This room will introduce you to cyber threat intelligence (CTI) and various frameworks used to share intelligence. As security analysts, CTI is vital for investigating and reporting against adversary attacks with organisational stakeholders and external communities.
This room is part of the SOC Level 1 Path.
Room URL: https://tryhackme.com/r/room/cyberthreatintel
I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.
Join me in learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Now, let’s move on!
Task 1: Introduction
- The basics of CTI and its various classifications.
- The lifecycle followed to deploy and use intelligence during threat investigations.
- Frameworks and standards used in distributing intelligence.
This is the first room in a new Cyber Threat Intelligence module. The module will also contain:
Questions
Ready to get started!
Answer: No answer needed
Task 2: Cyber Threat Intelligence
Introduction to Cyber Threat Intelligence (CTI)
Cyber Threat Intelligence (CTI) involves evidence-based insights about adversaries, including their tactics, motivations, and actionable guidance to protect critical assets and inform both cybersecurity teams and business decisions.
Distinguishing Data, Information, and Intelligence
CTI builds upon the distinctions between data, information, and intelligence:
- Data: Raw indicators like IP addresses, URLs, or hashes.
- Information: Contextualized data points, such as tracking how often a domain is accessed.
- Intelligence: Correlated data and information analyzed to identify patterns and actionable insights.
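As an added example (not code from the room or from this walkthrough), the script below walks a few constructed proxy log lines through the three tiers just listed: the parser yields raw data, the summary step turns it into information (how often each domain is contacted, how much was sent, and from which hosts), and the correlation step joins that context with a constructed external feed to produce an intelligence finding that names the affected host and ranks it by confidence. The log format, hostnames, domains and feed entries are all made up for the example.

```python
"""
Added example, not part of the TryHackMe room or this walkthrough.
Every log line, host, domain and feed entry below is constructed.
"""
from collections import defaultdict
from datetime import datetime

# --- DATA tier: raw proxy log lines exactly as they might arrive (constructed) ---
RAW_PROXY_LOGS = """\
2024-05-01T08:02:11Z host=WS-014 user=jdoe dst=updates.example-vendor.test bytes=5120
2024-05-01T08:02:40Z host=WS-014 user=jdoe dst=updates.example-vendor.test bytes=4096
2024-05-01T08:05:03Z host=WS-014 user=jdoe dst=cdn.lookalike-update.test bytes=812000
2024-05-01T08:05:09Z host=WS-014 user=jdoe dst=cdn.lookalike-update.test bytes=790000
2024-05-01T08:05:15Z host=WS-014 user=jdoe dst=cdn.lookalike-update.test bytes=805000
2024-05-01T08:07:00Z host=WS-022 user=asmith dst=updates.example-vendor.test bytes=5120
"""

# An external feed as a sharing partner might deliver it (constructed).
THREAT_FEED = {
    "cdn.lookalike-update.test": {"tag": "exfil-staging", "confidence": 80},
}


def parse_logs(text):
    """DATA: split each line into raw fields. No interpretation happens here."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        fields["bytes"] = int(fields["bytes"])
        events.append(fields)
    return events


def summarise(events):
    """INFORMATION: give the raw indicators context (frequency, volume, which hosts)."""
    info = defaultdict(lambda: {"hits": 0, "bytes": 0, "hosts": set()})
    for e in events:
        entry = info[e["dst"]]
        entry["hits"] += 1
        entry["bytes"] += e["bytes"]
        entry["hosts"].add(e["host"])
    return dict(info)


def correlate(info, feed):
    """INTELLIGENCE: join internal context with the external feed and rank what matters."""
    findings = []
    for domain, ctx in info.items():
        if domain in feed:
            findings.append({
                "domain": domain,
                "tag": feed[domain]["tag"],
                "confidence": feed[domain]["confidence"],
                "hits": ctx["hits"],
                "bytes_out": ctx["bytes"],
                "affected_hosts": sorted(ctx["hosts"]),
            })
    # Highest confidence first, then the largest outbound volume.
    return sorted(findings, key=lambda f: (-f["confidence"], -f["bytes_out"]))


def run(text=RAW_PROXY_LOGS, feed=THREAT_FEED):
    """Run the full data -> information -> intelligence pipeline."""
    return correlate(summarise(parse_logs(text)), feed)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The point of the three separate functions is that each tier is only useful to a different audience: the raw lines go to storage, the summary answers an analyst's "is this normal?", and only the correlated finding tells a defender which host to isolate and why.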
The Core Purpose of CTI
CTI focuses on understanding the relationship between an organization and potential adversaries to enhance defenses. Key questions include:
- Who is targeting you?
- What motivates them?
- What are their capabilities?
- Which Indicators of Compromise (IOCs) should be monitored?
Sources of Threat Intelligence
Threat intelligence is derived from various sources:
- Internal: Logs, vulnerability assessments, incident reports, and employee training outcomes.
- Community: Open forums and dark web activity.
- External: Commercial and open-source threat feeds, government data, and public publications.
Types of Threat Intelligence
CTI is categorized into four classifications:
- Strategic Intel: High-level analysis of trends and risks to guide business decisions.
- Technical Intel: Evidence like attack artefacts to develop defensive baselines.
- Tactical Intel: Insights into adversaries’ Tactics, Techniques, and Procedures (TTPs) to improve real-time defenses.
- Operational Intel: Specifics about adversaries’ motives, intent, and targeted assets to inform protective measures.
Conclusion
Cyber Threat Intelligence is a cornerstone of modern cybersecurity, helping organizations anticipate and respond to threats effectively by combining insights from diverse sources into actionable intelligence.
Questions
What does CTI stand for?
Answer: Cyber Threat Intelligence
IP addresses, Hashes and other threat artefacts would be found under which Threat Intelligence classification?
IP addresses, hashes and other artefacts are part of technical intel.
Answer: Technical Intel
Task 3: CTI Lifecycle
Transforming raw data into actionable insights requires a structured, six-phase threat intelligence lifecycle. This process ensures organizations can effectively triage and respond to security incidents.
1. Direction
Setting clear objectives is the foundation of any threat intelligence program. This phase involves:
- Identifying critical assets and business processes that need protection.
- Assessing the potential impact of asset loss or process disruption.
- Defining data sources and tools for threat detection.
- Allocating resources to safeguard assets.
This phase also gives security analysts the opportunity to pose the questions that will guide incident investigations.
2. Collection
Data is gathered based on the defined objectives, utilizing commercial, private, and open-source resources. Given the vast amounts of data involved, automation is often essential to streamline this phase and free up time for incident triage.
3. Processing
Raw data—such as logs, malware, and network traffic—often arrives in unstructured formats. Processing organizes and correlates this data, adding tags and visualizations to make it comprehensible for analysts. Security Information and Event Management (SIEM) tools are critical in this phase, enabling efficient data parsing and organization.
4. Analysis
Security analysts derive actionable insights from the processed data, focusing on:
- Identifying indicators of compromise (IOCs) and attack patterns.
- Developing action plans to prevent or mitigate attacks.
- Enhancing security controls or justifying investment in additional resources.
5. Dissemination
Intelligence must be tailored to various stakeholders within the organization:
- Executives: Require high-level reports on trends, financial risks, and strategic recommendations.
- Technical Teams: Need detailed insights into IOCs, adversary Tactics, Techniques, and Procedures (TTPs), and tactical defense strategies.
6. Feedback
Stakeholder feedback is crucial for refining the threat intelligence process. Regular interactions ensure continuous improvement of security controls and the effectiveness of the intelligence lifecycle.
Questions
At which phase of the CTI lifecycle is data converted into usable formats through sorting, organising, correlation and presentation?
This happens after the data has been collected in phase 2: the collected data is sorted, correlated and turned into a useful structured format, which is the job of the processing phase.
Answer: processing
During which phase do security analysts get the chance to define the questions to investigate incidents?
This phase sets the direction and goals of the investigation, and includes the opportunity for security analysts to define the questions used during the investigation.
Answer: direction
Task 4: CTI Standards & Frameworks
Questions
What sharing models are supported by TAXII?
TAXII supports two models:
- Collection: A producer collects and hosts threat intel, accessible to users on request.
- Channel: Threat intel is proactively pushed to subscribers by a central server.
Answer: Collection and Channel
When an adversary has obtained access to a network and is extracting data, what phase of the kill chain are they on?
This is the final phase of the kill chain, Actions on Objectives, where the adversary carries out the goal of the intrusion; in this case that goal is extracting data from the target host(s).
Answer: Actions on Objectives
Task 5: Practical Analysis
Questions
Open the site, and you will see a SIEM Dashboard.
Let’s answer the following questions.
What was the source email address?
The second-to-last row of the dashboard shows an email received from vipivillain@badbank.com, which is the answer to this question.
Answer: vipivillain@badbank.com
What was the name of the file downloaded?
This one is just above the previously mentioned row. The file name is flbpfuh.exe.
Answer: flbpfuh.exe
After building the threat profile, what message do you receive?
Now we have to build the threat profile by filling out the fields shown in the image below:
The correct answers are as follows:
Threat Actor Extraction IP Address: 91.185.23.222
Threat Actor Email Address: vipivillain@badbank.com
Malware Tool: flbpfuh.exe
User Victim Logged Account: Administrator
Victim Email Recipient: John Doe (this user clicked the phishing email containing the malware)
The flag you will receive is as follows:
Answer: THM{NOW_I_CAN_CTI}
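As an added example that serves both the kill-chain question in Task 4 and the threat profile in Task 5 (it is not the room's code or this walkthrough's), the script below takes a constructed set of SIEM rows shaped after the dashboard, labels each row with a simplified Cyber Kill Chain phase, and derives the five profile fields by correlating events rather than reading them off by eye: the sender of the mail the victim received just before the download, the downloaded file that was later executed, the account that executed it, and the destination of the largest outbound transfer. The row layout, event type names, timestamps, the extra noise row and the phase mapping are assumptions of this example; the indicator values are the ones listed above.

```python
"""
Added example, not part of the TryHackMe room or this walkthrough.
The rows below are constructed to resemble the Task 5 dashboard; the field
names, event types and timestamps are this example's own assumptions.
"""

SIEM_ROWS = [
    {"time": "10:01", "event_type": "email_received", "user": "John Doe",
     "detail": "from=vipivillain@badbank.com subject='Invoice'"},
    {"time": "10:03", "event_type": "file_download", "user": "John Doe",
     "detail": "file=flbpfuh.exe"},
    {"time": "10:04", "event_type": "process_start", "user": "Administrator",
     "detail": "image=flbpfuh.exe"},
    {"time": "10:06", "event_type": "outbound_transfer", "user": "Administrator",
     "detail": "dst=91.185.23.222 bytes=48000000"},
    # Unrelated noise row (constructed) to show the correlation ignores it.
    {"time": "10:07", "event_type": "email_received", "user": "Jane Roe",
     "detail": "from=hr@example.internal subject='Lunch'"},
]

# Simplified mapping from event type to Cyber Kill Chain phase (an assumption
# of this example; real SIEM content would carry its own classification).
KILL_CHAIN_PHASE = {
    "email_received": "Delivery",
    "file_download": "Delivery",
    "process_start": "Installation",
    "outbound_transfer": "Actions on Objectives",
}


def parse_detail(detail):
    """Turn 'k=v k=v' detail text into a dict."""
    return dict(tok.split("=", 1) for tok in detail.split())


def label_phases(rows):
    """Attach a kill-chain phase to each row so the timeline reads as a narrative."""
    return [dict(r, phase=KILL_CHAIN_PHASE.get(r["event_type"], "Unclassified"))
            for r in rows]


def build_profile(rows):
    """Derive the five threat-profile fields by correlating events."""
    rows = [dict(r, fields=parse_detail(r["detail"])) for r in rows]

    def by_type(event_type):
        return [r for r in rows if r["event_type"] == event_type]

    # Extraction IP: the outbound transfer that moved the most data.
    exfil = max(by_type("outbound_transfer"), key=lambda r: int(r["fields"]["bytes"]))

    # Malware tool: a downloaded file that was later executed; the account that
    # ran it is the victim's logged-in account.
    downloads = {r["fields"]["file"]: r for r in by_type("file_download")}
    execution = next(r for r in by_type("process_start")
                     if r["fields"]["image"] in downloads)
    download = downloads[execution["fields"]["image"]]

    # Actor email: sender of the latest mail the victim received before the download.
    victim = download["user"]
    prior_mail = [r for r in by_type("email_received")
                  if r["user"] == victim and r["time"] <= download["time"]]
    actor_email = prior_mail[-1]["fields"]["from"]

    return {
        "threat_actor_extraction_ip": exfil["fields"]["dst"],
        "threat_actor_email": actor_email,
        "malware_tool": execution["fields"]["image"],
        "user_victim_logged_account": execution["user"],
        "victim_email_recipient": victim,
    }


if __name__ == "__main__":
    for row in label_phases(SIEM_ROWS):
        print(row["time"], row["phase"], row["event_type"], row["detail"])
    print(build_profile(SIEM_ROWS))
```

Reading the phases in time order shows why the data extraction row answers the Task 4 question: the email and download sit in Delivery, the execution in Installation, and the large outbound transfer is the adversary acting on their objective.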
Congratulations on completing Intro to Cyber Threat Intel!!!
This was a great introduction to Cyber Threat Intel. Great job for following along! Let’s continue learning about threat intel!