Introduction: The Hunter's Mindset
"The best defense is knowing your enemy better than they know themselves." (Sun Tzu, paraphrased for cybersecurity)
Traditional security is reactive: wait for an alert, investigate, respond. But sophisticated attackers evade detection: they live off the land, blend in with normal traffic, and move slowly to stay under alerting thresholds. The average dwell time (time from breach to detection) is still 204 days (IBM Cost of a Data Breach Report 2023).
Threat intelligence and threat hunting flip the script. Instead of waiting for alerts, we proactively search for adversaries using knowledge of their tactics, techniques, and procedures (TTPs). We become the hunters, not the hunted.
Lesson Objectives
By the end of this lesson, you will be able to:
- Explain the threat intelligence lifecycle and its applications
- Navigate and apply the MITRE ATT&CK framework for threat analysis
- Distinguish between IOCs and TTPs and use both effectively
- Design and execute hypothesis-driven threat hunts
- Build a practical threat intelligence program
1. Threat Intelligence Fundamentals
1.1 What is Threat Intelligence?
Definition
Threat Intelligence is evidence-based knowledge about threats, including context, mechanisms, indicators, implications, and actionable advice, that can inform decisions about responding to threats.
(Gartner)
Threat intelligence is NOT just a feed of malicious IP addresses. True intelligence provides context: Who is attacking? Why? What are their capabilities? How do they operate? What should we do about it?
1.2 The Intelligence Pyramid
Strategic Intelligence
High-level trends, threat landscape, risk to business
Audience: C-Suite, Board, Risk Management
Example: "Nation-state actors are increasingly targeting financial sector"
Tactical Intelligence
TTPs, attack patterns, threat actor profiles
Audience: Security Architects, SOC Managers
Example: "APT29 uses OAuth token theft for persistent access"
Operational Intelligence
Specific campaigns, imminent threats, attack timelines
Audience: Incident Responders, Threat Hunters
Example: "Active campaign targeting Indian banks using XYZ malware"
Technical Intelligence
IOCs: IPs, domains, file hashes, URLs
Audience: SOC Analysts, Security Tools
Example: "Block IP 192.168.1.100, hash SHA256:abc123..."
1.3 The Intelligence Lifecycle
Direction
Define intelligence requirements. What do stakeholders need to know?
Collection
Gather raw data from internal/external sources (logs, feeds, OSINT, HUMINT)
Processing
Normalize, filter, correlate, and enrich raw data
Analysis
Convert data into actionable intelligence with context
Dissemination
Deliver intelligence to stakeholders in appropriate format
Feedback
Evaluate effectiveness, refine requirements, improve process
Real-World Example: APT40 (Leviathan) Intelligence
In July 2021, multiple governments attributed cyber espionage to China's Ministry of State Security (MSS), specifically APT40. The intelligence lifecycle in action:
- Direction: "Are we targeted by Chinese state actors?"
- Collection: Government advisories, vendor reports, internal logs
- Processing: Extract IOCs, map to MITRE ATT&CK, correlate with internal data
- Analysis: "APT40 targets maritime/defense; our organization is relevant"
- Dissemination: Brief executives on risk, provide SOC with detection rules
- Feedback: "Did we detect any APT40 activity after deploying rules?"
2. MITRE ATT&CK Framework
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is the Rosetta Stone of cybersecurity: a globally accessible knowledge base of adversary behavior based on real-world observations.
2.1 Understanding the Structure
| Component | Definition | Example |
|---|---|---|
| Tactics | The adversary's goal, the "why" of an attack | Initial Access, Persistence, Exfiltration |
| Techniques | How the adversary achieves the goal | Phishing (T1566), Registry Run Keys (T1547) |
| Sub-techniques | Specific variation of a technique | Spearphishing Attachment (T1566.001) |
| Procedures | Specific implementation by threat actor | APT29 uses OAuth apps for persistence |
2.2 The 14 Tactics (Enterprise Matrix)
1. Reconnaissance
Gathering information about the target
2. Resource Development
Creating attack infrastructure
3. Initial Access
Getting into the network
4. Execution
Running malicious code
5. Persistence
Maintaining foothold
6. Privilege Escalation
Gaining higher permissions
7. Defense Evasion
Avoiding detection
8. Credential Access
Stealing credentials
9. Discovery
Learning about the environment
10. Lateral Movement
Moving through network
11. Collection
Gathering target data
12. Command & Control
Communicating with malware
13. Exfiltration
Stealing data out
14. Impact
Disrupting/destroying systems
2.3 Using ATT&CK for Defense
Detection Engineering
Map your detection rules to ATT&CK techniques. Identify gaps: which techniques have no detection coverage?
Example: "We detect 60% of Credential Access techniques but only 20% of Defense Evasion"
Threat Hunting
Use ATT&CK to prioritize hunts based on techniques used by relevant threat actors.
Example: "APT41 uses T1055 (Process Injection); let's hunt for this in our environment"
Security Assessment
Test your defenses against specific techniques. Purple team exercises with ATT&CK mapping.
Example: "Can we detect Kerberoasting (T1558.003)? Let's test it."
Incident Analysis
Document incidents using ATT&CK terminology for consistent, shareable analysis.
Example: "Attack chain: T1566.001 -> T1059.001 -> T1055 -> T1003"
ATT&CK in Practice: WannaCry Mapped
The 2017 WannaCry ransomware attack mapped to ATT&CK:
- T1210 (Exploitation of Remote Services): Exploited the SMBv1 vulnerability MS17-010 (EternalBlue) to spread
- T1059.003 (Windows Command Shell): Executed via command line
- T1486 (Data Encrypted for Impact): Encrypted files with AES/RSA
- T1490 (Inhibit System Recovery): Deleted shadow copies
This mapping helps defenders: "If we block T1210 via patching, the entire chain breaks."
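Detection-engineering gap analysis from 2.3, as an added Python example (not code from the lesson or from MITRE): detection rules are mapped to technique IDs, rolled up per tactic, and an observed attack chain such as the one in the Incident Analysis example is checked for steps no rule covers. The technique table is a hand-picked subset of ATT&CK Enterprise and the rules are constructed.

```python
"""ATT&CK coverage gap analysis: which techniques do our detection rules cover?

Added example, not from the lesson. TECHNIQUES is a hand-picked subset of ATT&CK
Enterprise (a real program loads MITRE's full STIX bundle); RULES is constructed.
"""
from collections import defaultdict

# technique ID -> (name, tactics). A technique can sit under more than one tactic.
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1055": ("Process Injection", ["Defense Evasion", "Privilege Escalation"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1558": ("Steal or Forge Kerberos Tickets", ["Credential Access"]),
    "T1210": ("Exploitation of Remote Services", ["Lateral Movement"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
    "T1490": ("Inhibit System Recovery", ["Impact"]),
}

# Constructed detection rules: rule name -> technique or sub-technique it detects.
RULES = {
    "Office app spawning a script interpreter": "T1566.001",
    "LSASS handle opened by non-system process": "T1003.001",
    "Many RC4 TGS requests from one account": "T1558.003",
    "vssadmin delete shadows": "T1490",
}

def parent(tech_id):
    """T1566.001 -> T1566: a sub-technique rule counts toward its parent technique."""
    return tech_id.split(".")[0]

def coverage_by_tactic(rules=RULES, techniques=TECHNIQUES):
    """Return {tactic: (covered, total, percent)} over the technique table."""
    covered = {parent(t) for t in rules.values()}
    tally = defaultdict(lambda: [0, 0])  # tactic -> [covered, total]
    for tech_id, (_, tactics) in techniques.items():
        for tactic in tactics:
            tally[tactic][1] += 1
            tally[tactic][0] += tech_id in covered
    return {t: (c, n, round(100 * c / n)) for t, (c, n) in tally.items()}

def chain_gaps(chain, rules=RULES):
    """Steps of an observed attack chain that no rule covers: where we are still blind."""
    covered = {parent(t) for t in rules.values()}
    return [step for step in chain if parent(step) not in covered]

if __name__ == "__main__":
    for tactic, (c, n, pct) in sorted(coverage_by_tactic().items()):
        print(f"{tactic:22} {c}/{n} techniques covered ({pct}%)")
```

Run against the chain from the Incident Analysis example, chain_gaps reports T1059.001 and T1055 as the uncovered steps.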
3. Indicators of Compromise (IOCs) vs TTPs
3.1 The Pyramid of Pain
Security researcher David Bianco created the "Pyramid of Pain" to illustrate how much pain different indicator types cause adversaries when defenders detect and act on them:
TTPs (Tactics, Techniques, Procedures)
Tough! Adversaries must change their entire methodology
Tools
Challenging: requires developing new tools
Domain Names
Simple: new domains are cheap to register
IP Addresses
Easy: switch to a new VPS, proxy, or Tor
Hash Values
Trivial: recompiling the malware, or changing a single bit, yields a new hash
3.2 Types of Indicators
| Indicator Type | Examples | Lifespan | Detection Value |
|---|---|---|---|
| Hash (MD5, SHA256) | Malware file hashes | Hours-Days | Low (easily changed) |
| IP Addresses | C2 server IPs | Days-Weeks | Low-Medium |
| Domain Names | Phishing/C2 domains | Days-Months | Medium |
| Network Artifacts | User-Agent strings, JA3 hashes | Months | Medium-High |
| Host Artifacts | Registry keys, file paths, mutexes | Months | Medium-High |
| TTPs | Attack patterns, behaviors | Years | Highest |
The IOC Trap
Many organizations focus heavily on IOC blocking (IP/domain/hash lists) because it's easy to automate. But this creates a false sense of security:
- IOCs are lagging indicators: they become known only after an attack
- Sophisticated attackers change IOCs constantly
- Zero-day attacks have no known IOCs
Better approach: Use IOCs for quick wins, but invest in TTP-based detection (behavioral analytics, anomaly detection) for lasting defense.
4. Threat Hunting: The Proactive Pursuit
"Threat hunting is like being a detective: you don't wait for someone to report a crime; you look for evidence that one might be happening."
4.1 What is Threat Hunting?
Threat Hunting is the proactive, iterative search through networks and datasets to detect threats that evade existing automated security solutions.
Key characteristics that distinguish hunting from traditional SOC operations:
- Proactive: Not triggered by alerts but initiated by hunters
- Hypothesis-driven: Based on intelligence, not just data
- Iterative: Findings lead to new hypotheses
- Human-led: Requires analyst intuition and creativity
4.2 The Hunting Loop
Create Hypothesis
Based on threat intel, ATT&CK, or intuition: "APT29 may be using OAuth token theft in our M365 environment"
Investigate
Query logs, analyze data, look for evidence of the hypothesis
Discover Patterns
Find anomalies, suspicious activity, or confirm benign behavior
Create/Update Analytics
Turn findings into detection rules for automation
Inform & Enrich
Document findings, update threat intel, improve defenses
4.3 Hunting Techniques
Statistical Analysis
Look for outliers: rare processes, unusual network connections, abnormal data volumes.
Example: "Which workstations have the most unique outbound connections?"
Stack Counting
Count occurrences of artifacts. Rare items may indicate compromise.
Example: "This scheduled task exists on only 1 of 10,000 machines; investigate!"
Temporal Analysis
Look for activity at unusual times or suspicious patterns over time.
Example: "Authentication from India at 3 AM local time every Sunday"
TTP-Based Hunting
Hunt for specific techniques from MITRE ATT&CK or threat reports.
Example: "Search for LSASS memory access (T1003.001)"
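Stack counting from the techniques above, as an added Python example (not the lesson's code): a constructed scheduled-task inventory is stacked first by task name and then by name plus command line, which is what surfaces a well-known task name carrying an unfamiliar command.

```python
"""Stack counting: rank scheduled tasks by how many hosts carry them.

Added example, not from the lesson. INVENTORY is constructed sample data in the
shape of a fleet-wide scheduled-task export: (host, task name, command line).
"""
from collections import defaultdict

LEGIT_GOOGLE = r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"
LEGIT_EDGE = r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c"

# Five workstations. WS-005 has a task with a well-known name but a command in a
# user-writable directory; WS-003 has a task that exists nowhere else.
INVENTORY = (
    [(f"WS-00{i}", "GoogleUpdateTaskMachineUA", LEGIT_GOOGLE) for i in range(1, 5)]
    + [("WS-005", "GoogleUpdateTaskMachineUA", r"C:\Users\Public\GoogleUpdate.exe /ua")]
    + [(f"WS-00{i}", "MicrosoftEdgeUpdateTaskMachineCore", LEGIT_EDGE) for i in range(1, 6)]
    + [("WS-003", "SystemHealthCheck", r"powershell.exe -w hidden -File C:\Users\Public\health.ps1")]
)

def by_name(record):
    """Stack on task name only: what a naive count does."""
    return record[1]

def by_name_and_command(record):
    """Stack on (name, command line): catches a familiar name with an unfamiliar body."""
    return record[1:]

def stack_count(inventory, key):
    """Return {artifact: number of distinct hosts on which it was seen}."""
    hosts = defaultdict(set)
    for record in inventory:
        hosts[key(record)].add(record[0])
    return {artifact: len(seen) for artifact, seen in hosts.items()}

def rare_artifacts(inventory, key, max_hosts=1):
    """Artifacts seen on at most max_hosts hosts, rarest first: the hunt's starting list."""
    counts = stack_count(inventory, key)
    rare = [(artifact, n) for artifact, n in counts.items() if n <= max_hosts]
    return sorted(rare, key=lambda item: (item[1], item[0]))

if __name__ == "__main__":
    print("By name only:     ", rare_artifacts(INVENTORY, by_name))
    print("By name + command:", rare_artifacts(INVENTORY, by_name_and_command))
```

Stacking by name alone shows GoogleUpdateTaskMachineUA on all five hosts and hides the odd one out; stacking on name plus command line puts the WS-005 copy on the rare list.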
4.4 Sample Hunt: Detecting Kerberoasting
Hunt: Kerberoasting (T1558.003)
Hypothesis
Attackers may be requesting TGS tickets for service accounts to crack offline (Kerberoasting).
Data Sources
- Windows Security Event Logs (Event ID 4769)
- Domain Controller logs
Hunt Query (SQL, assuming a normalised security_events table)
```sql
-- Accounts requesting RC4 service tickets for many distinct SPNs
SELECT source_user,
       COUNT(DISTINCT service_name) AS services_requested
FROM security_events
WHERE event_id = 4769
  AND ticket_encryption_type IN (0x17, 0x18)  -- RC4-HMAC / RC4-HMAC-EXP: weak, ticket crackable offline
  AND service_name NOT LIKE '%$'              -- exclude machine accounts
  AND service_name <> 'krbtgt'                -- krbtgt requests are TGT renewals/referrals, not services
GROUP BY source_user
HAVING COUNT(DISTINCT service_name) > 10      -- threshold for suspicion (aliases are not portable in HAVING)
ORDER BY services_requested DESC;
```
Expected Findings
- Normal: Users request 1-5 services occasionally
- Suspicious: A single user requesting TGS tickets for 50+ services in a short time
- Indicators: RC4 encryption requested (downgrade attack)
Response Actions
- Investigate the requesting account
- Check service accounts for weak passwords
- Implement group Managed Service Accounts (gMSA)
- Create detection rule for future alerts
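The hunt above implemented in Python over constructed 4769 records, as an added example (not the lesson's code): it applies the same filters as the query and adds the "in short time" condition as a sliding window, so an account that requests many RC4 tickets slowly over a shift is not flagged while a burst is. Field names such as source_user and ticket_encryption_type are assumed to match the normalised schema.

```python
"""Kerberoasting hunt (T1558.003) over constructed Event ID 4769 records.

Added example, not from the lesson: the hunt query above in Python, plus the "in
short time" condition as a sliding window. Field names of EVENTS are assumed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RC4_TYPES = {0x17, 0x18}  # RC4-HMAC / RC4-HMAC-EXP: ticket hashes crackable offline
BASE = datetime(2024, 1, 1, 3, 0)

def ev(minutes, user, service, enc=0x17):
    """One constructed 4769 record; RC4 unless enc says otherwise."""
    return {"event_id": 4769, "time": BASE + timedelta(minutes=minutes), "source_user": user,
            "service_name": service, "ticket_encryption_type": enc}

EVENTS = (
    [ev(i * 0.1, "jdoe", f"MSSQLSvc/db{i:02d}.corp.example") for i in range(12)]    # 12 SPNs in ~1 min
    + [ev(i * 30, "backup_svc", f"HTTP/web{i:02d}.corp.example") for i in range(12)]  # 12 SPNs over 5.5 h
    + [ev(5, "asmith", "cifs/fs01.corp.example", enc=0x12)]                           # AES256, not RC4
    + [ev(7, "WS-001$", "LDAP/dc01.corp.example"), ev(8, "jdoe", "WS-002$"), ev(9, "jdoe", "krbtgt")]
)

def kerberoast_candidates(events, window=timedelta(minutes=10), min_services=10):
    """Return {user: most distinct RC4 service tickets requested inside any one window}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] != 4769 or e["ticket_encryption_type"] not in RC4_TYPES:
            continue
        svc = e["service_name"]
        if svc.endswith("$") or svc.lower() == "krbtgt":  # machine accounts; TGT renewals/referrals
            continue
        by_user[e["source_user"]].append((e["time"], svc))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        in_window, left, best = Counter(), 0, 0
        for t, svc in reqs:
            in_window[svc] += 1
            while t - reqs[left][0] > window:  # drop requests that fell out of the window
                old = reqs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_services:
            flagged[user] = best
    return flagged
```

With the defaults only jdoe is flagged (12 distinct SPNs inside one window); backup_svc makes the same 12 requests spread over hours and never exceeds one per window.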
5. Building a Threat Intelligence Program
5.1 Intelligence Sources
| Source Type | Examples | Pros | Cons |
|---|---|---|---|
| Open Source (OSINT) | AlienVault OTX, MISP, Twitter, Blogs | Free, community-driven | Quality varies, may be outdated |
| Commercial Feeds | Recorded Future, Mandiant, CrowdStrike | Curated, contextualized | Expensive, vendor lock-in |
| Government/ISACs | CERT-In, FS-ISAC, NCIIPC | Sector-specific, authoritative | May be slow, limited scope |
| Internal Telemetry | Your own logs, incidents, hunts | Highly relevant, unique | Requires analysis capability |
| Dark Web Monitoring | Paste sites, forums, markets | Early warning of breaches | Legal/ethical considerations |
5.2 India-Specific Intelligence Sources
CERT-In
Indian Computer Emergency Response Team. Mandatory breach reporting destination under the IT Act. Publishes advisories and vulnerability notes.
Website: cert-in.org.in
NCIIPC
National Critical Information Infrastructure Protection Centre. Protects critical sectors: power, banking, telecom.
Sectors: Critical infrastructure threat intel
RBI Cyber Security
The Reserve Bank of India issues sector-specific guidance and threat information for the financial sector.
Focus: Banking, payment systems
DSCI
Data Security Council of India. Industry body with threat intelligence sharing initiatives.
Focus: Industry collaboration
5.3 Threat Intelligence Platform (TIP) Workflow
Threat Intelligence Platform Workflow:
```
                    INTELLIGENCE SOURCES
   Commercial Feeds | OSINT | CERT-In | Internal | Dark Web
                              |
                              v
                    THREAT INTEL PLATFORM
                    - Aggregate & Normalize
                    - Enrich with context
                    - Score & Prioritize
                    - Correlate with internal data
                              |
               +--------------+--------------+
               |              |              |
               v              v              v
            SIEM          Firewall          EDR
          Detection       Blocking        Alerting
               |              |              |
               +--------------+--------------+
                              |
                              v
                      SOC / HUNT TEAM
                    - Investigate alerts
                    - Conduct hunts
                    - Feedback to TIP
```
Legal Considerations for Threat Intelligence
IT Act 2000, Section 69: Government can intercept/monitor computer resources for national security. Organizations may receive directives to share threat information.
DPDPA 2023: When sharing threat intel, ensure no personal data is included unless necessary. Pseudonymize/anonymize where possible.
Dark Web Monitoring: Passive monitoring is generally legal; active participation in illegal marketplaces is not. Document your methodology.
Key Takeaways
Threat intelligence exists at four levels: strategic, tactical, operational, and technical; each serves different stakeholders
MITRE ATT&CK provides a common language for describing adversary behavior; use it for detection, hunting, and analysis
TTPs cause more pain to adversaries than IOCs; invest in behavioral detection over blocklists
Threat hunting is a hypothesis-driven, proactive search for threats that evade automated detection
A threat intel program combines multiple sources (OSINT, commercial, government, internal) with a proper workflow
Lesson Complete!
You've mastered threat intelligence and hunting fundamentals. Next: Digital Forensics & Evidence Handling.