Intro to Cyber Threat Intel TryHackme Walkthrough
Introducing cyber threat intelligence and related topics, such as relevant standards and frameworks.
This write-up covers the Intro to Cyber Threat Intel Room on TryHackMe.
Learning Path(s): SOC Level 1
Module: Cyber Threat Intelligence
Skill/Tools: CTI Lifecycle, CTI Standards & Frameworks, OSINT/Open-Source Tools
CTI is critical for investigating adversary attacks and reporting them to organizational stakeholders and external communities.
Cyber Threat Intelligence
💡Cyber Threat Intelligence (CTI) can be defined as evidence-based knowledge about adversaries, including their indicators, tactics, and motivations, together with actionable advice against them.
- Data: Discrete indicators associated with an adversary, such as IP addresses, URLs, or hashes.
- Information: A combination of multiple data points that together answer a question.
- Intelligence: The correlation of data and information to extract patterns of actions based on contextual analysis.
The primary goal of CTI is to understand the relationship between your operational environment and your adversary, and how to defend your environment against any attacks. You pursue this goal by developing your cyber threat context.
Threat Intelligence Classifications:
- Strategic Intel: High-level intel that looks into the organization’s threat landscape and maps out the risk areas based on trends, patterns, and emerging threats that may impact business decisions.
- Technical Intel: Looks into evidence and artifacts of attack used by an adversary.
- Tactical Intel: Assesses adversaries’ tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and address vulnerabilities through real-time investigations.
- Operational Intel: Looks into an adversary’s specific motives and intent to perform an attack. Security teams may use this intel to understand the critical assets available in the organization (people, processes, and technologies) that may be targeted.
CTI Lifecycle
💡The CTI Lifecycle is a data-churning process that transforms raw data into contextualized and action-oriented insights geared toward triaging security incidents.
Direction
This phase defines the objectives and goals of the threat intelligence effort by identifying the following parameters:
- Information assets and business processes that require defending.
- Potential impact to be experienced on losing the assets or through process interruptions.
- Sources of data and intel to be used towards protection.
- Tools and resources that are required to defend the assets.
Collection
Here, security analysts will gather the required data (using commercial, private and open-source resources) to address the above objectives. Due to the volume of data, it is recommended to automate this phase to provide time for triaging incidents.
Processing
This phase ensures that the data is extracted, sorted, organized, correlated with appropriate tags, and presented visually in a usable and understandable format to the analysts. SIEMs are valuable tools for achieving this, as they allow quick parsing of data.
Analysis
Here, security analysts must derive insights. Decisions to be made may involve:
- Investigating a potential threat through uncovering indicators and attack patterns.
- Defining an action plan to avert an attack and defend the infrastructure.
- Strengthening security controls or justifying investment for additional resources.
Dissemination
Different organizational stakeholders will consume the intelligence in varying languages and formats.
- C-suite members will require a concise report covering trends in adversary activities, financial implications, and strategic recommendations.
- Analysts will more likely inform the technical team about the threat IOCs, adversary TTPs, and tactical action plans.
Feedback
Feedback should be a regular interaction between teams to keep the lifecycle working, as analysts rely on the responses provided by stakeholders to improve the threat intelligence process and the implementation of security controls.
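The Collection, Processing and Analysis phases above are easier to picture with a small worked example. The following script is an added illustration, not part of the TryHackMe room or this write-up: it takes constructed feed lines (the "data" layer: IPs, a URL, a hash), normalizes and tags them (Processing), and then correlates them against constructed proxy log lines to produce "information" about which internal hosts touched each indicator (Analysis). All indicator values, hostnames and log lines are made up for the example and use documentation IP ranges.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed feed lines as the Collection phase might gather them from several
# sources: mixed indicator types, a defanged URL, an uppercase hash, a duplicate.
RAW_FEED = [
    "203.0.113.45",
    "hxxp://malicious[.]example/payload.exe",   # defanged copy of the next line
    "http://malicious.example/payload.exe",
    "0123456789ABCDEF0123456789ABCDEF",         # constructed MD5-length value
    "198.51.100.7",
    "203.0.113.45",                             # duplicate of the first line
]

# Constructed proxy log lines: timestamp, client IP, method, requested URL.
PROXY_LOG = [
    "2024-01-05T09:12:03Z 10.0.0.12 GET http://malicious.example/payload.exe",
    "2024-01-05T09:15:44Z 10.0.0.31 GET http://intranet.example/home",
    "2024-01-05T10:02:10Z 10.0.0.12 GET http://malicious.example/payload.exe",
    "2024-01-05T11:40:00Z 10.0.0.44 GET http://198.51.100.7/login",
]

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)
URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def refang(value: str) -> str:
    """Undo common defanging so identical indicators compare equal."""
    return value.replace("hxxp", "http").replace("[.]", ".")


def classify(value: str) -> str:
    """Processing: tag a single data point with its indicator type."""
    if IPV4_RE.match(value):
        return "ipv4"
    if HASH_RE.match(value):
        return "hash"
    if URL_RE.match(value):
        return "url"
    return "unknown"


def process_feed(lines):
    """Processing: normalize, deduplicate and tag raw feed data.
    Returns {indicator_value: indicator_type}."""
    tagged = {}
    for line in lines:
        value = refang(line.strip())
        kind = classify(value)
        if kind == "hash":
            value = value.lower()       # hashes are case-insensitive hex
        tagged[value] = kind            # dict keys drop exact duplicates
    return tagged


def correlate(indicators, log_lines):
    """Analysis: turn data into information by matching indicators against
    the logs and listing the internal clients that touched each one.
    URLs are matched exactly; IPv4 indicators are matched on the URL host."""
    hits = defaultdict(set)
    for line in log_lines:
        _ts, client, _method, target = line.split(" ", 3)
        host = urlsplit(target).hostname
        for ioc, kind in indicators.items():
            if (kind == "url" and target == ioc) or (kind == "ipv4" and host == ioc):
                hits[ioc].add(client)
    return {ioc: sorted(clients) for ioc, clients in hits.items()}


if __name__ == "__main__":
    processed = process_feed(RAW_FEED)
    for ioc, kind in processed.items():
        print(f"{kind:5} {ioc}")
    for ioc, clients in correlate(processed, PROXY_LOG).items():
        print(f"{ioc} seen from {', '.join(clients)}")
```

The two functions map onto the lifecycle: `process_feed` is the Processing step (six raw lines become four tagged, deduplicated indicators), and `correlate` is the Analysis step that answers a concrete question (which hosts contacted a known-bad indicator), which is what the page means by turning data into information.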
CTI Standards & Frameworks
Essential standards and frameworks commonly used include:
- MITRE ATT&CK: A knowledge base of adversary behavior, focusing on the indicators and tactics.
- TAXII: A protocol for securely exchanging threat intel, enabling near real-time detection, prevention, and mitigation of threats.
- STIX: Provides defined relationships between sets of threat information such as observables, indicators, adversary TTPs, attack campaigns, and more.
- Cyber Kill Chain & Unified Kill Chain: Break down adversary actions into sequential steps.
- The Diamond Model: Looks at intrusion analysis and tracking attack groups over time.
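To make the STIX entry concrete, here is an added example (not code from the TryHackMe room or this write-up) that parses a small STIX 2.1 bundle with only the Python standard library. The bundle is constructed for this example: the UUIDs are placeholders, the malware name and indicator values are invented, and the ATT&CK reference uses the real technique id T1566 (Phishing) only to show how an `external_references` entry is read. The script indexes the objects, pulls the atomic observables out of an indicator pattern, and follows `indicates` and `uses` relationships to build the kind of summary an analyst would hand to a detection team.

```python
import json
import re

TS = "2024-01-05T09:00:00.000Z"   # shared created/modified timestamp (constructed)

# Constructed STIX 2.1 bundle for this example; ids are placeholders.
STIX_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": TS, "modified": TS,
         "name": "Loader download infrastructure",
         "pattern_type": "stix",
         "pattern": "[url:value = 'http://malicious.example/payload.exe' OR "
                    "domain-name:value = 'malicious.example']",
         "valid_from": "2024-01-05T09:00:00Z"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--00000000-0000-4000-8000-000000000003",
         "created": TS, "modified": TS,
         "name": "ExampleLoader", "is_family": False},
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000004",
         "created": TS, "modified": TS,
         "name": "Phishing",
         "external_references": [
             {"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--00000000-0000-4000-8000-000000000005",
         "created": TS, "modified": TS,
         "relationship_type": "indicates",
         "source_ref": "indicator--00000000-0000-4000-8000-000000000002",
         "target_ref": "malware--00000000-0000-4000-8000-000000000003"},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--00000000-0000-4000-8000-000000000006",
         "created": TS, "modified": TS,
         "relationship_type": "uses",
         "source_ref": "malware--00000000-0000-4000-8000-000000000003",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000004"},
    ],
})

# One comparison inside a STIX pattern: <object-type>:<property> = '<value>'
COMPARISON_RE = re.compile(r"([\w-]+):([\w.]+)\s*=\s*'((?:[^'\\]|\\.)*)'")


def load_bundle(text):
    """Parse the bundle and index every STIX object by its id."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    return {obj["id"]: obj for obj in bundle["objects"]}


def observables_from_pattern(pattern):
    """Return (object type, property, value) triples from a STIX pattern.
    Handles several equality comparisons joined by AND/OR; it does not
    evaluate the boolean logic, it only lists the atomic values to hunt for."""
    return COMPARISON_RE.findall(pattern)


def attack_ids(obj):
    """Return MITRE ATT&CK ids listed in an object's external_references."""
    return [ref["external_id"] for ref in obj.get("external_references", [])
            if ref.get("source_name") == "mitre-attack"]


def summarize(objects):
    """Follow relationships to build: malware name -> indicator values that
    'indicate' it and ATT&CK technique ids it 'uses'."""
    summary = {}
    for obj in objects.values():
        if obj["type"] != "relationship":
            continue
        src = objects.get(obj["source_ref"])
        dst = objects.get(obj["target_ref"])
        if src is None or dst is None:
            continue  # dangling reference in a partial feed: skip, don't crash
        if obj["relationship_type"] == "indicates" and dst["type"] == "malware":
            entry = summary.setdefault(dst["name"], {"indicators": [], "techniques": []})
            entry["indicators"].extend(v for _, _, v in observables_from_pattern(src["pattern"]))
        elif obj["relationship_type"] == "uses" and src["type"] == "malware":
            entry = summary.setdefault(src["name"], {"indicators": [], "techniques": []})
            entry["techniques"].extend(attack_ids(dst))
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize(load_bundle(STIX_BUNDLE_JSON)), indent=2))
```

The relationship objects are what make STIX more than a list of indicators: the URL and domain only become meaningful once the `indicates` edge ties them to a named malware and the `uses` edge ties that malware to an ATT&CK technique, which is the "defined relationships between sets of threat info" the list item above describes.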
Room Questions Walkthrough
Note: Due to Medium’s formatting, some elements are dropped. Please visit our Notion page for the full tutorial.
- What does CTI stand for?
- Under which Threat Intelligence classification are IP addresses, Hashes, and other threat artifacts found?
- In which phase is data made usable through sorting, organizing, correlation, and presentation?
- During which phase do security analysts define questions to investigate incidents?
- What sharing models are supported by TAXII?
- In which phase of the kill chain is an adversary who has obtained access to a network and is extracting data?
- What was the source email address?
- What was the name of the downloaded file?
- After building the threat profile, what message is received?