How to Use OpenCTI to Gather Threat Intelligence | TryHackMe Trooper
In this post we explain OpenCTI, a cyber threat intelligence platform, and how to use it to gather threat intelligence and turn it into security controls. The TryHackMe Trooper room provides the practical part.
Please watch the video at the bottom for a full, detailed walkthrough.
TryHackMe Task Description
A multinational technology company has been the target of several cyber attacks in the past few months. The attackers have been successful in stealing sensitive intellectual property and causing disruptions to the company’s operations. A threat advisory report about similar attacks has been shared, and as a CTI analyst, your task is to identify the Tactics, Techniques, and Procedures (TTPs) being used by the Threat group and gather as much information as possible about their identity and motive. For this task, you will utilise the OpenCTI platform as well as the MITRE ATT&CK navigator, linked to the details below.
Introduction to Cyber Threat Intelligence (CTI)
CTI is the collection, management and sharing of data about threats, which is essential for identifying and mitigating them.
Platforms such as OpenCTI, MISP (Malware Information Sharing Platform) and TheHive are used to store and manage threat data gathered from incident response engagements and community feeds.
Sources of Threat Intelligence
Incident Response Engagements: Data collected by incident response teams, such as malware samples and indicators of compromise (IOCs) like file hashes, IP addresses and domains.
Community Feeds: Threat data shared between organizations, which gives a broader view of emerging cyber threats.
Components of OpenCTI
Dashboard: Summarizes all collected threat intelligence, including reports, entities, and observables (e.g., domains and IPs).
Activities Tab: Contains threat intelligence reports from various organizations, detailing recent threats and events. Local incident data is registered here.
Knowledge Tab: Includes detailed information on threat actors, their tools, techniques, and procedures (TTPs). It also categorizes threats using frameworks like MITRE ATT&CK.
USB-Ferry Attack Analysis with OpenCTI
The room's scenario describes the USB-Ferry malware, which propagates through USB devices in order to reach air-gapped networks (networks isolated from the internet for security reasons).
The attack targets critical sectors, including healthcare, military and transportation, in regions such as Taiwan, the Philippines and Hong Kong.
By using OpenCTI and MITRE Navigator, analysts can investigate attacks, identify attacker groups (such as Tropic Trooper), and analyze their tactics and tools.
The malware USB-Ferry is delivered initially via spear-phishing emails, then spreads to air-gapped systems via infected USBs.
Investigators can search for related malware, tools, and vulnerabilities within OpenCTI to conduct a thorough analysis of the cyber attack.
Understanding Attack Patterns
OpenCTI allows the analysis of attack patterns, such as how Tropic Trooper combines techniques like spear-phishing and USB propagation to gain initial access to systems.
Analysts can dive deeper into specific malware, such as Yahoyah and USB-Ferry, and see the associated attack patterns and defensive strategies.
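To make the knowledge-graph idea behind the Knowledge tab and the "related malware, tools and attack patterns" searches concrete, here is an added example (not code from the TryHackMe room or from the OpenCTI project). It models the Tropic Trooper / USB-Ferry case as a STIX 2.1 bundle, the format OpenCTI ingests, then answers two analyst questions over it: which ATT&CK techniques the group uses, directly or through its malware, and which indicators point at a given malware, and finally exports the techniques as a MITRE ATT&CK Navigator layer. Everything is standard library and runs offline; the helper names (sdo, rel, sid), the hash and domain values and the namespace UUID are constructed for illustration, while the ATT&CK ids T1566.001 and T1091 and the Navigator layer keys are real. Required STIX fields such as created and valid_from are omitted to keep the example short.

```python
"""OpenCTI-style knowledge graph for the Tropic Trooper / USB-Ferry case as a
STIX 2.1 bundle, plus the analyst queries an OpenCTI user would run over it.
Added example, not from the TryHackMe room or the OpenCTI project."""
import json
import uuid
from collections import defaultdict

NS = uuid.uuid5(uuid.NAMESPACE_URL, "example.invalid/opencti-demo")  # constructed namespace


def sid(stix_type, name):
    """Deterministic STIX id (uuid5), so the bundle is reproducible across runs."""
    return f"{stix_type}--{uuid.uuid5(NS, f'{stix_type}/{name}')}"


def sdo(stix_type, name, **extra):
    """Minimal STIX Domain Object (timestamps omitted for brevity)."""
    return {"type": stix_type, "spec_version": "2.1", "id": sid(stix_type, name), "name": name, **extra}


def rel(rtype, src, dst):
    """STIX Relationship Object, e.g. intrusion-set --uses--> malware."""
    return {"type": "relationship", "spec_version": "2.1",
            "id": sid("relationship", f"{rtype}/{src['id']}/{dst['id']}"),
            "relationship_type": rtype, "source_ref": src["id"], "target_ref": dst["id"]}


def attack_pattern(name, technique_id):
    """Attack pattern carrying its MITRE ATT&CK id as an external reference, as OpenCTI does."""
    return sdo("attack-pattern", name, external_references=[
        {"source_name": "mitre-attack", "external_id": technique_id}])


def build_bundle():
    group = sdo("intrusion-set", "Tropic Trooper")
    ferry = sdo("malware", "USB-Ferry", is_family=True, malware_types=["worm"])
    phish = attack_pattern("Spearphishing Attachment", "T1566.001")
    usb = attack_pattern("Replication Through Removable Media", "T1091")
    health = sdo("identity", "Healthcare", identity_class="class", sectors=["healthcare"])
    indicators = [  # constructed sample observables, NOT real USB-Ferry IOCs
        {"type": "indicator", "spec_version": "2.1", "id": sid("indicator", "ferry-hash"),
         "pattern_type": "stix", "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "indicator", "spec_version": "2.1", "id": sid("indicator", "ferry-c2"),
         "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example']"},
    ]
    objects = [group, ferry, phish, usb, health, *indicators,
               rel("uses", group, phish),   # delivery by spear-phishing is the group's own step
               rel("uses", group, ferry),
               rel("uses", ferry, usb),     # USB replication is the malware's own technique
               rel("targets", group, health),
               rel("indicates", indicators[0], ferry),
               rel("indicates", indicators[1], ferry)]
    return {"type": "bundle", "id": sid("bundle", "trooper"), "objects": objects}


def _index(bundle):
    """Objects by id, plus outgoing edges: source id -> [(relationship_type, target object)]."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    edges = defaultdict(list)
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            edges[o["source_ref"]].append((o["relationship_type"], by_id[o["target_ref"]]))
    return by_id, edges


def _by_name(bundle, stix_type, name):
    return next(o for o in bundle["objects"] if o["type"] == stix_type and o.get("name") == name)


def ttps_for(bundle, group_name):
    """ATT&CK techniques an intrusion set uses directly or through its malware/tools.
    Returns {technique_id: {"name": ..., "via": [entity that uses it, ...]}}."""
    _, edges = _index(bundle)
    group = _by_name(bundle, "intrusion-set", group_name)
    frontier = [group] + [t for r, t in edges[group["id"]]
                          if r == "uses" and t["type"] in ("malware", "tool")]
    found = {}
    for ent in frontier:
        for r, tgt in edges[ent["id"]]:
            if r == "uses" and tgt["type"] == "attack-pattern":
                tid = next(x["external_id"] for x in tgt["external_references"]
                           if x["source_name"] == "mitre-attack")
                found.setdefault(tid, {"name": tgt["name"], "via": []})["via"].append(ent["name"])
    return found


def indicators_for(bundle, malware_name):
    """STIX patterns of every indicator that 'indicates' the malware (what goes to detection tooling)."""
    by_id, _ = _index(bundle)
    target = _by_name(bundle, "malware", malware_name)["id"]
    return sorted(by_id[r["source_ref"]]["pattern"] for r in bundle["objects"]
                  if r["type"] == "relationship" and r["relationship_type"] == "indicates"
                  and r["target_ref"] == target)


def navigator_layer(bundle, group_name):
    """ATT&CK Navigator layer (importable JSON) highlighting the group's techniques."""
    ttps = ttps_for(bundle, group_name)
    return {"name": f"{group_name} TTPs", "domain": "enterprise-attack",
            "versions": {"layer": "4.5"},  # assumption: layer format version accepted by current Navigator
            "techniques": [{"techniqueID": tid, "score": 1, "comment": "via " + ", ".join(v["via"])}
                           for tid, v in sorted(ttps.items())]}


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(ttps_for(bundle, "Tropic Trooper"), indent=2))
    print(json.dumps(indicators_for(bundle, "USB-Ferry"), indent=2))
    print(json.dumps(navigator_layer(bundle, "Tropic Trooper"), indent=2))
```

The two-hop traversal in ttps_for is the point: in OpenCTI the Knowledge tab shows the group's TTPs by following "uses" relationships through the malware and tools attributed to it, which is why a technique such as Replication Through Removable Media appears under Tropic Trooper even though only USB-Ferry carries it. The layer returned by navigator_layer can be saved to a file and imported into the MITRE ATT&CK Navigator to visualise the same set.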
Room Answers | TryHackMe Trooper
Room answers can be found here.