In this post, we provide a comprehensive explanation of OpenCTI, a cyber threat intelligence platform used to gather threat intelligence and turn it into security controls. We also use the TryHackMe Trooper room for the practical part.

Please watch the video at the bottom for a full, detailed explanation of the walkthrough.

TryHackMe Task Description

A multinational technology company has been the target of several cyber attacks in the past few months. The attackers have been successful in stealing sensitive intellectual property and causing disruptions to the company’s operations. A threat advisory report about similar attacks has been shared, and as a CTI analyst, your task is to identify the Tactics, Techniques, and Procedures (TTPs) being used by the Threat group and gather as much information as possible about their identity and motive. For this task, you will utilise the OpenCTI platform as well as the MITRE ATT&CK navigator, linked to the details below. 

Introduction to Cyber Threat Intelligence (CTI)

CTI refers to collecting, managing, and sharing threat intelligence data, which is crucial for identifying and mitigating cybersecurity threats.

Platforms like OpenCTI, MISP (Malware Information Sharing Platform), and TheHive are used to store and manage threat data gathered from incident response engagements and community feeds.

Sources of Threat Intelligence

Incident Response Engagements: Data from incident response teams includes malware samples and indicators of compromise (IOCs) such as file hashes, IP addresses and domains.

Community Feeds: Sharing threat data across organizations provides a broader view of emerging cyber threats.

Components of OpenCTI

Dashboard: Summarizes all collected threat intelligence, including reports, entities, and observables (e.g., domains and IPs).

Activities Tab: Contains threat intelligence reports from various organizations, detailing recent threats and events. Local incident data is registered here.

Knowledge Tab: Includes detailed information on threat actors and their tactics, techniques, and procedures (TTPs), tools and malware. It also categorizes threats using frameworks like MITRE ATT&CK.

USB-Ferry Attack Analysis with OpenCTI

The USBferry malware (written USB-Ferry in some reports) is described in a cyber attack scenario in which it is propagated via USB devices to reach air-gapped networks (networks isolated from the internet for security reasons).

The attack targets critical sectors, including healthcare, military, and transportation in regions like Taiwan, the Philippines, and Hong Kong.

By using OpenCTI and MITRE Navigator, analysts can investigate attacks, identify attacker groups (such as Tropic Trooper), and analyze their tactics and tools.

USBferry is delivered initially via spear-phishing emails, then spreads to air-gapped systems via infected USB drives.

Investigators can search for related malware, tools, and vulnerabilities within OpenCTI to conduct a thorough analysis of the cyber attack.

Understanding Attack Patterns

OpenCTI allows the analysis of attack patterns, such as how Tropic Trooper uses various techniques like spear-phishing and USB propagation for initial access to systems.

Analysts can dive deeper into specific malware, such as Yahoyah and USBferry, and see the associated attack patterns and defensive strategies.

Room Answers | TryHackMe Trooper

What kind of phishing campaign does APT X use as part of their TTPs?
spear-phishing emails

What is the name of the malware used by APT X?
USBferry

What is the malware’s STIX ID?

malware--5d0ea014-1ce9-5d5c-bcc7-f625a07907d0c

With the use of a USB, what technique did APT X use for initial access?

Replication through removable media

What is the identity of APT X? 
Tropic Trooper

On OpenCTI, how many Attack Pattern techniques are associated with the APT?

39

What is the name of the tool linked to the APT?

BITSAdmin

Load up the Navigator. What is the sub-technique used by the APT under Valid Accounts?
Local Accounts

Under what Tactics does the technique above fall?

Initial Access, Persistence, Defense Evasion and Privilege Escalation

What technique is the group known for using under the tactic Collection?

Automated Collection
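The answers above (a malware's STIX ID, the attack patterns linked to an intrusion set, the tactics a sub-technique falls under) all come from the STIX 2.1 data model that OpenCTI and the ATT&CK Navigator both consume. The following Python is an added example, not code from the TryHackMe room or from OpenCTI: it validates a STIX identifier (the literal `--` separator and the 8-4-4-4-12 UUID layout, which a web editor's en-dash silently breaks) and then answers the same kind of questions over a small STIX bundle constructed inline. The ATT&CK technique, tool and tactic names in the sample are real; the object UUIDs, the actor's "uses" relationships and the bundle itself are made up for this example and do not reproduce OpenCTI's data for Tropic Trooper.

```python
import re
import uuid
from collections import defaultdict

# ---- STIX identifier handling ---------------------------------------------
STIX_TYPE_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,248}[a-z0-9]$")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def parse_stix_id(stix_id):
    """Split 'type--uuid' into (type, uuid.UUID); raise ValueError if malformed.

    uuid.UUID() alone is too lenient (it accepts missing hyphens, braces and a
    'urn:uuid:' prefix), so the layout is enforced with UUID_RE first. An ID
    whose '--' was turned into an en-dash by a web editor fails at partition().
    """
    head, sep, tail = stix_id.partition("--")
    if not sep or not STIX_TYPE_RE.match(head):
        raise ValueError(f"not a STIX identifier: {stix_id!r}")
    if not UUID_RE.match(tail):
        raise ValueError(f"malformed UUID in {stix_id!r}")
    return head, uuid.UUID(tail)


def is_stix_id(value):
    try:
        parse_stix_id(value)
        return True
    except ValueError:
        return False


# ---- Constructed sample bundle (assumption: not OpenCTI or ATT&CK data) ----
def _cid(label):
    """Stable, made-up object UUID for the sample; not a real OpenCTI ID."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, f"https://example.invalid/{label}"))


def _attack_pattern(ext_id, name, phases):
    return {"type": "attack-pattern", "id": f"attack-pattern--{_cid(ext_id)}",
            "name": name, "x_mitre_is_subtechnique": "." in ext_id,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p}
                                  for p in phases]}


def _rel(rel_type, src, dst):
    return {"type": "relationship", "id": f"relationship--{_cid(rel_type + src + dst)}",
            "relationship_type": rel_type, "source_ref": src, "target_ref": dst}


ACTOR = f"intrusion-set--{_cid('tropic-trooper')}"
TOOL = f"tool--{_cid('S0190')}"
MALWARE = f"malware--{_cid('usbferry')}"
AP = {  # real ATT&CK IDs and tactic names; membership in this bundle is constructed
    "T1566.001": _attack_pattern("T1566.001", "Spearphishing Attachment", ["initial-access"]),
    "T1091": _attack_pattern("T1091", "Replication Through Removable Media",
                             ["initial-access", "lateral-movement"]),
    "T1078": _attack_pattern("T1078", "Valid Accounts",
                             ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]),
    "T1078.003": _attack_pattern("T1078.003", "Local Accounts",
                                 ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]),
    "T1119": _attack_pattern("T1119", "Automated Collection", ["collection"]),
}
BUNDLE = {"type": "bundle", "id": f"bundle--{_cid('bundle')}", "objects": [
    {"type": "intrusion-set", "id": ACTOR, "name": "Tropic Trooper", "aliases": ["APT X"]},
    {"type": "tool", "id": TOOL, "name": "BITSAdmin",
     "external_references": [{"source_name": "mitre-attack", "external_id": "S0190"}]},
    {"type": "malware", "id": MALWARE, "name": "USBferry", "is_family": True},
    *AP.values(),
    *(_rel("uses", ACTOR, AP[t]["id"]) for t in ("T1566.001", "T1091", "T1078.003", "T1119")),
    _rel("uses", ACTOR, TOOL), _rel("uses", ACTOR, MALWARE),
    _rel("uses", MALWARE, AP["T1091"]["id"]),
    _rel("subtechnique-of", AP["T1078.003"]["id"], AP["T1078"]["id"]),
]}


# ---- Queries over the bundle ----------------------------------------------
def attack_id(obj):
    """Return the ATT&CK external ID (T..., S...) of an object, or None."""
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)


def find_by_attack_id(bundle, ext_id):
    return next((o for o in bundle["objects"] if attack_id(o) == ext_id), None)


def tactics_of(attack_pattern):
    """Tactics are not stored on the technique; they are its mitre-attack kill-chain phases."""
    return [p["phase_name"] for p in attack_pattern.get("kill_chain_phases", [])
            if p["kill_chain_name"] == "mitre-attack"]


def objects_used_by(bundle, actor_name, object_type):
    """Follow 'uses' relationships from the named intrusion set to objects of one type."""
    objs = {o["id"]: o for o in bundle["objects"]}
    actor_ids = {o["id"] for o in objs.values()
                 if o["type"] == "intrusion-set" and o["name"] == actor_name}
    used = [objs[r["target_ref"]] for r in objs.values()
            if r["type"] == "relationship" and r["relationship_type"] == "uses"
            and r["source_ref"] in actor_ids and objs.get(r["target_ref"], {}).get("type") == object_type]
    return sorted(used, key=lambda o: attack_id(o) or o["name"])


def subtechniques_used_under(bundle, actor_name, parent_ext_id):
    """Names of sub-techniques the actor uses whose 'subtechnique-of' parent is parent_ext_id."""
    objs = {o["id"]: o for o in bundle["objects"]}
    used_ids = {o["id"] for o in objects_used_by(bundle, actor_name, "attack-pattern")}
    return sorted(objs[r["source_ref"]]["name"] for r in objs.values()
                  if r["type"] == "relationship" and r["relationship_type"] == "subtechnique-of"
                  and r["source_ref"] in used_ids and attack_id(objs[r["target_ref"]]) == parent_ext_id)


def techniques_by_tactic(bundle, actor_name):
    """Navigator-style view: tactic -> technique IDs the actor is linked to."""
    by_tactic = defaultdict(list)
    for ap in objects_used_by(bundle, actor_name, "attack-pattern"):
        for tactic in tactics_of(ap):
            by_tactic[tactic].append(attack_id(ap))
    return dict(by_tactic)


if __name__ == "__main__":
    for ext_id in ("T1078.003", "T1119"):
        print(ext_id, tactics_of(find_by_attack_id(BUNDLE, ext_id)))
    print(len(objects_used_by(BUNDLE, "Tropic Trooper", "attack-pattern")), "attack patterns")
    print(subtechniques_used_under(BUNDLE, "Tropic Trooper", "T1078"))
```

The count of attack patterns is only as good as the relationships in the bundle: OpenCTI reports 39 for Tropic Trooper because its imported connectors (ATT&CK, vendor reports) contributed that many "uses" relationships, whereas this constructed bundle links four. The same distinction explains why a sub-technique appears under four tactics: the tactics come from the technique's own kill-chain phases, not from the actor.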

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
