TryHackMe: Intro to Cyber Threat Intel Walkthrough (SOC Level 1)

January 2, 2025 Jasper
Welcome to this walkthrough of the Cyber Threat Intel Room on TryHackMe.

This room will introduce you to cyber threat intelligence (CTI) and various frameworks used to share intelligence. As security analysts, CTI is vital for investigating and reporting against adversary attacks with organisational stakeholders and external communities.

This room is part of the SOC Level 1 Path.

Intro to Cyber Threat Intel

Room URL: https://tryhackme.com/r/room/cyberthreatintel

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.

Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on!


Task 1: Introduction

This room will introduce you to cyber threat intelligence (CTI) and various frameworks used to share intelligence. As security analysts, CTI is vital for investigating and reporting against adversary attacks with organisational stakeholders and external communities.
Learning Objectives
  • The basics of CTI and its various classifications.
  • The lifecycle followed to deploy and use intelligence during threat investigations.
  • Frameworks and standards used in distributing intelligence.
Cyber Threat Intelligence Module

This is the first room in a new Cyber Threat Intelligence module. The module will also contain:

Questions

Ready to get started!

Answer: No answer needed


Task 2: Cyber Threat Intelligence

Introduction to Cyber Threat Intelligence (CTI)

Cyber Threat Intelligence (CTI) involves evidence-based insights about adversaries, including their tactics, motivations, and actionable guidance to protect critical assets and inform both cybersecurity teams and business decisions.

Distinguishing Data, Information, and Intelligence

CTI builds upon the distinctions between data, information, and intelligence:

  • Data: Raw indicators like IP addresses, URLs, or hashes.
  • Information: Contextualized data points, such as tracking how often a domain is accessed.
  • Intelligence: Correlated data and information analyzed to identify patterns and actionable insights.

The Core Purpose of CTI

CTI focuses on understanding the relationship between an organization and potential adversaries to enhance defenses. Key questions include:

  • Who is targeting you?
  • What motivates them?
  • What are their capabilities?
  • Which Indicators of Compromise (IOCs) should be monitored?

Sources of Threat Intelligence

Threat intelligence is derived from various sources:

  1. Internal: Logs, vulnerability assessments, incident reports, and employee training outcomes.
  2. Community: Open forums and dark web activity.
  3. External: Commercial and open-source threat feeds, government data, and public publications.

Types of Threat Intelligence

CTI is categorized into four classifications:

  1. Strategic Intel: High-level analysis of trends and risks to guide business decisions.
  2. Technical Intel: Evidence like attack artefacts to develop defensive baselines.
  3. Tactical Intel: Insights into adversaries’ Tactics, Techniques, and Procedures (TTPs) to improve real-time defenses.
  4. Operational Intel: Specifics about adversaries’ motives, intent, and targeted assets to inform protective measures.

Conclusion

Cyber Threat Intelligence is a cornerstone of modern cybersecurity, helping organizations anticipate and respond to threats effectively by combining insights from diverse sources into actionable intelligence.

Questions

What does CTI stand for?

Answer: Cyber Threat Intelligence

IP addresses, Hashes and other threat artefacts would be found under which Threat Intelligence classification?

IP addresses, hashes and other artefacts are part of technical intel.

Answer: Technical Intel



Task 3: CTI Lifecycle

Transforming raw data into actionable insights requires a structured, six-phase threat intelligence lifecycle. This process ensures organizations can effectively triage and respond to security incidents.

1. Direction

Setting clear objectives is the foundation of any threat intelligence program. This phase involves:

  • Identifying critical assets and business processes that need protection.
  • Assessing the potential impact of asset loss or process disruption.
  • Defining data sources and tools for threat detection.
  • Allocating resources to safeguard assets.

This phase is also where security analysts pose the questions that will drive the investigation of incidents.

2. Collection

Data is gathered based on the defined objectives, utilizing commercial, private, and open-source resources. Given the vast amounts of data involved, automation is often essential to streamline this phase and free up time for incident triage.

3. Processing

Raw data—such as logs, malware, and network traffic—often arrives in unstructured formats. Processing organizes and correlates this data, adding tags and visualizations to make it comprehensible for analysts. Security Information and Event Management (SIEM) tools are critical in this phase, enabling efficient data parsing and organization.

4. Analysis

Security analysts derive actionable insights from the processed data, focusing on:

  • Identifying indicators of compromise (IOCs) and attack patterns.
  • Developing action plans to prevent or mitigate attacks.
  • Enhancing security controls or justifying investment in additional resources.

5. Dissemination

Intelligence must be tailored to various stakeholders within the organization:

  • Executives: Require high-level reports on trends, financial risks, and strategic recommendations.
  • Technical Teams: Need detailed insights into IOCs, adversary Tactics, Techniques, and Procedures (TTPs), and tactical defense strategies.

6. Feedback

Stakeholder feedback is crucial for refining the threat intelligence process. Regular interactions ensure continuous improvement of security controls and the effectiveness of the intelligence lifecycle.

Questions

At which phase of the CTI lifecycle is data converted into usable formats through sorting, organising, correlation and presentation?

This phase happens after the data is collected in phase 2. After the data is collected we process it into a useful structured format. We do this in the processing phase.

Answer: processing

During which phase do security analysts get the chance to define the questions to investigate incidents?

This phase sets the direction and goals of the investigation, and includes the opportunity for security analysts to define the questions used during the investigation.

Answer: direction



Task 4: CTI Standards & Frameworks

Standards and frameworks provide the foundation for structuring, sharing, and utilizing Cyber Threat Intelligence (CTI). They ensure consistent terminology and facilitate collaboration across industries. Below is a summary of essential CTI standards and frameworks:


MITRE ATT&CK

The MITRE ATT&CK framework is a comprehensive knowledge base detailing adversary tactics and techniques. Security analysts use it to investigate and track adversarial behavior systematically, enabling effective detection and mitigation strategies.


TAXII (Trusted Automated eXchange of Indicator Information)

TAXII defines secure protocols for sharing threat intel in near real-time. It supports two models:

  • Collection: A producer collects and hosts threat intel, accessible to users on request.
  • Channel: Threat intel is proactively pushed to subscribers by a central server.

STIX (Structured Threat Information Expression)

STIX is a standardized language for capturing and communicating cyber threat intelligence. It organizes and defines relationships among critical elements like observables, indicators, adversary tactics, attack campaigns, and more.
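To make those STIX relationships concrete, here is an added example (my own code, not the room's or the original post's) that builds a STIX 2.1 bundle using only the Python standard library instead of the `stix2` package, so the object structure stays visible. The indicator values are the ones from the Task 5 lab; the object types (`indicator`, `malware`, `relationship`, `bundle`), the required properties and the `indicates` relationship type are as defined in STIX 2.1. The `validate_bundle` function is my own sanity check of the kind a consumer would run before loading the bundle, not part of the standard.

```python
"""Build a minimal STIX 2.1 bundle for the Task 5 phishing engagement.

Added example, not from the TryHackMe room or the original walkthrough.
Uses only the standard library rather than the `stix2` package.
"""
import json
import uuid
from datetime import datetime, timezone


def _now() -> str:
    # STIX timestamps are RFC 3339 UTC with millisecond precision and a 'Z' suffix.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _sdo(obj_type: str, **props) -> dict:
    """Common header shared by every STIX Domain Object and Relationship Object."""
    ts = _now()
    return {
        "type": obj_type,
        "spec_version": "2.1",
        "id": f"{obj_type}--{uuid.uuid4()}",  # STIX ids are '<type>--<UUID>'
        "created": ts,
        "modified": ts,
        **props,
    }


def make_indicator(name: str, pattern: str) -> dict:
    # 'pattern' is written in the STIX patterning language; 'pattern_type' and
    # 'valid_from' are required properties of an indicator in STIX 2.1.
    return _sdo("indicator", name=name, pattern=pattern, pattern_type="stix",
                valid_from=_now(), indicator_types=["malicious-activity"])


def make_malware(name: str) -> dict:
    # 'is_family' is required in STIX 2.1: False means one sample, not a family.
    return _sdo("malware", name=name, is_family=False, malware_types=["unknown"])


def make_relationship(src: dict, rel_type: str, dst: dict) -> dict:
    return _sdo("relationship", relationship_type=rel_type,
                source_ref=src["id"], target_ref=dst["id"])


def build_bundle(sender: str, filename: str, exfil_ip: str) -> dict:
    """Assemble the indicators, the malware object and their relationships."""
    malware = make_malware(filename)
    indicators = [
        make_indicator("Phishing sender", f"[email-addr:value = '{sender}']"),
        make_indicator("Dropped payload", f"[file:name = '{filename}']"),
        make_indicator("Exfiltration address", f"[ipv4-addr:value = '{exfil_ip}']"),
    ]
    # Each indicator 'indicates' the malware object: that is the STIX way of
    # saying "if you see this observable, you are probably looking at this threat".
    rels = [make_relationship(ind, "indicates", malware) for ind in indicators]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [malware, *indicators, *rels]}


def validate_bundle(bundle: dict) -> bool:
    """My own consumer-side check: ids are well-formed and every ref resolves."""
    ids = {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        if not o["id"].startswith(o["type"] + "--"):
            return False
        if o["type"] == "relationship" and (
                o["source_ref"] not in ids or o["target_ref"] not in ids):
            return False
    return True


if __name__ == "__main__":
    # Values taken from the SIEM dashboard in Task 5 of the room.
    b = build_bundle("vipivillain@badbank.com", "flbpfuh.exe", "91.185.23.222")
    print(json.dumps(b, indent=2))
```

The resulting JSON is what a TAXII server would host in a Collection or push over a Channel; the relationships are what let an analyst pivot from one observable (the sender address) to everything linked to the same malware object.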


Cyber Kill Chain

Developed by Lockheed Martin, the Cyber Kill Chain outlines seven stages of an adversary’s attack process, helping analysts identify and respond to specific actions.

Stage                  | Purpose                                                      | Examples
-----------------------|--------------------------------------------------------------|--------------------------------------
Reconnaissance         | Gather intel on the victim and potential attack vectors.     | OSINT, email harvesting, network scans.
Weaponization          | Create tailored malware for the attack.                      | Backdoors, malicious documents.
Delivery               | Deliver malware to the victim's system.                      | Email, weblinks, USB drives.
Exploitation           | Exploit vulnerabilities to execute malicious actions.        | EternalBlue, Zero-Logon.
Installation           | Deploy malware and establish persistence.                    | Remote access trojans, backdoors.
Command & Control      | Maintain remote access and deploy further actions.           | Cobalt Strike, Empire.
Actions on Objectives  | Achieve attack goals (e.g., financial gain, espionage).      | Ransomware, data exfiltration.

The Cyber Kill Chain has evolved with frameworks like MITRE ATT&CK, leading to the Unified Kill Chain.


The Diamond Model

The Diamond Model analyzes and tracks intrusions by focusing on four components:

  1. Adversary: The threat actor and their motives.
  2. Victim: The individual, group, or organization targeted.
  3. Infrastructure: Tools, systems, and resources used by the adversary and the victim’s compromised systems.
  4. Capabilities: Methods and tactics employed by the adversary to achieve their goals.

This model enables analysts to pivot between its elements, offering a comprehensive view of an attack and correlating key indicators for actionable insights.

Questions

What sharing models are supported by TAXII?

TAXII supports two models:

  • Collection: A producer collects and hosts threat intel, accessible to users on request.
  • Channel: Threat intel is proactively pushed to subscribers by a central server.

Answer: Collection and Channel

When an adversary has obtained access to a network and is extracting data, what phase of the kill chain are they on?

This is part of the final phase of the kill chain, in other words the Actions on Objectives phase, where the adversary is acting on their objectives. In this case that means extracting data from the target host(s).

Answer: Actions on Objectives



Task 5: Practical Analysis

As part of the dissemination phase of the lifecycle, CTI is also distributed to organisations using published threat reports. These reports come from technology and security companies that research emerging and actively used threat vectors. They are valuable for consolidating information presented to all suitable stakeholders. Some notable threat reports come from Mandiant, Recorded Future and AT&T Cybersecurity.

All the things we have discussed come together when mapping out an adversary based on threat intel. To better understand this, we will analyse a simplified engagement example. Click on the green “View Site” button in this task to open the Static Site Lab and navigate through the security monitoring tool on the right panel and fill in the threat details.

Questions

Open the site, and you will see a SIEM Dashboard.

SIEM Dashboard

Let’s answer the following questions.

What was the source email address?

On the second to last row you will read that an email has been received from vipivillain@badbank.com. This is the answer to the question.

Answer: vipivillain@badbank.com

What was the name of the file downloaded?

This one is just above the previously mentioned row. The file name is flbpfuh.exe.

Answer: flbpfuh.exe

After building the threat profile, what message do you receive?

Now we have to build the threat profile by filling out the fields shown in the image below:

The correct answers are as follows:

Threat Actor Extraction IP Address: 91.185.23.222

Threat Actor Email Address: vipivillain@badbank.com

Malware Tool: flbpfuh.exe

User Victim Logged Account: Administrator

Victim Email Recipient: John Doe (this user clicked the phishing email containing the malware)


The flag you will receive is as follows:

Answer: THM{NOW_I_CAN_CTI}
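The lab does this step by hand, so here is an added example (my own code, not the room's or the post's) of how the same analysis looks when scripted: raw SIEM events are the data, parsing and counting them is the information step, and correlating fields across events into the threat profile and a kill-chain timeline is the intelligence step from Task 2 and the processing/analysis phases from Task 3. The log lines are constructed for this example in a space-separated key=value format I chose; the event names, the kill-chain mapping and the exfiltration byte threshold are my assumptions. The values reuse the ones from the SIEM dashboard above.

```python
"""Turn constructed SIEM events into a threat profile and kill-chain timeline.

Added example, not part of the TryHackMe room or the original walkthrough.
Log format, event names, stage mapping and thresholds are my own assumptions.
"""
import shlex
from collections import Counter
from typing import Optional

# Data: raw, uncontextualised event lines (constructed for this example;
# the addresses and file name reuse the Task 5 dashboard values).
RAW_EVENTS = """\
ts=2025-01-02T09:58:10Z host=WS01 event=logon user=Administrator
ts=2025-01-02T09:59:02Z host=WS01 event=dns_query user=Administrator domain=updates.example.com
ts=2025-01-02T10:00:11Z host=WS01 event=email_received user=Administrator from=vipivillain@badbank.com recipient="John Doe"
ts=2025-01-02T10:01:40Z host=WS01 event=file_download user=Administrator file=flbpfuh.exe
ts=2025-01-02T10:01:45Z host=WS01 event=process_start user=Administrator image=flbpfuh.exe
ts=2025-01-02T10:02:30Z host=WS01 event=net_connect user=Administrator dst=91.185.23.222 dport=443 bytes_out=48201376
"""

# Assumed threshold: an outbound transfer this large is treated as exfiltration
# (Actions on Objectives) rather than plain beaconing (Command & Control).
EXFIL_BYTES = 10_000_000


def parse_events(text: str) -> list:
    """Information: split each raw line into a dict of fields (shlex keeps quoted values intact)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(tok.split("=", 1) for tok in shlex.split(line)))
    return events


def event_counts(events: list) -> Counter:
    """Information: the 'how often does X happen' view the room describes."""
    return Counter(e["event"] for e in events)


def kill_chain_stage(e: dict) -> Optional[str]:
    """Assumed mapping from event type to Cyber Kill Chain stage; None for benign noise."""
    if e["event"] in ("email_received", "file_download"):
        return "Delivery"
    if e["event"] == "process_start":
        return "Installation"
    if e["event"] == "net_connect":
        big = int(e.get("bytes_out", 0)) >= EXFIL_BYTES
        return "Actions on Objectives" if big else "Command & Control"
    return None


def build_threat_profile(events: list) -> dict:
    """Intelligence: correlate fields across events into the Task 5 profile fields."""
    profile = {}
    downloaded = set()
    for e in events:
        if e["event"] == "email_received":
            profile["Threat Actor Email Address"] = e["from"]
            profile["Victim Email Recipient"] = e["recipient"]
            profile["User Victim Logged Account"] = e["user"]
        elif e["event"] == "file_download":
            downloaded.add(e["file"])
        elif e["event"] == "process_start" and e["image"] in downloaded:
            # Only a downloaded file that was then executed counts as the malware tool.
            profile["Malware Tool"] = e["image"]
        elif e["event"] == "net_connect" and kill_chain_stage(e) == "Actions on Objectives":
            profile["Threat Actor Extraction IP Address"] = e["dst"]
    return profile


def timeline(events: list) -> list:
    """Ordered (timestamp, stage) pairs for the events that map to a kill-chain stage."""
    return [(e["ts"], kill_chain_stage(e)) for e in events if kill_chain_stage(e)]


if __name__ == "__main__":
    ev = parse_events(RAW_EVENTS)
    print(event_counts(ev))
    for ts, stage in timeline(ev):
        print(ts, stage)
    for k, v in build_threat_profile(ev).items():
        print(f"{k}: {v}")
```

The correlation rules are deliberately narrow: the profile only names a file as the malware tool if it was both downloaded and executed, and only treats an outbound connection as exfiltration above the byte threshold. Loosening those rules is where false positives come from, which is the feedback-phase tuning the lifecycle describes.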


Congratulations on completing Intro to Cyber Threat Intel!!!


This was a great introduction to Cyber Threat Intel. Great job for following along! Let’s continue learning about threat intel!


Like my articles?

You are welcome to give my article a clap or two 🙂
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:
