Study Guide: Principles of Information Security: Threat Intelligence and MITRE ATT&CK Framework
Source: https://www.fatskills.com/first-aid/chapter/information-security-threat-intelligence-and-mitre-attck-framework

Principles of Information Security: Threat Intelligence and MITRE ATT&CK Framework

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

Threat Intelligence & MITRE ATT&CK Framework – Exam-Ready Study Guide


What This Is

Threat intelligence is evidence-based knowledge about cyber threats: who is attacking, what they do once inside, and how to stop them. The MITRE ATT&CK Framework is a free, public knowledge base of adversary behavior, organized as tactics (the adversary's goals) and techniques (the methods used to reach them, many with sub-techniques), each illustrated by procedures observed in real intrusions. Together they give security teams a shared vocabulary for detecting, responding to, and preventing attacks before damage occurs.

Real-world example: In the 2021 Colonial Pipeline ransomware attack, investigators found that the DarkSide operators got in through a compromised password for a legacy VPN account that had no multi-factor authentication, then deployed ransomware across the IT network. In ATT&CK terms that is Initial Access (TA0001) via External Remote Services (T1133) using Valid Accounts (T1078), ending in Data Encrypted for Impact (T1486). Mapping the intrusion this way tells defenders exactly which controls (MFA on remote access, monitoring of VPN logins, disabling dormant accounts) would have broken the chain.


Key Terms & Concepts

  • Threat Intelligence (TI): Structured data about cyber threats (actors, tools, methods) used to proactively defend against attacks. Sources include ISACs (Information Sharing and Analysis Centers), open-source feeds (OSINT), and commercial providers (Recorded Future, CrowdStrike).
  • Types:

    • Strategic: long-range trends and risk for executives (which actors target your sector, and why).
    • Tactical: adversary TTPs, consumed by architects and detection engineers.
    • Operational: details of a specific, imminent or ongoing campaign (who, when, against what), consumed by the SOC and incident responders.
    • Technical: machine-consumable indicators (file hashes, C2 IPs and domains) fed straight into tools. Vendors and exam bodies do not all draw the tactical/operational line in the same place; learn the definitions your exam uses.
  • MITRE ATT&CK: A matrix of adversary behaviors mapped to real-world attacks, used for threat modeling, detection engineering, and red teaming. Covers enterprise, mobile, and ICS (industrial control systems).

  • Key components:

    • Tactics (WHY): The adversary’s goal (e.g., Persistence (TA0003), Exfiltration (TA0010)).
    • Techniques (HOW): Specific methods (e.g., Phishing (T1566), Pass-the-Hash (T1550.002)).
    • Procedures (HOW EXACTLY): Step-by-step attack examples (e.g., APT29 using PowerShell for lateral movement).
  • Indicators of Compromise (IOCs): Forensic artifacts (IPs, domains, file hashes) that signal a breach. Shared via STIX/TAXII (structured threat intelligence formats).

  • Example: A .exe file with hash a1b2c3... is flagged as Emotet malware.

  • Indicators of Attack (IOAs): Behavioral patterns (e.g., unusual process execution, privilege escalation) that suggest an attack in progress.

  • Example: A user account suddenly accessing 100+ files in 5 minutes (possible data exfiltration).

  • TTPs (Tactics, Techniques, Procedures): The DNA of an attack. Security teams use TTPs to hunt for threats and build detections.

  • Example: APT29 (Cozy Bear) procedure chain: Spearphishing Attachment (T1566.001) → PowerShell (T1059.001) → C2 over DNS (Application Layer Protocol: DNS, T1071.004).

  • Cyber Kill Chain (Lockheed Martin): A 7-phase model of an attack (Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Actions on Objectives). ATT&CK does not replace the Kill Chain; it is a far more granular catalogue of what happens inside each phase.

  • Threat Actor: A person/group behind an attack (e.g., APT29 (Russia), Lazarus Group (North Korea), FIN7 (cybercrime)). Classified by motivation (espionage, financial, hacktivism) and skill level (script kiddie vs. nation-state).

  • Threat Modeling: A structured approach to identify and prioritize threats. Common methods:

  • STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege)
  • PASTA (Process for Attack Simulation and Threat Analysis)
  • MITRE ATT&CK Navigator: not a modeling method itself, but the usual tool for overlaying an actor's known techniques on the matrix and comparing them against your own controls.

  • Threat Hunting: Proactively searching for hidden threats using hypotheses (e.g., “An attacker might use WMI for lateral movement”). Tools: SIEM (Splunk), EDR (CrowdStrike), MITRE ATT&CK Navigator.

  • STIX/TAXII:

  • STIX (Structured Threat Information eXpression): A standardized JSON language for describing threat data (indicators, malware, threat actors, TTPs, and the relationships between them).
  • TAXII (Trusted Automated eXchange of Intelligence Information; the older expansion was "Indicator Information"): An HTTPS-based protocol for publishing and pulling STIX data from collections. Think of TAXII as the mail system and STIX as the letter.

  • Threat Intelligence Platform (TIP): A tool (e.g., MISP, ThreatConnect, Anomali) that aggregates, correlates, and enriches threat data for actionable insights.

  • Diamond Model of Intrusion Analysis: A framework to analyze attacks by Adversary, Infrastructure, Capability, and Victim. Helps attribute attacks and predict future moves.
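To make the IOC and STIX/TAXII material above concrete, here is an added example (not code from the Fatskills page, and not the OASIS STIX project's own library) that builds a minimal STIX 2.1 indicator bundle by hand and then matches its patterns against constructed observations. The IOC values, the example.net domain, the TEST-NET address and the Sigma-style `attack.tXXXX` label convention are assumptions for illustration; the pattern parser handles only the single-comparison patterns this example emits, not the full STIX patterning grammar.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample IOCs for the example; the hash, domain and IP are placeholders,
# not real indicators. The ATT&CK ID records which technique the IOC evidences.
SAMPLE_IOCS = [
    {"type": "sha256", "value": "a" * 64,
     "name": "Dropper sample (hypothetical)", "technique": "T1204.002"},
    {"type": "domain", "value": "c2.example.net",
     "name": "C2 beacon domain (hypothetical)", "technique": "T1071.004"},
    {"type": "ipv4", "value": "203.0.113.7",
     "name": "C2 server (hypothetical, TEST-NET-3 range)", "technique": "T1071.001"},
]

# STIX 2.1 pattern templates for the observable types this example shares.
PATTERN_TEMPLATES = {
    "sha256": "[file:hashes.'SHA-256' = '{value}']",
    "domain": "[domain-name:value = '{value}']",
    "ipv4": "[ipv4-addr:value = '{value}']",
}


def make_indicator(ioc, created=None):
    """Build one STIX 2.1 Indicator SDO as a plain dict with the spec's required fields."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "name": ioc["name"],
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERN_TEMPLATES[ioc["type"]].format(value=ioc["value"]),
        "pattern_type": "stix",
        "valid_from": created,
        # Assumed labeling convention: Sigma-style attack.<technique> tag, lower-cased.
        "labels": ["attack." + ioc["technique"].lower()],
    }


def make_bundle(iocs):
    """Wrap indicators in a STIX Bundle, which is what a TAXII collection serves."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_indicator(i) for i in iocs]}


def bundle_to_json(bundle):
    """Serialise the bundle exactly as it would be POSTed to or fetched from a TAXII server."""
    return json.dumps(bundle, indent=2)


# Matches only the single-comparison patterns this example emits, e.g.
# [file:hashes.'SHA-256' = 'abc'] -> ("file", "hashes.SHA-256", "abc").
_PATTERN_RE = re.compile(r"^\[([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\]$")


def parse_pattern(pattern):
    m = _PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    obj_type, path, value = m.groups()
    return obj_type, path.replace("'", ""), value


def match_bundle(bundle, observations):
    """Check observations against every indicator in a (possibly received) bundle.
    Each observation is a dict with a STIX Cyber Observable 'type' plus property paths as keys."""
    hits = []
    for sdo in bundle["objects"]:
        if sdo.get("type") != "indicator" or sdo.get("pattern_type") != "stix":
            continue
        obj_type, path, value = parse_pattern(sdo["pattern"])
        for obs in observations:
            if obs.get("type") == obj_type and obs.get(path) == value:
                hits.append({"indicator": sdo["name"], "labels": sdo["labels"], "observed": value})
    return hits


# Constructed observations, as if pulled from an EDR file inventory and DNS logs.
SAMPLE_OBSERVATIONS = [
    {"type": "file", "hashes.SHA-256": "b" * 64},        # clean file
    {"type": "file", "hashes.SHA-256": "a" * 64},        # matches the dropper hash
    {"type": "domain-name", "value": "c2.example.net"},  # matches the C2 domain
    {"type": "ipv4-addr", "value": "198.51.100.9"},      # no match
]

if __name__ == "__main__":
    bundle = make_bundle(SAMPLE_IOCS)
    print(bundle_to_json(bundle))
    for hit in match_bundle(bundle, SAMPLE_OBSERVATIONS):
        print(hit)
```

Two things to notice: the bundle carries the ATT&CK technique alongside each indicator, so a hit on the domain immediately tells the analyst to look for DNS-based C2 rather than just "a bad domain"; and because STIX patterns are text, a receiver must parse them before matching, which is why real deployments use a STIX library or a TIP rather than string comparison on raw feeds.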


Step-by-Step / Process Flow

1. Collect Threat Intelligence

  • Sources:
  • OSINT (VirusTotal, AlienVault OTX, Shodan)
  • Commercial feeds (Recorded Future, CrowdStrike)
  • ISACs (FS-ISAC for finance, H-ISAC for healthcare)
  • Dark web monitoring (Intel 471, Flashpoint)
  • Tools: MISP, ThreatConnect, OpenCTI.

2. Analyze & Enrich Data

  • Normalize data (e.g., convert IPs to STIX format).
  • Enrich IOCs (e.g., check if an IP is a Tor exit node or known C2 server).
  • Prioritize threats using MITRE ATT&CK (e.g., “This technique is used by APT29—high risk!”).

3. Map to MITRE ATT&CK

  • Use the ATT&CK Navigator to visualize:
  • Which techniques are most relevant to your environment.
  • Gaps in detection (e.g., “We don’t monitor Process Injection (T1055)”).
  • Example: If you see PowerShell abuse (T1059.001), check for Defense Evasion (TA0005) techniques like Obfuscation (T1027).

4. Operationalize Intelligence

  • Feed IOCs into security tools:
  • SIEM (Splunk, QRadar) for alerting.
  • EDR/XDR (CrowdStrike, SentinelOne) for automated blocking.
  • Firewalls/IDS (Palo Alto, Snort) to block malicious IPs.
  • Update detection rules (e.g., Sigma rules for MITRE ATT&CK techniques).

5. Hunt for Threats

  • Develop hypotheses (e.g., “An attacker might use Scheduled Tasks (T1053.005) for persistence”).
  • Query logs (e.g., EventID:4698 for new scheduled tasks).
  • Use MITRE ATT&CK to guide hunting (e.g., “Check for LSASS memory dumping (T1003.001)”).

6. Share & Improve

  • Report findings to stakeholders (e.g., “APT29 is targeting our industry; prioritize patching the vulnerability they are exploiting”).
  • Contribute to ISACs (e.g., share IOCs with FS-ISAC).
  • Refine detections based on new TTPs.
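Steps 4 and 5 above as an added worked example (not code from the Fatskills page, and not a real Sigma rule or SIEM query): three hunts run over a constructed set of Windows Security and Sysmon events, each returning findings tagged with the ATT&CK technique its hypothesis targets. The field names mirror Windows Security (4698 task created, 4663 object access) and Sysmon (Event 10 ProcessAccess) naming, but the events, user names, task names, file paths and allowlists are all assumed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)


def _ts(seconds):
    return (T0 + timedelta(seconds=seconds)).isoformat()


def build_sample_events():
    """Constructed sample telemetry (not real logs)."""
    ev = [
        {"time": _ts(0), "Channel": "Security", "EventID": 4698, "SubjectUserName": "svc-backup",
         "TaskName": "\\Microsoft\\Windows\\Backup\\NightlyJob"},
        {"time": _ts(60), "Channel": "Security", "EventID": 4698, "SubjectUserName": "jdoe",
         "TaskName": "\\Updater"},
        {"time": _ts(90), "Channel": "Sysmon", "EventID": 10, "GrantedAccess": "0x1000",
         "SourceImage": "C:\\Windows\\System32\\csrss.exe",
         "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
        {"time": _ts(120), "Channel": "Sysmon", "EventID": 10, "GrantedAccess": "0x1FFFFF",
         "SourceImage": "C:\\Users\\jdoe\\Downloads\\procdump64.exe",
         "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    ]
    # jdoe opens 120 distinct finance files in four minutes (the IOA from the text)...
    ev += [{"time": _ts(200 + 2 * i), "Channel": "Security", "EventID": 4663,
            "SubjectUserName": "jdoe", "ObjectName": f"\\\\fs01\\finance\\report{i}.xlsx"}
           for i in range(120)]
    # ...while asmith opens 20 files spread over an hour (normal use).
    ev += [{"time": _ts(180 * i), "Channel": "Security", "EventID": 4663,
            "SubjectUserName": "asmith", "ObjectName": f"\\\\fs01\\hr\\doc{i}.docx"}
           for i in range(20)]
    return ev


# Assumed tuning for this environment; every hunt needs an allowlist or it drowns in noise.
TASK_ALLOWLIST_PREFIXES = ("\\Microsoft\\Windows\\",)
LSASS_SOURCE_ALLOWLIST = ("csrss.exe", "wininit.exe", "services.exe", "MsMpEng.exe")
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory


def hunt_scheduled_tasks(events):
    """Hypothesis: persistence via Scheduled Task (T1053.005) outside Microsoft-managed folders."""
    return [{"technique": "T1053.005", "user": e["SubjectUserName"], "task": e["TaskName"]}
            for e in events
            if e["Channel"] == "Security" and e["EventID"] == 4698
            and not e["TaskName"].startswith(TASK_ALLOWLIST_PREFIXES)]


def hunt_lsass_access(events):
    """Hypothesis: LSASS memory dumping (T1003.001) by a non-allowlisted process holding VM_READ."""
    hits = []
    for e in events:
        if e["Channel"] != "Sysmon" or e["EventID"] != 10:
            continue
        if not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if e["SourceImage"].rsplit("\\", 1)[-1] in LSASS_SOURCE_ALLOWLIST:
            continue
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
            hits.append({"technique": "T1003.001", "source": e["SourceImage"],
                         "access": e["GrantedAccess"]})
    return hits


def hunt_file_access_burst(events, threshold=100, window=timedelta(minutes=5)):
    """IOA: a user touching >= threshold distinct files inside a sliding window
    (mass collection from a share, T1039, typically preceding exfiltration)."""
    per_user = defaultdict(list)
    for e in events:
        if e["Channel"] == "Security" and e["EventID"] == 4663:
            per_user[e["SubjectUserName"]].append((datetime.fromisoformat(e["time"]), e["ObjectName"]))
    findings = {}
    for user, items in per_user.items():
        items.sort()
        win, peak = deque(), 0
        for t, obj in items:
            win.append((t, obj))
            while t - win[0][0] > window:   # drop accesses that fell out of the window
                win.popleft()
            peak = max(peak, len({o for _, o in win}))
        if peak >= threshold:
            findings[user] = peak
    return findings


def run_hunt(events):
    """Return every finding, tagged with the technique its hypothesis targets."""
    findings = hunt_scheduled_tasks(events) + hunt_lsass_access(events)
    for user, peak in hunt_file_access_burst(events).items():
        findings.append({"technique": "T1039", "user": user, "files_in_window": peak})
    return findings


if __name__ == "__main__":
    for f in run_hunt(build_sample_events()):
        print(f)
```

The IOC-style hunts (4698, LSASS access) are near-deterministic; the IOA-style burst hunt is a threshold over behavior, which is why it needs a baseline per user or role before the threshold is trustworthy. Note that 4663 only exists where a SACL enables object-access auditing, so confirm the audit policy before assuming an empty result means "no collection happened".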

Common Mistakes

Mistake: Assuming all threat intel is equal.
Correction: Not all feeds are reliable or relevant. Prioritize by relevance to your organization (a hospital needs H-ISAC data more than an IoT botnet feed) and track each source's false-positive rate.

Mistake: Focusing only on IOCs (IPs, hashes).
Correction: IOCs are cheap for attackers to change (rotate IPs, recompile malware). Build detections on TTPs, which are expensive to change (e.g., “They always use PowerShell for C2”).

Mistake: Ignoring MITRE ATT&CK’s procedure examples.
Correction: Techniques (e.g., Phishing) are too broad to detect directly. Procedures (e.g., “APT29 delivers malicious LNK files”) tell you exactly what to look for.

Mistake: Not mapping detections to ATT&CK.
Correction: If you don’t know which techniques your tools detect, you have blind spots. Use MITRE ATT&CK Navigator to visualize coverage against the techniques your likely attackers use.

Mistake: Treating threat hunting as a one-time activity.
Correction: Threat hunting is continuous. Attackers evolve and TTPs change (e.g., the wave of new exploitation techniques that followed Log4j).
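The "map detections to ATT&CK" correction above, as an added example that is not from the Fatskills page or from MITRE: given a rule inventory tagged the way Sigma rules tag ATT&CK, and a list of techniques a threat actor is reported to use, it lists the uncovered techniques and emits an ATT&CK Navigator layer that colors covered techniques green and gaps red. The rule titles and the actor's technique list are constructed inputs, and the layer's version numbers are assumptions to be replaced with the ATT&CK and Navigator versions you actually run.

```python
import json
import re

# Constructed rule inventory, tagged Sigma-style (attack.tXXXX or attack.tXXXX.YYY).
DETECTION_RULES = [
    {"title": "PowerShell EncodedCommand", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Scheduled task created outside Microsoft folders",
     "tags": ["attack.persistence", "attack.t1053.005"]},
    {"title": "LSASS memory access by unsigned process",
     "tags": ["attack.credential_access", "attack.t1003.001"]},
]

# Constructed actor profile as a TI feed might report it (hypothetical, not a real group's TTPs).
ACTOR_TECHNIQUES = ["T1566.001", "T1059.001", "T1053.005", "T1003.001", "T1071.004", "T1055"]

_TECH_TAG = re.compile(r"attack\.(t\d{4}(?:\.\d{3})?)$")


def rules_by_technique(rules):
    """Map each technique ID to the titles of the rules that claim to detect it."""
    out = {}
    for rule in rules:
        for tag in rule["tags"]:
            m = _TECH_TAG.match(tag)
            if m:
                out.setdefault(m.group(1).upper(), []).append(rule["title"])
    return out


def covered_techniques(rules):
    return set(rules_by_technique(rules))


def coverage_gap(actor_techniques, rules):
    """Techniques the actor uses that no rule covers. Navigator treats sub-techniques
    separately, so a rule for T1059.001 does not cover T1059 or any other sub-technique."""
    covered = covered_techniques(rules)
    return sorted(t for t in actor_techniques if t not in covered)


def navigator_layer(actor_techniques, rules, name="Coverage vs actor"):
    """Build an ATT&CK Navigator layer (JSON-serialisable dict): score 1 = covered, 0 = gap."""
    by_tech = rules_by_technique(rules)
    techniques = []
    for t in actor_techniques:
        hit = t in by_tech
        techniques.append({
            "techniqueID": t,
            "score": 1 if hit else 0,
            "color": "#31a354" if hit else "#de2d26",
            "comment": "; ".join(by_tech.get(t, [])) or "NO DETECTION",
            "enabled": True,
        })
    return {
        "name": name,
        # Assumed versions; set these to the ATT&CK release and Navigator build you use.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Green = at least one detection rule; red = gap",
        "techniques": techniques,
        "gradient": {"colors": ["#de2d26", "#31a354"], "minValue": 0, "maxValue": 1},
    }


def write_layer(path, actor_techniques, rules):
    """Write the layer file that Navigator's 'Open Existing Layer' dialog loads."""
    with open(path, "w") as fh:
        json.dump(navigator_layer(actor_techniques, rules), fh, indent=2)


if __name__ == "__main__":
    print("gaps:", coverage_gap(ACTOR_TECHNIQUES, DETECTION_RULES))
    print(json.dumps(navigator_layer(ACTOR_TECHNIQUES, DETECTION_RULES), indent=2))
```

A rule tag is a claim, not proof: "covered" here means someone wrote a rule for the technique, not that the rule fires on the actor's actual procedure. Pair this layer with adversary emulation (red team or an atomic test per technique) before presenting it as coverage.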

Certification Exam Tips

CISSP

  • Management perspective: Focus on strategic threat intelligence (e.g., “How would you brief the CISO on APT29’s latest campaign?”).
  • Tricky question: “Which threat intelligence type is most useful for incident response?” Operational (details of the specific attack in progress).
  • MITRE ATT&CK trap: CISSP may ask about tactics (WHY), not techniques (HOW). Know the 14 enterprise tactics (e.g., Initial Access, Persistence, Exfiltration).

Security+

  • Memorize: STIX/TAXII (know the difference: STIX = data format, TAXII = sharing protocol).
  • Common question: “Which threat actor is most likely to use ransomware?”-Cybercriminals (FIN7, REvil).
  • MITRE ATT&CK: Know 3-5 techniques per tactic (e.g., Phishing (T1566) under Initial Access).

CEH

  • Hands-on focus: Be ready to analyze a PCAP and map it to MITRE ATT&CK (e.g., “This traffic shows DNS tunneling (T1071.004)”).
  • Threat hunting: CEH may ask, “Which tool would you use to hunt for lateral movement?”-SIEM (Splunk) + EDR (CrowdStrike).
  • Kill Chain vs. ATT&CK: Know that MITRE ATT&CK is more granular (e.g., 7 Kill Chain phases vs. 14 ATT&CK tactics).

Quick Check Questions

1. A security analyst discovers a new malware sample with a unique file hash. Which threat intelligence type is this an example of?

  A) Technical (IOC)
  B) Strategic
  C) Tactical
  D) Operational

Answer: A. A file hash is a technical IOC, consumed directly by detection tools for immediate blocking.

2. During an incident, an attacker dumps LSASS memory to steal credentials. Which MITRE ATT&CK technique does this represent?

  A) T1003.001 (OS Credential Dumping: LSASS Memory)
  B) T1555 (Credentials from Password Stores)
  C) T1078 (Valid Accounts)
  D) T1059 (Command and Scripting Interpreter)

Answer: A. Dumping LSASS memory is OS Credential Dumping: LSASS Memory (T1003.001), under the Credential Access tactic (TA0006).

3. A company wants to share threat intelligence with industry peers. Which standard/protocol should they use?

  A) STIX/TAXII
  B) NIST CSF
  C) ISO 27001
  D) OWASP Top 10

Answer: A. STIX (data format) and TAXII (sharing protocol) are the standard pair for threat intel exchange; the other options are frameworks and standards, not exchange formats.


Last-Minute Cram Sheet

  1. Threat Intelligence Types:

    • Strategic (executives) → Tactical (TTPs) → Operational (specific campaigns) → Technical (hashes, IPs).

  2. MITRE ATT&CK:

    • 14 Enterprise Tactics (e.g., Initial Access, Persistence, Exfiltration).
    • Techniques (e.g., Phishing (T1566)) → Procedures (e.g., “APT29 uses malicious LNK files”).

  3. STIX/TAXII:

    • STIX = data format, TAXII = sharing protocol (like “email for threat intel”).

  4. IOCs vs. IOAs:

    • IOC = forensic artifact (hash, IP).
    • IOA = behavioral pattern (e.g., unusual process execution).

  5. Threat Hunting Tools:

    • SIEM (Splunk, QRadar) + EDR (CrowdStrike, SentinelOne) + MITRE ATT&CK Navigator.

  6. Cyber Kill Chain vs. MITRE ATT&CK:

    • Kill Chain = 7 phases (Recon → Actions on Objectives).
    • ATT&CK = 14 tactics + 200+ techniques (more granular).

  7. Threat Actor Motivations:

    • Nation-state (espionage), Cybercriminals (financial), Hacktivists (ideological), Script Kiddies (notoriety, curiosity).

  8. Common Exam Trap:

    • “Which threat intelligence type is best for incident response?” Operational (not strategic!).

  9. MITRE ATT&CK Technique Example:

    • T1059.001 (PowerShell) → Execution tactic.
    • T1071.004 (DNS C2) → Command & Control tactic.

  10. Threat Modeling Methods:

    • STRIDE (Microsoft) → PASTA (risk-centric) → MITRE ATT&CK Navigator (visual coverage tool, not a modeling method).