Threat Intelligence: Angreifer verstehen bevor sie angreifen

Threat Intelligence (TI)—also known as Cyber Threat Intelligence (CTI)—is the collection, analysis, and use of information about current and future cyber threats. The goal: not to react to attacks, but to be proactively prepared for threat actors.

Three simple questions define TI:

Who is attacking companies like ours?
How—what tactics, techniques, and tools?
Why—motivation (financial, espionage, activism)?

The answers enable targeted protective measures instead of generic security.

The Three Levels of TI

Strategic Intelligence

For CISOs and management: An overview of the threat landscape without technical details.

Questions answered by strategic TI:

Which industries are currently being attacked by which APT groups?
How are ransomware trends evolving? (RaaS increase, double extortion)
Which geopolitical events increase cyber risks for our company?

Sources: ENISA Threat Landscape, BSI IT Security Situation Report, Mandiant M-Trends Report, CrowdStrike Global Threat Report.

Operational Intelligence

For SOC managers and incident responders: Current campaigns and attack methods.

Questions answered by Operational TI:

Which phishing campaign is currently active?
Which CVE is currently being actively exploited (weaponized)?
Which C2 infrastructure is the group behind the current attack using?

Sources: ISACs (industry-specific sharing platforms), Recorded Future, Mandiant Advantage, FS-ISAC.

Tactical Intelligence

For security analysts and threat hunters: Specific Indicators of Compromise (IoCs) and techniques.

Tactical IoCs:

IP addresses: 185.234.xx.xx (known C2 server)
Domain names: malware-c2-xyz.net (active phishing domain)
File hashes: sha256:abc123... (known malware file)
YARA rules: Patterns in malware code
Snort/Suricata rules: Network traffic patterns

Indicators of Compromise (IoCs) and Indicators of Attack (IoAs)

IoCs - What happened?

IoCs are forensic artifacts that indicate a compromise:

Network IoCs:
  → IP addresses of known C2 servers
  → Domains (phishing, malware distribution)
  → DNS queries to known malware domains
  → User-agent strings of known tools (Cobalt Strike Beacon)

File IoCs:
  → SHA256 hashes of known malware files
  → File names and paths (C:\Users\Public\svhost.exe)
  → Registry keys used by the malware

Host IoCs:
  → Unknown services with strange names
  → Scheduled tasks with obfuscated PowerShell commands
  → New local admin accounts

Limitations of IoCs: Skilled attackers change IoCs regularly (IP rotation, new domains, newly compiled malware). IoCs have a "half-life" of hours to days.

IoAs - What's happening right now?

IoAs are behavior-based and detect attack patterns independently of specific IoCs:

&quot;PowerShell launches immediately after Word&quot; → Macro malware pattern
&quot;LSASS is accessed by an unknown process&quot; → Credential dumping
&quot;Legitimate admin tool (PsExec) launches at the wrong time&quot; → Lateral movement
&quot;SMB traffic to domain controller without prior login&quot; → Pass-the-hash

IoAs are more valuable than IoCs—SIEM rules that detect IoAs remain effective even against new malware variants.

MITRE ATT&CK: The TI Framework

MITRE ATT&CK is the global knowledge base of attacker tactics and techniques—based on real-world incidents:

14 Tactics (What the attacker aims to achieve):
  TA0001: Initial Access (How does the attacker gain entry?)
  TA0002: Execution (How does the attacker execute code?)
  TA0003: Persistence (How does the attacker maintain a foothold?)
  TA0004: Privilege Escalation (How does the attacker gain elevated privileges?)
  TA0005: Defense Evasion (How do they bypass security?)
  TA0006: Credential Access (How do they steal credentials?)
  TA0007: Discovery (What do they find on the network?)
  TA0008: Lateral Movement (How do they spread?)
  TA0009: Collection (What do they collect?)
  TA0010: Exfiltration (How does he exfiltrate data?)
  TA0011: Command and Control (How does he control the system?)
  TA0040: Impact (What is the final damage?)
  ...

200+ techniques with sub-techniques:
  T1078: Valid Accounts (uses stolen credentials)
  T1053.005: Scheduled Task/Job (persistence via scheduled tasks)
  T1003.001: LSASS Memory Dumping (credential dump)

Practical Use: SIEM rules against ATT&CK techniques; instead of individual IoCs → more robust detection.

TI Sources: Free to Enterprise

Free Sources

OSINT / Open Source:

VirusTotal: File hashes, domains, IPs scanned by 70+ AV scanners
AlienVault OTX (Open Threat Exchange): Community-based IoC feeds
Abuse.ch: Malware tracker, ransomware tracker, Feodo tracker
Shodan.io: Exposed systems and services
CIRCL.lu MISP: Open-source TI platform
BSI CERT-Bund: German alerts and advisories
CVE/NVD: NIST vulnerability database

Government/ISAC:

CERT-Bund (BSI): German cyber alerts
MS-ISAC: Local government agencies (USA)
FS-ISAC: Financial sector
Health-ISAC: Healthcare

Commercial TI platforms

Provider	Strengths	Price range
Recorded Future	Most comprehensive data, automatic prioritization	$$$
Mandiant Advantage	Incident-based intelligence	$$$
CrowdStrike Falcon X	EDR integration, rapid attribution	$$$
Flashpoint	Darknet monitoring, IAB tracking	$$$
KELA	European focus, German	$$
Flare	SMB-friendly, stealer log monitoring	$$

Deploying TI Operationally: Use Cases

SIEM Integration: IoC Matching

# Automatic IoC matching in SIEM
# Daily updated blocklist in firewall:

# Extract from TI feed (STIX 2.1 format):
import requests
ti_feed = requests.get(&quot;https://ti-provider.com/api/v1/iocs?type=ip&quot;)
malicious_ips = [ioc[&quot;value&quot;] for ioc in ti_feed.json()[&quot;results&quot;]]

# Transfer to firewall blocklist (pfSense API example):
for ip in malicious_ips:
    pfsense_api.add_to_blocklist(ip)

Vulnerability Prioritization

TI helps determine which CVEs need to be patched immediately:

CVE-2024-12345: CVSS 9.8 (critical)
Without TI: &quot;Critical → must be patched this week&quot;

With TI: &quot;CVE-2024-12345 is being ACTIVELY exploited by LockBit affiliates,
         already in 3 German companies this week&quot;
→ IMMEDIATE patch (today, not this week)

Threat Hunting

TI insights about attacker groups drive targeted threat hunting:

TI Report: &quot;APT28 (Fancy Bear, Russia) is currently attacking German
             defense companies via spear-phishing using
             .lnk files containing PowerShell loaders&quot;

Threat Hunt Hypothesis:
  → Are there unknown .lnk files in Downloads folders?
  → Are there anomalous PowerShell processes launched by WINWORD.EXE?

SIEM Query:
  index=windows EventCode=4688
  ParentImage=&quot;C:\\Program Files\\Microsoft Office\\...\\WINWORD.EXE&quot;
  Image=&quot;C:\\Windows\\System32\\powershell.exe&quot;

STIX 2.1 (Structured Threat Information eXpression): Standard format for TI exchange.

TAXII (Trusted Automated Exchange of Intelligence Information): Protocol for automated TI exchange.

Companies can share TI via ISACs and MISP instances—anonymized, structured, and machine-processable. BSI and CERT-Bund offer sharing platforms for German companies.

Maturity Level: How do you use TI?

Level	Feature
0	No TI usage, reactive to attacks
1	Free IoC feeds in SIEM (IP/domain blocking)
2	Industry-specific ISAC membership, ATT&CK-based SIEM rules
3	Commercial TI platform, threat hunting, vulnerability prioritization
4	Proactive TI operations, TI sharing with partners, in-house attribution

For most German SMEs, Levels 1–2 are realistic and sufficient. Level 3 is for companies with their own SOC.