was the source email address?

vipivillain@badbank.com

What was the name of the file downloaded?

flbpfuh.exe

After building the threat profile, what message do you receive?

THM{NOW_I_CAN_CTI}

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
