Threat Intelligence Tools
TryHackMe Walkthroughs ⋅ Guided ⋅ Threat Intelligence Tools
Task 1: Room Outline
This room will introduce us to common tools used in cyber threat intelligence. In this room, we will:
Understand the basics of threat intelligence & its classifications
Use UrlScan.io to scan for malicious URLs
Use Abuse.ch to track malware and botnet indicators
Investigate phishing emails using PhishTool
Use Cisco's Talos Intelligence platform for intelligence gathering
Task 2: Threat Intelligence
Threat intelligence is the analysis of data to understand how to defend against the risks associated with existing or emerging threats targeting organizations, industries, or governments. There are a few different types of intelligence:
Strategic intel: Looks into the organization's threat landscape and maps out risk areas
Technical intel: Looks into evidence and artifacts of an attack performed by an adversary
Tactical intel: Assesses adversaries' tactics, techniques, and procedures (TTPs)
Operational intel: Looks into the adversary's motives and intent to attack
Task 3: UrlScan.io
UrlScan.io is a free service that scans and analyzes websites. Its reports include information such as HTTP connections, redirects, links, and page behavior.
Task 4: Abuse.ch
Abuse.ch is a research project hosted at Bern University of Applied Sciences. The project identifies and tracks malware and botnets through various platforms.
Malware Bazaar is an all-in-one malware collection and analysis database.
Feodo Tracker is a resource that tracks botnet command and control (C2) infrastructure linked with Emotet, Dridex and TrickBot.
SSL Blacklist is a tool that identifies and detects malicious SSL connections, identified by certificates and JA3/JA3s fingerprints.
URL Haus is a tool that shares malicious URLs used for malware distribution.
Threat Fox is a resource for searching and sharing indicators of compromise (IOCs) associated with malware.
Task 5: PhishTool
PhishTool performs email analysis, heuristic intelligence, classification, and reporting to help analysts uncover and prevent breaches arising from phishing.
The email to be analyzed is located in the folder called "Emails" on the Desktop. Double-click on the email. For this exercise, you can set up Thunderbird arbitrarily.
Task 6: Cisco Talos Intelligence
Cisco Talos Intelligence provides actionable intelligence, visibility on indicators, and protection against emerging threats through data collected from Cisco products. The Cisco Talos team consists of six subteams: (1) Threat Intelligence & Interdiction, (2) Detection Research, (3) Engineering and Development, (4) Vulnerability Research and Discovery, (5) Communities, and (6) Global Outreach.
Task 7: Scenario 1
Analyze Email2.eml on the attached VM to answer the following questions.
Task 8: Scenario 2
Analyze Email3.eml on the attached VM to answer the following questions.
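The fields PhishTool pulls out of an .eml in Task 5 and the two scenarios (sender headers, relay IPs, body URLs, attachment hashes to look up in URLhaus, MalwareBazaar or Talos) can be extracted with Python's standard library. This is an added example, not code from the room or from PhishTool; the message it parses is constructed, and every address, host, IP and URL in it is a placeholder.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
# Constructed sample (not the room's Email2.eml / Email3.eml); every address,
# host name, IP and URL below is a placeholder for illustration.
SAMPLE_EML = b"""Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.10]) by inbound.example.com; Mon, 01 Jan 2024 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7]) by mx.example.org; Mon, 01 Jan 2024 09:59:50 +0000
From: "IT Support" <helpdesk@example.com>
Reply-To: helpdesk@mailer.example.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reset your password at http://account-verify.example.net/reset?id=42
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def _domain(header_value) -> str:  # domain of an address header, '' if absent
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage_eml(raw: bytes) -> dict:
    """Extract the pivots an analyst looks up in URLhaus, MalwareBazaar and Talos
    (relay IPs, body URLs, attachment SHA-256) and flag a Reply-To or Return-Path
    domain that differs from From, a classic phishing tell PhishTool also shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    ips = [ip for hop in msg.get_all("Received", []) for ip in IP_RE.findall(str(hop))]
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""   # transfer-encoding removed
            attachments.append({"filename": part.get_filename(),
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    from_dom = _domain(msg["From"])
    others = {_domain(msg["Reply-To"]), _domain(msg["Return-Path"])} - {""}
    return {"from": str(msg["From"]), "sender_mismatch": bool(others - {from_dom}),
            "received_ips": list(dict.fromkeys(ips)),  # nearest relay first, de-duplicated
            "urls": sorted(set(urls)), "attachments": attachments}
```

Each relay prepends its own Received header, so the first IP listed is the hop closest to you and the last is the apparent origin.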
Task 9: Conclusion
We have covered the tip of the iceberg for open-source threat intelligence tools in this room.