Chapter 2: Threat Intelligence
Tools and Techniques
          Prof. Kanchan Dhuri
• "Resilience"
• "Robust"
• Cyber resilience refers to an organization's ability to prepare for,
  respond to, and recover from cyberattacks or system failures while
  continuing to operate.
• It includes preventive measures, detection systems, recovery plans,
  and adaptability.
• Example: A resilient network can continue operating even after a
  ransomware attack due to strong backup and incident response plans.
• A robust system is one that continues to work correctly even when
  faced with errors, attacks, or unexpected input.
• Example: A robust cybersecurity system can detect and block new
  types of malware without crashing or failing.
For an organization's cyber security, which is more important?
• Technology, process and people
• 1] Technological controls, e.g. a firewall
• 2] Processes, e.g. who should have the right to change firewall settings
• 3] People, e.g. awareness and timely action by employees
(You need to decide which factor you think is more important and
which is less important.)
True or false
1] The first statement is: 'Every employee has the absolute right to
keep a weak or strong password.'
2] The second is: 'Employees should have the ability to install any
software they want on their work devices.'
3] The third is: 'Employees should have the right to turn off the
device firewall.'
• Suppose you are the one sending malware to somebody else's
  machine, and you want to know if the malware has been installed
  there. How would you do that? You have to have the malware
  communicate to you.
Command and Control (C2)
• Command and control is not used for which of the following
  activities by the adversary?
• 1] to know if the intended malware is installed on the target
  machine
• 2] to send more customized payload to the target
• 3] Data exfiltration
• 4] Privilege escalation
• The first choice: with command and control (C2), the adversary wants
  to know whether the malware has been installed. So it writes the
  malware in such a way that, as soon as the malware lands on a target
  and executes, it calls the network functions and reports back to the
  command and control server.
• Once the adversary knows that it has been installed, it will want the
  malware to find things out about that machine: what applications are
  running, what versions are running, what files are in the file
  system, whether any credentials are stored somewhere on that machine,
  and whether there is a weak implementation of a protocol through
  which it can move.
The framework for understanding attacker behavior was first developed by Lockheed Martin.
Threat Intelligence Tools and Techniques
• Threat intelligence involves collecting, analyzing, and applying
  information about potential or current attacks that threaten an
  organization. It helps security teams proactively defend against
  cyber threats.
The tools and techniques used in threat intelligence
are generally categorized into the following areas:

Tool Category | Examples | Description
Threat Intelligence Platforms (TIPs) | MISP, ThreatConnect, Anomali, IBM X-Force Exchange | Collect, aggregate, and analyze threat data from multiple sources.
Security Information and Event Management (SIEM) | Splunk, IBM QRadar, ArcSight, LogRhythm | Collect logs and security data to identify threats and correlate events.
Endpoint Detection and Response (EDR) | CrowdStrike Falcon, SentinelOne, Microsoft Defender ATP | Monitor and collect data from endpoint devices to detect malicious activity.
Threat Feeds | AlienVault OTX, FireEye, Talos Intelligence, VirusTotal | Provide real-time threat data like IOCs (IP addresses, domains, file hashes).
Network Traffic Analysis (NTA) | Zeek (formerly Bro), Suricata, Darktrace | Monitor network traffic for anomalies and malicious patterns.
Malware Analysis Tools | Cuckoo Sandbox, Hybrid Analysis, Joe Sandbox | Used to detonate and analyze malware behavior in a controlled environment.
OSINT Tools | Maltego, Shodan, SpiderFoot, TheHarvester | Collect open-source data for threat actor profiling and reconnaissance.
Technique | Description
Indicator of Compromise (IOC) Analysis | Identifying IPs, URLs, file hashes, or domains linked to malicious activity.
TTP Analysis (MITRE ATT&CK) | Mapping threat actors' Tactics, Techniques, and Procedures using frameworks like MITRE ATT&CK.
Threat Hunting | Proactively searching for threats within an organization's environment.
Behavioral Analysis | Observing how malware or threat actors behave to detect unknown threats.
STIX/TAXII Standards | Structured data formats and protocols used for threat data sharing.
Dark Web Monitoring | Monitoring hacker forums and black markets for stolen data or chatter.
Social Media Monitoring | Tracking platforms like Twitter and Reddit for early threat indicators.
Phishing Campaign Analysis | Tracking and analyzing phishing attempts to identify common vectors.
Machine Learning/AI-based Threat Detection | Automating anomaly detection and pattern recognition in large datasets.
STIX/TAXII Standards:
• STIX (Structured Threat Information Expression) and TAXII
  (Trusted Automated Exchange of Intelligence Information) are two
  open standards developed to facilitate the sharing of cyber
  threat intelligence (CTI) in a consistent and automated way
  between organizations, tools, and systems.
• Purpose: STIX is a data format used to represent and structure threat
  intelligence information in a machine-readable way.
• It is a way to "describe" the threat: what it is, how it behaves, who is
  behind it, and how it can be detected.
• Key Features:
• Uses JSON format (human- and machine-readable).
• Describes threat actors, malware, attack patterns, IOCs (Indicators of
  Compromise), TTPs (Tactics, Techniques, Procedures), and more.
• Based on cyber threat intelligence lifecycle: includes context,
  relationships, and confidence levels.
Example of what STIX can describe:
• A file hash associated with ransomware
• An IP address used for command-and-control (C2)
• A phishing domain used by a specific threat actor
TAXII (Trusted Automated Exchange of
Intelligence Information)
Purpose:
TAXII is a protocol (like HTTP) used to transport threat intelligence data
(often in STIX format) between systems securely and in real time.
• Analogy: a delivery truck that carries STIX-formatted threat data from one
  organization or system to another.
Key Features:
• Secure, automated communication
• Supports both push and pull models
• Can distribute threat data in near real-time
• Works over HTTPS and RESTful APIs
Example
Let’s say: Organization A detects a new phishing domain.
• It creates a STIX package describing the domain, related IPs, and email patterns.
• It uses TAXII to send this data to partners, government agencies, or commercial
  threat platforms.
• Those partners receive it and automatically update their security systems (e.g.,
  firewalls, SIEMs).
Benefits of Using STIX/TAXII:
• Automation-friendly sharing of threat intelligence
• Promotes interoperability between tools
• Enhances collaborative defense against cyber threats
• Supports contextual threat analysis with structured data
Introduction to the MITRE ATT&CK framework
• MITRE ATT&CK is a knowledge base of how adversaries attack our
  systems.
• What is ATT&CK?
• The goal is to understand what can happen to your system and
  figure out how you would stop or detect it when it happens.
• As a defender, I want to know various things. I want to know
  whether my current defense is adequate and if the controls I
  have—like firewalls, endpoint detection, network monitoring,
  strong authentication, two-factor authentication, network
  segmentation, and so on—are enough.
ATT&CK
• Adversarial Tactics, Techniques, and Common Knowledge
• It is a framework developed by the MITRE Corporation (USA) to describe the behavior of cyber attackers
  (adversaries) across different stages of an attack lifecycle.
• ATT&CK is a knowledge base, not a tool.
• It's a framework to study the adversary's behavior in a very structured way.
MITRE ATT&CK helps in:
• Understanding how attackers operate.
• Improving threat detection, response, and defense.
• Mapping existing security controls to real-world threats.
Key Components:
• Tactics – Why the attacker is doing something.
  (High-level goals like Initial Access, Execution, Persistence)
• Techniques – How the attacker achieves that goal.
  (e.g., Phishing, Command and Scripting Interpreter)
• Sub-techniques – More detailed methods within a technique.
• Procedures – Real-world examples of how specific groups use techniques.
• MITRE Corporation is a think tank. They formed a group that went through a very
  large number of incidents, analyzing what happened in those incidents and what
  was done. They came up with a structured way of capturing all these incidents.
  They said an adversary has a final goal.
• EX: in the case of Stuxnet, the final goal was to change the program of the
  programmable logic controllers (PLCs) so that the motors rotating the spindles
  used for enriching uranium would sometimes run very fast and sometimes very slow,
  instead of at the uniform, critical speed necessary for nuclear enrichment. The
  plant had thousands of very large tubes in which uranium was being spun for
  enrichment.
• These spindles only work if they rotate at the critical speed or beyond. The
  attackers figured out that motors rotate the spindles. Every spindle has a
  motor, so they decided to target the PLCs, which control the motor speeds.
Tactic | Technique | Real-world Use Case
Initial Access | Phishing | Sending malicious email to gain entry
Execution | PowerShell | Using PowerShell to execute payload
Exfiltration | Exfiltration Over HTTPS | Stealing data via secure web connection
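One way to use the tactic/technique mapping above for "mapping existing security controls to real-world threats", as an added example (not part of the lecture or of MITRE's own tooling): count how often each technique appears in past incidents, compare that against which techniques the organization's controls address, and list the uncovered ones first. The technique IDs are real ATT&CK Enterprise IDs; the control mapping and incident records are constructed.

```python
"""ATT&CK coverage gap check (constructed example)."""
from collections import Counter

# Real ATT&CK Enterprise IDs -> (tactic, technique name)
TECHNIQUES = {
    "T1566": ("Initial Access", "Phishing"),
    "T1059.001": ("Execution", "Command and Scripting Interpreter: PowerShell"),
    "T1547.001": ("Persistence", "Registry Run Keys / Startup Folder"),
    "T1071.001": ("Command and Control", "Application Layer Protocol: Web Protocols"),
    "T1048": ("Exfiltration", "Exfiltration Over Alternative Protocol"),
}

# Constructed: which techniques each of the organization's controls detects or blocks
CONTROLS = {
    "email gateway (URL rewriting, attachment sandbox)": {"T1566"},
    "EDR with script-block logging": {"T1059.001"},
    "egress proxy with TLS inspection": {"T1071.001", "T1048"},
}

# Constructed incident records (the "procedures" evidence): technique IDs observed
INCIDENTS = [
    ["T1566", "T1059.001", "T1547.001", "T1071.001"],
    ["T1566", "T1059.001", "T1048"],
    ["T1059.001", "T1547.001", "T1071.001", "T1048"],
]


def technique_frequency(incidents):
    """How many incidents used each technique."""
    return Counter(t for inc in incidents for t in inc)


def covered_techniques(controls):
    """Union of techniques that at least one control addresses."""
    return set().union(*controls.values())


def coverage_gaps(incidents, controls):
    """Observed techniques with no control, most frequent first: where to invest next."""
    freq = technique_frequency(incidents)
    covered = covered_techniques(controls)
    gaps = sorted((t for t in freq if t not in covered), key=lambda t: (-freq[t], t))
    return [(t, TECHNIQUES[t][0], TECHNIQUES[t][1], freq[t]) for t in gaps]


if __name__ == "__main__":
    for tid, tactic, name, n in coverage_gaps(INCIDENTS, CONTROLS):
        print(f"{tid:10} {tactic:20} {name:45} seen in {n} incidents, no control")
```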
Variants of the Framework:
• ATT&CK for Enterprise – Covers desktops, servers, cloud, etc.
• ATT&CK for Mobile – Mobile-specific attacks.
• ATT&CK for ICS – Industrial Control Systems.
Who Uses ATT&CK?
• Security analysts
• SOC teams
• Threat hunters
• Red and blue teams
• Organizations building threat models
Indicators of Compromise (IOCs)
IOCs are pieces of forensic data that indicate potentially malicious activity on a system or network. They
help detect and respond to cyber threats.
IOC Type | Example
File Hash | 44d88612fea8a8f36de82e1278abb02f
IP Address | 185.62.188.88
Malicious URL | http://phishing-site[.]com/login.php
Malicious Domain | update-checker[.]com
Filename/Path | C:\Temp\doc123.exe
Registry Key | HKEY_LOCAL_MACHINE\...\Run\evil
Email Address | admin@bank-secure.co
CVE/Exploit | CVE-2021-34527 (PrintNightmare)
• 1. File Hashes (MD5, SHA-1, SHA-256)
Type | Example
MD5 | 44d88612fea8a8f36de82e1278abb02f (WannaCry ransomware)
SHA-256 | d2d2d2c2f4c1e8c4e432e3a4d554a5cb1cabcfe58ea9e2d43e176e3e44f6cfaa
• 2. Malicious IP Addresses
• Used for command-and-control (C2), phishing, or malware
  distribution.
Type | Example
C2 Server | 185.62.188.88 (used in APT attacks)
Botnet Traffic | 192.42.116.41
• 3. Malicious URLs and Domains
Type | Example
Phishing URL | http://login-verification[.]xyz/verify.php
Malware Host | maliciousdomain[.]com/malware.exe
C2 Domain | update-checker[.]com
• 4. Filenames and Paths
• Suspicious or known filenames used by malware.
Type | Example
Ransomware Dropper | invoice_2023.exe
Suspicious Path | C:\Users\Public\svchost.exe
• 5. Registry Keys (Windows)
• Used by malware for persistence.
Type | Example
Persistence Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware
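How the IOC types above are actually used in detection, as an added example that is not from the lecture: a feed delivers indicators in the defanged notation shown in the tables ("[.]" instead of "."), so they must be refanged before they can be matched, and domains, IPs and hashes must be matched on token boundaries so that a look-alike such as notupdate-checker.com does not fire. The IOC values are the ones in the tables; the log lines are constructed.

```python
"""Match a defanged IOC list against sample log lines (constructed example)."""
import re

# IOC list as a feed would ship it: defanged so the values cannot be clicked
IOCS = {
    "domain": {"update-checker[.]com", "login-verification[.]xyz"},
    "ip": {"185.62.188.88"},
    "md5": {"44d88612fea8a8f36de82e1278abb02f"},
    "path": {r"C:\Users\Public\svchost.exe"},
}

# Constructed sample log lines: proxy, DNS, EDR process creation, firewall
LOGS = [
    "2024-03-01T10:02:11Z proxy user=jdoe GET http://update-checker.com/ping 200",
    "2024-03-01T10:02:12Z dns query=cdn.update-checker.com. type=A",
    "2024-03-01T10:03:40Z edr ProcessCreate image=C:\\Users\\Public\\svchost.exe "
    "md5=44D88612FEA8A8F36DE82E1278ABB02F parent=winword.exe",
    "2024-03-01T10:04:02Z proxy user=asmith GET https://updates.microsoft.com/ 200",
    "2024-03-01T10:05:30Z fw allow src=10.0.0.5 dst=185.62.188.88 dport=443",
]


def refang(value):
    """Turn feed-safe notation back into the literal form that appears in logs."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def compile_iocs(iocs):
    """One case-insensitive regex per IOC. Domains, IPs and hashes must sit on a
    token boundary: 'notupdate-checker.com' is not a hit, 'cdn.update-checker.com.' is."""
    compiled = []
    for kind, values in iocs.items():
        for raw in values:
            value = refang(raw)
            literal = re.escape(value)
            pattern = literal if kind == "path" else r"(?<![\w-])" + literal + r"(?![\w-])"
            compiled.append((kind, value, re.compile(pattern, re.IGNORECASE)))
    return compiled


def match_iocs(lines, iocs):
    """Return (line_number, ioc_type, ioc_value) for every IOC found in every line."""
    compiled = compile_iocs(iocs)
    return [(n, kind, value) for n, line in enumerate(lines, 1)
            for kind, value, rx in compiled if rx.search(line)]
```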
Debate Topics
• “Threat Intelligence should be shared publicly to benefit all
  organizations.”
  Vs.
  “Threat Intelligence should remain private to avoid giving
  advantage to attackers.”
• “Human analysts are more effective than automated tools in
  threat intelligence.”
  Vs.
  “Automation and AI should replace human threat analysts for
  better efficiency.”
• “AI and ML are revolutionizing threat intelligence.”
  Vs.
  “AI/ML introduces more risks and false positives than actual
  value in threat intelligence.”
• “Zero-day vulnerability disclosures should be shared
  immediately with the public.”
  Vs.
  “Zero-days should be kept confidential until a patch is ready.”
Points to Consider for Debate
• 1. Understanding the Topic
• 2. Research and Evidence
• 3. Balanced Argument
• 4. Technical Understanding (if applicable)
• 5. Ethical and Legal Angles
• 6. Clarity and Simplicity
• 7. Engagement and Delivery
Rubrics (20 Marks)
  Criteria
  1. Content Accuracy & Relevance
  2. Research & Evidence
  3. Organization & Structure
  4. Rebuttal & Counter-Arguments
  5. Delivery & Communication