Chapter 6: Threat Intelligence - Quiz¶

Correct Answer: B) Strategic covers long-term trends and business risks, tactical focuses on attacker TTPs and campaigns

Explanation:

Strategic Threat Intelligence: - Audience: Executive leadership, board members, CISOs - Timeframe: 6-12+ months - Content: Industry trends, geopolitical threats, risk assessments, budget justification - Example: "APT41 targeting healthcare organizations expected to increase 30% in 2026"

Tactical Threat Intelligence: - Audience: SOC managers, threat hunters, detection engineers - Timeframe: Weeks to months - Content: Attacker TTPs, campaigns, threat actor profiles - Example: "APT41 using Cobalt Strike with specific C2 patterns"

Reference: Chapter 6, Section 6.1 - Types of Threat Intelligence

Correct Answer: D) Technical

Explanation:

Technical Threat Intelligence (IOCs): - Specificity: Highly specific indicators of compromise - Audience: SIEM, IDS/IPS, EDR, firewall - Lifespan: Hours to days (IPs/domains change frequently) - Automated: Often consumed via threat feeds

Examples: - File hash: abc123def456... - IP: 203.0.113.45 - Domain: evil-c2.example.com - URL: http://malicious.site/payload.exe

Use Case: Block known malicious IP in firewall, alert on file hash detection in EDR

Reference: Chapter 6, Section 6.1 - Technical Intelligence

Correct Answer: B) Structured Threat Information Expression - standardized language for describing threats

Explanation:

STIX (Structured Threat Information Expression): - Purpose: Standardized JSON-based language for sharing threat intelligence - Version: STIX 2.1 is current standard - Benefits: Machine-readable, interoperable across tools, consistent terminology

STIX Objects: - Indicators: IOCs (IP, hash, domain) - Attack Patterns: MITRE ATT&CK techniques - Threat Actors: APT groups, campaigns - Malware: Malware families - Relationships: Links between objects (e.g., malware uses attack pattern)

Example:

{
  "type": "indicator",
  "pattern": "[ipv4-addr:value = '203.0.113.45']",
  "labels": ["malicious-activity"],
  "confidence": 85
}

Reference: Chapter 6, Section 6.2 - STIX/TAXII

Correct Answer: A) Collection

Explanation:

TAXII (Trusted Automated Exchange of Intelligence Information): - Purpose: Transport protocol for sharing STIX data - Version: TAXII 2.1

TAXII Service Models:

1. Collection (Pull Model): - Clients request intelligence from server - On-demand retrieval - Example: SOC queries feed for Emotet IOCs

2. Channel (Push Model): - Server pushes updates to subscribed clients - Real-time distribution - Example: ISAC distributes new IOCs to members

Typical Workflow:

[Threat Intel Platform] --TAXII Collection--> [SIEM/TIP]
[SIEM/TIP] parses STIX objects --> [Auto-create detection rules/blocklists]

Reference: Chapter 6, Section 6.2 - TAXII Protocol

Correct Answer: B) TTPs describe attacker behavior patterns that are harder to change than infrastructure

Explanation:

IOCs (Indicators of Compromise): - What: Specific artifacts (IP, hash, domain) - Lifespan: Hours to days (attackers change infrastructure frequently) - Detection: Signature-based (exact match) - Evasion: Trivial (register new domain, change IP)

TTPs (Tactics, Techniques, Procedures): - What: Behavior patterns (how attackers operate) - Lifespan: Months to years (changing tradecraft requires retooling) - Detection: Behavioral (patterns) - Evasion: Difficult (requires new tools/training)

Example: - IOC: Malware hash abc123 (attacker changes hash in minutes) - TTP: T1003.001 LSASS Memory Dump (requires fundamentally different credential theft method to evade)

Detection Strategy: Use IOCs for immediate blocking, TTPs for durable detections

Reference: Chapter 6, Section 6.3 - IOCs vs TTPs

Correct Answer: B) Low confidence - use for monitoring/alerting only, not automatic blocking

Explanation:

Confidence Scoring (0-100): - 90-100: High confidence - verified by multiple sources, confirmed malicious - 70-89: Medium-high - likely malicious, single trusted source - 50-69: Medium - possible threat, requires validation - 30-49: Low - unverified, use for awareness only - 0-29: Very low - rumor, uncorroborated

Confidence Score 30/100: - Meaning: Unconfirmed, possibly false positive - Use Case: Log for correlation, do NOT auto-block - Action: Monitor for additional context, escalate if behavior confirms

Example: - IP 203.0.113.45 flagged by single OSINT blog (confidence: 30) - Action: Create SIEM alert (do not firewall block) - Rationale: Could be legitimate CDN/cloud IP misidentified as malicious

Tuning: Adjust confidence thresholds based on risk tolerance and false positive tolerance

Reference: Chapter 6, Section 6.4 - Confidence Scoring

Correct Answer: A) The indicator is too old and likely no longer malicious (stale)

Explanation:

Indicator Freshness:

IP/Domain Lifespan: - Fresh (< 7 days): High likelihood still malicious - Aging (7-30 days): Moderate likelihood, may be reassigned - Stale (> 30 days): Low likelihood, infrastructure often rotates - Very Stale (> 90 days): Very low likelihood, high false positive risk

90-Day-Old IP Concerns: 1. Infrastructure Rotation: Attackers abandon old IPs, register new ones 2. Legitimate Reassignment: Cloud/hosting providers reassign IPs to legitimate customers 3. False Positives: Blocking stale IOCs disrupts legitimate services

Example: - 90 days ago: 203.0.113.45 hosted Emotet C2 - Today: Same IP reassigned to legitimate SaaS company - Impact: Auto-block causes business disruption

Best Practice: - Age out IOCs after 30-60 days (configurable per indicator type) - Prioritize fresh intelligence - Validate aged indicators before enforcement

Reference: Chapter 6, Section 6.5 - Indicator Freshness

Correct Answer: B) Use threat intelligence to form hypotheses about attacker presence and proactively search for evidence

Explanation:

Hypothesis-Driven Threat Hunting:

Process: 1. Form Hypothesis: Based on threat intel (e.g., "APT41 may be using SQL injection against our web apps") 2. Define Indicators: What evidence would confirm? (Unusual SQL queries, web shell deployment) 3. Hunt: Proactively search logs for indicators 4. Analyze: Determine if hypothesis is confirmed or refuted 5. Document: Record findings, improve detections

Example Hunt:

Hypothesis: "Attackers may use Living-off-the-Land binaries (LOLBins) for persistence"

Hunt Query:
index=endpoint process_name IN ("certutil.exe", "bitsadmin.exe", "mshta.exe")
| where NOT [whitelist_processes]
| stats count by process_name, command_line, user, host

Result: Found certutil.exe downloading suspicious DLL → Escalate

Benefits: - Proactive (find threats before alerts fire) - Reduces dwell time - Improves detection coverage

Reference: Chapter 6, Section 6.6 - Threat Hunting

Correct Answer: B) This is normal - most IOCs won't match your environment, focus on the 12 hits

Explanation:

Threat Feed Reality: - Broad Coverage: Feeds contain IOCs for diverse threats across many organizations - Low Hit Rate: Only a small fraction will match your specific environment - Value in Negatives: Confirming absence of known threats is valuable

Example: - Feed: 50,000 IOCs (ransomware, APTs, commodity malware) - Your org: 12 matches (2 Emotet IPs, 10 phishing domains) - Action: Investigate the 12 matches, dismiss the rest

Feed Tuning: 1. Filter by Relevance: Select feeds aligned with your threat model (e.g., healthcare org prioritizes healthcare-targeted threats) 2. Confidence Thresholds: Only ingest high-confidence IOCs 3. Freshness: Auto-expire stale indicators 4. Deduplication: Merge overlapping feeds

False Positive Prevention: - Don't auto-block all 50,000 IOCs (high FP risk) - Use for correlation/alerting, require confirmation before enforcement

Reference: Chapter 6, Section 6.7 - Threat Feed Management

Correct Answer: B) An indicator incorrectly flagged as malicious when it is actually benign

Explanation:

False Positive Indicator: - Definition: Benign artifact misclassified as malicious - Impact: Wasted analyst time, potential service disruption if auto-blocked

Common Causes: 1. Shared Infrastructure: Legitimate services on same IP/domain as malware (CDN, cloud hosting) 2. Domain Squatting: Typo domains flagged but actually parked/unused 3. Stale Intelligence: Previously malicious IP reassigned to legitimate org 4. Low-Quality Feeds: Unvetted OSINT sources with poor validation

Example: - Feed flags cdn.example.com as malware C2 - Reality: Legitimate CDN also used by attackers for hosting - Result: Blocking disrupts legitimate app functionality

Mitigation: - Validate: Cross-reference against multiple feeds - Whitelist: Maintain allowlist of known-good infrastructure - Confidence Thresholds: Only enforce high-confidence indicators - Feedback Loop: Report false positives to feed providers

Reference: Chapter 6, Section 6.8 - False Positive Indicators

Correct Answer: C) Direction

Explanation:

Threat Intelligence Lifecycle:

1. Direction (Planning): - Goal: Define intelligence requirements - Activities: Identify PIRs, stakeholder needs, threat model - Example PIR: "What ransomware groups target healthcare in North America?"

2. Collection: - Goal: Gather raw data from sources - Activities: OSINT, ISACs, commercial feeds, internal telemetry - Sources: Threat feeds, dark web, security blogs, MISP

3. Processing: - Goal: Normalize and structure data - Activities: Parse STIX, deduplicate, enrich with context

4. Analysis: - Goal: Derive insights from processed data - Activities: Correlate IOCs, identify TTPs, assess relevance

5. Dissemination: - Goal: Deliver intelligence to stakeholders - Activities: Reports, briefings, automated feed integration

6. Feedback: - Goal: Refine requirements based on effectiveness - Activities: Measure hit rates, gather analyst feedback, adjust PIRs

Reference: Chapter 6, Section 6.9 - Intelligence Lifecycle

Correct Answer: B) Review existing detection coverage for these techniques and create/tune rules if gaps exist

Explanation:

TTP-Based Intelligence Operationalization:

Step 1: Map to ATT&CK: - T1059.001: Command and Scripting Interpreter - PowerShell - T1003.001: OS Credential Dumping - LSASS Memory

Step 2: Assess Coverage: - Do we have detections for suspicious PowerShell? (encoded commands, ScriptBlockLogging) - Do we detect LSASS access? (EDR, Sysmon Event ID 10)

Step 3: Implement/Tune:

# Detection: LSASS Memory Access
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
| where NOT [whitelist_processes]
| stats count by SourceImage, SourceUser, Computer

Step 4: Hunt: - Proactively search for historical evidence of these techniques - Look for gaps detection didn't catch

Step 5: Test: - Purple team exercise: Can we detect these TTPs if executed?

Why Not Disable PowerShell? - Breaks legitimate IT operations (too disruptive) - Better: Monitor and detect suspicious usage patterns

Reference: Chapter 6, Section 6.10 - Operationalizing TTP Intelligence

Correct Answer: B) TIPs aggregate, normalize, deduplicate, and enrich intelligence from multiple sources with automated distribution

Explanation:

Threat Intelligence Platform (TIP) Capabilities:

1. Aggregation: - Ingest from 50+ feeds (commercial, OSINT, ISACs, internal) - Centralized repository

2. Normalization: - Convert diverse formats (CSV, STIX, JSON) to unified schema - Standardize confidence scoring

3. Deduplication: - Remove overlapping IOCs from multiple feeds - Reduce alert fatigue

4. Enrichment: - Add context: WHOIS, geolocation, threat actor attribution - Correlate IOCs to campaigns

5. Automated Distribution: - Push to SIEM, firewall, EDR via APIs - Real-time updates

6. Workflow: - Track investigation status, analyst notes - False positive feedback loop

Example Workflow:

[50 Threat Feeds] → [TIP] → [Aggregates, deduplicates, scores] → [Auto-push high-confidence IOCs to SIEM/Firewall]

Popular TIPs: MISP, ThreatConnect, Anomali, ThreatQuotient

Reference: Chapter 6, Section 6.11 - Threat Intelligence Platforms

Correct Answer: B) Assess if CVE-2024-12345 affects your SQL versions and if patches are available

Explanation:

Threat Intelligence Operationalization Workflow:

Step 1: Validate Relevance: - Does CVE-2024-12345 affect our SQL Server versions? - Query asset inventory: "SELECT version FROM sql_servers"

Step 2: Assess Exposure: - Are vulnerable servers internet-facing? - Are they behind compensating controls (WAF, network segmentation)?

Step 3: Prioritize: - Critical servers first (production, customer-facing) - Risk score: (Exploitability × Impact × Exposure)

Step 4: Remediate: - If patch available: Deploy to test → production - If no patch: Apply workarounds (disable feature, segment network, deploy virtual patch)

Step 5: Detect: - Create detection rule for CVE-2024-12345 exploitation attempts - Hunt for historical exploitation evidence

Step 6: Monitor: - Track patching status - Alert on exploitation attempts

Why Not Shutdown? - Too disruptive without validation - May be unaffected versions

Reference: Chapter 6, Practice Task - Operationalizing Intel

Correct Answer: B) High false positive rate due to unverified indicators and potential for disinformation

Explanation:

OSINT (Open Source Intelligence) Risks:

1. Unverified Indicators: - Sources: Twitter, blogs, paste sites - Quality: Varies widely (no validation standards) - Risk: Benign IPs/domains misidentified as malicious

2. Disinformation: - Attackers can poison feeds (post fake IOCs to misdirect defenders) - Example: Attacker posts IP of competitor as "malware C2" → defenders block legitimate business partner

3. Context Gaps: - OSINT often lacks context (confidence, TTPs, actor attribution) - Result: Difficult to prioritize

4. Volume Overload: - Millions of unfiltered IOCs - Impact: Alert fatigue, wasted triage time

Best Practices: 1. Multi-Source Validation: Require 2+ independent sources before enforcement 2. Reputation Scoring: Weight feeds by historical accuracy 3. Human Review: Don't auto-block OSINT IOCs without analyst validation 4. Combine with Commercial: Blend OSINT (volume) with commercial feeds (quality)

Reference: Chapter 6, Common Pitfalls