Threat Hunting Professional

Threat Intelligence
Section 01 | Module 03
© Caendra Inc. 2020 All Rights Reserved
Table of Contents

MODULE 03 | THREAT INTELLIGENCE


3.1 Introduction

3.2 Threat Intelligence Reports and Research

3.3 Threat Sharing and Exchanges

3.4 Indicators of Compromise

THPv2: Section 01, Module 03 - Caendra Inc. © 2020 | p.2




3.1 Introduction

In the previous module, Module 2 – Threat Hunting Terminology, we discussed the two mindsets of a threat hunter:
1. A hunter that relies mostly on threat intelligence
2. A hunter that relies primarily on digital forensics

Now, we'll go deeper into the first type of hunter, the one that relies on threat intelligence.

"Threat Intelligence is data on threats."
As you may recall, for data to become intelligence, it has to be processed, analyzed, and made actionable. The data will be pertinent to your infrastructure and assets, and it will include context, not just indicators.

The intelligence may contain more than IP addresses, file hashes, and the like. It may contain TTPs, advice on how to stop the attack, and so on. Remember that this type of hunter is relying on information about known threats.
The rest of this module will primarily focus on the manual effort a threat hunter makes to obtain threat data.

Of course, the preferred method would be automation (data automatically fed into a security appliance, such as a SIEM, which works together with a combination of other security appliances to give you intelligence), but that is beyond the scope of this course.


Although discussed in a later module, a SIEM is a Security Information and Event Management solution. It is a centralized collection point where all logs (firewall, network, application, event, etc.) are collected, so that the security analyst can analyze them in one place instead of logging into various consoles to view log data. External data, such as threat intelligence feeds, can be ingested alongside the logs.

To really benefit from cyber threat intelligence, you should already be gathering internal data using a SIEM before you start looking for threat intel externally.
3.2 Threat Intelligence Reports and Research


3.2 Threat Intelligence Reports

Several trusted third parties collect cyber intel data and release threat intelligence reports. These reports typically cover malicious activity that was observed and describe the specific threat actors associated with that activity.

As a threat hunter, you should be accustomed to reading these reports when they are released.


Some of those third parties include, but are not limited to:

• FireEye
• Palo Alto Networks
• Verizon
• Cylance
• TrustWave
• F-Secure
• CrowdStrike

Note - we are not promoting one vendor over another or any company's services/equipment.
3.2.1 Threat Intelligence Reports - FireEye

For the sake of completeness, if we take FireEye as an example, they create and publish threat intelligence reports regularly, as well as an annual threat report.

The regular reports are available on their website, under Resources > Threat Intelligence Reports. Those reports focus on threat intelligence regarding threat actors, such as APT28, and threat groups, such as FIN6.
https://www.fireeye.com/current-threats/threat-intelligence-reports.html
https://www.fireeye.com/current-threats/apt-groups/rpt-apt28.html
https://www.fireeye.com/solutions/financial-services/rpt-fin6.html
FireEye's naming convention for financially motivated threat groups is the FIN prefix. In the previous slide, FIN6 was listed. According to MITRE, FIN6 is a cybercrime group that steals payment card data and sells it in underground markets. They target Point of Sale (PoS) systems in the retail and hospitality sectors.

As you may recall, each vendor might have a different naming convention for a particular threat group. For example, FIN6 is tracked as group G0037 in MITRE ATT&CK, and other vendors track the same group under their own names.
https://attack.MITRE.org/groups/G0037/
The annual threat report from FireEye, called M-Trends, focuses on trends from the year's breaches and cyber-attacks. According to their website, the M-Trends report provides an intelligence-led look at various topics, such as emerging global threats and the latest defensive strategies.

The latest edition of M-Trends is published here. Although we will highlight certain sections of the report, it is highly recommended to read the entire report.
https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html
The Executive Summary of M-Trends 2019 outlines the year's headline findings. [Screenshot: M-Trends 2019 Executive Summary]


[Screenshot: M-Trends, industries targeted] The screenshot shows that the two most common industries in the investigations behind the report are Financial, and Business and Professional Services.

Note that this is based on FireEye's investigations.
There is an increase in attacks on organizations that had previously experienced a security incident by the same or a similarly motivated attack group.


The last thing we'll mention regarding the report is that it outlines some of the TTPs uncovered in various investigations.


FireEye also publishes threat intelligence reports by industry. So if your industry is Education, you will be able to read a report specific to that industry.

You can get more information on these reports here.
https://www.fireeye.com/current-threats/reports-by-industry.html


3.2.2 Threat Intelligence Research

Other than these reports, many companies and researchers frequently publish new research reports on emerging threats, often containing IOCs.

As an example, we'll look into a publication from Palo Alto Networks' Unit42 on a recent vulnerability in Citrix ADC and Citrix Gateway.
https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-citrix-adc-and-citrix-gateway-directory-traversal-vulnerability-cve-2019-19781/
https://unit42.paloaltonetworks.com/
The blog mentions that the vulnerability "allowed remote attackers to easily send directory traversal requests, read sensitive information from system configuration files without the need for user authentication, and remotely execute arbitrary code."

This vulnerability is tracked as CVE-2019-19781 and was given a critical severity rating, with a CVSS v3 base score of 9.8.
https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-citrix-adc-and-citrix-gateway-directory-traversal-vulnerability-cve-2019-19781/
https://cve.MITRE.org/cgi-bin/cvename.cgi?name=CVE-2019-19781


In the publication, a detailed root cause analysis is provided, as well as a proof-of-concept exploitation.
https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-citrix-adc-and-citrix-gateway-directory-traversal-vulnerability-cve-2019-19781/
Finally, in the conclusion section, they provide the temporary fix recommended by the vendor, as well as IOCs and the IP addresses associated with abnormal scanning activity designed to exploit this vulnerability.
https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-citrix-adc-and-citrix-gateway-directory-traversal-vulnerability-cve-2019-19781/
When reading a report or research publication, you should try to get the most out of it by asking questions such as:
• What was the objective, and how was it achieved?
• What can we do to detect this activity?
• Is this similar to previously known activity?

Aim to identify behavioral trends and map them to TTPs. Focus on those that are difficult for the adversary to change.
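Taking the Citrix report above through the second question (what can we do to detect this activity?), here is an added example that is not part of the course material or of the Unit42 publication: a small Python hunt over web-server access logs that applies the same test as the vendor's interim mitigation (a URL-decoded request that reaches /vpns/ through a /../ segment) and cross-references source IPs against a scanner list. The log lines, timestamps and IP addresses are constructed; the KNOWN_SCANNERS set is a placeholder for the IPs listed in the report; and the parser targets generic combined-format access logs rather than the appliance's own log format.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server access-log lines in combined log format.
# The IPs are TEST-NET addresses and the timestamps are made up; the paths
# model the traversal pattern the report describes (/vpn/../vpns/...).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:08:15:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1024 "-" "curl/7.64.0"
203.0.113.10 - - [11/Jan/2020:08:15:03 +0000] "POST /vpn/../vpns/portal/scripts/ HTTP/1.1" 200 310 "-" "python-requests/2.22"
198.51.100.7 - - [11/Jan/2020:08:16:40 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.8 - - [11/Jan/2020:08:16:41 +0000] "GET /vpn/%252e%252e/vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.0.2.25 - - [11/Jan/2020:08:17:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.26 - - [11/Jan/2020:08:17:05 +0000] "GET /vpns/portal/scripts/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# Apache/NGINX combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Scanner IPs published in the report would be loaded here; this set is a
# placeholder (a TEST-NET address), not data from the Unit42 publication.
KNOWN_SCANNERS = {"203.0.113.10"}


def is_traversal_into_vpns(raw_path: str) -> bool:
    """Mirror the logic of the vendor's interim mitigation: after URL decoding
    (done twice, to defeat double encoding), any request that reaches /vpns/
    through a /../ segment is treated as an exploitation attempt."""
    decoded = unquote(unquote(raw_path))
    return "/vpns/" in decoded and "/../" in decoded


def hunt(log_text: str) -> list:
    """Return one hit per log line that either matches the traversal pattern
    or comes from a known scanner IP. A 2xx status on a traversal request is
    flagged as a likely successful read, which is what should be triaged first."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if is_traversal_into_vpns(m["path"]):
            reasons.append("traversal-into-vpns")
        if m["ip"] in KNOWN_SCANNERS:
            reasons.append("known-scanner-ip")
        if not reasons:
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "path": m["path"],
            "status": status,
            "reasons": reasons,
            "likely_success": "traversal-into-vpns" in reasons and 200 <= status < 300,
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Note that the last sample line (a direct request to /vpns/ without a traversal segment) is deliberately not flagged: the vendor's policy also blocks such requests when no VPN session exists, but that needs session context an access log does not carry, so a SIEM correlation with the appliance's own logs is the place for that check.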
As you can imagine, constantly going through various blogs can be a time-consuming and daunting task, especially with more vendors entering this space.

One suggestion would be to create a dashboard and have feeds (such as the vendors' RSS feeds) auto-populate it with data from multiple vendors.


[Screenshot: threat intelligence dashboard] Here is a snippet of the dashboard that we use when gathering threat intelligence from multiple sources. This allows us to be constantly in the know as new threat intelligence is made available.
3.3 Threat Sharing and Exchanges


3.3.1 Threat Sharing and Exchanges – ISACs

Information Sharing and Analysis Centers (ISACs) are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators.

To maintain situational awareness across the various critical infrastructure sectors, ISACs collaborate and share threat and mitigation information with each other, and with other partners, through the National Council of ISACs.
You can view more information about ISACs, the National Council of ISACs, and a list of member ISACs here.
https://www.nationalisacs.org/


3.3.2 Threat Sharing and Exchanges – US-CERT

The United States Computer Emergency Readiness Team (US-CERT), now part of the Cybersecurity and Infrastructure Security Agency (CISA), responds to major incidents, analyzes threats, and provides critical cybersecurity information. You can read more about them on their site. [Screenshot: the latest US-CERT alert feed]
https://www.us-cert.gov/


Many countries have similar teams (national CERTs or CSIRTs), and you may check with them for information on threat sharing.


3.3.3 Threat Sharing and Exchanges – OTX

AlienVault's Open Threat Exchange (OTX) is an open threat intelligence community that enables collaborative defense with actionable, community-powered threat data. You can join OTX here to view the threat intelligence feed right away.
https://www.alienvault.com/open-threat-exchange


3.3.3.1 VIDEO
Check out the video on Open Threat Exchange & IOCs!

To ACCESS your video, go to the course in your members area and click the resources drop-down in the appropriate module line.

Note that all videos are only available in Full or Elite Editions of the course. To upgrade, click LINK.
3.3.4 Threat Sharing and Exchanges – ThreatConnect

ThreatConnect is another platform, similar to OTX, where you can obtain threat intelligence for free. You can create an account and join right away to start sifting through threat intel.

You can join ThreatConnect here.
https://www.threatconnect.com/


3.3.5 Threat Sharing and Exchanges – MISP

Finally, the Malware Information Sharing Platform (MISP, now branded MISP Threat Sharing) is an open-source software solution for collecting, storing, distributing, and sharing cybersecurity indicators and threat information about incident analysis and malware analysis.

MISP provides functionality to support not only the exchange of information but also its consumption by Network Intrusion Detection Systems (NIDS) and by log analysis tools, such as SIEMs.

You can visit the MISP Project for detailed information and guidelines here.
http://www.misp-project.org/




3.4 Indicators of Compromise

Digital Guardian gives a good definition of what IOCs are.

Indicators of compromise (IOCs) are "pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network."
https://digitalguardian.com/blog/what-are-indicators-compromise


Indicators of compromise aid information security and IT professionals in detecting:
• Data breaches
• Malware infections
• Other threat activity

By monitoring for indicators of compromise, organizations can detect attacks and act quickly to prevent breaches from occurring, or limit damage by stopping attacks in earlier stages.
When we obtain IOCs from ISACs, threat sharing platforms, etc., we need to get the IOCs into a format that our tools will understand. For instance, OTX allows us to download IOCs in the OpenIOC format.

Typically, IOCs are malware signatures, MD5 (or, preferably, SHA-256) hashes of malware files, IP addresses, and URLs or domain names of botnet command and control servers.
3.4.1 Indicators of Compromise – OpenIOC

OpenIOC, developed by Mandiant (now part of FireEye), provides a standard format and terms for describing the artifacts encountered during the course of an investigation.

This course focuses only on the OpenIOC format, although others (such as STIX) also exist.


3.4.2 Indicators of Compromise – IOC Editor

IOC Editor is a tool that we'll look at within this course. It is a free tool that provides an interface for managing the data in, and manipulating the logical structure (the AND/OR tree of indicator terms) of, OpenIOC IOCs.

OpenIOC IOCs are XML documents that help security professionals capture diverse information about threats, including attributes of malicious files, characteristics of registry changes, and artifacts in memory. You can download the tool here.
https://www.fireeye.com/services/freeware/ioc-editor.html
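As an added example (not code from the course, from FireEye or from IOC Editor), the following Python parses a small OpenIOC 1.0 document and evaluates its AND/OR logic tree against a constructed host snapshot, which is the same job Redline's IOC analysis does with a real collection. The IOC, hashes, file names, sizes and domain are made up; the indicator IDs are short strings where IOC Editor would generate GUIDs; and only the OpenIOC 1.0 conditions `is` and `contains` are implemented.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document: a hash OR (name AND size) OR a C2 domain.
# The hash, file name, size and domain are made up for this example.
SAMPLE_IOC = """\
<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="6f0c2d1e-3b5a-4c8e-9a7f-2f1e0d3c4b5a" last-modified="2020-01-15T10:00:00">
  <short_description>Dropper disguised as a PDF (constructed example)</short_description>
  <description>Shared via an ISAC; file found on network shares.</description>
  <keywords />
  <authored_by>threat-hunting-team</authored_by>
  <authored_date>2020-01-15T10:00:00</authored_date>
  <links />
  <definition>
    <Indicator operator="OR" id="a1">
      <IndicatorItem id="a2" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir" />
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="a3">
        <IndicatorItem id="a4" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir" />
          <Content type="string">.pdf.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="a5" condition="is">
          <Context document="FileItem" search="FileItem/SizeInBytes" type="mir" />
          <Content type="int">73728</Content>
        </IndicatorItem>
      </Indicator>
      <IndicatorItem id="a6" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">update.example.net</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host snapshot, shaped like what a collector (e.g. Redline)
# would return: one dict per observed object, keyed by OpenIOC term.
HOST_SNAPSHOT = [
    {"FileItem/FileName": "Invoice_2020.pdf.exe", "FileItem/Md5sum": "0cc175b9c0f1b6a831c399e269772661", "FileItem/SizeInBytes": 73728},
    {"FileItem/FileName": "Q4_report.pdf", "FileItem/Md5sum": "92eb5ffee6ae2fec3ad71c777531578f", "FileItem/SizeInBytes": 120301},
    {"FileItem/FileName": "empty.txt", "FileItem/Md5sum": "d41d8cd98f00b204e9800998ecf8427e", "FileItem/SizeInBytes": 0},
    {"Network/DNS": "update.example.net"},
    {"Network/DNS": "www.example.org"},
]


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _item_matches(item, record: dict) -> bool:
    """Evaluate one IndicatorItem (a single term/condition/value) against one
    observed object. Terms the object does not carry never match. Comparison is
    case-insensitive, as OpenIOC 1.0 comparisons in IOC Editor are."""
    term = item.find("ioc:Context", NS).get("search")
    expected = (item.find("ioc:Content", NS).text or "").strip().lower()
    if term not in record:
        return False
    observed = str(record[term]).lower()
    condition = item.get("condition", "is")
    if condition == "is":
        return observed == expected
    if condition == "contains":
        return expected in observed
    raise ValueError(f"unsupported OpenIOC condition: {condition!r}")


def indicator_matches(indicator, record: dict) -> bool:
    """Recursively evaluate an Indicator node: AND requires every child to
    match, OR requires at least one; nested Indicators form the logic tree."""
    results = []
    for child in indicator:
        if _local(child.tag) == "IndicatorItem":
            results.append(_item_matches(child, record))
        elif _local(child.tag) == "Indicator":
            results.append(indicator_matches(child, record))
    if not results:
        return False
    return all(results) if indicator.get("operator", "OR").upper() == "AND" else any(results)


def load_ioc(xml_text: str):
    """Return (ioc id, short description, top-level Indicator element)."""
    root = ET.fromstring(xml_text)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    return root.get("id"), root.findtext("ioc:short_description", "", NS), top


def required_terms(indicator) -> set:
    """The OpenIOC terms the IOC references: the evidence a collector must
    gather from the host before the IOC can be evaluated at all."""
    return {ctx.get("search") for ctx in indicator.iter(f"{{{NS['ioc']}}}Context")}


def hunt(xml_text: str, records: list) -> list:
    """Return the observed objects on a host that satisfy the IOC's logic."""
    _, _, top = load_ioc(xml_text)
    return [r for r in records if indicator_matches(top, r)]


if __name__ == "__main__":
    ioc_id, desc, top = load_ioc(SAMPLE_IOC)
    print(f"{ioc_id}: {desc}")
    print("collect:", sorted(required_terms(top)))
    for hit in hunt(SAMPLE_IOC, HOST_SNAPSHOT):
        print("HIT", hit)
```

The `required_terms` output is the practical reason the logic tree matters: it is exactly the list of artifacts a collector has to acquire (file hashes, file names and sizes, DNS cache entries in this case), and an IOC that references a term your collector does not gather can never fire.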
3.4.2.1 VIDEO
Check out the video on Creating IOCs with IOC Editor!
3.4.3 Indicators of Compromise – Redline

Another tool from FireEye that we'll look at within this course is Redline.

Although we will look at Redline more extensively when performing memory analysis in a later module, for now we will use the tool to search for IOCs on a machine.

Redline can perform an Indicators of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review.

You can download the tool from here.
https://www.fireeye.com/services/freeware/redline.html


3.4.3.1 VIDEO
Check out the video on Redline and IOCs!
3.4.4 Indicators of Compromise – YARA

Lastly, in this chapter, let's look at YARA.

YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. With YARA, you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns.


Even though we won't be performing malware analysis in this course, we will still use YARA to detect the presence of IOCs on a particular machine.

You can read more about YARA and download the tool here.
https://virustotal.github.io/yara/
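Applying YARA to the lab scenario at the end of this module (a dropper on network shares posing as a PDF), the following Python is an added example, not course or YARA project code: it hunts a constructed share listing for files whose header contradicts their extension, hashes what it finds, and generates a YARA rule from that evidence (a hash match through YARA's `hash` module, or a PE file carrying a chosen string). The share contents, file bytes, signature string and rule name are all constructed; the rule text is emitted for you to run with the yara binary, which this example does not invoke.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Constructed network-share listing (UNC path -> file bytes). The first file
# carries a .pdf name but starts with the PE "MZ" header and embeds a string
# that a hunter would pick as a signature; the rest are benign PDFs.
SHARE = {
    r"\\fs01\finance\Invoice_2020.pdf": (
        b"MZ\x90\x00" + b"\x00" * 56 + b"This program cannot be run in DOS mode.\r\n"
        + b"\x00" * 32 + b"cmd.exe /c powershell -nop -w hidden -enc " + b"\x00" * 16
    ),
    r"\\fs01\finance\Q4_report.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    r"\\fs01\hr\handbook.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
}

# Expected leading bytes ("magic") for the extensions we care about.
MAGIC = {".pdf": b"%PDF-", ".exe": b"MZ", ".dll": b"MZ", ".zip": b"PK\x03\x04"}


def extension_mismatch(path: str, data: bytes) -> bool:
    """True when the extension promises one format but the header is another."""
    suffix = PureWindowsPath(path).suffix.lower()
    expected = MAGIC.get(suffix)
    return expected is not None and not data.startswith(expected)


def find_disguised(share: dict) -> list:
    """Hunt the share for files whose content contradicts their extension and
    return the evidence (path, hashes, header type) needed to write an IOC."""
    hits = []
    for path, data in share.items():
        if extension_mismatch(path, data):
            hits.append({
                "path": path,
                "md5": hashlib.md5(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest(),
                "is_pe": data.startswith(b"MZ"),
            })
    return hits


def _yara_string(value: str) -> str:
    """Escape a text string for use inside a YARA double-quoted string."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_yara_rule(name: str, md5s: list, strings: list, description: str) -> str:
    """Build a YARA rule that fires on any known MD5 (via the hash module) or
    on a PE file (uint16(0) == 0x5A4D is "MZ") containing any given string."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError(f"invalid YARA rule name: {name!r}")
    lines = ['import "hash"', "", f"rule {name}", "{", "    meta:",
             f'        description = "{_yara_string(description)}"']
    if strings:
        lines.append("    strings:")
        for i, s in enumerate(strings):
            lines.append(f'        $s{i} = "{_yara_string(s)}" ascii wide')
    conditions = []
    if strings:
        conditions.append("(uint16(0) == 0x5A4D and any of ($s*))")
    for h in md5s:
        conditions.append(f'hash.md5(0, filesize) == "{h.lower()}"')
    if not conditions:
        raise ValueError("rule needs at least one string or hash")
    lines += ["    condition:", "        " + " or\n        ".join(conditions), "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_disguised(SHARE)
    rule = build_yara_rule(
        "isac_dropper_disguised_as_pdf",
        [h["md5"] for h in hits],
        ["cmd.exe /c powershell -nop -w hidden -enc"],
        "Dropper shared via ISAC; found on network shares posing as a PDF",
    )
    for h in hits:
        print(h)
    print(rule)
```

The hash clause catches the exact sample the ISAC shared; the string clause is what keeps the rule useful after the attacker recompiles, which is why the generator puts both in one rule rather than shipping a hash-only rule. Save the printed rule to a file and run it with `yara -r <rule file> <share mount point>` to scan the shares.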


3.4.4.1 VIDEO
Check out the video on YARA and YARA Rules!
3.4.5 Hera Lab
Put what you've learned to practice with the Hunting with IOCs lab!

To ACCESS your lab, go to the course in your members area and click the labs drop-down in the appropriate module line, then click the manual icon.

All labs are only available in Full or Elite Editions of the course. To upgrade, click LINK.

*NOTE: some courses contain several labs and manuals, please make sure to click the file icon as it may be a zip that contains multiple lab manuals.


Conclusion
This concludes this module on Threat Intelligence. We have covered:
✓ Manually gathering threat intelligence:
  • Vendors that publish annual threat intelligence reports
  • Vendors that publish occasional threat research reports and/or blogs with IOCs that we can use
  • Threat sharing organizations
✓ IOC formats and tools for creating/editing IOCs




References

FireEye
https://www.fireeye.com/

Threat Intelligence Reports
https://www.fireeye.com/current-threats/threat-intelligence-reports.html

Complimentary Intel Report: Russia's APT28 Strategically Evolves its Cyber Operations
https://www.fireeye.com/current-threats/apt-groups/rpt-apt28.html

From Intrusion to Underground Card Shop
https://www2.fireeye.com/WEB-RPT-FIN6.html

FIN6
https://attack.MITRE.org/groups/G0037/

M-Trends 2020
https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html

Threat Intelligence Reports by Industry
https://www.fireeye.com/current-threats/reports-by-industry.html

Exploits in the Wild for Citrix ADC and Citrix Gateway Directory Traversal Vulnerability CVE-2019-19781
https://unit42.paloaltonetworks.com/exploits-in-the-wild-for-citrix-adc-and-citrix-gateway-directory-traversal-vulnerability-cve-2019-19781/

Palo Alto Networks' Unit42
https://unit42.paloaltonetworks.com/

CVE-2019-19781
https://cve.MITRE.org/cgi-bin/cvename.cgi?name=CVE-2019-19781

National Council of ISACs
https://www.nationalisacs.org/

CISA / US-CERT
https://www.us-cert.gov/

Open Threat Exchange (OTX)
https://www.alienvault.com/open-threat-exchange

ThreatConnect
https://www.threatconnect.com/

MISP
http://www.misp-project.org/

What are Indicators of Compromise?
https://digitalguardian.com/blog/what-are-indicators-compromise

IOC Editor
https://www.fireeye.com/services/freeware/ioc-editor.html

Redline
https://www.fireeye.com/services/freeware/redline.html

YARA
https://virustotal.github.io/yara/


Videos
Here's a list of all videos in this module. To ACCESS your video, go to the course in your members area and click the resources drop-down in the appropriate module line.

Note that all videos are only available in Full or Elite Editions of the course. To upgrade, click LINK.

• Open Threat Exchange & IOCs
• Creating IOCs with IOC Editor
• Redline and IOCs
• YARA and YARA Rules
Labs
Hunting with IOCs
Another organization within your ISAC has shared a malicious binary with your security team. They mentioned this malware was detected by one of their threat hunters. The malware was found inside various network shares within the organization, disguising itself as a PDF file. Your manager has tasked you with creating an IOC and a YARA rule to scan the network for this malware.

*Labs are only available in Full or Elite Editions of the course. To ACCESS your labs, go to the course in your members area and click the labs drop-down in the appropriate module line. To UPGRADE to gain access, click LINK.