Threat Intelligence - Understanding Attackers Before They Strike
Threat Intelligence (TI) is the systematic collection, analysis, and use of information about cyber threats: Indicators of Compromise (IOCs), Tactics, Techniques, and Procedures (TTPs), threat actors, and their motives. A distinction is made between Strategic (C-Level), Operational (SOC triage), and Tactical Intelligence (technical IOCs). Key sources: MISP, OpenCTI, VirusTotal, CISA, BSI, commercial feeds (Recorded Future, Mandiant, CrowdStrike Falcon Intel).
Threat Intelligence is the difference between reactive and proactive security. Those who know their attackers, their methods, tools, and motivations, can protect themselves in a targeted manner instead of merely reacting to each alert as it arrives.
Types of Intelligence
Strategic Intelligence (C-Level / CISO)
- Who is attacking companies in my industry?
- Which geopolitical developments increase the risk?
- How will the threat landscape evolve over the next 12–24 months?
- Sources: BSI Situation Report, Verizon DBIR, CrowdStrike Global Threat Report
- Output: Security strategy, investment decisions
Operational Intelligence (SOC / IR Team)
- What campaigns are currently active against my industry?
- What TTPs are APT groups currently using?
- Are there active waves of attacks targeting specific CVEs?
- Sources: ISACs (Information Sharing and Analysis Centers), commercial TI feeds
- Output: Detection rules, playbook adjustments, proactive hunting
Tactical Intelligence (Analysts / Incident Response)
- Specific IOCs: IP addresses, domains, file hashes, URLs
- YARA rules for malware families
- Which C2 servers are active?
- Sources: MISP, VirusTotal, AlienVault OTX, AbuseIPDB
- Output: SIEM rules, firewall blocklists, EDR signatures
IOC Types and Their Usefulness
Pyramid of Pain (David Bianco)
| Level | IOC Type | Effort Required by Attacker | Usefulness |
|---|---|---|---|
| 1 | Hash values (MD5/SHA1/SHA256) | Flip 1 bit → new hash | Low (trivial to bypass) |
| 2 | IP addresses (C2 servers) | New server (5 minutes) | Medium (IOCs quickly become obsolete) |
| 3 | Domain names | Register new domain (hours) | Medium-good |
| 4 | Network/host artifacts (User-Agent, registry keys) | Source code modification required | Good |
| 5 | Tools (Mimikatz, Cobalt Strike, Impacket) | Develop new tool (weeks/months) | Very good |
| 6 | TTPs (Tactics, Techniques, Procedures) | Retraining teams = very expensive | Maximum! |
> Prefer TTP-based detection (ATT&CK) over IOC hunting: integrate IOCs quickly, but do not make them the sole strategy.
TI platforms and tools
Open-Source TI Platforms
MISP (Malware Information Sharing Platform):
- Developed by CIRCL (Luxembourg), used by NATO
- Sharing: bidirectional IOC exchange between organizations
- Feeds: 100+ public feeds (CIRCL, ENISA, national CERTs)
- Taxonomies: TLP (Traffic Light Protocol), MITRE ATT&CK
- Automation: MISP API → SIEM integration
```bash
# MISP Docker Setup:
git clone https://github.com/MISP/misp-docker
docker compose up
# Default: https://localhost, admin@admin.test / admin
```
OpenCTI (Open Cyber Threat Intelligence Platform):
- Developed by Filigran (France), more modern than MISP
- Graph-based: relationships between entities
- Integrated: MITRE ATT&CK, CVE, STIX 2.1
- Connectors: 50+ (VirusTotal, Shodan, MISP, AbuseIPDB)
- Strength: Visualization of attacker groups + TTPs
Key entities: Threat Actor → Campaign → Intrusion Set → Malware → TTP (ATT&CK Technique) → Indicator (IOC)
AlienVault OTX (Open Threat Exchange):
- Community-based, free
- "Pulses": bundled IOC collections related to incidents
- API: easy integration into SIEM/firewall
Free feeds
| Feed | Content |
|---|---|
| AbuseIPDB | IP reputation (brute force, spam, etc.) |
| URLhaus | Malware URLs (abuse.ch) |
| Malware Bazaar | Malware samples + hashes (abuse.ch) |
| PhishTank | Phishing URLs (community) |
| Feodo Tracker | Botnet C2 IP addresses (abuse.ch) |
| CISA KEV | Known Exploited Vulnerabilities (MANDATORY!) |
Commercial Feeds
| Provider | Features |
|---|---|
| Recorded Future | Market leader, AI-based, expensive |
| Mandiant (Google) | APT expertise, IR insights |
| CrowdStrike Intel | Falcon integration, actor profiles |
| Microsoft MSTIC | Defender + Sentinel integration |
| VirusTotal Intel | API for hashes, URLs, domains |
TI Integration into SOC Operations
Threat Intelligence Lifecycle
1. Planning (Requirements):
   - What do I need to know? (Industry-specific!)
   - Financial sector: Emotet, QBot, BEC actors
   - Critical Infrastructure: APT groups with geopolitical motives
   - SMEs: opportunistic ransomware, phishing
2. Collection:
   - Subscribe to feeds (MISP, OTX, CISA KEV)
   - ISAC membership (industry-specific)
   - Dark web monitoring (optional, for higher levels)
3. Processing + Normalization:
   - STIX 2.1 / TAXII 2.1 (standard formats)
   - Deduplication, confidence score
   - TLP classification (Clear/Green/Amber/Red)
4. Analysis:
   - Relevance: Does this affect my environment?
   - Timeliness: Is the IOC still valid?
   - Attribution: Which actors are using this?
5. Distribution:
   - SIEM: IOCs as lookup lists
   - Firewall/EDR: Automatic blocking
   - SOC analysts: Context for alert triage
   - CISO: Strategic Reporting
6. Feedback:
   - Was the intelligence useful?
   - False positives caused by IOCs?
   - Which feeds provide quality information?
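As an added example (not from the original article), the following Python walks lifecycle steps 3 to 5 over a STIX 2.1 bundle: it deduplicates indicators, drops expired and low-confidence ones, uses the TLP marking as a distribution gate, and emits a SIEM lookup list. The bundle, its marking-definition IDs, indicator IDs and IOC values are constructed sample data, not a real feed.

```python
import re
from datetime import datetime, timezone

TLP_RANK = {"clear": 0, "white": 0, "green": 1, "amber": 2, "red": 3}
PATTERN_RE = re.compile(r"^\[([^=\]]+?)\s*=\s*'([^']+)'\]$")  # single-comparison patterns only
# Marking IDs and every indicator below are constructed sample data, not a real feed.
TLP_GREEN, TLP_RED = "marking-definition--sample-green", "marking-definition--sample-red"
FUTURE, PAST = "2099-01-01T00:00:00Z", "2020-01-01T00:00:00Z"


def indicator(n, pattern, confidence, valid_until, marking):
    """Minimal STIX 2.1 indicator object (constructed sample)."""
    return {"type": "indicator", "id": f"indicator--sample-{n}", "pattern": pattern,
            "pattern_type": "stix", "confidence": confidence,
            "valid_until": valid_until, "object_marking_refs": [marking]}


SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "marking-definition", "id": TLP_GREEN, "definition_type": "tlp",
     "definition": {"tlp": "green"}},
    {"type": "marking-definition", "id": TLP_RED, "definition_type": "tlp",
     "definition": {"tlp": "red"}},
    indicator(1, "[ipv4-addr:value = '203.0.113.10']", 60, FUTURE, TLP_GREEN),
    indicator(2, "[ipv4-addr:value = '203.0.113.10']", 85, FUTURE, TLP_GREEN),  # duplicate IOC
    indicator(3, "[domain-name:value = 'c2.example.invalid']", 90, PAST, TLP_GREEN),  # expired
    indicator(4, "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']", 95, FUTURE, TLP_RED),
]}


def build_lookup(bundle, max_tlp="amber", min_confidence=50, now=None):
    """Return {ioc_value: {type, confidence, tlp, source_id}} for a SIEM lookup list.
    Drops expired, low-confidence and above-max_tlp indicators (so TLP:RED never reaches
    a shared SIEM); unmarked indicators count as RED; duplicates keep the highest confidence."""
    now = now or datetime.now(timezone.utc)
    tlp_of = {o["id"]: o["definition"]["tlp"] for o in bundle["objects"]
              if o["type"] == "marking-definition"}
    lookup = {}
    for obj in bundle["objects"]:
        if obj["type"] != "indicator" or not (m := PATTERN_RE.match(obj["pattern"])):
            continue
        until = datetime.fromisoformat(obj["valid_until"].replace("Z", "+00:00"))
        marks = [tlp_of.get(ref, "red") for ref in obj.get("object_marking_refs", [])]
        tlp = max(marks, key=TLP_RANK.__getitem__, default="red")  # strictest marking wins
        conf = obj.get("confidence", 0)
        if until <= now or conf < min_confidence or TLP_RANK[tlp] > TLP_RANK[max_tlp]:
            continue
        ioc_type, value = m.groups()
        if value not in lookup or conf > lookup[value]["confidence"]:
            lookup[value] = {"type": ioc_type, "confidence": conf, "tlp": tlp,
                             "source_id": obj["id"]}
    return lookup
```

With the defaults only the deduplicated C2 address survives; raising `max_tlp` to `"red"` is appropriate for an internal IR team list but not for a feed shared with a managed SOC.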
TLP (Traffic Light Protocol)
| Classification | Meaning |
|---|---|
| TLP:RED | For designated recipients only (confidential!) |
| TLP:AMBER | Internal use only (limited distribution) |
| TLP:GREEN | Community (no public release) |
| TLP:CLEAR | Public (no restrictions) |
Threat Actors and Attribution
Russia
APT28 (Fancy Bear / Sofacy):
- Targets: Government, military, defense industry, energy
- Tools: X-Agent, Zebrocy, LoJax (UEFI rootkit)
- Known attacks: German Bundestag 2015, DNC 2016
APT29 (Cozy Bear):
- Targets: Government, think tanks, pharmaceutical industry
- Tools: WellMess, CozyBear backdoor
- SolarWinds SUNBURST (2020!)
Sandworm:
- Targets: Critical infrastructure
- Tools: NotPetya, BlackEnergy, Industroyer/Crashoverride
- Ukraine power outages 2015/2016
China
APT10 (Stone Panda):
- Targets: Managed service providers, manufacturing companies
- Operation Cloud Hopper: MSP attacks worldwide
APT41:
- Dual-use: state espionage + cybercrime
- Targets: Pharmaceuticals, gaming industry, telecommunications
DPRK (North Korea)
Lazarus Group:
- Targets: Financial institutions, cryptocurrency
- Bangladesh Bank Robbery: $81 million stolen
- WannaCry 2017 (attributed)
Cybercrime (financially motivated)
| Group | Characteristics |
|---|---|
| LockBit | Ransomware-as-a-Service, largest ransomware group 2022–2024 |
| BlackCat | Rust-based, triple extortion |
| Clop | MOVEit mass campaign 2023 |
| FIN7 | Financial sector, POS malware |
Caution Regarding Attribution
- False-flag operations exist
- Always specify "confidence level" (Low/Medium/High)
- Public attribution: politically sensitive
- For companies: TTP-based protection > actor attribution