Jasper Alblas
TryHackMe: Intro to Cyber Threat Intel Walkthrough (SOC Level 1)
Welcome to this walkthrough of the Cyber Threat Intel Room on TryHackMe.
This room will introduce you to cyber threat intelligence (CTI) and various frameworks used to share intelligence. As security analysts, CTI is vital for investigating and reporting against adversary attacks with organisational stakeholders and external communities.
This room is part of the SOC Level 1 Path.
Room URL: https://tryhackme.com/r/room/cyberthreatintel
I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM. Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Now, let’s move on!
Table of Contents
Task 1: Introduction
This room will introduce you to cyber threat intelligence (CTI) and various frameworks used to share intelligence. As security analysts, CTI is vital for investigating and reporting against adversary attacks with organisational stakeholders and external communities.
Learning Objectives
- The basics of CTI and its various classifications.
- The lifecycle followed to deploy and use intelligence during threat investigations.
- Frameworks and standards used in distributing intelligence.
Cyber Threat Intelligence Module
This is the first room in a new Cyber Threat Intelligence module. The module will also contain:
Questions
Ready to get started!
Answer: No answer needed
Task 2: Cyber Threat Intelligence
Introduction to Cyber Threat Intelligence (CTI)
Cyber Threat Intelligence (CTI) involves evidence-based insights about adversaries, including their tactics, motivations, and actionable guidance to protect critical assets and inform both cybersecurity teams and business decisions.
Distinguishing Data, Information, and Intelligence
CTI builds upon the distinctions between data, information, and intelligence:
- Data: Raw indicators like IP addresses, URLs, or hashes.
- Information: Contextualized data points, such as tracking how often a domain is accessed.
- Intelligence: Correlated data and information analyzed to identify patterns and actionable insights.
The Core Purpose of CTI
CTI focuses on understanding the relationship between an organization and potential adversaries to enhance defenses. Key questions include:
- Who is targeting you?
- What motivates them?
- What are their capabilities?
- Which Indicators of Compromise (IOCs) should be monitored?
Sources of Threat Intelligence
Threat intelligence is derived from various sources:
- Internal: Logs, vulnerability assessments, incident reports, and employee training outcomes.
- Community: Open forums and dark web activity.
- External: Commercial and open-source threat feeds, government data, and public publications.
Types of Threat Intelligence
CTI is categorized into four classifications:
- Strategic Intel: High-level analysis of trends and risks to guide business decisions.
- Technical Intel: Evidence like attack artefacts to develop defensive baselines.
- Tactical Intel: Insights into adversaries’ Tactics, Techniques, and Procedures (TTPs) to improve real-time defenses.
- Operational Intel: Specifics about adversaries’ motives, intent, and targeted assets to inform protective measures.
Conclusion
Cyber Threat Intelligence is a cornerstone of modern cybersecurity, helping organizations anticipate and respond to threats effectively by combining insights from diverse sources into actionable intelligence.
Questions
What does CTI stand for?
Answer :Cyber Threat Intelligence
IP addresses, Hashes and other threat artefacts would be found under which Threat Intelligence classification?
IP addresses, hashes and other artefacts are part of technical intel.
Answer: Technical Intel
Task 3: CTI Lifecycle
Transforming raw data into actionable insights requires a structured, six-phase threat intelligence lifecycle. This process ensures organizations can effectively triage and respond to security incidents.
1. Direction
Setting clear objectives is the foundation of any threat intelligence program. This phase involves:
- Identifying critical assets and business processes that need protection.
- Assessing the potential impact of asset loss or process disruption.
- Defining data sources and tools for threat detection.
- Allocating resources to safeguard assets.
- This phase also allows security analysts to pose questions related to investigating incidents.
2. Collection
Data is gathered based on the defined objectives, utilizing commercial, private, and open-source resources. Given the vast amounts of data involved, automation is often essential to streamline this phase and free up time for incident triage.
3. Processing
Raw data—such as logs, malware, and network traffic—often arrives in unstructured formats. Processing organizes and correlates this data, adding tags and visualizations to make it comprehensible for analysts. Security Information and Event Management (SIEM) tools are critical in this phase, enabling efficient data parsing and organization.
4. Analysis
Security analysts derive actionable insights from the processed data, focusing on:
- Identifying indicators of compromise (IOCs) and attack patterns.
- Developing action plans to prevent or mitigate attacks.
- Enhancing security controls or justifying investment in additional resources.
5. Dissemination
Intelligence must be tailored to various stakeholders within the organization:
- Executives: Require high-level reports on trends, financial risks, and strategic recommendations.
- Technical Teams: Need detailed insights into IOCs, adversary Tactics, Techniques, and Procedures (TTPs), and tactical defense strategies.
6. Feedback
Stakeholder feedback is crucial for refining the threat intelligence process. Regular interactions ensure continuous improvement of security controls and the effectiveness of the intelligence lifecycle.
Questions
At which phase of the CTI lifecycle is data converted into usable formats through sorting, organising, correlation and presentation?
This phase happens after the data is collected in phase 2. After the data is collected we process it into a useful structured format. We do this in the processing phase.
Answer: processing
During which phase do security analysts get the chance to define the questions to investigate incidents?
This phase sets the direction and goals of the investigation, and includes the opportunity for security analysts to define the questions used during the investigation.
Answer: direction
Task 4: CTI Standards & Frameworks
Standards and frameworks provide the foundation for structuring, sharing, and utilizing Cyber Threat Intelligence (CTI). They ensure consistent terminology and facilitate collaboration across industries. Below is a summary of essential CTI standards and frameworks:
MITRE ATT&CK
The MITRE ATT&CK framework is a comprehensive knowledge base detailing adversary tactics and techniques. Security analysts use it to investigate and track adversarial behavior systematically, enabling effective detection and mitigation strategies.
TAXII (Trusted Automated eXchange of Indicator Information)
TAXII defines secure protocols for sharing threat intel in near real-time. It supports two models:
- Collection: A producer collects and hosts threat intel, accessible to users on request.
- Channel: Threat intel is proactively pushed to subscribers by a central server.
STIX (Structured Threat Information Expression)
STIX is a standardized language for capturing and communicating cyber threat intelligence. It organizes and defines relationships among critical elements like observables, indicators, adversary tactics, attack campaigns, and more.
Cyber Kill Chain
Developed by Lockheed Martin, the Cyber Kill Chain outlines seven stages of an adversary’s attack process, helping analysts identify and respond to specific actions.
| Stage | Purpose | Examples |
|---|---|---|
| Reconnaissance | Gather intel on the victim and potential attack vectors. | OSINT, email harvesting, network scans. |
| Weaponization | Create tailored malware for the attack. | Backdoors, malicious documents. |
| Delivery | Deliver malware to the victim’s system. | Email, weblinks, USB drives. |
| Exploitation | Exploit vulnerabilities to execute malicious actions. | EternalBlue, Zero-Logon. |
| Installation | Deploy malware and establish persistence. | Remote access trojans, backdoors. |
| Command & Control | Maintain remote access and deploy further actions. | Cobalt Strike, Empire. |
| Actions on Objectives | Achieve attack goals (e.g., financial gain, espionage). | Ransomware, data exfiltration. |
The Cyber Kill Chain has evolved with frameworks like MITRE ATT&CK, leading to the Unified Kill Chain.
The Diamond Model
The Diamond Model analyzes and tracks intrusions by focusing on four components:
- Adversary: The threat actor and their motives.
- Victim: The individual, group, or organization targeted.
- Infrastructure: Tools, systems, and resources used by the adversary and the victim’s compromised systems.
- Capabilities: Methods and tactics employed by the adversary to achieve their goals.
This model enables analysts to pivot between its elements, offering a comprehensive view of an attack and correlating key indicators for actionable insights.
Questions
What sharing models are supported by TAXII?
TAXII supports two models:
- Collection: A producer collects and hosts threat intel, accessible to users on request.
- Channel: Threat intel is proactively pushed to subscribers by a central server.
Answer: Collection and Channel
When an adversary has obtained access to a network and is extracting data, what phase of the kill chain are they on?
This is part of the final phase of the kill chain. In other words the Actions on Objectives phase, where the adversary is acting on their objectives. In this case extracting data from the target host(s).
Answer: Actions on Objectives
Task 5: Practical Analysis:
As part of the dissemination phase of the lifecycle, CTI is also distributed to organisations using published threat reports. These reports come from technology and security companies that research emerging and actively used threat vectors. They are valuable for consolidating information presented to all suitable stakeholders. Some notable threat reports come from Mandiant, Recorded Future and AT&TCybersecurity.
All the things we have discussed come together when mapping out an adversary based on threat intel. To better understand this, we will analyse a simplified engagement example. Click on the green “View Site” button in this task to open the Static Site Lab and navigate through the security monitoring tool on the right panel and fill in the threat details.
Questions
Open the site, and you will see a SIEM Dashboard.
Let’s answer the following questions.
What was the source email address?
On the second to last row you will read that an email has been received from vipivillain@badbank.com. This is the answer to the question.
Answer: vipivillain@badbank.com
What was the name of the file downloaded?
This one is just above the previously mentioned row. The file name is flbpfuh.exe.
Answer: flbpfuh.exe
After building the threat profile, what message do you receive?
Now we have to build the threat profile, by filling out the question on the below image:
The correct answers are as follows:
Threat Actor Extraction IP Address: 91.185.23.222
Threat Actor Email Address: vipivillain@badbank.com
Malware Tool: flbpfuh.exe
User Victim Logged Account: Administrator
Victim Email Recipient: John Doe (this user clicked the phishing email containing the malware)
The flag you will receive is as follows:
Answer: THM{NOW_I_CAN_CTI}
Congratulations on completing Intro to Cyber Threat Intel!!!
This was a great introduction to Cyber Threat Intel. Great job for following along! Let’s continue learning about threat intel!
Find more of my walkthroughs here.
Find all of my SOC Level walkthroughs here.
Like my articles?
You are welcome to comment this article, and please share with friends 🙂
I would be even more grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:
[…] TryHackMe: Intro to Cyber Threat Intel Walkthrough (SOC Level 1) […]