Intro to Cyber Threat Intel
TryHackMe Walkthroughs ⋅ Guided ⋅ Intro to Cyber Threat Intel
Task 1: Introduction
This room introduces us to the basics of cyber threat intelligence. In this room, we will learn:
The basics of CTI and its various classifications
The lifecycle followed to deploy and use intelligence during threat investigations
Frameworks and standards used in distributing intelligence
Task 2: Cyber Threat Intelligence
Cyber Threat Intelligence (CTI) is evidence-based knowledge about adversaries, including their indicators, tactics, motivations, and actionable advice against them.
Intelligence is the correlation of data and information to extract patterns of action based on contextual analysis. Threat intelligence can be gathered internally, from community forums, or from external sources such as public sources and threat intelligence feeds.
There are a few different types of intelligence:
Strategic intel: Looks into the organization's threat landscape and maps out risk areas
Technical intel: Looks into evidence and artifacts of an attack performed by an adversary
Tactical intel: Assesses adversaries' tactics, techniques, and procedures (TTPs)
Operational intel: Looks into the adversary's motives and intent to attack
Task 3: CTI Lifecycle
Cyber threat intelligence follows six cyclic steps that form a feedback loop.
Planning & direction: Define objectives and goals and identify crucial parameters such as information assets, tools, sources of intelligence, etc.
Collection: Gather the required data to address objectives
Processing: Extract, sort, organize, and correlate data to present it in a usable and understandable format
Analysis: Derive insights from the data and potentially investigate a threat or strengthen security controls
Dissemination: Disseminate intelligence to stakeholders
Feedback: Seek feedback from stakeholders
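The Processing step above (extract, sort, organize, correlate) is where raw feed data becomes something an analyst can actually use. As an added example that is not part of the original room, the following Python refangs, types, normalizes and de-duplicates a small constructed feed (the addresses, domain and hash below are placeholders, not real indicators), keeping a count of how many raw lines supported each indicator:

```python
import ipaddress
import re

# Constructed sample feed as it might arrive from two sources: defanged values,
# mixed case, duplicates, comments and blank lines. None of these are real IoCs.
RAW_FEED = """
# source: community-forum (constructed)
hxxp://malicious.example[.]com/payload.exe
203[.]0[.]113[.]42
MALICIOUS.EXAMPLE.COM
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
203.0.113.42

# source: vendor-feed (constructed)
198.51.100.7
http://malicious.example.com/payload.exe
"""


def refang(value: str) -> str:
    """Undo common defanging conventions ([.], (.), hxxp) so values compare equal."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", v)
    v = re.sub(r"^hxxp", "http", v, flags=re.I)
    return v


def classify(value: str) -> str:
    """Assign an indicator type by shape; 'unknown' if nothing matches."""
    try:
        return f"ipv{ipaddress.ip_address(value).version}-addr"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]{64}", value, re.I):
        return "sha256"
    if re.fullmatch(r"[0-9a-f]{32}", value, re.I):
        return "md5"
    if re.match(r"^https?://", value, re.I):
        return "url"
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}", value, re.I):
        return "domain-name"
    return "unknown"


def normalize(value: str, kind: str) -> str:
    """Canonical form per type: lowercase names and hashes, lowercase URL scheme/host only."""
    if kind in ("domain-name", "sha256", "md5"):
        return value.lower()
    if kind == "url":
        scheme, rest = value.split("://", 1)
        host, sep, path = rest.partition("/")
        return f"{scheme.lower()}://{host.lower()}{sep}{path}"
    return value


def process_feed(raw: str) -> dict:
    """Processing stage: parse, refang, type, normalize and de-duplicate indicators."""
    seen = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and source comments
        value = refang(line)
        kind = classify(value)
        value = normalize(value, kind)
        seen[(kind, value)] = seen.get((kind, value), 0) + 1
    return {
        "count": len(seen),
        "indicators": [
            {"type": k, "value": v, "sightings": n} for (k, v), n in sorted(seen.items())
        ],
    }


if __name__ == "__main__":
    for ind in process_feed(RAW_FEED)["indicators"]:
        print(f'{ind["type"]:<12} {ind["sightings"]}x  {ind["value"]}')
```

The "sightings" count is a cheap first correlation signal: an indicator reported independently by two sources usually deserves more attention in the Analysis step than one seen once.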
Task 4: CTI Standards & Frameworks
Standards and frameworks in CTI allow for common terminology and the distribution of threat intelligence across the industry. Common frameworks include:
MITRE ATT&CK: A knowledge base of adversary behavior, focusing on indicators and tactics
TAXII: Defines two models, collection and channel, for exchanging threat intelligence
STIX: Provides relationships between threat information such as attack campaigns, indicators, etc.
Cyber Kill Chain: Breaks down an adversary's attack into 7 steps: (1) reconnaissance, (2) weaponization, (3) delivery, (4) exploitation, (5) installation, (6) command and control, and (7) actions on objectives
The Diamond Model: Looks at intrusion analysis and tracking attack groups over time using four key areas: (1) adversary, (2) victim, (3) infrastructure, and (4) capabilities
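To make the STIX and Cyber Kill Chain entries above concrete, here is an added example (not from the room, not using any official library) that builds a small STIX 2.1 bundle by hand with the standard library: a malware object, two indicators tagged with Kill Chain phases, and "indicates" relationships linking them. A lookup function then follows those relationships for an observed value. The malware name "ExampleRAT", the address, the hash and the parsing of single-comparison patterns are all constructed assumptions; real STIX patterns can be far richer than the one shape handled here.

```python
import json
import re
import uuid
from datetime import datetime, timezone


def stix_id(obj_type: str) -> str:
    # STIX 2.1 identifiers take the form "<type>--<UUID>"
    return f"{obj_type}--{uuid.uuid4()}"


NOW = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
KILL_CHAIN = "lockheed-martin-cyber-kill-chain"


def make_indicator(name: str, pattern: str, phase: str) -> dict:
    """A STIX 2.1 Indicator SDO tagged with a Cyber Kill Chain phase."""
    return {
        "type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
        "created": NOW, "modified": NOW, "name": name,
        "pattern": pattern, "pattern_type": "stix", "valid_from": NOW,
        "kill_chain_phases": [{"kill_chain_name": KILL_CHAIN, "phase_name": phase}],
    }


def build_bundle() -> dict:
    """Constructed bundle: one malware family, two indicators, two 'indicates'
    relationships. The values are placeholders, not real threat data."""
    malware = {"type": "malware", "spec_version": "2.1", "id": stix_id("malware"),
               "created": NOW, "modified": NOW, "name": "ExampleRAT", "is_family": True}
    c2 = make_indicator("ExampleRAT C2 server",
                        "[ipv4-addr:value = '203.0.113.42']", "command-and-control")
    dropper = make_indicator("ExampleRAT dropper",
                             "[file:hashes.'SHA-256' = "
                             "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
                             "delivery")
    rels = [{"type": "relationship", "spec_version": "2.1", "id": stix_id("relationship"),
             "created": NOW, "modified": NOW, "relationship_type": "indicates",
             "source_ref": ind["id"], "target_ref": malware["id"]} for ind in (c2, dropper)]
    return {"type": "bundle", "id": stix_id("bundle"), "objects": [malware, c2, dropper, *rels]}


def to_json(bundle: dict) -> str:
    """Serialize the bundle the way it would be published or pushed over TAXII."""
    return json.dumps(bundle, indent=2)


# Only single comparisons like [ipv4-addr:value = '...'] are parsed here (assumption).
PATTERN_RE = re.compile(r"^\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]$")


def simple_pattern_terms(pattern: str):
    m = PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    return m.group(1), m.group(2)


def enrich(bundle: dict, observed: dict) -> list:
    """Given observed attributes such as {'ipv4-addr:value': '203.0.113.42'}, return
    every matching indicator, its Kill Chain phase, and what it 'indicates'."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    hits = []
    for obj in bundle["objects"]:
        if obj["type"] != "indicator":
            continue
        path, value = simple_pattern_terms(obj["pattern"])
        if observed.get(path) != value:
            continue
        targets = [by_id[r["target_ref"]] for r in bundle["objects"]
                   if r["type"] == "relationship"
                   and r["relationship_type"] == "indicates"
                   and r["source_ref"] == obj["id"]]
        hits.append({"indicator": obj["name"],
                     "phase": obj["kill_chain_phases"][0]["phase_name"],
                     "indicates": [t["name"] for t in targets]})
    return hits


if __name__ == "__main__":
    bundle = build_bundle()
    print(to_json(bundle))
    print(enrich(bundle, {"ipv4-addr:value": "203.0.113.42"}))
```

The point of the relationship objects is that an analyst who only sees a hit on the C2 address can walk the graph to the malware family and, through the Kill Chain phase, know the intrusion has already reached command and control rather than just delivery.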
Task 5: Practical Analysis
Open the site associated with the task to answer the following questions.