# Threat Intelligence

IOC management, threat feeds, STIX/TAXII, and threat hunting.
## Overview

Threat intelligence is evidence-based, contextualized information about threats that defenders can act on, for example to block, detect, or prioritize.
## Intelligence Types

| Type | Audience | Focus |
|---|---|---|
| Strategic | Executives | Trends, risks |
| Tactical | Security teams | TTPs |
| Operational | SOC analysts | Specific threats |
| Technical | Analysts | IOCs |
## Indicators of Compromise

```python
# IOC types (sample values; the hash strings are truncated placeholders)
iocs = {
    "ip_addresses": ["10.0.0.1", "192.168.1.100"],
    "domains": ["malicious.com", "evil.org"],
    "hashes": {
        "md5": "abc123...",
        "sha256": "def456..."
    },
    "urls": ["http://malicious.com/payload"],
    "email_addresses": ["attacker@evil.com"]
}
```
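An IOC set is only useful once it is matched against telemetry, and feed values rarely arrive in the exact form logs contain them (upper-case domains, trailing dots, "defanged" `[.]` and `hxxp`). The following is an added example, not code from the original page: it normalizes a feed shaped like the dictionary above and matches it against a handful of constructed log lines. The feed values, the log lines, and the defanging conventions handled are assumptions for the illustration.

```python
import re

# Constructed IOC feed in the page's shape. Values are made up for the example and
# deliberately include common feed defanging ([.] and hxxp) to show normalization.
FEED_IOCS = {
    "ip_addresses": ["10.0.0.1", "192.168.1.100"],
    "domains": ["malicious[.]com", "EVIL.org."],
    "hashes": {"sha256": ["0123456789abcdef" * 4]},
    "urls": ["hxxp://malicious[.]com/payload"],
    "email_addresses": ["attacker@evil[.]com"],
}

# Constructed log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-01-15T10:01:02Z proxy allow src=192.168.5.20 url=http://malicious.com/payload status=200",
    "2024-01-15T10:01:05Z dns query qname=EVIL.org. rcode=NOERROR",
    "2024-01-15T10:02:10Z firewall deny src=10.0.0.1 dst=192.168.5.20 dport=445",
    "2024-01-15T10:02:30Z edr file_created sha256=" + "0123456789abcdef" * 4 + " path=C:\\Temp\\a.ps1",
    "2024-01-15T10:03:00Z mail from=attacker@evil.com to=bob@example.test",
    "2024-01-15T10:03:30Z proxy allow src=192.168.5.21 url=https://example.test/ status=200",
]

# One candidate extractor per IOC type; each is run over the lower-cased log line.
EXTRACTORS = {
    "ip_addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domains": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
    "hashes": re.compile(r"\b[a-f0-9]{32}\b|\b[a-f0-9]{40}\b|\b[a-f0-9]{64}\b"),
    "urls": re.compile(r"https?://[^\s\"']+"),
    "email_addresses": re.compile(r"\b[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}


def refang(value: str) -> str:
    """Lower-case and undo common defanging so feed values compare equal to log text."""
    v = value.strip().lower()
    for old, new in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        v = v.replace(old, new)
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v)
    return v.rstrip(".")


def normalize_iocs(iocs: dict) -> dict[str, set[str]]:
    """Flatten the nested hash dict and refang every value so matching can be exact."""
    normalized = {}
    for kind, values in iocs.items():
        if isinstance(values, dict):  # {"md5": ..., "sha256": ...}, values may be str or list
            values = [h for hs in values.values() for h in ([hs] if isinstance(hs, str) else hs)]
        normalized[kind] = {refang(v) for v in values}
    return normalized


def match_line(line: str, iocs: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (ioc_type, value) pairs from the normalized IOC set found in one log line."""
    text = line.lower()
    hits: list[tuple[str, str]] = []
    for kind, regex in EXTRACTORS.items():
        for candidate in regex.findall(text):
            value = refang(candidate)
            if value in iocs.get(kind, set()) and (kind, value) not in hits:
                hits.append((kind, value))
    return hits


def scan_logs(lines, feed=FEED_IOCS) -> list[dict]:
    """Scan every line; each alert records the 1-based line number, IOC type and value."""
    iocs = normalize_iocs(feed)
    alerts = []
    for lineno, line in enumerate(lines, start=1):
        for kind, value in match_line(line, iocs):
            alerts.append({"line": lineno, "type": kind, "value": value})
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(alert)
```

A URL indicator also produces a domain hit for its host (line 1 above yields both), which is worth keeping: the domain match still fires when the attacker changes the path. Extraction by regex is deliberately loose; the exact-set lookup after normalization is what keeps false positives down.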
## STIX/TAXII

```json
{
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--uuid",
    "created": "2024-01-15T00:00:00.000Z",
    "modified": "2024-01-15T00:00:00.000Z",
    "name": "Malicious IP",
    "description": "Known C2 server",
    "pattern": "[ipv4-addr:value = '10.0.0.1']",
    "pattern_type": "stix",
    "valid_from": "2024-01-15T00:00:00.000Z"
}
```
## Threat Hunting

```python
# Hunting hypothesis
hypothesis = "Adversaries may use PowerShell for lateral movement"

# Hunt queries: one per observable the hypothesis predicts
queries = [
    "SELECT * FROM process WHERE name = 'powershell.exe'",
    "SELECT * FROM network WHERE dest_port = 5985",
    "SELECT * FROM files WHERE path LIKE '%Temp%\\%.ps1'"
]

# Analysis: run each query against the telemetry store and review what comes back
# (run_query and analyze_behavior are assumed to be provided by the hunting platform)
for query in queries:
    results = run_query(query)
    analyze_behavior(results)
```
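Any one of those queries on its own returns mostly legitimate activity: administrators run PowerShell, and WinRM on 5985 is how they manage servers. The hunt gets its value from correlating the results per host, so that a machine producing evidence for several of the hypothesis's predicted observables rises to the top. The following added example (not code from the original page) runs the page's three queries unchanged against a small in-memory SQLite dataset and ranks hosts by how many evidence types they produced. The schema, hostnames, IPs and file paths are constructed for the illustration; a real hunt would point the same queries at an EDR or SIEM data store.

```python
import sqlite3

HYPOTHESIS = "Adversaries may use PowerShell for lateral movement"

# The page's three hunt queries, each labelled with the evidence it is meant to surface.
HUNT_QUERIES = {
    "powershell_process": "SELECT * FROM process WHERE name = 'powershell.exe'",
    "winrm_connection": "SELECT * FROM network WHERE dest_port = 5985",
    "script_in_temp": "SELECT * FROM files WHERE path LIKE '%Temp%\\%.ps1'",
}

# Assumed schema: three telemetry tables keyed by host (constructed for the example).
SCHEMA = """
CREATE TABLE process (host TEXT, name TEXT, parent TEXT, cmdline TEXT);
CREATE TABLE network (host TEXT, dest_ip TEXT, dest_port INTEGER);
CREATE TABLE files (host TEXT, path TEXT);
"""

# Constructed telemetry: ws-01 is an admin running a scheduled script, ws-02 shows all
# three observables, srv-03 only receives a WinRM connection.
PROCESS_ROWS = [
    ("ws-01", "powershell.exe", "explorer.exe", "powershell.exe -File C:\\Scripts\\backup.ps1"),
    ("ws-02", "powershell.exe", "wsmprovhost.exe", "powershell.exe -File C:\\Users\\bob\\AppData\\Local\\Temp\\inv.ps1"),
    ("ws-02", "cmd.exe", "explorer.exe", "cmd.exe"),
    ("srv-03", "svchost.exe", "services.exe", "svchost.exe -k netsvcs"),
]
NETWORK_ROWS = [
    ("ws-02", "10.10.1.7", 5985),
    ("ws-01", "10.10.1.8", 443),
    ("srv-03", "10.10.1.9", 5985),
]
FILE_ROWS = [
    ("ws-02", "C:\\Users\\bob\\AppData\\Local\\Temp\\inv.ps1"),
    ("ws-01", "C:\\Scripts\\backup.ps1"),
]


def build_dataset() -> sqlite3.Connection:
    """Create the in-memory telemetry store and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row  # lets us read the host column by name from SELECT *
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO process VALUES (?, ?, ?, ?)", PROCESS_ROWS)
    conn.executemany("INSERT INTO network VALUES (?, ?, ?)", NETWORK_ROWS)
    conn.executemany("INSERT INTO files VALUES (?, ?)", FILE_ROWS)
    return conn


def run_hunt(conn: sqlite3.Connection, queries: dict = HUNT_QUERIES) -> dict[str, set[str]]:
    """Run every hunt query and record, per host, which evidence labels it produced."""
    evidence: dict[str, set[str]] = {}
    for label, sql in queries.items():
        for row in conn.execute(sql):
            evidence.setdefault(row["host"], set()).add(label)
    return evidence


def prioritize(evidence: dict[str, set[str]], min_evidence: int = 2) -> list[str]:
    """Hosts with at least `min_evidence` distinct evidence types, for analyst review first."""
    return sorted(host for host, labels in evidence.items() if len(labels) >= min_evidence)


if __name__ == "__main__":
    conn = build_dataset()
    found = run_hunt(conn)
    print("Hypothesis:", HYPOTHESIS)
    for host, labels in sorted(found.items()):
        print(f"  {host}: {sorted(labels)}")
    print("Review first:", prioritize(found))
```

The `LIKE '%Temp%\%.ps1'` pattern relies on SQLite treating the backslash as a literal character (no `ESCAPE` clause is given); other SQL engines differ, so check the escaping rules of whatever store the hunt actually runs against.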
## MITRE ATT&CK

Architecture Diagram

Tactics:

- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Exfiltration
- Command and Control
## Threat Intel Platforms

| Platform | Features |
|---|---|
| MISP | Open source, sharing |
| ThreatConnect | Commercial, orchestration |
| Anomali | Threat intel platform |
| Recorded Future | Intelligence collection |
## Practice

Set up MISP and share threat indicators with partners.