Blue Team Fundamentals Module 03

The document provides an overview of Cyber Threat Intelligence (CTI), emphasizing its role in analyzing and responding to cybersecurity threats. It discusses various sources of threat intelligence, including human, technical, and internal sources, and outlines the hierarchy and collaboration among threat intelligence teams. Additionally, it highlights the evolving cyber threat landscape, common attack types, and the distinction between Indicators of Compromise (IoC) and Indicators of Attack (IoA).


CYBERWARFARE LABS

Blue Team Fundamentals
Module : 03 | CYBER THREAT ANALYSIS AND INTELLIGENCE

FOUNDATIONS OF CYBER THREAT ANALYSIS AND INTELLIGENCE

INTRODUCTION TO THREAT ANALYSIS AND INTELLIGENCE

● Cyber Threat Analysis is technically termed Threat Intelligence in an IT enterprise; its practitioners act as the first line of defenders against any cyber attack.
● Cyber Threat Intelligence (CTI) refers to the knowledge and information that an organization gathers, analyzes, and applies to understand and respond to cybersecurity threats.

Topics covered in this module:
● General overview of CTI
● Common sources of CTI
● Cyber Threat Landscape
● Introduction to Threat Intel Portal | TIP
● Pyramid of Pain
● IOC Vs IOA
General overview of Threat Intelligence

General overview of Cyber Threat Intelligence

Cyber Threat Intelligence (CTI) refers to the process of collecting, analysing, and distributing information related to potential and ongoing cyber threats.

The goal of CTI is to provide organizations with actionable insights to understand, detect, and mitigate emerging cyber threats.

By employing a comprehensive cyber threat intelligence strategy, organizations can enhance their defensive posture and respond effectively to emerging threats.

This involves a combination of automated tools, skilled analysts, and a collaborative approach to information sharing within the cybersecurity community.
General overview of Threat Intelligence

The general hierarchy of threat intel is made up of Tier 1, Tier 2 and Tier 3 Security Analysts working under the guidance of a Threat Intel Manager.

The hierarchy for a Threat Intelligence Analyst typically involves different levels of expertise and responsibility:

● Threat Intel Manager
● Security Analyst (Tier 3)
● Security Analyst (Tier 2)
● Security Analyst (Tier 1)
General overview of Threat Intelligence

Threat Intelligence teams generally operate under a general shift to:
● Collect and analyze data from various sources
● Develop and refine indicators of compromise (IoCs)
● Contribute to the enhancement of threat intelligence processes

Threat Intelligence often involves collaboration with several other security teams, such as SOC, Incident Response, and Forensics, to identify and determine the criticality and the various patterns of threats.
Working of Threat Intelligence
Common sources of Threat Intelligence

● Cyber threat intelligence can be gathered and accumulated from various common sources, including:
○ Internal Source
○ Technical Source
○ Human Source

Collecting intel from various sources typically gives high visibility and keeps the team updated on emerging cyber attacks.
Human Source

Human source-based threat intelligence involves gathering information about potential cybersecurity threats from human intelligence sources.

This can include insights from individuals who have direct knowledge of or involvement in threat activities, as well as information obtained through social engineering, open-source intelligence (OSINT), and other human-centric methods.

Below are some commonly used methods for gathering intelligence from human sources:
1. Social Media
2. Dark-Web
3. Forums
Human Source : Social Media

Social media based threat intelligence generally involves actively monitoring social media platforms to collect emerging threat data. This can include text-based posts, images, videos, and other content shared by users.

Reference: https://t.co/69neYcD0mH
Human Source : Dark-Web

On Dark Web forums, cyber criminals usually discuss and share various topics.

These discussions generally provide valuable threat intelligence and clues about how cyber attacks are carried out.

The dark web is a challenging network that requires specialized skills, expertise, and extensive knowledge of sources to gather threat intelligence.
Threat Intel Working : Phase 01

Threat Intel Working : Phase 02

Data, Information & Intelligence

Understanding this hierarchy helps organizations build effective CTI programs, from collecting raw data to producing actionable intelligence.

Threat Intel Working : Phase 03

Converting RAW Data to Intelligence
Raw Data to Intelligence

Converting raw data into cyber threat intelligence involves a structured process to analyze and contextualize information, providing actionable insights for decision-making and threat mitigation.

Converting RAW Data to Intelligence

While investigating a suspected file, the malware analyst has extracted and uploaded the hash of the reported file.

This extracted hash needs to be processed and analysed to produce better intel. Let us quickly perform an analysis to convert the RAW data into valuable intel.
Introduction to Threat Intel Portal

Cyber Threat Landscape
Cyber Threat Landscape

The cyber threat landscape is constantly evolving through technological advancements and newly emerging attack vectors.

Many cyber security companies such as Kaspersky, Mandiant and CrowdStrike constantly monitor such threat activity and publish detailed reports.

Below are some traditional parts of the threat landscape:
1. Ransomware
2. APT targeted attacks
3. Supply chain attack
4. Phishing and Social Engineering
Ransomware

Ransomware is generally a type of malicious software intentionally designed to restrict access to files until a huge ransom of money has been paid.

This type of malware often encrypts the victim's files, making them inaccessible, and then demands payment, usually in cryptocurrencies, in exchange for the decryption key.
APT targeted attacks

Advanced Persistent Threats (APTs) continue to pose significant challenges for many organizations; they possess a high-level skill set to bypass modern defensive systems.

Generally these attackers maintain unauthorized access to a target over an extended period.
Supply chain attack

In recent trends, attackers have started targeting supply chain based exploits to compromise an organisation's infrastructure.

As per the stats, 66% of attacks are typically targeted through supply chain based attacks.
Phishing and Social Engineering

A commonly used technique to extract sensitive credential information, including usernames, passwords, etc. This particular technique generally impersonates a legitimate login page, which lures the victim into entering their sensitive credentials.
Pyramid of Pain

Pyramid of Pain

The Pyramid of Pain was created by a security professional, David J Bianco, in the year 2013.

This particular conceptual model is often considered an effective use of Cyber Threat Intelligence.
Hashing Algorithm

Hashing plays a vital role in various aspects of cybersecurity defense. Here are some ways in which hashing is used for cyber defense:

Many defensive solutions use hash values to identify known malware, by comparing file hashes against various intel databases of known malicious hashes.

Common Challenges of hash based detection

Hash-based indicators are generally the most accurate of all indicator types, because the chance of two different files having the same hash value is extremely low. However, it is easy for the adversary to modify the file content, and the hash of the file then changes automatically.

Commonly used hashing algorithms:
● MD5 (Message Digest Algorithm 5)
● SHA-256 (Secure Hash Algorithms 256)
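As an added example (not part of the original slides), this covers both the hash-processing exercise in Converting RAW Data to Intelligence and the hash-based detection challenge above: the file bytes and the intel database are constructed, and the function names are assumptions.

```python
import hashlib

# Constructed sample standing in for the reported file (not real malware).
SAMPLE_FILE = b"MZ\x90\x00constructed-sample-payload"

# Constructed intel database keyed by SHA-256. The values are the context
# that turns a bare hash (raw data) into intelligence (what it is, what to do).
INTEL_DB = {
    hashlib.sha256(SAMPLE_FILE).hexdigest(): {
        "family": "Constructed.Ransomware.Sample",
        "severity": "high",
        "action": "quarantine host and block hash on EDR",
    }
}


def file_hashes(data: bytes) -> dict:
    """Raw data: MD5 and SHA-256 digests of the file bytes, as an analyst
    would extract them from a suspected file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def enrich(hashes: dict, db: dict = INTEL_DB) -> dict:
    """Information to intelligence: attach context and a decision to the hash."""
    hit = db.get(hashes["sha256"])
    if hit is None:
        return {**hashes, "verdict": "unknown", "action": "sandbox for analysis"}
    return {**hashes, "verdict": "known-malicious", **hit}


def evades_hash_match(data: bytes, db: dict = INTEL_DB) -> bool:
    """The Pyramid of Pain challenge: appending a single byte yields a new
    hash that no longer matches the database, although the payload is the same."""
    modified = data + b"\x00"
    return enrich(file_hashes(modified), db)["verdict"] == "unknown"


if __name__ == "__main__":
    print(enrich(file_hashes(SAMPLE_FILE)))
    print("one-byte change evades hash IOC:", evades_hash_match(SAMPLE_FILE))
```

The second print is why hashes sit at the bottom of the pyramid: the indicator is exact, but the adversary can invalidate it for free.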
IP Address

Defending against cyber threats often involves identifying malicious or suspicious IP addresses; IP-based defense plays a significant role in safeguarding against many cyber attacks.

IP addresses are considered a fundamental indicator.
Common Challenges of IP based detection

The adversary can easily impersonate or modify the IP address using various tools and techniques, including VPNs and proxies.

Using such techniques the adversary can mask the real IP address, allowing users to appear as if they are connecting from different locations.
Domain / URL

Domains and URLs (Uniform Resource Locators) are integral components of the internet, serving as the addresses for accessing websites and online resources.

Common Challenges of Domain / URL based detection

Compared to changing an IP address, changing a domain or URL is a bit more complex, but it is still possible.

Let us assume a scenario where the malicious domain gets blacklisted. In such a case the attacker can quickly shift their operations to a newly registered domain, maintaining continuity in their malicious activities with minimal disruption.
Host/Network Artifact

In general, a network artifact is produced as the result of some network activity, while a host artifact is produced as the result of some activity on a host machine.

When an attacker executes malware it typically results in modifications to the host, including registry keys, dropped files, etc.

Common Challenges of Host/Network Artifact based detection

Modifying or restructuring network/host based artifacts is comparatively harder than the indicators above. Let us assume a scenario where a malicious script created by an adversary creates a scheduled task on the host machine: if the detection team can successfully identify such activity, the adversary needs to restructure the entire flow, and modifying that flow is comparatively difficult.
Tools

The success rate of an attack mostly depends on the various malicious tools used by the adversaries.

In general, attackers typically use various software tools and platforms to carry out attacks (such as backdoors or password crackers).

Common Challenges of Tool based detection

In the majority of cases cyber defenders can easily pinpoint the activity if it is carried out with a tool-centric approach; it can be detected easily by various EDR and XDR solutions.

In such cases the attacker needs to come up with a plan for custom tools, which is generally a challenging task for adversaries because it demands extensive knowledge, effort, and resources.
TTP's

In a major compromise, adversaries follow a unique set of Tactics, Techniques and Procedures to successfully intrude into an organisation's infrastructure.

If an adversarial team is planning a compromise, it typically involves years and months of planning their entire operation, including their TTPs.

Common Challenges of TTP based detection

In the case of cyber defence, the majority of organisations have implemented baseline detection.

But if an organization's defences are built to detect the TTPs of adversaries, it becomes a huge trouble for the adversaries to come up with new Tactics, Techniques and Procedures for their exploit.
IOC Vs IOA

Indicator Of Compromise

An IOC is generally considered a historical, record-based identification of a security incident.

IOCs typically include:
● Filename
● File hashes
● Malicious IP addresses used for C2 communication or other malicious activity

IOCs are generally considered key evidence which helps the investigator identify malicious activity.

Indicator Of Attack

An IOA is generally considered real-time detection of security attacks and incidents; it is also termed a behaviour-based indicator.

IOAs typically include:
● Behavioral Analysis
● Tactic, Technique and Procedure

IOA follows a reactive approach for identifying and detecting cyber attacks.
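As an added example (not from the original slides), the two indicator types side by side over constructed endpoint telemetry: the IOC check matches a known C2 address from a past incident, while the IOA check flags the behaviour described under Host/Network Artifact, a script host creating a scheduled task. The log lines, the C2 address and the function names are all constructed assumptions.

```python
import re

# Constructed telemetry, one key=value event per line (not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=ws01 event=netconn image=chrome.exe dst=203.0.113.5:443
2024-05-01T10:00:07Z host=ws01 event=proc_start parent=winword.exe image=wscript.exe cmdline="wscript.exe C:\\Users\\Public\\inv.vbs"
2024-05-01T10:00:09Z host=ws01 event=proc_start parent=wscript.exe image=schtasks.exe cmdline="schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\inv.vbs"
2024-05-01T10:00:12Z host=ws01 event=netconn image=wscript.exe dst=198.51.100.23:443
2024-05-01T10:05:00Z host=ws02 event=proc_start parent=explorer.exe image=schtasks.exe cmdline="schtasks.exe /query"
"""

# IOC: an atomic, historical indicator (constructed C2 address from a past incident).
C2_IPS = {"198.51.100.23"}

# IOA: a behaviour, independent of any address or hash.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Split a telemetry line into a dict; quoted values keep their spaces."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for key, value in KV.findall(rest):
        event[key] = value.strip('"')
    return event


def ioc_hits(log: str) -> list:
    """IOC matching: network events whose destination is a known C2 address."""
    hits = []
    for ev in map(parse, log.splitlines()):
        if ev.get("event") == "netconn" and ev["dst"].rsplit(":", 1)[0] in C2_IPS:
            hits.append((ev["ts"], ev["host"], ev["image"], ev["dst"]))
    return hits


def ioa_hits(log: str) -> list:
    """IOA matching: a script interpreter creating a scheduled task."""
    hits = []
    for ev in map(parse, log.splitlines()):
        if (ev.get("event") == "proc_start" and ev.get("image") == "schtasks.exe"
                and ev.get("parent") in SCRIPT_HOSTS
                and "/create" in ev.get("cmdline", "").lower()):
            hits.append((ev["ts"], ev["host"], ev["parent"], ev["cmdline"]))
    return hits
```

If the adversary moves to a new C2 address the IOC rule goes silent, while the IOA rule still fires on the same persistence behaviour, which is the Pyramid of Pain argument in practice.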
Thank You
For Professional Red Team / Blue Team / Purple Team / Cloud Cyber Range labs / Trainings, please contact

support@cyberwarfare.live
To know more about our offerings, please visit: https://cyberwarfare.live
