Introduction to Cyber Threat Intelligence | TryHackMe Intro to Cyber Threat Intel

Motasem Hamdan
3 min read · Nov 6, 2024


Introduction

This post covers an introduction to Cyber Threat Intelligence (CTI), its lifecycle, and frameworks such as MITRE ATT&CK and the Cyber Kill Chain. It also covers the answers to the TryHackMe Intro to Cyber Threat Intel room.

What is Cyber Threat Intelligence (CTI)?

CTI involves collecting and analyzing evidence-based knowledge about adversaries’ Tactics, Techniques, and Procedures (TTPs) to:

  • Blue Team Perspective: Build detections and strengthen security by understanding attacker methods.
  • Red Team Perspective: Emulate adversary TTPs to test the effectiveness of defenses and improve resilience.

Core Focus:

  • Profile attackers by studying their tools, tactics, and procedures.

Sources of Threat Intelligence

CTI can be gathered from various internal, community, and external sources:

A. Internal Sources

  1. Pen Tests: Information from penetration testing exercises.
  2. Vulnerability Assessments: Analysis of system weaknesses.
  3. Incident Response Reports: Insights from past breaches or incidents.
  4. Logs: Syslogs, event logs, and other machine data.
  5. Training Reports: Results from security awareness training.

B. Community Sources

  1. Open Web Forums: Online security communities and forums.
  2. Dark Web Forums: Threat intelligence from underground hacker forums.

C. External Sources

  1. Intelligence Feeds: Threat updates from vendors (e.g., real-time alerts).
  2. Public Resources: Government or social media reports on emerging threats.

Cyber Threat Intelligence Lifecycle

The CTI lifecycle describes the stages of threat intelligence gathering and processing:

A. Direction

  • Define objectives, goals, and the scope of the intelligence gathering.
  • Identify business assets, risks, sources of intelligence, and required tools.

B. Collection

  • Gather data from various internal, community, and external sources.
  • Examples: malware reports, log files, incident data.

C. Processing

  • Organize raw data into usable formats using tools like SIEM (Security Information and Event Management).

D. Analysis

  • Derive insights from the processed data.
  • Examples:
      • Identify attack patterns.
      • Define action plans to mitigate risks.
      • Strengthen the organization’s security profile.

E. Dissemination

  • Share findings with stakeholders in a clear, high-level format.
  • Examples: Reports on risks, mitigation strategies, or budget allocations for security measures.

F. Feedback

  • Gather stakeholder responses to improve intelligence efforts or security controls.
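The Collection, Processing, Analysis and Dissemination stages above are easier to picture with a small pipeline. The following Python script is an added example and is not code from the post or from TryHackMe. It takes two constructed inputs (a vendor feed entry list and an incident-response report excerpt, both invented here), normalizes them into one indicator set (un-defanging `hxxp://` and `[.]`, lower-casing, de-duplicating across sources), scans a few constructed log lines for matches, and reduces the hits to a per-host summary suitable for a stakeholder report. All hostnames, IPs and field names are assumptions made up for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample inputs (invented for this example, not from the post).
FEED = [  # external source: a vendor feed, defanged as feeds often are
    {"type": "domain", "value": "Update-Portal[.]Example", "source": "vendor-feed"},
    {"type": "url", "value": "hxxp://update-portal[.]example/login.php", "source": "vendor-feed"},
    {"type": "ipv4", "value": "203.0.113.45", "source": "vendor-feed"},
]
IR_REPORT = "Beaconing observed to update-portal.example and 203[.]0[.]113[.]45 every 60s."  # internal source
LOGS = [  # internal source: proxy and firewall events
    "2024-11-06T10:01:12Z proxy src=10.0.0.8 dst=update-portal.example uri=/login.php",
    "2024-11-06T10:02:40Z fw src=10.0.0.9 dst=198.51.100.7 action=allow",
    "2024-11-06T10:03:01Z fw src=10.0.0.8 dst=203.0.113.45 action=allow",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    source: str


def refang(text: str) -> str:
    """Processing: undo common defanging so values from different sources compare equal."""
    text = text.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def normalize_feed(feed):
    """Processing: turn raw feed entries into Indicator records; URLs also yield their host."""
    for entry in feed:
        value = refang(entry["value"]).lower()
        yield Indicator(entry["type"], value, entry["source"])
        if entry["type"] == "url":
            host = urlparse(value).hostname
            if host:
                yield Indicator("domain", host, entry["source"])


def extract_from_report(report: str, source: str):
    """Processing: pull IPs and domains out of free-text IR notes."""
    text = refang(report)
    for ip in IPV4.findall(text):
        yield Indicator("ipv4", ip, source)
    for dom in DOMAIN.findall(text):
        yield Indicator("domain", dom.lower(), source)


def build_indicator_set(feed, report):
    """Merge all sources; key is (kind, value), value is the set of sources that reported it."""
    merged = {}
    for ind in list(normalize_feed(feed)) + list(extract_from_report(report, "ir-report")):
        merged.setdefault((ind.kind, ind.value), set()).add(ind.source)
    return merged


def match_logs(indicators, logs):
    """Analysis: find log lines whose IPs or domains appear in the indicator set."""
    hits = []
    for line in logs:
        observed = {("ipv4", v) for v in IPV4.findall(line)}
        observed |= {("domain", v.lower()) for v in DOMAIN.findall(line)}
        for key in sorted(observed & set(indicators)):
            hits.append((line, key, sorted(indicators[key])))
    return hits


def summarize(hits):
    """Dissemination: per-host view of matched indicators, not raw log lines."""
    by_host = {}
    for line, (_kind, value), _sources in hits:
        src = re.search(r"src=(\S+)", line).group(1)
        by_host.setdefault(src, set()).add(value)
    return {host: sorted(values) for host, values in by_host.items()}


if __name__ == "__main__":
    indicators = build_indicator_set(FEED, IR_REPORT)
    for line, key, sources in match_logs(indicators, LOGS):
        print(f"HIT {key[0]}={key[1]} (sources: {', '.join(sources)}) <- {line}")
    print(summarize(indicators and match_logs(indicators, LOGS)))
```

Two design points worth noting: the same indicator reported by both the vendor feed and the internal IR report is kept once, with both sources attached, which is the kind of corroboration a CTI analyst wants before acting; and the domain regex is deliberately loose (it will also pick up strings such as `login.php`), which is harmless here because only values present in the indicator set produce a hit, but a production pipeline would validate against a public-suffix list.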

Frameworks for Cyber Threat Intelligence

Frameworks provide structure and guidance for utilizing CTI effectively.

A. MITRE ATT&CK Framework

  • A knowledge base of adversary TTPs.
  • Used for analyzing and tracking attacker behaviors.

B. Cyber Kill Chain

  • Breaks down adversary actions into sequential stages:
  1. Reconnaissance: Collecting victim information.
  2. Weaponization: Preparing malicious payloads (e.g., PDFs, executables).
  3. Delivery: Distributing payloads (e.g., via email or USB).
  4. Exploitation: Exploiting vulnerabilities to gain access.
  5. Installation: Installing malware or backdoors.
  6. Command & Control (C2): Remotely controlling the compromised system.
  7. Actions on Objectives: Achieving the attacker’s end goals, such as data exfiltration.
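One practical use of the Cyber Kill Chain on the defensive side is to place each observed event of an incident on a stage and then ask which earlier stages produced no telemetry at all. The script below is an added example, not code from the post or from TryHackMe. The event categories, the category-to-stage rule table and the incident timeline are all constructed for the example; a real deployment would map its own SIEM or EDR event types.

```python
# The seven stages in order, as listed in the post.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Actions on Objectives",
]

# Hypothetical rule table (constructed): which stage each telemetry category maps to.
# Weaponization happens on the attacker's side and is rarely observable directly.
CATEGORY_TO_STAGE = {
    "web.scanner_useragent": "Reconnaissance",
    "email.attachment_delivered": "Delivery",
    "endpoint.macro_executed": "Exploitation",
    "endpoint.persistence_created": "Installation",
    "network.beacon": "Command & Control",
    "dlp.large_upload": "Actions on Objectives",
}

# Constructed incident timeline (invented for this example).
INCIDENT = [
    {"ts": "2024-11-06T10:00:05Z", "category": "email.attachment_delivered", "host": "ws-12"},
    {"ts": "2024-11-06T10:05:30Z", "category": "network.beacon", "host": "ws-12"},
    {"ts": "2024-11-06T10:04:10Z", "category": "endpoint.persistence_created", "host": "ws-12"},
    {"ts": "2024-11-06T10:06:00Z", "category": "endpoint.unknown_alert", "host": "ws-12"},
]


def classify(events):
    """Return (mapped, unmapped): mapped is a timeline-ordered list of (stage, event)."""
    mapped, unmapped = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = CATEGORY_TO_STAGE.get(ev["category"])
        if stage is None:
            unmapped.append(ev)  # keep these visible; they need a rule, not silent dropping
        else:
            mapped.append((stage, ev))
    return mapped, unmapped


def furthest_stage(mapped):
    """The deepest stage the adversary is known to have reached."""
    if not mapped:
        return None
    return max((stage for stage, _ in mapped), key=KILL_CHAIN.index)


def detection_gaps(mapped):
    """Stages before the furthest one with no telemetry at all: where detection was blind."""
    far = furthest_stage(mapped)
    if far is None:
        return []
    seen = {stage for stage, _ in mapped}
    return [s for s in KILL_CHAIN[: KILL_CHAIN.index(far)] if s not in seen]


if __name__ == "__main__":
    mapped, unmapped = classify(INCIDENT)
    for stage, ev in mapped:
        print(f"{ev['ts']} {stage:<22} {ev['category']} on {ev['host']}")
    print("furthest stage:", furthest_stage(mapped))
    print("no telemetry for:", detection_gaps(mapped))
    print("unmapped categories:", [ev["category"] for ev in unmapped])
```

For the constructed timeline the adversary reached Command & Control, yet Reconnaissance, Weaponization and Exploitation produced nothing. Weaponization is expected to be blind, but a missing Exploitation signal (here, no macro-execution event) is exactly the kind of finding the Analysis and Feedback stages should turn into a detection-engineering task.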

Key Takeaways

  • CTI enables organizations to proactively protect assets by understanding and emulating adversary behaviors.
  • Frameworks like MITRE ATT&CK and the Cyber Kill Chain are essential tools for organizing and applying threat intelligence.
  • The lifecycle approach ensures structured collection, processing, and utilization of intelligence.

Room Answers | TryHackMe Basic Pentesting Walkthrough

Room answers can be found here.

Video Walkthrough



Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
