Threat Intelligence¶
MITRE ATT&CK, IOC enrichment, CTI frameworks and threat actor profiling.
MITRE ATT&CK¶
The ATT&CK framework maps adversary behavior into Tactics, Techniques and Procedures (TTPs).
Tactics — the why (what the attacker is trying to achieve)
Techniques — the how (specific method used)
Sub-techniques — more specific variation of a technique
Tactic order — attack lifecycle¶
| # | Tactic | ID | Description |
|---|---|---|---|
| 1 | Reconnaissance | TA0043 | Gather target information |
| 2 | Resource Development | TA0042 | Build/acquire infrastructure |
| 3 | Initial Access | TA0001 | Get into the environment |
| 4 | Execution | TA0002 | Run malicious code |
| 5 | Persistence | TA0003 | Maintain foothold |
| 6 | Privilege Escalation | TA0004 | Gain higher permissions |
| 7 | Defense Evasion | TA0005 | Avoid detection |
| 8 | Credential Access | TA0006 | Steal credentials |
| 9 | Discovery | TA0007 | Learn the environment |
| 10 | Lateral Movement | TA0008 | Move to other systems |
| 11 | Collection | TA0009 | Gather target data |
| 12 | Command & Control | TA0011 | Communicate with implant |
| 13 | Exfiltration | TA0010 | Steal data |
| 14 | Impact | TA0040 | Disrupt / destroy / ransom |
IOC enrichment workflow¶
# IP reputation
iocx ip 185.220.101.45
# Domain reputation
iocx domain evil-c2.ru
# File hash
iocx hash 44d88612fea8a8f36de82e1278abb02f
# Bulk scan from file with HTML report
iocx scan iocs.txt --output report.html
Key OSINT sources¶
| Source | Best for |
|---|---|
| VirusTotal | Hash, IP, domain, URL reputation |
| AbuseIPDB | IP abuse reports |
| Shodan | Open ports, banners, services |
| URLhaus | Malware distribution URLs |
| MalwareBazaar | Malware sample lookup |
| AlienVault OTX | Threat intel pulses |
| MITRE ATT&CK | TTP mapping |
Pyramid of Pain¶
Understanding which IOC type hurts the attacker most when blocked:
/\
/ \ ← TTPs (hardest to change — most valuable)
/----\
/ Tools \ ← Malware hashes, C2 frameworks
/----------\
/ Network \ ← IP addresses, domains
/ Artifacts \
/-----------------\
/ Hash Values \ ← MD5/SHA1 (easiest to change — least valuable)
Tip
Focus your detection on TTPs and tools — they are much harder for adversaries to change than IPs or hashes.