CSY201 Week 09 Intermediate


Operating Systems & Security


Opening Framing: Intelligence-Driven Security

Without threat intelligence, defenders are blind. We react to alerts without understanding the bigger picture. We don't know who's attacking us, what they want, or how they operate.

Threat intelligence changes this. It provides context about adversaries—their tactics, techniques, infrastructure, and motivations. With good intelligence, we can anticipate attacks, prioritize defenses, and respond more effectively.

This week covers threat intelligence fundamentals: what it is, where it comes from, how to use it in SOC operations, and how to produce intelligence from your own incidents.

Key insight: Intelligence without action is trivia. The value of threat intelligence comes from applying it to improve detection, prevention, and response.

1) Threat Intelligence Fundamentals

Understanding what threat intelligence is and isn't:

Threat Intelligence Defined:

"Evidence-based knowledge about existing or emerging 
threats that can be used to inform decisions."

Key elements:
- Evidence-based (not speculation)
- Actionable (informs decisions)
- Contextual (explains the "so what")
- Timely (relevant to current threats)

What threat intelligence is NOT:
- Raw data (that's just information)
- Vendor marketing
- Generic threat reports
- Unvetted IOC lists

Intelligence Levels:

Strategic Intelligence:
- Audience: Executives, board, leadership
- Timeframe: Months to years
- Content: Threat landscape, risk trends, adversary motivations
- Format: Reports, briefings
- Example: "Nation-state actors targeting our industry are 
  increasing in sophistication"

Operational Intelligence:
- Audience: Security managers, IR leads
- Timeframe: Days to weeks
- Content: Active campaigns, adversary capabilities, TTPs
- Format: Reports, advisories
- Example: "APT29 is conducting phishing campaign targeting 
  energy sector using COVID-19 lures"

Tactical Intelligence:
- Audience: SOC analysts, detection engineers
- Timeframe: Hours to days
- Content: IOCs, detection signatures, attack patterns
- Format: IOC feeds, YARA rules, detection rules
- Example: "Block IP 185.x.x.x - active C2 server"

The Intelligence Cycle:

    ┌──────────────────────────────────────────┐
    │                                          │
    ▼                                          │
┌───────────────┐                              │
│ Direction     │ ← What do we need to know?   │
└───────┬───────┘                              │
        ↓                                      │
┌───────────────┐                              │
│ Collection    │ ← Gather raw information     │
└───────┬───────┘                              │
        ↓                                      │
┌───────────────┐                              │
│ Processing    │ ← Organize and format        │
└───────┬───────┘                              │
        ↓                                      │
┌───────────────┐                              │
│ Analysis      │ ← Create intelligence        │
└───────┬───────┘                              │
        ↓                                      │
┌───────────────┐                              │
│ Dissemination │ ← Share with consumers       │
└───────┬───────┘                              │
        ↓                                      │
┌───────────────┐                              │
│ Feedback      │ ← Was it useful?             │
└───────┴──────────────────────────────────────┘

Key insight: Intelligence is a cycle, not a one-time product. Feedback improves future intelligence.

2) Threat Intelligence Sources

Intelligence comes from many sources:

Internal Sources (your own data):

Incident data:
- IOCs from your incidents
- TTPs observed in attacks
- Adversary infrastructure used against you

Log analysis:
- Failed attacks
- Blocked connections
- Suspicious patterns

Security tools:
- EDR detections
- Firewall blocks
- Email gateway catches

Advantages:
- Directly relevant to your organization
- High confidence (you observed it)
- Context-rich

Disadvantages:
- Reactive (already attacked)
- Limited visibility
- Resource-intensive to analyze

External Sources:

Commercial feeds:
- Recorded Future
- Mandiant
- CrowdStrike
- ThreatConnect
- Quality varies, cost significant

Open source (OSINT):
- VirusTotal
- AlienVault OTX
- Abuse.ch (URLhaus, MalwareBazaar)
- MISP communities
- Free, but quality varies

Government/Industry:
- CISA alerts
- FBI Flash reports
- ISACs (sector-specific)
- CERT advisories
- High quality, limited scope

Sharing communities:
- ISACs (FS-ISAC, H-ISAC, etc.)
- MISP instances
- Threat sharing groups
- Bidirectional sharing

Evaluating Intelligence Quality:

Admiralty Code (the NATO source and information grading system):

Source Reliability:
A - Completely reliable
B - Usually reliable
C - Fairly reliable
D - Not usually reliable
E - Unreliable
F - Cannot be judged

Information Credibility:
1 - Confirmed by other sources
2 - Probably true
3 - Possibly true
4 - Doubtful
5 - Improbable
6 - Cannot be judged

Example rating: B2
"Usually reliable source, probably true information"

Questions to ask:
- Where did this come from?
- How was it collected?
- Has it been validated?
- Is it current?
- Is it relevant to us?

Key insight: More intelligence isn't better intelligence. Focus on quality, relevance, and actionability.

3) Working with IOCs

Indicators of Compromise are tactical intelligence:

IOC Types:

Network indicators:
- IP addresses
- Domain names
- URLs
- TLS certificate fingerprints and JA3/JA3S TLS fingerprints

Host indicators:
- File hashes (MD5, SHA1, SHA256)
- File names/paths
- Registry keys
- Mutex names
- Process names

Email indicators:
- Sender addresses
- Subject lines
- Attachment names/hashes
- Header patterns

Behavioral indicators:
- Command patterns
- Network traffic patterns
- Process relationships

IOC Lifecycle:

IOC Value Over Time:

     Value
       │
High   │  ****
       │ *    *
       │*      ***
Medium │         ***
       │            ***
Low    │               *****
       │__________________________ Time
         Hours  Days  Weeks  Months

Hash: hours to days (trivial to change: recompile or append a byte)
IP: days to weeks (easy to change: new VPS or proxy)
Domain: days to weeks (moderate effort: registration and reputation)
TTP: months to years (hard to change: retooling and retraining)

This ordering is David Bianco's Pyramid of Pain: the higher an
indicator sits, the more it costs the adversary to change it.

Implications:
- IOC feeds require constant updates
- Old IOCs create false positives
- Behavioral detection is more durable

IOC Management:

IOC workflow:

1. Receive IOC
   - From feed, report, or incident
   
2. Validate
   - Check reputation services
   - Verify source reliability
   - Test in sandbox if applicable

3. Enrich
   - Add context (campaign, actor, malware)
   - Determine relevance
   - Set confidence level

4. Implement
   - Add to SIEM for alerting
   - Block at perimeter (if high confidence)
   - Search historically (retroactive hunt)

5. Maintain
   - Set expiration date
   - Review and retire old IOCs
   - Track effectiveness
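Added worked example (not part of the original course text): the validate, enrich, implement, maintain steps above and the Admiralty Code from section 2, put together as one small Python triage routine. The type-specific shelf lives in DEFAULT_TTL, the score thresholds for block/alert/hunt, and the sample feed in demo() are all assumptions constructed for illustration; none of the indicator values are real intelligence.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Admiralty Code: source reliability A-F and information credibility 1-6,
# each mapped to 0-5 so the two can be summed into a 0-10 confidence score.
RELIABILITY = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1, "F": 0}
CREDIBILITY = {"1": 5, "2": 4, "3": 3, "4": 2, "5": 1, "6": 0}

# Assumed shelf life per indicator type, following the decay curve above.
DEFAULT_TTL = {
    "md5": timedelta(days=7),
    "sha256": timedelta(days=7),
    "ipv4": timedelta(days=14),
    "domain": timedelta(days=30),
}

HASH_RE = {
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def refang(value: str) -> str:
    """Undo the defanging used in reports (hxxp://, evil[.]example, 1.2.3[.]4)."""
    v = re.sub(r"^hxxp", "http", value.strip(), flags=re.I)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value: str) -> str:
    """Return 'md5', 'sha256', 'ipv4', 'domain', or 'unknown' for a refanged value."""
    for name, rx in HASH_RE.items():
        if rx.match(value):
            return name
    try:
        ipaddress.IPv4Address(value)
        return "ipv4"
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return "domain"
    return "unknown"


@dataclass
class IOC:
    value: str
    source: str
    admiralty: str                 # Admiralty rating of this item, e.g. "B2"
    campaign: str = ""             # enrichment: campaign/actor/malware context
    first_seen: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    ioc_type: str = field(init=False)
    expires: datetime = field(init=False)

    def __post_init__(self):
        self.value = refang(self.value).lower()
        self.ioc_type = classify(self.value)
        self.expires = self.first_seen + DEFAULT_TTL.get(self.ioc_type, timedelta(days=1))

    def score(self) -> int:
        """0-10: B2 scores 8, A1 scores 10, D4 scores 4."""
        return RELIABILITY[self.admiralty[0].upper()] + CREDIBILITY[self.admiralty[1]]

    def is_bogon(self) -> bool:
        """RFC 1918, loopback, link-local and multicast must never reach a blocklist."""
        if self.ioc_type != "ipv4":
            return False
        ip = ipaddress.IPv4Address(self.value)
        return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast


def decide(ioc: IOC, now: Optional[datetime] = None) -> str:
    """Map one indicator to an action: reject, expired, block, alert, or hunt."""
    now = now or datetime.now(timezone.utc)
    if ioc.ioc_type == "unknown" or ioc.is_bogon():
        return "reject"      # malformed or internal: would only generate false positives
    if now >= ioc.expires:
        return "expired"     # retire from live matching; keep for retroactive searches
    s = ioc.score()
    if s >= 8:
        return "block"       # B2 or better: high confidence, safe to enforce at the perimeter
    if s >= 6:
        return "alert"       # SIEM watchlist only; an analyst validates before blocking
    return "hunt"            # low confidence: one-off historical search, no live control


def demo() -> dict:
    """Constructed sample feed (not real intelligence) run through the workflow."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    feed = [
        IOC("evil[.]example", "vendor-report", "B2", campaign="constructed-campaign", first_seen=t0),
        IOC("10.0.0.5", "paste-dump", "C3", first_seen=t0),                    # RFC 1918 address
        IOC("d41d8cd98f00b204e9800998ecf8427e", "otx-pulse", "D4", first_seen=t0),
        IOC("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "isac-advisory", "A1", first_seen=t0 - timedelta(days=10)),         # aged past its TTL
        IOC("not an indicator", "email-thread", "B2", first_seen=t0),
    ]
    return {i.value: decide(i, now=t0) for i in feed}
```

Run demo() to see each constructed indicator land in its bucket: the defanged domain from a B2 source is blockable, the RFC 1918 address and the free-text value are rejected before they can pollute a blocklist, the D4 hash is only worth a retroactive hunt, and the A1 hash is expired despite its perfect rating because it is older than its TTL. Note that Python's ipaddress also classes the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, so those are rejected too.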

STIX and TAXII:

STIX (Structured Threat Information Expression):
- Standard format for threat intelligence (OASIS)
- JSON-based (STIX 2.x; the older STIX 1.x was XML)
- Represents objects and the relationships between them
- An Indicator carries its IOC as a pattern, e.g.
  [domain-name:value = 'c2.evil.example'], plus valid_from and
  valid_until, which is where expiry is expressed

STIX objects:
- Attack Pattern
- Campaign
- Indicator
- Malware
- Threat Actor
- Tool
- Vulnerability
- Relationship (links the others, e.g. indicator "indicates" malware)

TAXII (Trusted Automated eXchange of Intelligence Information):
- Transport protocol for sharing STIX data over HTTPS
- Client-server model: clients discover an API root and poll it
- Data is organized into collections (TAXII 2.1; the "channels"
  concept from 2.0 was never completed and was dropped)

Benefits:
- Automation of intel sharing
- Consistent format across tools
- Machine-readable intelligence
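Added worked example (not part of the original course text, and not the official stix2 library): a STIX 2.1 bundle built by hand with an Indicator, a Malware object and the Relationships between them, serialized as a TAXII server would return it, then parsed back into flat IOC rows. The malware family "ExampleRAT", the indicator values and the timestamps are constructed for illustration; the pattern parser only handles equality comparisons, which is an assumption that holds for ordinary IOC feeds but not for the full STIX pattern grammar.

```python
import json
import re
import uuid
from datetime import datetime, timezone

STIX_TS = "%Y-%m-%dT%H:%M:%S.000Z"   # STIX 2.1 timestamps are UTC with a Z suffix


def stix_id(obj_type: str) -> str:
    return f"{obj_type}--{uuid.uuid4()}"   # STIX identifiers are <type>--<UUID>


def now_ts() -> str:
    return datetime.now(timezone.utc).strftime(STIX_TS)


def make_indicator(pattern: str, name: str, valid_from: str, valid_until: str = None) -> dict:
    """Indicator SDO. The pattern holds the IOC; valid_until is where expiry lives."""
    ts = now_ts()
    ind = {"type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
           "created": ts, "modified": ts, "name": name,
           "indicator_types": ["malicious-activity"],
           "pattern": pattern, "pattern_type": "stix", "valid_from": valid_from}
    if valid_until:
        ind["valid_until"] = valid_until
    return ind


def make_malware(name: str) -> dict:
    ts = now_ts()
    return {"type": "malware", "spec_version": "2.1", "id": stix_id("malware"),
            "created": ts, "modified": ts, "name": name, "is_family": True}


def make_relationship(src: dict, rel_type: str, dst: dict) -> dict:
    """SRO linking two objects, e.g. indicator --indicates--> malware."""
    ts = now_ts()
    return {"type": "relationship", "spec_version": "2.1", "id": stix_id("relationship"),
            "created": ts, "modified": ts, "relationship_type": rel_type,
            "source_ref": src["id"], "target_ref": dst["id"]}


def make_bundle(objects: list) -> dict:
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


# One equality comparison inside a STIX pattern: <object-type>:<property path> = '<value>'.
# Property paths may contain quoted keys, e.g. file:hashes.'SHA-256'.
COMPARISON_RE = re.compile(r"([a-z0-9-]+):([^\s=]+)\s*=\s*'([^']*)'")


def pattern_to_iocs(pattern: str) -> list:
    """Extract (object type, property path, value) triples from a STIX pattern.
    Only '=' comparisons are handled (assumption): that covers what IOC feeds ship."""
    return [(obj, path.replace("'", ""), val) for obj, path, val in COMPARISON_RE.findall(pattern)]


def bundle_to_iocs(bundle: dict) -> list:
    """Walk a bundle (as received over TAXII) and flatten its indicators into IOC rows,
    carrying the malware each indicator points at and its expiry."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    indicated = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            indicated[o["source_ref"]] = by_id[o["target_ref"]].get("name", "")
    rows = []
    for o in bundle["objects"]:
        if o["type"] != "indicator" or o.get("pattern_type") != "stix":
            continue
        for obj, path, val in pattern_to_iocs(o["pattern"]):
            rows.append({"type": obj, "path": path, "value": val,
                         "malware": indicated.get(o["id"], ""),
                         "valid_until": o.get("valid_until")})
    return rows


def demo() -> list:
    """Constructed bundle (fictitious family and indicators), serialized and parsed back."""
    fam = make_malware("ExampleRAT")
    dom = make_indicator("[domain-name:value = 'c2.evil.example']", "ExampleRAT C2 domain",
                         "2024-01-01T00:00:00.000Z", valid_until="2024-02-01T00:00:00.000Z")
    drop = make_indicator(
        "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'] "
        "OR [ipv4-addr:value = '203.0.113.7']",
        "ExampleRAT dropper and staging host", "2024-01-01T00:00:00.000Z")
    bundle = make_bundle([fam, dom, drop,
                          make_relationship(dom, "indicates", fam),
                          make_relationship(drop, "indicates", fam)])
    wire = json.dumps(bundle, indent=2)          # what a TAXII collection would return
    return bundle_to_iocs(json.loads(wire))
```

The round trip through json.dumps/json.loads is the point: the same objects that your platform emits are what a partner's TAXII client ingests, and the relationship objects are what let the consumer answer "what malware is this IOC associated with" without a manual lookup. An indicator with no valid_until never expires on the wire, so the consumer has to impose its own shelf life.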

Key insight: IOCs are perishable. Without active management, your IOC database becomes a collection of false positive generators.

4) Applying Intelligence in SOC Operations

Intelligence must be operationalized to have value:

Detection Enhancement:

IOC-based detection:
- Add IOCs to SIEM watchlists
- Block at firewall/proxy
- Alert on email gateway
- Search EDR telemetry

Example SIEM rule (Splunk SPL; field and lookup names are illustrative.
The IOCs live in a lookup table rather than a hard-coded list so the
feed can be refreshed without editing the search):

index=proxy
| lookup malicious_domains domain AS dest_domain OUTPUT campaign confidence
| where isnotnull(campaign)
| table _time src_ip dest_domain campaign confidence

Save the search as an alert with severity high; alerting is a property of
the saved search, not an SPL command. An exact-match lookup misses
subdomains of a listed domain, so cover those separately.

Behavioral detection from TTPs:
- Translate techniques to detection rules
- Example: "APT uses encoded PowerShell"
  → Alert on powershell.exe launched with -EncodedCommand (or any of
    its accepted prefixes: -e, -ec, -enc) and decode the payload for
    triage

ATT&CK mapping:
- Identify techniques used by relevant threats
- Ensure detection coverage
- Prioritize gaps

Alert Enrichment:

When alert fires, enrich with intelligence:

Automatic enrichment:
- IP/domain reputation lookup
- Hash lookup in threat intel
- Geo-location
- ASN information

Manual enrichment:
- Search threat reports
- Check intel platforms
- Query sharing communities

Enrichment questions:
- Is this IOC in our threat intel?
- What campaign/actor is it associated with?
- What other IOCs are related?
- What's the typical attack chain?

An enriched alert is faster to triage because the analyst starts with context instead of building it.

Threat-Informed Defense:

Prioritize defenses based on intelligence:

1. Identify relevant threats
   - Who targets our industry?
   - What's our threat profile?

2. Understand their TTPs
   - How do they gain access?
   - What do they do post-compromise?

3. Map to ATT&CK
   - Which techniques do they use?
   - What's our detection coverage?

4. Prioritize gaps
   - Focus on techniques used by our threats
   - Not all techniques are equal

Example:
"Threat group targeting our sector uses spearphishing
with macro-enabled documents (T1566.001) and PowerShell
for execution (T1059.001). Priority: Enhance email
filtering and PowerShell logging."
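Added worked example (not part of the original course text): the four-step threat-informed defense procedure above as Python. A constructed threat profile (which techniques each relevant group uses) is crossed with a constructed coverage map (how well we detect each technique) to rank the gaps, then written out as an ATT&CK Navigator layer so the result can be visualized. The group names, technique sets and coverage scores are invented for illustration; the Navigator layer fields follow the 4.x layer format as I know it, so check the "versions" values against the Navigator you run.

```python
import json

# Constructed threat profile: techniques each relevant group has been observed using.
# Illustrative only; real mappings come from the ATT&CK Groups pages and vendor reports.
THREAT_PROFILE = {
    "group-a": {"T1566.001", "T1059.001", "T1547.001", "T1071.001"},
    "group-b": {"T1566.001", "T1059.001", "T1021.002", "T1003.001"},
    "group-c": {"T1190", "T1059.001", "T1003.001", "T1071.001"},
}

# Constructed detection coverage: technique -> 0 (none), 1 (partial), 2 (good).
# Anything missing from the map is treated as uncovered.
COVERAGE = {"T1566.001": 2, "T1059.001": 1, "T1071.001": 0, "T1190": 2, "T1021.002": 0}


def prioritize_gaps(profile: dict, coverage: dict, good: int = 2) -> list:
    """Rank uncovered techniques by (groups that use it) x (coverage shortfall).
    A technique used by all three relevant groups with partial coverage outranks
    one used by a single group with none."""
    usage = {}
    for group, techniques in profile.items():
        for t in techniques:
            usage.setdefault(t, set()).add(group)
    rows = []
    for t, groups in usage.items():
        cov = coverage.get(t, 0)
        if cov >= good:
            continue                        # already detected well: not a gap
        rows.append({"technique": t, "groups": sorted(groups), "coverage": cov,
                     "priority": len(groups) * (good - cov)})
    rows.sort(key=lambda r: (-r["priority"], r["technique"]))
    return rows


def navigator_layer(rows: list, name: str = "Coverage gaps vs relevant threats") -> dict:
    """Emit an ATT&CK Navigator layer (4.x layer format, assumed) colouring gaps by priority."""
    techniques = [{"techniqueID": r["technique"], "score": r["priority"],
                   "comment": f"used by {', '.join(r['groups'])}; coverage={r['coverage']}"}
                  for r in rows]
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Constructed example: score = groups using technique x coverage shortfall",
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max((r["priority"] for r in rows), default=1)},
        "techniques": techniques,
    }


def layer_json(profile: dict = THREAT_PROFILE, coverage: dict = COVERAGE) -> str:
    """Convenience: the layer as a JSON document ready to load into Navigator."""
    return json.dumps(navigator_layer(prioritize_gaps(profile, coverage)), indent=2)
```

With the constructed inputs, credential dumping (T1003.001) and web C2 (T1071.001) come out on top: each is used by two groups and has no coverage at all. PowerShell (T1059.001) is used by all three groups but already has partial coverage, so it ranks third. Fully covered techniques such as phishing attachments (T1566.001) drop out entirely, which is the "not all techniques are equal" point in code form. Save layer_json() to a file and open it in Navigator to get the heatmap.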

Key insight: The question isn't "what threats exist?" but "what threats are relevant to us, and are we prepared?"

5) Producing Intelligence

SOCs can produce intelligence, not just consume it:

Intelligence from Incidents:

Every incident generates potential intelligence:
- IOCs observed
- TTPs used
- Infrastructure details
- Timing and targeting

Incident → Intelligence workflow:
1. Extract IOCs during investigation
2. Document TTPs observed
3. Analyze patterns across incidents
4. Create finished intelligence
5. Share with community (if appropriate)

Creating Threat Reports:

Internal threat report structure:

1. Executive Summary
   - Key findings
   - Relevance to organization
   - Recommended actions

2. Threat Overview
   - Actor/campaign background
   - Motivation and targets
   - Capabilities

3. Technical Analysis
   - Attack chain
   - TTPs (mapped to ATT&CK)
   - IOCs

4. Detection and Mitigation
   - Detection opportunities
   - Prevention measures
   - Response guidance

5. Appendices
   - Full IOC list
   - YARA rules
   - Detection queries

Intelligence Sharing:

Benefits of sharing:
- Improves community defense
- Builds relationships
- Gets intelligence back
- Strengthens ecosystem

Sharing considerations:
- Sanitize sensitive info
- Get legal/PR approval
- Use TLP (Traffic Light Protocol)

TLP Markings (TLP 2.0, as published by FIRST):
TLP:RED - Named recipients only; not to be shared further, even inside the recipient's organization
TLP:AMBER - Recipient's organization and its clients, on a need-to-know basis
TLP:AMBER+STRICT - Recipient's organization only (no clients)
TLP:GREEN - The recipient's community or sector, but not the public
TLP:CLEAR - No restrictions; may be published

Sharing platforms:
- ISACs
- MISP communities
- Informal peer groups
- Public reports (TLP:CLEAR)

Key insight: Organizations that share intelligence tend to receive more than they give. Contribution builds trust, and trust is what unlocks access to the higher-value, more restricted sharing.

Real-World Context: Threat Intel in Action

Threat intelligence transforms operations:

Proactive Defense: Intelligence about an active campaign allows defenders to hunt for IOCs, enhance detection, and warn users before attacks arrive—not after.

Faster Triage: When an alert matches known threat intelligence, analysts immediately understand context. "This IP is known APT29 infrastructure" changes the response.

Better Decisions: Strategic intelligence helps leadership prioritize security investments. "Nation-states are targeting our sector" justifies budget differently than generic fear of hackers.

MITRE ATT&CK Integration:

  • Threat Groups: ATT&CK documents known groups and their TTPs
  • Software: Malware and tools mapped to techniques
  • Detection: Data sources for each technique

Key insight: Threat intelligence is a force multiplier. It helps defenders focus limited resources where they matter most.

Guided Lab: Threat Intelligence Analysis

Practice working with real threat intelligence.

Step 1: Research a Threat Group

Choose one threat group:
- APT29 (Cozy Bear)
- APT28 (Fancy Bear)
- Lazarus Group
- FIN7
- Conti/Wizard Spider

Research using:
- MITRE ATT&CK Groups page
- Threat reports from vendors
- CISA advisories
- News articles

Step 2: Document TTPs

For your chosen group, document:

Initial Access techniques:
- How do they get in?
- What ATT&CK techniques?

Execution techniques:
- How do they run code?
- What tools do they use?

Persistence techniques:
- How do they maintain access?

Common tools and malware:
- What software do they use?

Targets:
- What industries/regions?
- What motivations?

Step 3: Collect IOCs

Find publicly available IOCs:
- Search threat reports
- Check AlienVault OTX
- Search VirusTotal

Document IOCs with context:
| Type | Value | Campaign | Confidence | Source |
|------|-------|----------|------------|--------|
| IP   | ...   | ...      | High       | ...    |
| Hash | ...   | ...      | Medium     | ...    |

Step 4: Create Detection Plan

Based on TTPs, recommend:
- What logs are needed?
- What detection rules?
- What preventive controls?
- What hunting queries?

Reflection (mandatory)

  1. How would you prioritize defenses against this group?
  2. What detection gaps exist for their techniques?
  3. How would this intelligence change your SOC operations?
  4. What's the shelf life of the IOCs you found?

Week 9 Outcome Check

By the end of this week, you should be able to:

Next week: Threat Hunting Fundamentals—proactively searching for threats that evade automated detection.

🎯 Hands-On Labs (Free & Essential)

Practice intelligence workflows before moving to reading resources.

🎮 TryHackMe: Threat Intel

What you'll do: Work through threat intel concepts and IOC handling.
Why it matters: Intelligence drives priority and detection focus.
Time estimate: 1.5-2 hours

Start TryHackMe Threat Intel →

📝 Lab Exercise: IOC Enrichment Sprint

Task: Enrich 10 IOCs using VirusTotal and OTX, then score confidence.
Deliverable: IOC table with verdicts, sources, and recommended actions.
Why it matters: Enrichment turns raw indicators into actionable intel.
Time estimate: 60-90 minutes

Open VirusTotal →

🧭 MITRE ATT&CK Navigator: IOC-to-TTP Mapping

What you'll do: Map indicators to ATT&CK techniques and build a heatmap.
Why it matters: TTPs last longer than IOCs and guide defenses.
Time estimate: 45-60 minutes

Open ATT&CK Navigator →

🛡️ Lab: Implement CIS Level 1 Benchmark

What you'll do: Apply a CIS Level 1 benchmark to a Linux or Windows host.
Deliverable: Before/after hardening checklist and audit output.
Why it matters: Benchmarks shrink the attack surface and the baseline noise that hides real anomalies.
Time estimate: 90-120 minutes

💡 Lab Tip: Translate indicators into techniques so detections survive IOC decay.

🛡️ CIS Benchmarks & System Baselines

Threat intel improves when environments are hardened. Baselines reduce attacker options and clarify what is truly anomalous.

Hardening focus areas:
- Disable unused services and ports
- Enforce strong auth and auditing
- Apply secure configuration policies
- Monitor for baseline drift

📚 Building on CSY102: OS hardening principles and secure configuration baselines.

Resources

Complete the required resources to build your foundation.

Lab: Threat Intelligence Report

Goal: Create a complete threat intelligence report on a threat actor relevant to a specific industry.

Scenario

You're the threat intelligence analyst for a financial services company. Leadership wants to understand threats targeting the sector and recommendations for defense.

Part 1: Threat Landscape

  1. Identify 3 threat groups targeting financial services
  2. Document their motivations and capabilities
  3. Assess relevance to your organization type

Part 2: Deep Dive

  1. Select one group for detailed analysis
  2. Document complete TTP profile (ATT&CK mapping)
  3. Collect current IOCs with sources
  4. Identify tools and malware used

Part 3: Detection and Prevention

  1. Map TTPs to required data sources
  2. Create 3 detection rules for key techniques
  3. Recommend preventive controls
  4. Develop hunting queries

Part 4: Report

  1. Write executive summary (1 page)
  2. Complete technical report
  3. Create IOC appendix
  4. Include recommendations

Deliverable (submit):

Checkpoint Questions

  1. What are the three levels of threat intelligence?
  2. What is the difference between IOCs and TTPs in terms of detection value?
  3. What is STIX and why is it important?
  4. How do you evaluate the quality of threat intelligence?
  5. What is the Traffic Light Protocol (TLP)?
  6. How does threat intelligence improve SOC operations?

Week 09 Quiz

Test your understanding of threat intelligence sources, formats, and application.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Take Quiz

Weekly Reflection

Reflection Prompt (200-300 words):

This week you learned threat intelligence—understanding adversaries to improve defense. You researched threat groups, worked with IOCs, and considered how to apply intelligence operationally.

Reflect on these questions:

A strong reflection will consider the challenges of making threat intelligence actionable and valuable.

Verified Resources & Videos

Threat intelligence transforms security from reactive to proactive. The skills you've practiced—researching threats, working with IOCs, creating reports—make you a more effective defender. Next week: threat hunting, where you proactively search for threats that automated detection misses.
