
Threat Intelligence

MITRE ATT&CK, VirusTotal, AlienVault OTX. IOC feeds. Threat actor profiling.


What is Threat Intelligence?

Threat Intelligence (TI) is evidence-based knowledge about existing or emerging threats. It includes IOCs (Indicators of Compromise), TTPs (Tactics, Techniques, Procedures), threat actor profiles, and vulnerability data used to make informed defensive decisions.

Why Threat Intelligence?

  • Proactive Defense: Block known-bad IPs, domains, file hashes before they attack
  • Contextualize Alerts: Understand "who" is attacking and "why" (APT groups, ransomware gangs)
  • Prioritize Threats: Focus on threats targeting your industry/geography
  • Share Intelligence: Collaborate with community (ISACs, FS-ISAC, threat feeds)

Types of Threat Intelligence

🎯 Strategic

High-level, executive audience

  • Threat landscape trends
  • Geopolitical risks
  • APT group campaigns
  • Budget/resource decisions

⚙️ Tactical

TTPs, how attackers operate

  • MITRE ATT&CK techniques
  • Attack vectors (phishing, RDP)
  • Malware families (Emotet, Cobalt Strike)
  • SOC analyst use

🔍 Operational

Specific attack indicators (IOCs)

  • IP addresses, domains
  • File hashes (MD5, SHA256)
  • URLs, email subjects
  • Immediate blocking/alerting

Popular Threat Intelligence Platforms

🔬 VirusTotal:

Upload files/URLs for scanning by 70+ AV engines. Check file hashes, domain reputation. Free API (limited queries).

👁️ AlienVault OTX (Open Threat Exchange):

Community-driven threat feed. 100,000+ participants share IOCs. Free API. Pulses (curated threat reports).

🎖️ MITRE ATT&CK:

Framework mapping adversary tactics/techniques. 14 tactics (Initial Access, Execution, Persistence...). Used for threat modeling.

🌐 ThreatConnect / ThreatQ:

Commercial TIP (Threat Intelligence Platform). Aggregate feeds, enrich IOCs, integrate with SIEM/SOAR. Expensive.

📡 Abuse.ch (URLhaus, MalwareBazaar):

Free feeds of malicious URLs, malware samples. Real-time updates. Community-maintained.

🔐 CISA (US-CERT):

Government threat advisories (ICS alerts, BOD directives). STIX/TAXII feeds. Free for US entities.

Indicators of Compromise (IOCs)

🌐 Network IOCs:

  • Malicious IP addresses (C2 servers)
  • Domains (DGA, phishing sites)
  • URLs (exploit kits, payloads)
  • SSL certificate hashes

📁 File IOCs:

  • File hashes (MD5, SHA1, SHA256)
  • File names (malware.exe)
  • File paths (C:\Temp\payload.dll)
  • YARA rules (pattern matching)

📧 Email IOCs:

  • Sender addresses (spoofed domains)
  • Subject lines (invoice.pdf patterns)
  • Attachment hashes
  • Email headers (X-Mailer signatures)

💻 Host IOCs:

  • Registry keys (persistence)
  • Scheduled tasks
  • Mutexes (malware identifiers)
  • Process names
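The IOC types above arrive in reports and feeds as mixed, often "defanged" text (hxxp://, [.], [@]) that has to be normalized before it can be matched against logs. The following is an added example, not code from this page: a small classifier that refangs an indicator, types it as IPv4, hash (by hex length), URL, email or domain, and parses a pasted list into deduplicated (type, value) pairs. The regexes, the defanging conventions handled, and the sample report text are all this example's own assumptions.

```python
import re

# Added example, not from the page. The patterns below are this example's own
# assumptions about how IOCs commonly appear in reports and feeds.
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
_EMAIL = re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,63}$")
_URL = re.compile(r"^https?://\S+$", re.IGNORECASE)
_HEX = re.compile(r"^[0-9a-f]+$")
_HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> algorithm


def refang(value: str) -> str:
    """Undo the defanging analysts apply so shared IOCs are not clickable."""
    v = value.strip()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)
    for bad, good in (("[.]", "."), ("(.)", "."), ("[@]", "@"), ("[:]", ":")):
        v = v.replace(bad, good)
    return v


def classify_ioc(value: str):
    """Return (ioc_type, normalized_value). IPs, hashes, domains and emails are
    lowercased; a URL keeps its case because its path may be case-sensitive."""
    v = refang(value)
    low = v.lower()
    if _IPV4.match(low):
        return "ipv4", low
    if _HEX.match(low) and len(low) in _HASH_TYPES:
        return _HASH_TYPES[len(low)], low
    if _URL.match(v):
        return "url", v
    if _EMAIL.match(low):
        return "email", low
    if _DOMAIN.match(low):
        return "domain", low
    return "unknown", v


def parse_ioc_list(text: str):
    """Parse a pasted IOC list (one per line, '#' comments allowed) into a
    deduplicated list of (ioc_type, value) tuples, dropping unrecognized lines."""
    seen = set()
    out = []
    for line in text.splitlines():
        # Strip comments: a leading '#' or one preceded by whitespace, so a
        # '#fragment' inside a URL is left alone.
        line = re.split(r"(?:^|\s)#", line, maxsplit=1)[0].strip()
        if not line:
            continue
        kind, val = classify_ioc(line)
        if kind == "unknown" or (kind, val) in seen:
            continue
        seen.add((kind, val))
        out.append((kind, val))
    return out


# Constructed sample: the kind of mixed, defanged list found in a threat report.
SAMPLE_REPORT = """
# C2 infrastructure
203[.]0[.]113[.]45
hxxps://evil[.]example[.]com/Stage2.exe
evil[.]example[.]com
# Dropper hashes
D41D8CD98F00B204E9800998ECF8427E
d41d8cd98f00b204e9800998ecf8427e   # duplicate in lower case
# Phishing sender
attacker[@]phish[.]example
not an indicator
"""

if __name__ == "__main__":
    for kind, val in parse_ioc_list(SAMPLE_REPORT):
        print(f"{kind:7} {val}")
```

Typing by hex length is the usual shortcut for hashes; if a feed also carries SHA-512 or ssdeep values, extend `_HASH_TYPES` or key on an explicit type column instead.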

MITRE ATT&CK Framework

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. 14 tactics with 200+ techniques.

TA0001 - Initial Access: Phishing, exploit public-facing apps, valid accounts
TA0002 - Execution: PowerShell, Windows Management Instrumentation, user execution
TA0003 - Persistence: Registry run keys, scheduled tasks, boot/logon autostart
TA0004 - Privilege Escalation: Bypass UAC, exploit vulnerabilities, access tokens
TA0005 - Defense Evasion: Obfuscation, disable AV, masquerading
TA0006 - Credential Access: Credential dumping, brute force, keylogging
TA0007 - Discovery: System info, network share discovery, account discovery
TA0008 - Lateral Movement: Pass-the-hash, RDP, SMB/Windows Admin Shares

💡 Use ATT&CK to map detected threats to known techniques and prioritize defenses

Integrating Threat Feeds

1. Ingest Feeds into SIEM

# Splunk example: match firewall events against a lookup table built from the feed
# (assumes threatfeed_otx.csv has columns ioc,context)
index=firewall
| lookup threatfeed_otx.csv ioc AS src_ip OUTPUT context AS threat_context
| where isnotnull(threat_context)

Match network logs against threat feed IPs/domains

2. Firewall Blocking (Automated)

# Block malicious IPs from feed (203.0.113.45 is a documentation-range example address)
iptables -A INPUT -s 203.0.113.45 -j DROP

Automated blocking of known-bad IPs from threat feeds

3. Enrich SIEM Alerts

When SIEM sees suspicious IP, lookup in VirusTotal/OTX to add context (malware family, threat actor)
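The three steps above (ingest a feed, match it against logs, enrich the hits with context, then feed confirmed IPs to the firewall) fit in one short pipeline. The following is an added example, not code from this page or any vendor: it loads a constructed feed, drops allowlisted infrastructure at ingest so a noisy feed entry for a public resolver cannot cause a block, matches constructed firewall and DNS events on several fields, attaches the feed's context and source to each hit, and derives a prioritized block list. The CSV columns, the log format and the allowlist contents are this example's assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed feed rows (not real OTX or Abuse.ch data). The column names are
# this example's assumption about a normalized, aggregated feed.
FEED_CSV = """indicator,type,context,source
203.0.113.45,ipv4,Cobalt Strike C2,constructed-otx
198.51.100.7,ipv4,Emotet distribution,constructed-abusech
evil.example,domain,phishing landing page,constructed-otx
1.1.1.1,ipv4,flagged by a noisy feed,constructed-otx
"""

# Legitimate infrastructure that turns up in feeds and must never be blocked.
# Constructed allowlist; in practice it is maintained per organization.
ALLOWLIST = {"1.1.1.1", "8.8.8.8"}

# Constructed firewall/DNS events in key=value form.
LOG_LINES = """ts=2025-01-10T09:00:01Z src_ip=10.0.0.5 dst_ip=203.0.113.45 dst_port=443
ts=2025-01-10T09:00:02Z src_ip=10.0.0.8 dst_ip=93.184.216.34 dst_port=80
ts=2025-01-10T09:00:03Z src_ip=10.0.0.5 dst_ip=1.1.1.1 dst_port=53
ts=2025-01-10T09:00:04Z src_ip=10.0.0.9 dst_ip=198.51.100.7 dst_port=8080
ts=2025-01-10T09:00:05Z src_ip=10.0.0.8 dst_ip=10.0.0.53 dst_port=53 query=evil.example
ts=2025-01-10T09:00:06Z src_ip=10.0.0.5 dst_ip=203.0.113.45 dst_port=443
"""

MATCH_FIELDS = ("src_ip", "dst_ip", "query")  # event fields compared to the feed
_KV = re.compile(r"(\w+)=(\S+)")


def load_feed(csv_text):
    """Index feed rows by indicator. Allowlisted values are dropped at ingest,
    so a feed entry for legitimate infrastructure can never produce a hit."""
    feed = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ioc = row["indicator"].strip().lower()
        if ioc in ALLOWLIST:
            continue
        feed[ioc] = row
    return feed


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return dict(_KV.findall(line))


def match_events(log_text, feed):
    """Return one enriched hit per (event, field) whose value is a feed indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for field in MATCH_FIELDS:
            entry = feed.get(ev.get(field, "").lower())
            if entry:
                hits.append({**ev, "matched_field": field, "ioc": entry["indicator"],
                             "ioc_type": entry["type"], "context": entry["context"],
                             "source": entry["source"]})
    return hits


def hit_counts(hits):
    """How many events touched each indicator: input for prioritization."""
    return Counter(h["ioc"] for h in hits)


def block_list(hits):
    """IPv4 indicators that actually appeared in traffic, sorted, for the firewall
    step; domains are better handled by DNS sinkholing than by iptables."""
    return sorted({h["ioc"] for h in hits if h["ioc_type"] == "ipv4"})


if __name__ == "__main__":
    feed = load_feed(FEED_CSV)
    hits = match_events(LOG_LINES, feed)
    for h in hits:
        print(f"{h['ts']} {h['matched_field']}={h['ioc']} -> {h['context']} [{h['source']}]")
    print("counts:", dict(hit_counts(hits)))
    for ip in block_list(hits):
        print(f"iptables -A INPUT -s {ip} -j DROP")
```

The allowlist check sits in `load_feed` rather than in the matcher on purpose: filtering at ingest means every downstream consumer (SIEM lookup, firewall script, analyst search) sees the same cleaned feed, which is the practical form of the "whitelist legitimate infra" advice.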

Best Practices

Multiple Feeds: Don't rely on a single source. Aggregate OTX, VirusTotal, Abuse.ch, CISA
Context is Key: An IOC alone is noise. Add "why" it's bad (ransomware? APT28?)
Automate Ingestion: Feeds update hourly. Manual copying doesn't scale
Avoid False Positives: Google/Cloudflare IPs appear in feeds. Whitelist legitimate infra
Share Back: If you find new IOCs, contribute to OTX/Abuse.ch (the community benefits)
Map to ATT&CK: Tag alerts with MITRE techniques for trend analysis

Real-World Impact: WannaCry (2017)

Threat intel feeds shared WannaCry file hashes and the kill-switch domain within hours of the outbreak.

Organizations That Used Threat Intel:

  • ✅ Blocked WannaCry hashes at email gateway (no infections)
  • ✅ Registered kill-switch domain (stopped spread)
  • ✅ Patched MS17-010 within hours (proactive response)

Organizations Without Threat Intel:

  • ❌ 200,000+ systems encrypted worldwide
  • ❌ NHS (UK healthcare) crippled for days
  • ❌ $4 billion in damages
