Cyber Threat Intelligence

Cyber Threat Intelligence is evidence-based knowledge about adversaries, including their indicators, tactics, motivations, and
actionable advice against them. It includes data about potential attackers, their methods, and the vulnerabilities they exploit. The
goal is to help organizations anticipate and defend against cyber attacks more effectively. It would be typical to use the terms
“data”, “information”, and “intelligence” interchangeably. However, let us distinguish between them to understand better how
CTI comes into play.

Data: These are raw, discrete pieces of evidence, like individual IP addresses, URLs, domain names, or file hashes that are
known to be indicators of potential malicious activity.

Information: Information is what you get when you combine and contextualize data to answer specific questions. It helps to
provide more structure and meaning to the raw data, for example By tracking how often employees accessed a suspicious
webpage over the past month, you can determine patterns of potential exposure or risk.

Intelligence: The correlation of data and information to extract patterns of actions based on contextual analysis.
Intelligence is the result of further analysis, where you correlate various pieces of data and information to uncover larger
patterns or trends. It provides actionable insights, allowing decision-makers to anticipate threats and take informed actions.
For example By correlating data from multiple incidents (like similar IPs, attack methods, and times), intelligence can help
identify a particular adversary's tactics and predict future behavior.

The primary goal of CTI is to understand the relationship between your operational environment and your adversary and
how to defend your environment against any attacks. You would seek this goal by developing your cyber threat context by
trying to answer the following questions:

**Who’s attacking you? - Identify the threat actors

**What are their motivations? - Understand the attackers' goals
**What are their capabilities? - Assessing the tools and techniques they use
**What artefacts and indicators of compromise (IOCs) should you look out for? - Monitoring and detecting attacks,

CTI relies on gathering data from multiple sources to form a comprehensive view of potential threats. These sources can
be classified into three main categories:

Internal
Community
External .

1. Internal Sources - These are sources within your own organization that provide direct insights into the security
landscape of your operational environment.
Corporate Security Events: Information from vulnerability assessments, penetration testing, and incident
response reports. This provides details on weaknesses and past breaches within the organization.
Cyber Awareness Training Reports: Data from employee training programs on cybersecurity awareness, which
helps to identify common vulnerabilities or gaps in understanding.
System Logs and Events: Logs from firewalls, IDS/IPS systems, endpoints, and other security tools that detect
anomalies, unauthorized access, or suspicious activity.

2. Community Sources: These are sources that come from the wider cybersecurity community, including both legal and
illegal communities.
Open Web Forums: Public forums and platforms where security researchers, professionals, and enthusiasts
discuss vulnerabilities, trends, and cyber threats.
Dark Web Communities: Forums and marketplaces on the dark web where cybercriminals exchange tools, stolen
data, and discuss tactics. This is often a valuable source for monitoring adversary chatter and emerging threats.
3. External Sources: These sources provide intelligence from outside the organization, often from third parties or publicly
available data.
 Threat Intel Feeds (Commercial & Open-source): Aggregated feeds from specialized vendors or open-source platforms
that provide real-time data on global cyber threats, such as IOCs, TTPs, and active campaigns.
Online Marketplaces: Websites where cybercrime services, exploit kits, or stolen data are sold. Monitoring these
markets can reveal insights into ongoing attacks or plans for future attacks.
Public Sources: These include government publications, advisories from cybersecurity agencies, social media
analysis, financial and industrial reports, and other public data that provide broader context on emerging cyber
threats.

Threat Intelligence Classifications :

1. Strategic Intel :
High-level intel that looks into the organization’s threat landscape and maps out the risk areas based on trends, patterns
and emerging threats that may impact business decisions.
Purpose: High-level analysis focused on understanding the broader threat landscape over time. Scope: This intel looks
at trends, patterns, and emerging threats that could impact an organization's long-term
strategies and business decisions. It often involves geopolitical analysis, industry trends, and threat actor
profiling.

2. Technical Intel :
Looks into evidence and artefacts of attack used by an adversary. Incident Response teams can use this intel to
create a baseline attack surface to analyze and develop defense mechanisms.

Purpose: Provides detailed technical data about specific threats, such as malware signatures, phishing URLs, or
file hashes. Scope: Focuses on the actual artifacts of an attack (e.g., malicious code, exploit methods). It is used by security
teams to detect, analyze, and block cyber threats.

3. Tactical Intel :
Assesses adversaries’ tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and
address vulnerabilities through real-time investigations.

Purpose : Provides insights into an adversary's Tactics, Techniques, and Procedures (TTPs).
Scope : Focuses on understanding how attackers operate and what methods they use, enabling the organization
to adjust security controls and defenses in response. This type of intelligence is often used for real-time
investigations.'

4. Operational Intel : Looks into an adversary’s specific motives and intent to perform an attack. Security teams may use
this intel to understand the critical assets available in the organisation (people, processes and technologies) that may
be targeted.

Purpose: Understands the specific motives, goals, and immediate plans of an adversary targeting the
organization.
Scope: Focuses on active or planned attacks and helps security teams prioritize defense around critical assets,
such as sensitive data, infrastructure, or key personnel.

Cyber Threat Intel Life Cycle :

Threat intel is obtained from a data-churning process that transforms raw data into contextualised and action-oriented insights
geared towards triaging security incidents. The transformational process follows a six-phase cycle:

Direction
Collection
Processing
Analysis
Dissemination
Feedback
Direction :

Every threat intel program requires to have objectives and goals defined, involving identifying the following parameters:

Information assets and business processes that require defending.

Potential impact to be experienced on losing the assets or through process interruptions.
Sources of data and intel to be used towards protection.
Tools and resources that are required to defend the assets.

Collection :

Once objectives have been defined, security analysts will gather the required data to address them. Analysts will do this by using
commercial, private and open-source resources available. Due to the volume of data analysts usually face, it is recommended to
automate this phase to provide time for triaging incidents. Gathering data from public threat feeds, logs from intrusion detection
systems, and monitoring the dark web for chatter about specific attack methods.

Processing :

This phase involves sorting, organizing, and correlating various data types—such as raw logs, vulnerability data, malware samples,
and network traffic—so that analysts can make sense of the information quickly and effectively. Raw logs, vulnerability information,
malware and network traffic usually come in different formats and may be disconnected when used to investigate an incident. This
phase ensures that the data is extracted, sorted, organised, correlated with appropriate tags and presented visually in a usable and
understandable format to the analysts. SIEMs are valuable tools for achieving this and allow quick parsing of data.
Analysis :

Once the information aggregation is complete, security analysts must derive insights. Decisions to be made may involve:

Investigating a potential threat through uncovering indicators and attack patterns.

Defining an action plan to avert an attack and defend the infrastructure.
Strengthening security controls or justifying investment for additional resources.

Dissemination :

Disseminationis the process of distributing the intelligence gathered, analyzed, and processed to the appropriate
stakeholders within an organization. It is a crucial stage in the Cyber Threat Intelligence (CTI) Lifecycle, as the
effectiveness of CTI relies not just on the quality of the intelligence but also on how well it is shared with the relevant
audience. Dissemination ensures that intelligence reaches the right people, in the right format, and at the right time to allow
for actionable decisions.
For example, C-suite members will require a concise report covering trends in adversary activities, financial implications
and strategic recommendations. At the same time, analysts will more likely inform the technical team about the threat IOCs,
adversary TTPs and tactical action plans.

Feedback :

The final phase covers the most crucial part, as analysts rely on the responses provided by stakeholders to improve the
threat intelligence process and implementation of security controls. Feedback should be regular interaction between teams
to keep the lifecycle working.

CTI Standards & Frameworks :

Standards and frameworks provide structures to rationalise the distribution and use of threat intel across industries. They
also allow for common terminology, which helps in collaboration and communication. Here, we briefly look at some
essential standards and frameworks commonly used.

MITRE ATT&CK

The ATT&CK framework is a knowledge base of adversary behavior, focusing on the indicators and tactics. Security
analysts can use the information to be thorough while investigating and tracking adversarial behavior.
TAXII

The Trusted Automated eXchange of Indicator Information (TAXII) defines protocols for securely exchanging threat intel to
have near real-time detection, prevention and mitigation of threats. The protocol supports two sharing models:

Collection: Threat intel is collected and hosted by a producer upon request by users using a request-response model.
Channel: Threat intel is pushed to users from a central server through a publish-subscribe model.

STIX
Structured Threat Information Expression (STIX) is a language developed for the "specification, capture, characterisation
and communication of standardised cyber threat information". It provides defined relationships between sets of threat info
such as observables, indicators, adversary TTPs, attack campaigns, and more.

Cyber Kill Chain

Developed by Lockheed Martin, the Cyber Kill Chain breaks down adversary actions into steps. This breakdown helps
analysts and defenders identify which stage-specific activities occurred when investigating an attack.
 Technique Purpose Examples
Obtain information about the victim and the tactics used for Harvesting emails, OSINT, and
Reconnaissance the attack. social media, network scans
Malware is engineered based on the needs and intentions Exploit with a backdoor,
Weaponisation of the attack. malicious office document
Covers how the malware would be delivered to the victim's Email, weblinks, USB
Delivery system.
Breach the victim's system vulnerabilities to execute code
and create scheduled jobs to establish persistence.
Exploitation EternalBlue, Zero-Logon, etc.
Install malware and other tools to gain access to the
victim's system.
Installation Password dumping, backdoors,
Remotely control the compromised system, deliver
remote access trojans
additional malware, move across valuable assets and
Command & elevate privileges. Empire, Cobalt Strike, etc.
Control
Fulfil the intended goals for the attack: financial gain,
corporate espionage, and data exfiltration.
Actions Data encryption, ransomware,
on public defacement
Objective
s
Over time, the kill chain has been expanded using other frameworks such as ATT&CK and formulated a new Unified Kill
Chain.
The Diamond Model

The diamond model looks at intrusion analysis and tracking attack groups over time. It focuses on four key areas, each
representing a different point on the diamond. These are:

Adversary: The focus here is on the threat actor behind an attack and allows analysts to identify the motive behind
the attack.
Victim: The opposite end of adversary looks at an individual, group or organisation affected by an attack.
Infrastructure: The adversaries' tools, systems, and software to conduct their attack are the main focus. Additionally,
the victim's systems would be crucial to providing information about the compromise.
Capabilities: The focus here is on the adversary's approach to reaching its goal. This looks at the means of
exploitation and the TTPs implemented across the attack timeline

An example of the diamond model in play would involve an adversary targeting a victim using phishing attacks to obtain
sensitive information and compromise their system, as displayed on the diagram. As a threat intelligence analyst, the model
allows you to pivot along its properties to produce a complete picture of an attack and correlate indicators.

Some notable threat reports come from Mandiant, Recorded Future and AT&TCybersecurity.

Threat Intelligence Tools :

Tools that we will cover :

UrlScan.io to scan for malicious URLs.

Abuse.ch to track malware and botnet indicators.
Investigate phishing emails using PhishToo.
Cisco's Talos Intelligence platform for intel gathering.

1. Urlscan.io :
urlscan.io is a free online service that allows you to analyze websites for potential security issues, threats, and track
various online behaviors.
It is developed to assist in scanning and analyzing websites. It is used to automate the process of browsing and crawling
through websites to record activities and interactions.

When a URL is submitted, the information recorded includes the domains and IP addresses contacted, resources
requested from the domains, a snapshot of the web page, technologies utilised and other metadata about the website.
The site provides two views, the first one showing the most recent scans performed and the second one showing current
live scans.
URL scan results provide ample information, with the following key areas being essential to look at:

Summary: Provides general information about the URL, ranging from the identified IP address, domain registration
details, page history and a screenshot of the site.
HTTP: Provides information on the HTTP connections made by the scanner to the site, with details about the data
fetched and the file types received.
Redirects: Shows information on any identified HTTP and client-side redirects on the site.
Links: Shows all the identified links outgoing from the site's homepage.
Behaviour: Provides details of the variables and cookies found on the site. These may be useful in identifying the
frameworks used in developing the site.
Indicators: Lists all IPs, domains and hashes associated with the site. These indicators do not imply malicious activity
related to the site.

lets see and example for example.com

As you can see there a lot of options available.

So while you at it explore a bit.
2. Abuse.ch :
Abuse.ch is a Swiss-based platform that helps cybersecurity professionals and organizations combat malware, botnets, and
online threats. It focuses on tracking, collecting, and distributing information about cyber threats. It was developed to identify
and track malware and botnets through several operational platforms developed under the project. These platforms are:

Malware Bazaar: A resource for sharing malware samples.

Feodo Tracker: A resource used to track botnet command and control (C2) infrastructure linked with Emotet, Dridex
and TrickBot.
SSL Blacklist: A resource for collecting and providing a blocklist for malicious SSL certificates and JA3/JA3s
fingerprints.
URL Haus: A resource for sharing malware distribution sites.
Threat Fox: A resource for sharing indicators of compromise (IOCs).
YARAify: YARAhub, the platform also provides a structured way for sharing YARA rules with the community.

Scan a file with YARA »

Malware Bazar : MB - Malware

As the name suggests, this project is an all in one malware collection and analysis database, and supports some of the following
features:

Malware Samples Upload: Security analysts can upload their malware samples for analysis and build the intelligence
database. This can be done through the browser or an API.
Malware Hunting: Hunting for malware samples is possible through setting up alerts to match various elements such
as tags, signatures, YARA rules, ClamAV signatures and vendor detection.
FeeodoTracker : FT - Botnet

With this project, Abuse.ch is targeting to share intelligence on botnet Command & Control (C&C) servers associated with
Dridex, Emotes (aka Heodo), TrickBot, QakBot and BazarLoader/BazarBackdoor. This is achieved by providing a
database of the C&C servers that security analysts can search through and investigate any suspicious IP addresses they
have come across. Additionally, they provide various IP and IOC blocklists and mitigation information to be used to
prevent botnet infections.

Key Features of Feodo Tracker:

Botnet Tracking: Feodo Tracker monitors command-and-control (C2) servers used by botnets to communicate with
infected machines. These servers are crucial for attackers to control their malware remotely.
IP Blocklists: The tracker provides daily updated blocklists of malicious IP addresses associated with Feodo/Dridex
botnets. These blocklists help companies and security teams prevent their systems from communicating with known
malicious servers.
Historical Data: Feodo Tracker maintains a history of detected botnet C2 servers, allowing researchers to analyze past
botnet behavior and track trends over time.
Publicly Available Feeds: The tracker provides IP feeds that can be directly used by network administrators, ISPs, and
cybersecurity professionals to block access to known botnet servers, thus preventing infections or stopping active
malware communication.
Explore the 4 options highlighted to identify the deafferent fields available in it.

SSLBL Blacklist : SB - SSL

Abuse.ch developed this tool to identify and detect malicious SSL connections. From these connections, SSL certificates
used by botnet C2 servers would be identified and updated on a denylist that is provided for use. The denylist is also used
to identify JA3 fingerprints that would help detect and block malware botnet C2 communications on the TCP layer.

You can browse through the SSL certificates and JA3 fingerprints lists or download them to add to your deny list or threat
hunting rulesets.

Key Features of SSLBL:

Tracking Malicious SSL Certificates: SSLBL collects and lists SSL certificates used by malware, phishing sites, and
other malicious activities. It helps security professionals identify and block these certificates.
JA3 Fingerprinting: SSLBL also uses JA3 fingerprints to detect malicious SSL connections. JA3 fingerprints are
based on the unique characteristics of SSL/TLS handshakes, which can help identify malware even if it uses
encrypted connections.
IP Blocklists: SSLBL provides IP blocklists of servers hosting malicious SSL certificates. These blocklists can be used
to block access to these servers, thus preventing malware from communicating or spreading.
Malware Campaign Detection: The project is particularly focused on detecting SSL certificates used in malware
campaigns. It monitors domains and IP addresses tied to botnets and other malicious activities.
Explore the 4 options highlighted to identify the deafferent fields available in it.

Urlhaus : UH - Malicious Urls

As the name points out, this tool focuses on sharing malicious URLs used for malware distribution. As an analyst, you can
search through the database for domains, URLs, hashes and filetypes that are suspected to be malicious and validate your
investigations.

The tool also provides feeds associated with country, AS number and Top Level Domain that an analyst can generate
based on specific search needs.

Key Features of URLhaus:

Malware URL Tracking: URLhaus collects and lists URLs that are actively distributing malware. These URLs are often
submitted by security researchers, incident responders, and automated systems from around the world.
Threat Intelligence Feeds: URLhaus provides freely accessible feeds of malicious URLs. These feeds can be
integrated into security systems like firewalls, proxy servers, and email filters to automatically block malicious content.
Detailed Reports: Each URL entry includes detailed information, such as:
The type of malware being distributed (e.g., ransomware, trojans, etc.).
The hosting domain and IP address.
Metadata like the first and last seen dates, helping track when the threat was active.

Public Submissions: Anyone can submit new malware URLs to URLhaus, making it a community-driven effort. After
submission, the URLs are validated, and if confirmed to be malicious, they are added to the public database.
Historical Data: URLhaus maintains a historical archive of malware URLs, which is useful for understanding past
threats and analyzing trends.
ThreatFox : TF - IOC

ThreatFoxis another project by Abuse.ch that focuses on collecting and sharing indicators of compromise (IOCs) related to
malware, making it a key tool for cybersecurity professionals involved in threat detection and response. It is an open
platform where users can both submit and access a wide variety of threat data.

Key Features of ThreatFox:

Indicators of Compromise (IOCs): ThreatFox provides a large repository of IOCs, including malicious domains, IP
addresses, URLs, file hashes (e.g., MD5, SHA256), and more. These IOCs are critical for detecting and responding to
malware infections.
Crowdsourced Submissions: ThreatFox allows users to submit IOCs related to malware. These submissions are
validated and shared with the community, creating a constantly updated and growing threat intelligence database.
Free Access to Threat Data: All the IOCs on ThreatFox are freely accessible to the public. Cybersecurity professionals
can use this data to improve their defenses against active threats.
Threat Intelligence Feeds: ThreatFox provides real-time threat intelligence feeds that can be integrated into security
infrastructure (e.g., firewalls, intrusion detection systems, and SIEM platforms) to automatically block known threats.
YARAify : Yi

YARAif is a project by Abuse.ch focused on sharing YARA rules to detect and identify malware. YARA rules are a key part
of malware research and detection, allowing security teams to describe patterns of malicious behavior in files and network traffic.
YyARAify helps security professionals and researchers by providing a repository of community-contributed YARA rules that can be
used to improve malware detection.

Key Features of YARAify:

YARA Rules Repository: YARAify offers a collection of YARA rules that can be used to detect and classify malware.
These rules are contributed by the community and are specifically crafted to identify various malware families and
types of malicious behavior.
YARA Rule Submissions: Like other Abuse.ch projects, YARAify allows researchers and security professionals to
submit their own YARA rules to the platform. These rules are validated and then shared publicly to help others detect
malware more effectively.
Malware Detection and Classification: By using YARA rules from YARAify, security teams can enhance their detection
systems to automatically flag files and behaviors that match the patterns associated with known malware. This is
crucial for automated scanning, malware analysis, and incident response

3. PhishTool :
PhishTool seeks to elevate the perception of phishing as a severe form of attack and provide a responsive means of email security.
Through email analysis, security analysts can uncover email IOCs, prevent breaches and provide forensic reports that could be used
in phishing containment and training engagements.

The core features include:

Perform email analysis: PhishTool retrieves metadata from phishing emails and provides analysts with the relevant
explanations and capabilities to follow the email’s actions, attachments, and URLs to triage the situation.
Heuristic intelligence: PhishTool integrates with Open Source Intelligence (OSINT) sources to give analysts up-to-
date information about ongoing phishing threats. This intelligence allows them to track tactics, techniques, and
procedures (TTPs) used by attackers to evade security controls, helping to predict and mitigate future attacks more
effectively.
Classification and reporting: Phishing email classifications are conducted to allow analysts to take action quickly.
Additionally, reports can be generated to provide a forensic record that can be shared.

Additional features are available on the Enterprise version:

 Manage user-reported phishing events. Report phishing email findings back to users and
keep them engaged in the process. Email stack integration with Microsoft 365 and Google
Workspace.

So for experiment purpose i am taking an sample phishing email from Github Repo So we
choose smaple1.eml

Analysis Tab

Once uploaded, we are presented with the details of our email for a more in-depth look. Here, we have the following tabs:

Headers: Provides the routing information of the email, such as source and destination email addresses, Originating
IP and DNS addresses and Timestamp.
Received Lines: Details on the email traversal process across various SMTP servers for tracing purposes.
X-headers: These are extension headers added by the recipient mailbox to provide additional information about the
email.
Security: Details on email security frameworks and policies such as Sender Policy Framework (SPF), DomainKeys Identified
Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
 Attachments:Lists any file attachments found in the email.
Message URLs: Associated external URLs found in the email will be found here.

4. Cisco Talos Intelligence

IT and Cybersecurity companies collect massive amounts of information that could be used for threat analysis and
intelligence. Being one of those companies, Cisco assembled a large team of security practitioners called Cisco Talos to
provide actionable intelligence, visibility on indicators, and protection against emerging threats through data collected from
their products. The solution is accessible as Talos Intelligence.

Cisco Talos' Six Key Teams:

:
1. Threat Intelligence & Interdiction
Function: This team is responsible for quickly correlating and tracking threats to provide actionable intelligence.
They take Indicators of Compromise (IOCs) such as IP addresses, file hashes, and URLs, and enrich them
with context. This enables more accurate threat detection and allows security teams to respond to evolving
threats with a deeper understanding of the attack vectors.
Focus: Turning simple IOCs into context-rich intelligence that can be used to block and prevent attacks.
2. Detection Research:
Function: Focused on vulnerability research and malware analysis. This team works on creating detection rules,
signatures, and other content for Cisco’s security products to protect against known and unknown threats.
Focus: Writing detection signatures for intrusion detection systems (IDS), antivirus programs, and other security
tools based on ongoing analysis of threats.
3. Engineering & Development:
Function: Provides ongoing support for Cisco's inspection engines, keeping them updated with the latest
capabilities to identify, categorize, and triage new and emerging threats. They ensure that security tools remain
effective as the threat landscape evolves.
Focus: Developing and maintaining the core inspection engines used in Cisco’s security products.

4. Vulnerability Research & Discovery:

Function: This team collaborates with software and service vendors to discover and report vulnerabilities in their
products. They develop repeatable methodologies for vulnerability discovery, often leading to responsible
disclosure and patch development.
Focus: Identifying and reporting software and hardware vulnerabilities to vendors, ensuring security flaws are
addressed before they can be exploited by attackers.

5. Communities:
Function: This team is responsible for maintaining Talos' image in the cybersecurity community. They manage
open-source projects, participate in industry events, and engage with the community to promote collaboration
and knowledge-sharing.
Focus: Sustaining the reputation of Talos and fostering relationships within the open-source community.
6. Global Outreach:
Function: Focused on disseminating intelligence to Cisco’s customers and the broader security community. They
publish research, threat reports, and security advisories to help organizations stay informed about the latest
cyber threats and defensive strategies.
Focus: Sharing knowledge and insights through publications, blogs, reports, and presentations to increase
awareness and understanding of emerging cyber threats.

More information about Cisco Talos can be found on their White Paper
Talos Dashboard :

Vulnerability Research: Disclosed and zero-day vulnerability reports marked with CVE numbers and CVSS scores.
Details of the vulnerabilities reported are provided when you select a specific report, including the timeline taken to get
the report published. Microsoft vulnerability advisories are also provided, with the applicable snort rules that can be
used.
Intelligence Center: Provides access to searchable threat data related to IPs and files using their SHA256 hashes.
Analysts would rely on these options to conduct their investigations. Additional email and spam data can be found
under the Email & Spam Data tab.

Cisco Talos Attack Map :

[Attack Map]((https://talosintelligence.com/ebc_spam)

This map shows an overview of email traffic with indicators of whether the emails are legitimate, spam or malware across
numerous countries. Clicking on any marker, we see more information associated with IP and hostname addresses, volume
on the day and the type.
Open-CTI :

OpenCTI is another open-sourced platform designed to provide organisations with the means to manage CTI through the
storage, analysis, visualisation and presentation of threat campaigns, malware and IOCs.
The platform's main objective is to create a comprehensive tool that allows users to capitalise on technical and non-
technical information while developing relationships between each piece of information and its primary source.
The platform can use the MITRE ATT&CK framework to structure the data. Additionally, it can be integrated with other
threat intel tools such as MISP and TheHive.

OpenCTI helps organizations manage cyber threat intelligence by collecting, structuring, and analyzing data from various
sources, visualizing relationships between threats, and enabling better-informed decisions. Its graph-based approach and
STIX2 compliance make it easy to share intelligence and gain deep insights into threats.
OpenCTI Data Model :

OpenCTI uses a variety of knowledge schemas in structuring data, the main one being the Structured Threat Information
Expression (STIX2) standards. STIX is a serialised and standardised language format used in threat intelligence exchange.
It allows for the data to be implemented as entities and relationships, effectively tracing the origin of the provided
information.

This data model is supported by how the platform's architecture has been laid out.

The highlight services include:

GraphQL API: The API connects clients to the database and the messaging system.
Write workers: Python processes utilised to write queries asynchronously from the RabbitMQ messaging system.
Connectors: Another set of Python processes used to ingest, enrich or export data on the platform. These connectors
provide the application with a robust network of integrated systems and frameworks to create threat intelligence
relations and allow users to improve their defence tactics.

According to OpenCTI, connectors fall under the following classes:

Type Description Examples

EXTERNAL_IMPORT Pull data from remote sources, convert it to STIX2 MITRE Datasets, MISP, CVE,
and insert it on the OpenCTI platform. AlienVault, Mandiant, etc.
INTERNAL_ENRICHMENT Listen for new OpenCTI entities or users requests, Shodan, DomainTools, IpInfo,
pull data from remote sources to enrich. etc.
INTERNAL_IMPORT_FILE Extract data from files uploaded on OpenCTI trough STIX 2.1, PDF, Text, HTML, etc.
the UI or the API.
STIX 2.1, CSV, PDF, etc.
INTERNAL_EXPORT_FILE Generate export from OpenCTI data, based on a
single object or a list.
Consume a platform data stream an do something
STREAM Splunk, Elastic Security, Q-
with events.
Radar, etc.

For more details on configuring connectors and the data schema you can visit the OpenCTI Documentation.

open CTI Dashboard :

The OpenCTI categorises and presents entities under the Activities and Knowledge groups on the left-side panel. The
activities section covers security incidents ingested onto the platform in the form of reports. It makes it easy for analysts to
investigate these incidents. In contrast, the Knowledge section provides linked data related to the tools adversaries use,
targeted victims and the type of threat actors and campaigns used.

Analysis

The Analysis tab contains the input entities in reports analysed and associated external references. Reports are central to
OpenCTI as knowledge on threats and events are extracted and processed. They allow for easier identification of the
source of information by analysts. Additionally, analysts can add their investigation notes and other external resources for
knowledge enrichment.

Events
Security analysts investigate and hunt for events involving suspicious and malicious activities across their organisational
network. Within the Events tab, analysts can record their findings and enrich their threat intel by creating associations for
their incidents.

Observations

Technical elements, detection rules and artefacts identified during a cyber attack are listed under this tab: one or several
identifiable makeup indicators. These elements assist analysts in mapping out threat events during a hunt and perform
correlations between what they observe in their environments against the intel feeds.

See Image.
Threats

All information classified as threatening to an organisation or information would be classified under threats. These will
include:
Threat Actors: An individual or group of attackers seeking to propagate malicious actions against a target.
Intrusion Sets: An array of TTPs, tools, malware and infrastructure used by a threat actor against targets who share
some attributes. APTs and threat groups are listed under this category on the platform due to their known pattern of
actions.
Campaigns: Series of attacks taking place within a given period and against specific victims initiated by advanced
persistent threat actors who employ various TTPs. Campaigns usually have specified objectives and are orchestrated
by threat actors from a nation-state, crime syndicate or other disreputable organisation.

Arsenal

This tab lists all items related to an attack and any legitimate tools identified from the entities.

Malware: Known and active malware and trojan are listed with details of their identification and mapping based on the
knowledge ingested into the platform. In our example, we analyse the 4H RAT malware and we can extract
information and associations made about the malware.
Attack Patterns: Adversaries implement and use different TTPs to target, compromise, and achieve their objectives.
Here, we can look at the details of the Command-Line Interface and make decisions based on the relationships
established on the platform and navigate through an investigation associated with the technique.
Courses of Action: MITRE maps out concepts and technologies that can be used to prevent an attack technique
from being employed successfully. These are represented as Courses of Action (CoA) against the TTPs.
Tools: Lists all legitimate tools and services developed for network maintenance, monitoring and management.
Adversaries may also use these tools to achieve their objectives. For example, for the Command-Line Interface attack
pattern, it is possible to narrow down that CMD would be used as an execution tool. As an analyst, one can investigate
reports and instances associated with the use of the tool.
Vulnerabilities: Known software bugs, system weaknesses and exposures are listed to provide enrichment for what
attackers may use to exploit and gain access to systems. The Common Vulnerabilities and Exposures (CVE) list
maintained by MITRE is used and imported via a connector.
Entities

This tab categorises all entities based on operational sectors, countries, organisations and individuals. This information
allows for knowledge enrichment on attacks, organisations or intrusion sets.

Overview Tab: Provides the general information about an entity being analysed and investigated. In our case, the
dashboard will present you with the entity ID, confidence level, description, relations created based on threats,
intrusion sets and attack patterns, reports mentioning the entity and any external references.
Knowledge Tab: Presents linked information associated with the entity selected. This tab will include the
associated reports, indicators, relations and attack pattern timeline of the entity. Additionally, an analyst can view
fine-tuned details from the tabs on the right-hand pane, where information about the threats, attack vectors,
events and observables used within the entity are presented.
 Analysis Tab: Provides the reports where the identified entry has been seen. The analysis provides usable
information about a threat and guides investigation tasks.
Indicators Tab: Provides information on IOC identified for all the threats and entities.
Data Tab: Contains the files uploaded or generated for export that are related to the entity. These assist in
communicating information about threats being investigated in either technical or non-technical formats.
History Tab: Changes made to the element, attributes, and relations are tracked by the platform worker and this tab
will outline the changes.

MISP :

MISP - MALWARE INFORMATION SHARING PLATFORM is an open-source threat information platform that facilitates
the collection, storage and distribution of threat intelligence and Indicators of Compromise (IOCs) related to malware, cyber
attacks, financial fraud or any intelligence within a community of trusted members.

MISP is effectively useful for the following use cases:

Malware Reverse Engineering: Sharing of malware indicators to understand how different malware families function.
Security Investigations: Searching, validating and using indicators in investigating security breaches.
Intelligence Analysis: Gathering information about adversary groups and their capabilities.
Law Enforcement: Using Indicators to support forensic investigations.
Risk Analysis: Researching new threats, their likelihood and occurrences.
Fraud Analysis: Sharing of financial indicators to detect financial fraud.

MISP provides the following core functionalities:

IOC database: This allows for the storage of technical and non-technical information about malware samples,
incidents, attackers and intelligence.
 Automatic Correlation: Identification of relationships between attributes and indicators from malware, attack
campaigns or analysis.
Data Sharing: This allows for sharing of information using different models of distributions and among
different MISP instances.
Import & Export Features: This allows the import and export of events in different formats to integrate other systems
such as NIDS, HIDS, and OpenIOC.
Event Graph: Showcases the relationships between objects and attributes identified from events.
API support: Supports integration with own systems to fetch and export events and intelligence.

The following terms are commonly used within MISP and are related to the functionalities described above and the general
usage of the platform:

Events: Collection of contextually linked information.

Attributes: Individual data points associated with an event, such as network or system indicators.
Objects: Custom attribute compositions.
Object References: Relationships between different objects.
Sightings: Time-specific occurrences of a given data point or attribute detected to provide more credibility.
Tags: Labels attached to events/attributes.
Taxonomies: Classification libraries are used to tag, classify and organise information.
Galaxies: Knowledge base items used to label events/attributes.
Indicators: Pieces of information that can detect suspicious or malicious cyber activity.

Dashboard
The analyst's view of MISP provides you with the functionalities to track, share and correlate events and IOCs identified
during your investigation. The dashboard's menu contains the following options, and we shall look into them further:

Home button: Returns you to the application's start screen, the event index page or the page set as a custom home
page using the star in the top bar.
Event Actions: All the malware data entered into MISP comprises an event object described by its connected
attributes. The Event actions menu gives access to all the functionality related to the creation, modification, deletion,
publishing, searching and listing of events and attributes.
Dashboard: This allows you to create a custom dashboard using widgets.
Galaxies: Shortcut to the list of MISP Galaxies on the MISP instance. More on these on the Feeds & Taxonomies
Task.
Input Filters: Input filters alter how users enter data into this instance. Apart from the basic validation of attribute entry by
type, the site administrators can define regular expression replacements and blocklists for specific values and block
 certain values from being exportable. Users can view these replacement and blocklist rules here, while an
administrator can alter them.
Global Actions: Access to information about MISP and this instance. You can view and edit your profile, view the
manual, read the news or the terms of use again, see a list of the active organisations on this instance and a
histogram of their contributions by an attribute type.
MISP: Simple link to your baseurl.
Name: Name (Auto-generated from Mail address) of currently logged in user.
Envelope: Link to User Dashboard to consult some of your notifications and changes since the last visit. Like some of
the proposals received for your organisation.
Log out: The Log out button to end your session immediately.

Event Management :
The Event Actions tab is where you, as an analyst, will create all malware investigation correlations by providing
descriptions and attributes associated with the investigation. Splitting the process into three significant phases, we have:

Event Creation.
Populating events with attributes and attachments.
Publishing.

Event Creation :
In the beginning, events are a storage of general information about an incident or investigation. We add the description,
time, and risk level deemed appropriate for the incident by clicking the Add Event button. Additionally, we specify the
distribution level we would like our event to have on the MISP network and community. According to MISP, the following
distribution options are available:

Your organisation only: This only allows members of your organisation to see the event.
This Community-only: Users that are part of your MISP community will be able to see the event. This includes your
organisation, organisations on this MISP server and organisations running MISP servers that synchronise with this
server.
 Connected communities: Users who are part of your MISP community will see the event, including all organisations
on this MISP server, all organisations on MISP servers synchronising with this server, and the hosting organisations of
servers that are two hops away from this one.
All communities: This will share the event with all MISP communities, allowing the event to be freely propagated from
one server to the next.
Additionally, MISP provides a means to add a sharing group, where an analyst can define a predefined list of
organisations to share events.

Lets go to Populate From > Phishing E-mail

Event details can also be populated by filling out predefined fields on a defined template, including adding attributes to the
event. We can use the email details of the CobaltStrike investigation to populate details of our event. We will be using
the Phishing E-mail category from the templates.

we can add the required details by going to https://www.malware-traffic-analysis.net/2022/03/01/index.html , and

downloading the attached files and analyzing the .eml file and test it on "app.phishtool.com" or we can just read the IOC for
information.
Attributes & Attachments

Attributes can be added manually or imported through other formats such as OpenIOC and ThreatConnect. To add them
manually, click the Add Attribute and populate the form fields.

Some essential options to note are:

For Intrusion Detection System: This allows the attribute to be used as an IDS signature when exporting
the NIDS data unless it overrides the permitted list. If not set, the attribute is considered contextual information and not
used for automatic detection.
Batch import: If there are several attributes of the same type to enter (such as a list of IP addresses, it is possible to
join them all into the same value field, separated by a line break between each line. This will allow the system to
create separate lines for each attribute.

The analyst can also add file attachments to the event. These may include malware, report files from external analysis or
simply artefacts dropped by the malware. You can have the Cobalt Strike EXE binary file from the link given before. You
also have to check the Malware checkbox to mark the file as malware. This will ensure that it is zipped and passworded to
protect users from accidentally downloading and executing the file.
Uploading the Cobalt Strike.exe.bin file.
Context should be : cobalit strike binary file.

Publish Event

Once the analysts have created events, the organisation admin will review and publish those events to add them to the pool
of events. This will also share the events to the distribution channels set during the creation of the events.

EVENT Creation Output on Dashboard : Link

Feeds

Feeds are resources that contain indicators that can be imported into MISP and provide attributed information about
security events. These feeds provide analysts and organisations with continuously updated information on threats and
adversaries and aid in their proactive defence against attacks.

MISP Feeds provide a way to:

Exchange threat information.

Preview events along with associated attributes and objects.
Select and import events to your instance.
Correlate attributes identified between events and feeds.

Feeds are enabled and managed by the Site Admin for the analysts to obtain information on events and indicators.
Taxonomies
taxonomies
Event Actiions > List Taxonomies

A taxonomy is a means of classifying information based on standard features or attributes. On MISP, taxonomies are used
to categorise events, indicators and threat actors based on tags that identify them.

Analysts can use taxonomies to:

Set events for further processing by external tools such as VirusTotal.

Ensure events are classified appropriately before the Organisation Admin publishes them.
Enrich intrusion detection systems' export values with tags that fit specific deployments.

Taxonomies are expressed in machine tags, which comprise three vital parts:

Namespace: Defines the tag's property to be used.

Predicate: Specifies the property attached to the data.
Value: Numerical or text details to map the property.

Taxonomies Dashboard :
Tagging
Information from feeds and taxonomies, tags can be placed on events and attributes to identify them based on the
indicators or threats identified correctly. Tagging allows for effective sharing of threat information between users,
communities and other organisations using MISP to identify various threats.

In our CobaltStrike event example, we can add tags by clicking on the buttons in the Tags section and searching from the
available options appropriate to the case. The buttons represent global tags and local tags, respectively. It is also important
to note that you can add your unique tags to your MISP instance as an analyst or organisation that would allow you to
ingest, navigate through and share information quickly within the organisation.

Tagging Best Practices

Tagging at Event level vs Attribute Level

Tags can be added to an event and attributes. Tags are also inheritable when set. It is recommended to set tags on the
entire event and only include tags on attributes when they are an exception from what the event indicates. This will provide
a more fine-grained analysis.

The minimal subset of Tags

The following tags can be considered a must-have to provide a well-defined event for distribution:

Traffic Light Protocol: Provides a colour schema to guide how intelligence can be shared.
Confidence: Provides an indication as to whether or not the data being shared is of high quality and has been vetted
so that it can be trusted to be good for immediate usage.
Origin: Describes the source of information and whether it was from automation or manual investigation.
Permissible Actions Protocol: An advanced classification that indicates how the data can be used to search for
compromises within the organisation.

THM Task 5 PoC : Link

Additional Resources :

MISP Book
MISP GitHub
CIRCL MISP Training Module 1
[CIRCL MISP Training Module 2](https://www.youtube.com/watch?v=Jqp8CVHtNVk

Dataview (inline field '='): Error:

-- PARSING FAILED --------------------------------------------------

> 1 | =
| ^

Expected one of the following:

'(', 'null', boolean, date, duration, file link, list ('[1, 2, 3]'), negated field,
number, object ('{ a: 1, b: 2 }'), string, variable