Chapter 6: Threat Intelligence¶

Learning Objectives¶

By the end of this chapter, you will be able to:

Explain the threat intelligence lifecycle and types of threat intel
Integrate threat intelligence feeds into detection workflows
Evaluate threat intel quality and relevance to your environment
Apply threat intel for proactive threat hunting
Leverage AI/ML to process and prioritize threat intelligence at scale

Prerequisites¶

Chapter 5: Investigation and triage workflows
Understanding of MITRE ATT&CK framework
Basic knowledge of malware analysis concepts

Key Concepts¶

Threat Intelligence • Indicator of Compromise (IOC) • Tactics, Techniques, and Procedures (TTPs) • STIX/TAXII • Threat Hunting • Diamond Model

Curiosity Hook: The Zero-Day That Wasn't¶

Your EDR alerts on unusual PowerShell activity. The file hash is unknown. VirusTotal: 0/70 detections.

Traditional Response: "No threat intel match, probably benign."

Intelligence-Driven Response: Analyst checks: 1. TTPs: PowerShell + encoded command + outbound connection = known APT29 behavior 2. Infrastructure: C2 domain registered 3 days ago, uses same DNS provider as previous APT29 campaigns 3. Victimology: Your industry (defense) matches APT29 targeting profile

Conclusion: High-confidence APT activity, despite zero IOC matches.

Lesson: Effective threat intelligence goes beyond IOC lists—it provides context for behavior-based detection.

6.1 What is Threat Intelligence?¶

Definition¶

Threat Intelligence is evidence-based knowledge about existing or emerging threats that informs decisions to protect against attacks.

Types of Threat Intelligence¶

1. Strategic - Audience: Executives, board members - Content: Threat landscape trends, geopolitical risks, industry targeting - Example: "Ransomware attacks on healthcare increased 40% in Q1 2026" - Use Case: Risk prioritization, budget allocation

2. Tactical - Audience: SOC managers, detection engineers - Content: Adversary TTPs, attack patterns, campaign details - Example: "APT28 now using legitimate cloud services for C2" - Use Case: Detection rule development, threat hunting

3. Operational - Audience: Incident responders, threat hunters - Content: Specific campaigns, attack timelines, actor motivations - Example: "Ransomware gang X observed targeting VPN vulnerabilities (CVE-2024-1234) with 48-hour dwell time" - Use Case: Incident context, proactive defense

4. Technical - Audience: Tier 1/2 analysts, automated systems - Content: IOCs (IPs, domains, file hashes, YARA rules) - Example: IP 203.0.113.45 associated with Emotet C2 - Use Case: Automated blocking, alert enrichment, SIEM correlation

6.2 The Threat Intelligence Lifecycle¶

Phase 1: Planning & Direction¶

Questions to Answer: - What are our Priority Intelligence Requirements (PIRs)? - What threats are most relevant to our industry/geography? - What decisions will this intel inform?

Example PIRs for a Healthcare Organization: - Ransomware campaigns targeting healthcare - Vulnerabilities in medical devices - Nation-state espionage targeting medical research

Phase 2: Collection¶

Sources: - Open Source (OSINT): Public threat feeds, security blogs, CVE databases - Commercial: Threat intel vendors (Recorded Future, CrowdStrike, Mandiant) - ISACs/ISAOs: Industry-specific sharing communities (H-ISAC, FS-ISAC) - Internal: Incident data, honeypots, malware analysis

Formats: - STIX (Structured Threat Information Expression): Standardized XML/JSON format for threat data - TAXII (Trusted Automated Exchange of Indicator Information): Protocol for sharing STIX data - OpenIOC: XML format for IOCs - CSV/JSON: Simple flat files

Phase 3: Processing & Analysis¶

Processing: - Normalize data to common format - De-duplicate IOCs across feeds - Enrich with context (GeoIP, ASN, threat actor attribution)

Analysis: - Relevance: Does this apply to our environment? - Confidence: How reliable is the source? - Severity: What is the potential impact? - Actionability: Can we detect or block this?

Example:

Raw Intel: IP 45.33.32.156 used by APT29 for C2
Analysis:
  - Relevance: HIGH (we are a defense contractor, APT29 targets our sector)
  - Confidence: HIGH (multi-source confirmation)
  - Severity: CRITICAL (nation-state actor)
  - Actionability: Block in firewall, alert on SIEM

Phase 4: Dissemination¶

Audience-Specific Delivery: - Executives: Monthly strategic briefings - SOC Analysts: Real-time IOC feeds integrated into SIEM - Detection Engineers: Weekly TTP reports for rule development - Incident Responders: On-demand deep-dive reports during active incidents

Phase 5: Feedback¶

Continuous Improvement: - Track which intel led to detections - Measure false positive rates from IOC feeds - Adjust PIRs based on evolving threats - Provide feedback to intel sources

6.3 Operationalizing Threat Intelligence¶

Integration Points¶

1. SIEM Enrichment

index=firewall action=allowed
| lookup threat_intel_ip ip as dest_ip OUTPUT threat_level, threat_actor, first_seen
| where isnotnull(threat_level)
| table _time, src_ip, dest_ip, threat_level, threat_actor

Benefit: Automatically flag connections to known malicious infrastructure.

2. Automated Blocking

IF (IP in threat_feed AND confidence > 90%)
THEN block at firewall
ELSE generate alert for analyst review

Risk: False positives can block legitimate services. Use high-confidence feeds only.

3. Detection Rule Enhancement

Before Threat Intel:

detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains: '-enc'
  condition: selection

Result: Many false positives from admin scripts.

After Threat Intel (TTP-informed):

detection:
  selection_ps:
    Image|endswith: '\powershell.exe'
    CommandLine|contains: '-enc'
  selection_ttp:
    CommandLine|contains:
      - 'Invoke-WebRequest'  # APT29 observed TTP
      - 'hidden'              # Common obfuscation
      - 'bypass'              # Execution policy bypass
  condition: selection_ps and selection_ttp

Result: Reduced FPs, higher fidelity detection aligned with known adversary behavior.

4. Threat Hunting

Hunt Hypothesis: "APT29 uses compromised cloud accounts to exfiltrate data via OneDrive."

Hunt Query:

CloudAppEvents
| where Application == "OneDrive"
| where ActionType == "FileUploaded"
| summarize UploadCount = count(), TotalBytes = sum(FileSize) by AccountObjectId, bin(Timestamp, 1h)
| where UploadCount > 100 or TotalBytes > 10GB
| join kind=inner (
    SigninLogs
    | where RiskLevel == "high"
) on AccountObjectId

Logic: Find high-risk accounts with abnormal OneDrive upload activity.

6.4 Evaluating Threat Intel Quality¶

The 3 C's Framework¶

1. Confidence - High: Multiple authoritative sources, confirmed incidents - Medium: Single reputable source, plausible but unconfirmed - Low: Unverified, single anecdotal report

2. Completeness - Does it include context (actor, campaign, TTPs)? - Are IOCs timestamped and attributed? - Is there remediation guidance?

3. Consistency - Does it align with other intelligence? - Are there contradictions or anomalies?

Common Threat Intel Pitfalls¶

Pitfall 1: Stale IOCs - Problem: IP addresses and domains change frequently. A 6-month-old C2 IP may now belong to a legitimate service. - Mitigation: Expire IOCs after 30-90 days unless refreshed. Prioritize recently observed indicators.

Pitfall 2: Low-Context IOC Lists - Problem: "Here's a list of 10,000 malicious IPs" with no attribution, campaign details, or TTPs. - Mitigation: Prefer intel sources that provide context. Use IOCs for alerting, not just blocking.

Pitfall 3: Over-Reliance on IOCs - Problem: Adversaries trivially change IOCs (new domain, new hash). - Mitigation: Focus on TTPs (harder to change) and behavioral detections.

6.5 Threat Hunting with Intelligence¶

What is Threat Hunting?¶

Threat Hunting is the proactive search for threats that evaded existing detections, guided by hypotheses based on threat intelligence.

Hunt Workflow¶

[Intelligence] → [Hypothesis] → [Data Collection] → [Analysis] → [Detection/Response]

Example Hunt: Credential Dumping¶

Intelligence: APT41 observed using comsvcs.dll to dump LSASS memory (alternative to Mimikatz).

Hypothesis: "Our environment may have undetected LSASS dumping using comsvcs.dll."

Data Collection:

index=endpoint process_name="rundll32.exe"
| where match(command_line, "(?i)comsvcs.dll.*MiniDump")
| table _time, host, user, command_line

Analysis: - 0 results = No evidence of this TTP (good news, but validate telemetry coverage) - 1+ results = Investigate each instance (malicious or IT forensics?)

Outcome: - If malicious: Incident response - If benign: Allowlist known forensics systems - Either way: Create detection rule to prevent future gaps

Hunt Metrics¶

Hunts Conducted: Number of proactive hunts per month
Hunt Findings: Threats discovered that bypassed detections
Detection Improvements: New rules created from hunt insights
Coverage Expansion: ATT&CK techniques now monitored due to hunts

6.6 AI/ML in Threat Intelligence¶

Use Case 1: Intel Feed Prioritization¶

Challenge: SOC receives 50,000 IOCs/day from 20 threat feeds. Analysts can't review all.

ML Solution:

# Classify IOCs by relevance to environment
features = [
  'source_reputation',
  'ioc_age_days',
  'threat_actor_targets_our_industry',
  'ioc_seen_internally_before',
  'geolocation_relevance'
]

model = RandomForestClassifier()
model.train(labeled_iocs)  # Historical data: which IOCs led to true incidents?

new_iocs['priority_score'] = model.predict_proba(new_iocs[features])
high_priority = new_iocs[new_iocs['priority_score'] > 0.8]

Result: Analysts focus on top 5% highest-relevance IOCs.

Use Case 2: LLM-Powered Threat Summaries¶

Analyst Input:

"Summarize the latest APT29 activity and suggest detection opportunities."

LLM Output (RAG-grounded on threat intel database):

APT29 Recent Activity (Past 30 Days):
- Observed targeting defense and government sectors in North America/Europe
- Shifted to HTML smuggling for initial access (T1027.006)
- Leveraging legitimate cloud services (OneDrive, Dropbox) for C2 (T1102)
- Using 'WMI event subscriptions' for persistence (T1546.003)

Detection Opportunities:
1. Monitor for HTML files with embedded JavaScript that writes executables
2. Alert on WMI event subscription creation outside maintenance windows
3. Baseline cloud upload volumes and flag anomalies
4. Correlate VPN logins with cloud access for impossible travel

Suggested SIEM Query:
index=cloud_access app="OneDrive" action="upload"
| stats sum(bytes) as total_bytes by user, _time span=1h
| where total_bytes > 1GB
| join user [search index=vpn action=login]

Benefit: Analysts get actionable summaries without reading 50-page reports.

Use Case 3: Automated TTP Extraction¶

Challenge: Extracting TTPs from unstructured threat reports is time-consuming.

NLP Solution:

Input: "The attacker used PowerShell to download a payload from a remote server, then executed it with elevated privileges."

NLP Extraction:
- T1059.001 (PowerShell)
- T1105 (Ingress Tool Transfer)
- T1548 (Privilege Escalation)

Output: Structured mapping added to threat intel database

Interactive Element¶

MicroSim 6: Threat Intel Triage

Evaluate threat intelligence reports and decide which intel to operationalize (block, alert, hunt).

Common Misconceptions¶

Misconception: More Threat Feeds = Better Security

Reality: Quality over quantity. Too many low-quality feeds increase noise and false positives. Focus on 3-5 high-confidence, relevant feeds.

Misconception: Threat Intel Is Only for Large Organizations

Reality: Free/open-source intel (AlienVault OTX, Abuse.ch, MISP communities) provides value to organizations of all sizes. Start small and expand.

Misconception: IOCs Are Sufficient for Detection

Reality: IOCs are easily changed by attackers. Focus on TTPs for durable detections. Use IOCs for context and initial triage, not as sole detection mechanism.

Practice Tasks¶

Task 1: Classify Threat Intelligence¶

Classify each example as Strategic, Tactical, Operational, or Technical:

a) "IP 45.33.32.156 observed communicating with Emotet C2 infrastructure" b) "Ransomware attacks increased 35% year-over-year, with healthcare most targeted" c) "LockBit 3.0 campaign observed exploiting Citrix CVE-2023-4966 with 72-hour encryption timeline" d) "APT groups increasingly using living-off-the-land techniques to evade EDR"

Answers

a) Technical - Specific IOC for immediate use b) Strategic - High-level trend for executive awareness c) Operational - Campaign details with timeline for incident response d) Tactical - TTP trend for detection engineering

Task 2: Evaluate Intel Quality¶

Threat Intel Report:

Source: Anonymous forum post
Content: "IP 198.51.100.45 is a C2 server for new malware"
Context: None provided
Date: 6 months ago
Confirmation: No other sources

Questions: 1. What is the confidence level? 2. Should this IOC be blocked automatically? 3. What additional information would improve this intel?

Answers

Confidence: LOW
Anonymous source (not authoritative)
No corroboration
Stale (6 months old)
No, do not auto-block
Low confidence could mean false positive
IP may have changed ownership
Generate alert for analyst review at most
Improvements needed:
Source attribution (reputable vendor or researcher)
Malware family/campaign name
TTPs associated with this C2
Recent observation (last 30 days)
File hashes or other correlated IOCs

Task 3: Build a Hunt Hypothesis¶

Given Intel: "APT32 observed exfiltrating data by uploading to compromised legitimate websites via HTTP POST."

Task: Write a hunt hypothesis and suggest a SIEM query.

Answer

Hypothesis: "Attackers may be exfiltrating data from our environment using HTTP POST to external websites, mimicking legitimate user activity."

Hunt Query (Splunk SPL):

index=proxy http_method=POST
| where dest_category!="known_cloud_storage" AND dest_category!="saas_app"
| stats sum(bytes_out) as total_upload by src_ip, dest_domain, user
| where total_upload > 10485760  // 10 MB threshold
| sort -total_upload

Follow-up Actions: - Investigate top uploaders for legitimacy - Check destination domains for reputation - Correlate with endpoint alerts or anomalous user behavior - If confirmed: Block domain, isolate system, investigate scope

Exam Prep & Certifications¶

Relevant Certifications

The topics in this chapter align with the following certifications:

CompTIA Security+ — Domains: Security Operations, Threats and Vulnerabilities
CompTIA CySA+ — Domains: Security Operations, Incident Response
GIAC GCIH — Domains: Incident Handling, Investigation
CISSP — Domains: Security Operations, Security Assessment and Testing

View full Certifications Roadmap →

Self-Assessment Quiz¶

Question 1: What type of threat intelligence focuses on specific IOCs like IP addresses and file hashes?

Options:

a) Strategic b) Tactical c) Operational d) Technical

Show Answer

Correct Answer: d) Technical

Explanation: Technical intelligence consists of specific, machine-readable indicators (IPs, domains, hashes) for automated detection and blocking.

Question 2: What is STIX?

Options:

a) A threat intelligence sharing protocol b) A standardized format for representing threat intelligence data c) A SIEM query language d) A malware analysis tool

Show Answer

Correct Answer: b) A standardized format for representing threat intelligence data

Explanation: STIX (Structured Threat Information Expression) is a standardized XML/JSON format. TAXII is the sharing protocol. SPL/KQL are query languages.

Question 3: What is a key risk of auto-blocking IPs from threat intelligence feeds?

Options:

a) It reduces analyst workload too much b) Stale or low-confidence IOCs may block legitimate services c) It violates compliance regulations d) It increases SIEM licensing costs

Show Answer

Correct Answer: b) Stale or low-confidence IOCs may block legitimate services

Explanation: IPs change ownership. Yesterday's C2 server may be today's legitimate CDN. Auto-blocking requires high-confidence, fresh intel.

Question 4: What is the primary goal of threat hunting?

Options:

a) Respond to existing SIEM alerts b) Proactively search for threats that evaded detections c) Patch vulnerabilities before exploitation d) Train new SOC analysts

Show Answer

Correct Answer: b) Proactively search for threats that evaded detections

Explanation: Threat hunting assumes adversaries may be present but undetected. It's hypothesis-driven proactive searching, not reactive alert response.

Question 5: In the threat intelligence lifecycle, what is the purpose of the 'Feedback' phase?

Options:

a) Generate more IOCs for distribution b) Improve intelligence collection and analysis based on what was useful c) Archive old intelligence reports d) Train machine learning models

Show Answer

Correct Answer: b) Improve intelligence collection and analysis based on what was useful

Explanation: Feedback closes the loop, informing intel teams which information led to detections and what gaps remain, improving future collection.

Question 6: Why are TTPs (Tactics, Techniques, and Procedures) more valuable than IOCs for long-term detection?

Options:

a) TTPs are easier to collect than IOCs b) TTPs are harder for attackers to change than IOCs c) TTPs require no tuning or maintenance d) TTPs work without any telemetry

Show Answer

Correct Answer: b) TTPs are harder for attackers to change than IOCs

Explanation: Attackers easily generate new hashes, IPs, domains. Changing fundamental attack techniques (how they move laterally, escalate privileges) requires retooling, making TTP-based detections more durable.

Summary¶

In this chapter, you learned:

Threat intelligence types: Strategic (executive), Tactical (TTPs), Operational (campaigns), Technical (IOCs)
Intelligence lifecycle: Planning, Collection, Processing, Dissemination, Feedback
Operationalization: Integrate intel into SIEM enrichment, automated blocking, detection rules, and threat hunting
Quality evaluation: Assess confidence, completeness, consistency; avoid stale IOCs
Threat hunting: Hypothesis-driven proactive searches informed by threat intelligence
AI/ML applications: Prioritize intel feeds, generate summaries, extract TTPs from reports

Next Steps¶

Next Chapter: Chapter 7: SOAR & Automation - Learn to automate response workflows
Explore: Join a threat intelligence sharing community (MISP, OTX, industry ISAC)
Practice: Conduct a threat hunt based on recent threat intel in your environment
Tool: Set up a free MISP instance or AlienVault OTX account for hands-on intel practice

Chapter 6 Complete | Next: Chapter 7 →