Threat Intelligence
IOC management, threat feeds, STIX/TAXII, and threat hunting.
Overview
Threat intelligence is evidence-based knowledge about adversaries (their infrastructure, tooling, and behaviour) that has been collected, analysed, and delivered in a form a defender can act on: blocking, detecting, prioritising, or hunting. Raw feed data that nobody has assessed for relevance or confidence is not intelligence yet.
Intelligence Types
| Type | Audience | Focus |
|---|---|---|
| Strategic | Executives, risk owners | Long-term trends, adversary motivation, business risk |
| Tactical | Security architects, detection engineers | Adversary TTPs (ATT&CK techniques) and how to detect or disrupt them |
| Operational | SOC analysts, incident responders | Specific campaigns and attacks in progress against your sector or organisation |
| Technical | Analysts, automated controls | Atomic IOCs (addresses, domains, hashes) with a short shelf life |
Indicators of Compromise
An IOC is a concrete, machine-matchable artefact of an intrusion. Atomic indicators such as addresses, domains and hashes are the cheapest for an adversary to change, so they age quickly and should be paired with the TTP-level detections described under Threat Hunting below.
```python
# IOC types, grouped by the field an indicator is matched against.
# The values are placeholders: the addresses below are RFC 1918 private
# space, which would never identify external attacker infrastructure.
iocs = {
    "ip_addresses": ["10.0.0.1", "192.168.1.100"],
    "domains": ["malicious.com", "evil.org"],
    "hashes": {  # keyed by algorithm; prefer SHA-256, keep MD5 only for legacy feeds
        "md5": "abc123...",
        "sha256": "def456..."
    },
    "urls": ["http://malicious.com/payload"],
    "email_addresses": ["attacker@evil.com"]
}
```
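The dictionary above holds hand-typed values; in practice indicators arrive defanged in reports and need normalising and typing before they can be loaded anywhere. As an added example (not code from the original page), the stdlib-only extractor below refangs a constructed analyst note, classifies each indicator by type, and filters out private-range addresses like the ones above, which in a blocklist would only stop internal traffic. The sample text, hostnames and addresses are constructed; 198.51.100.0/24 is the TEST-NET-2 documentation range standing in for a public address.

```python
import ipaddress
import re

# Constructed sample text (not a real report): a defanged analyst note with
# a mix of IOC types. 198.51.100.0/24 is the TEST-NET-2 documentation range,
# used here as a stand-in for a public address; 10.0.0.1 is RFC 1918.
REPORT = """\
C2 beacon seen to hxxp://malicious[.]com/payload and 198[.]51[.]100[.]23:443.
Second-stage host update[.]evil[.]org; lab sandbox gateway was 10[.]0[.]0[.]1.
Dropper sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,
loader md5 d41d8cd98f00b204e9800998ecf8427e, phishing from attacker@evil[.]org.
"""

# Ordered so that broader patterns consume their span before narrower ones
# (a URL before the domain inside it, an email before its domain part).
PATTERNS = [
    ("url", re.compile(r"https?://[^\s'\"<>]+")),
    ("email", re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("sha1", re.compile(r"\b[0-9a-f]{40}\b", re.I)),
    ("md5", re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("ipv4", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
)]


def refang(text: str) -> str:
    """Undo common defanging conventions so the extractors see real syntax."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"\[@\]|\(@\)", "@", text)
    text = re.sub(r"\[:\]", ":", text)
    return re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.I)


def extract_iocs(text: str) -> dict:
    """Refang, then classify every indicator in the text by type."""
    text = refang(text)
    found = {}
    for kind, rx in PATTERNS:
        for m in rx.finditer(text):
            value = m.group(0)
            found.setdefault(kind, []).append(value if kind == "url" else value.lower())
        # Blank out consumed spans so a later, broader pattern cannot re-match them.
        text = rx.sub(lambda m: " " * len(m.group(0)), text)
    return found


def is_internal(addr: str) -> bool:
    """True for addresses that cannot be an external adversary's infrastructure."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def actionable_ipv4(addrs: list) -> list:
    """Drop RFC 1918/loopback/link-local hits: in a feed they are usually
    placeholders or sandbox artefacts, and blocking them breaks internal traffic."""
    return [a for a in addrs if not is_internal(a)]


if __name__ == "__main__":
    iocs = extract_iocs(REPORT)
    for kind, values in iocs.items():
        print(f"{kind:7} {values}")
    print("blockable IPv4:", actionable_ipv4(iocs.get("ipv4", [])))
```

The blanking step is what keeps the output clean: without it the domain pattern would also report malicious.com from inside the URL and evil.org from inside the email address, and a downstream blocklist would end up with duplicates of lower precision.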
STIX/TAXII
STIX 2.1 is the JSON data model (indicators, malware, threat actors, relationships, observables); TAXII 2.1 is the HTTPS API used to publish and pull STIX bundles from named collections. A minimal STIX 2.1 Indicator looks like this. The id must be the string indicator-- followed by a UUID, timestamps are UTC with millisecond precision and a Z suffix, and the pattern is written in the STIX patterning language (the private address here is a placeholder):
```json
{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--uuid",
  "created": "2024-01-15T00:00:00.000Z",
  "modified": "2024-01-15T00:00:00.000Z",
  "name": "Malicious IP",
  "description": "Known C2 server",
  "indicator_types": ["malicious-activity"],
  "pattern": "[ipv4-addr:value = '10.0.0.1']",
  "pattern_type": "stix",
  "valid_from": "2024-01-15T00:00:00.000Z"
}
```
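The object above is hand-written. As an added example (not code from the page, the STIX specification or any STIX library), the following stdlib-only code builds STIX 2.1 Indicators with a well-formed id and timestamps from (type, value) pairs, then compiles the single-comparison subset of their patterns into a lookup table and runs it over constructed telemetry. FIELD_MAP, the hostnames and the event records are assumptions made for the demo; anything beyond a single equality comparison is deliberately left to a real pattern engine.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# STIX Cyber-observable type and property used in the pattern for each IOC
# kind. Hash keys come from the STIX hash-algorithm vocabulary; 'SHA-256'
# must be quoted inside a pattern because of the hyphen.
OBSERVABLE = {
    "ipv4": ("ipv4-addr", "value"),
    "domain": ("domain-name", "value"),
    "url": ("url", "value"),
    "email": ("email-addr", "value"),
    "md5": ("file", "hashes.MD5"),
    "sha256": ("file", "hashes.'SHA-256'"),
}


def stix_timestamp(dt=None):
    """STIX 2.1 timestamp: UTC, millisecond precision, 'Z' suffix."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_indicator(kind, value, name, description, created=None):
    """Build a STIX 2.1 Indicator SDO with a properly formed id."""
    obj_type, prop = OBSERVABLE[kind]
    ts = stix_timestamp(created)
    literal = value.replace("\\", "\\\\").replace("'", "\\'")  # pattern string escaping
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",  # 'indicator--' + UUIDv4
        "created": ts,
        "modified": ts,
        "name": name,
        "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[{obj_type}:{prop} = '{literal}']",
        "pattern_type": "stix",
        "valid_from": ts,
    }


# Only the single-comparison subset of the STIX patterning language is handled.
SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+):([\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\]$")


def compile_lookup(indicators):
    """Turn simple equality patterns into an exact-match table keyed by
    (observable type, property, value). Patterns using AND/OR/FOLLOWEDBY,
    WITHIN, REPEATS or MATCHES need a real pattern engine and are skipped."""
    table = {}
    for ind in indicators:
        m = SIMPLE_PATTERN.match(ind["pattern"])
        if not m:
            continue
        obj_type, prop, literal = m.groups()
        value = re.sub(r"\\(.)", r"\1", literal)  # undo pattern escaping
        table[(obj_type, prop.replace("'", ""), value)] = ind["id"]
    return table


# Assumed mapping from the demo telemetry's fields onto STIX observables.
FIELD_MAP = {
    "dst_ip": ("ipv4-addr", "value"),
    "dns_query": ("domain-name", "value"),
    "file_sha256": ("file", "hashes.SHA-256"),
}


def match_events(events, table):
    """Return (host, field, value, indicator id) for every telemetry hit."""
    hits = []
    for ev in events:
        for field, (obj_type, prop) in FIELD_MAP.items():
            key = (obj_type, prop, ev.get(field))
            if key in table:
                hits.append((ev["host"], field, ev[field], table[key]))
    return hits


def demo():
    created = datetime(2024, 1, 15, tzinfo=timezone.utc)
    indicators = [
        make_indicator("ipv4", "198.51.100.23", "C2 server", "Known C2 (TEST-NET-2 placeholder)", created),
        make_indicator("domain", "update.evil.org", "Stager host", "Second-stage download", created),
        make_indicator("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                       "Dropper", "Dropper hash", created),
    ]
    events = [  # constructed telemetry, not real data
        {"host": "ws-17", "dst_ip": "198.51.100.23"},
        {"host": "ws-03", "dns_query": "login.example.com"},
        {"host": "srv-01", "file_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    ]
    return indicators, match_events(events, compile_lookup(indicators))


if __name__ == "__main__":
    indicators, hits = demo()
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": indicators}
    print(json.dumps(bundle, indent=2))
    for hit in hits:
        print("HIT", hit)
```

The bundle printed at the end is what you would publish to a TAXII collection; the lookup compiled from it is what a SIEM or NDR sensor actually evaluates, which is why feeds dominated by single-comparison patterns are easy to consume and multi-observable patterns frequently are not.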
Threat Hunting
Hunting is hypothesis-driven: start from a technique the adversary is likely to use, state what its execution would leave in your telemetry, query for that, and then examine what the raw hits actually did rather than counting them.
```python
# Hunting hypothesis, tied to the ATT&CK techniques it implies
# (PowerShell, T1059.001, over WinRM, T1021.006)
hypothesis = "Adversaries may use PowerShell for lateral movement"

# Hunt queries (SQL-style pseudocode against process, network and file telemetry)
queries = [
    "SELECT * FROM process WHERE name = 'powershell.exe'",
    "SELECT * FROM network WHERE dest_port = 5985",  # WinRM over HTTP
    "SELECT * FROM files WHERE path LIKE '%Temp%\\%.ps1'",
]

# Analysis: run each query, then analyse the behaviour behind the hits
# (run_query and analyze_behavior stand in for your data platform's API)
for query in queries:
    results = run_query(query)
    analyze_behavior(results)
```
MITRE ATT&CK
ATT&CK is the shared vocabulary for TTPs: tactics are the adversary's goals, techniques and sub-techniques are how those goals are achieved (the hunt above maps to T1059.001, PowerShell, and T1021.006, Windows Remote Management). The Enterprise matrix has 14 tactics, in kill-chain order:
Tactics:
+-- Reconnaissance
+-- Resource Development
+-- Initial Access
+-- Execution
+-- Persistence
+-- Privilege Escalation
+-- Defense Evasion
+-- Credential Access
+-- Discovery
+-- Lateral Movement
+-- Collection
+-- Command and Control
+-- Exfiltration
+-- Impact
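To make the hunt loop under Threat Hunting concrete and tie it to the ATT&CK techniques just listed, here is an added example (not the page's code) that loads constructed process, network and file telemetry into in-memory SQLite, runs the page's three queries tagged with their technique IDs, and then does the analysis step the loop only names: correlating PowerShell processes with WinRM fan-out, and spotting PowerShell spawned by wsmprovhost.exe on the receiving host. Hostnames, users, PIDs and the 10.20.30.0/24 addresses are invented.

```python
import sqlite3

# Constructed endpoint telemetry (not real data). Hostnames, users, PIDs and
# the 10.20.30.0/24 addresses are invented.
PROCESS_EVENTS = [
    # host, pid, name, parent, cmdline, username
    ("ws-17", 4120, "powershell.exe", "explorer.exe",
     "powershell.exe -NoProfile", "alice"),
    ("ws-17", 4388, "powershell.exe", "wsmprovhost.exe",
     "powershell.exe -enc SQBFAFgA", "svc-deploy"),       # base64 UTF-16LE "IEX"
    ("srv-01", 812, "wsmprovhost.exe", "svchost.exe",
     "wsmprovhost.exe -Embedding", "svc-deploy"),
    ("ws-03", 2210, "powershell.exe", "cmd.exe",
     r"powershell.exe -File C:\Users\bob\AppData\Local\Temp\setup.ps1", "bob"),
]
NETWORK_EVENTS = [
    # host, pid, dest_ip, dest_port
    ("ws-17", 4120, "10.20.30.41", 5985),
    ("ws-17", 4120, "10.20.30.42", 5985),
    ("ws-03", 2210, "10.20.30.5", 443),
]
FILE_EVENTS = [
    # host, path, pid
    ("ws-03", r"C:\Users\bob\AppData\Local\Temp\setup.ps1", 2210),
    ("ws-17", r"C:\Windows\Temp\deploy.ps1", 4120),
]

# Each hunt query carries the ATT&CK technique its hypothesis came from.
HUNTS = [
    ("T1059.001", "PowerShell execution",
     "SELECT host, pid, parent, username FROM process WHERE name = 'powershell.exe'"),
    ("T1021.006", "Outbound WinRM (HTTP) connections",
     "SELECT host, pid, dest_ip FROM network WHERE dest_port = 5985"),
    ("T1059.001", "Scripts staged under a Temp directory",
     r"SELECT host, path, pid FROM files WHERE path LIKE '%\Temp\%.ps1'"),  # backslash is literal in SQLite LIKE
]

# Correlation: a PowerShell process that fans out over WinRM to several hosts
# is a much stronger lateral-movement signal than either event alone.
FAN_OUT_SQL = """
SELECT p.host, p.pid, p.username, p.parent, COUNT(DISTINCT n.dest_ip) AS targets
FROM process p JOIN network n ON n.host = p.host AND n.pid = p.pid
WHERE p.name = 'powershell.exe' AND n.dest_port = 5985
GROUP BY p.host, p.pid, p.username, p.parent
"""
# The receiving side: PowerShell spawned by the WinRM host process.
INBOUND_SQL = """
SELECT host, pid, username FROM process
WHERE name = 'powershell.exe' AND parent = 'wsmprovhost.exe'
"""


def load_db():
    """Stage the telemetry in an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE process(host, pid, name, parent, cmdline, username);
        CREATE TABLE network(host, pid, dest_ip, dest_port);
        CREATE TABLE files(host, path, pid);
    """)
    con.executemany("INSERT INTO process VALUES (?,?,?,?,?,?)", PROCESS_EVENTS)
    con.executemany("INSERT INTO network VALUES (?,?,?,?)", NETWORK_EVENTS)
    con.executemany("INSERT INTO files VALUES (?,?,?)", FILE_EVENTS)
    return con


def run_hunts(con):
    """Run every hunt query; return {technique: [(label, rows), ...]}."""
    findings = {}
    for technique, label, sql in HUNTS:
        findings.setdefault(technique, []).append((label, con.execute(sql).fetchall()))
    return findings


def analyze_behavior(con):
    """Second pass: correlate the raw hits into behaviours worth escalating."""
    return {
        "winrm_fan_out": con.execute(FAN_OUT_SQL).fetchall(),
        "inbound_winrm_exec": con.execute(INBOUND_SQL).fetchall(),
    }


if __name__ == "__main__":
    con = load_db()
    for technique, results in run_hunts(con).items():
        for label, rows in results:
            print(f"{technique} {label}: {len(rows)} hit(s)")
    for behaviour, rows in analyze_behavior(con).items():
        print(behaviour, rows)
```

Three of the four PowerShell launches are benign on their own; the correlation step is what isolates ws-17 pid 4120 (one process reaching two hosts over WinRM) and pid 4388 (PowerShell started by wsmprovhost.exe, i.e. the same technique seen from the destination side).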
Threat Intel Platforms
| Platform | Features |
|---|---|
| MISP | Open source; events and attributes with to_ids flags, taxonomies and TLP tags, feed ingestion, instance-to-instance sync, REST API (PyMISP) |
| ThreatConnect | Commercial TIP; intel aggregation with workflow and orchestration playbooks |
| Anomali (ThreatStream) | Commercial TIP; feed aggregation, scoring and SIEM integration |
| Recorded Future | Commercial intelligence provider; large-scale collection and risk scoring rather than a sharing platform |
Practice
Set up MISP, create an event from the IOCs above with a TLP tag and an appropriate distribution level, mark only high-confidence attributes to_ids, and share it with partners by syncing to their instance or pushing it over the REST API.
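For the MISP exercise, here is an added example (not MISP's or PyMISP's own code) that builds an event in the JSON shape PyMISP sends to POST /events/add, shows which attributes partners' IDS exports will receive via the to_ids flag, and pushes it with the standard library. The attribute values, event title and URL are constructed; attaching tags from the payload assumes the API key's role is allowed to tag events.

```python
import json
import urllib.request

# MISP distribution levels: 0 your org only, 1 this community, 2 connected
# communities, 3 all communities, 4 a named sharing group.
THIS_COMMUNITY = 1

# (type, value, category, to_ids, comment). Constructed values; the address
# is from the TEST-NET-2 documentation range.
ATTRIBUTES = [
    ("ip-dst", "198.51.100.23", "Network activity", True, "C2 server"),
    ("domain", "update.evil.org", "Network activity", True, "Second-stage host"),
    ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "Payload delivery", True, "Dropper"),
    ("email-src", "attacker@evil.org", "Payload delivery", False, "Sender; too noisy for IDS export"),
]


def build_misp_event(info, attributes, distribution=THIS_COMMUNITY, tlp="tlp:amber"):
    """Event payload in the shape PyMISP sends to MISP's REST API."""
    return {"Event": {
        "info": info,
        "distribution": str(distribution),
        "threat_level_id": "2",   # 1 high, 2 medium, 3 low, 4 undefined
        "analysis": "1",          # 0 initial, 1 ongoing, 2 complete
        "Tag": [{"name": tlp}],
        "Attribute": [
            {"type": t, "value": v, "category": cat, "to_ids": to_ids, "comment": comment}
            for t, v, cat, to_ids, comment in attributes
        ],
    }}


def ids_exportable(event):
    """Values a partner's IDS/firewall feed will receive (to_ids=True only)."""
    return [a["value"] for a in event["Event"]["Attribute"] if a["to_ids"]]


def push_event(misp_url, api_key, event):
    """POST the event to a MISP instance; api_key is an authkey with event-creation rights."""
    req = urllib.request.Request(
        f"{misp_url.rstrip('/')}/events/add",
        data=json.dumps(event).encode(),
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST",
    )
    # TLS is verified by default; do not disable it for a partner feed.
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    event = build_misp_event("Campaign X: C2 and dropper indicators", ATTRIBUTES)
    print(json.dumps(event, indent=2))
    print("IDS-exportable:", ids_exportable(event))
    # push_event("https://misp.example.org", "<authkey>", event)  # needs a live instance
```

The two decisions that matter when sharing are encoded in the payload: distribution (who may see the event once it syncs) and to_ids (which values partners will automatically push into blocking or alerting). Leaving a low-confidence indicator such as a sender address with to_ids set would generate false positives on every downstream sensor.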