Delight Cyber · Workbook Series
Cyber Threat Intelligence
Enter the access code provided by your instructor to open the CTI Beginner Workbook.
— Delight Cyber
Delight Cybersecurity Workbook Series · Cyber Threat Intelligence

Beginner
Workbook

Five self-guided exercises that teach you to gather, analyse, and structure real threat intelligence — using only free, publicly available tools.

Level: Beginner Time: 2–3 hours Lab: No setup needed Tools: All free

Introduction to Cyber Threat Intelligence

Cyber Threat Intelligence (CTI) is the practice of collecting, analysing, and sharing information about threats, threat actors, and their techniques — so that defenders can take proactive action before an attack succeeds, or respond more effectively when one does.

Unlike simply knowing that an attack happened, good threat intelligence answers the harder questions: Who is attacking? Why are they attacking? How do they operate? What will they target next? With this knowledge, security teams can prioritise defences, hunt for hidden threats, and share warnings with partner organisations.

The Intelligence Cycle

CTI follows a well-defined process called the Intelligence Cycle. Every exercise in this workbook maps to one or more phases of this cycle.

PhaseWhat HappensWorkbook Link
1. DirectionDefine what intelligence you need and whyAll exercises
2. CollectionGather raw data from OSINT, feeds, reportsExercises 1, 3, 4
3. ProcessingNormalise and structure the raw dataExercises 2, 4
4. AnalysisTurn processed data into actionable intelligenceExercises 2, 3, 5
5. DisseminationShare findings with relevant stakeholdersExercise 3
6. FeedbackReview quality and adjust directionAll exercises

Types of Threat Intelligence

There are four recognised types of CTI, each serving a different audience in your organisation:

TypeAudienceExample
StrategicC-suite, BoardNation-state threat actors targeting the financial sector
OperationalSOC Managers, IR TeamsActive APT28 campaign targeting your region this quarter
TacticalSecurity AnalystsTTPs mapped to MITRE ATT&CK technique IDs
TechnicalFirewalls, SIEM, EDRIP blocklist, malware hashes, YARA rules
📝
Note The five exercises in this workbook focus primarily on Technical and Tactical intelligence — the hands-on, analyst-level work that forms the foundation of any CTI practice.

How to Use This Workbook

Each exercise follows the same structure so you always know where you are and what to do next:

SectionWhat It Contains
OverviewPlain-English explanation of the exercise and why it matters
BackgroundKey concepts you need to understand before you start
Tools RequiredPlatforms and accounts needed (all free)
Step-by-StepNumbered instructions guiding you through the full exercise
What to RecordFields to fill in for your deliverable
Reflection QuestionsQuestions to deepen your understanding after completion
Example AnswerA worked example showing what a complete response looks like

Account Setup — Do This First

Register free accounts on the following platforms before your first session to avoid interruption during exercises.

PlatformURLUsed In
VirusTotalvirustotal.comEx. 1, 2, 4
Shodanshodan.ioEx. 1
AbuseIPDBabuseipdb.comEx. 1
IPinfoipinfo.ioEx. 1
MalwareBazaarbazaar.abuse.chEx. 2
HybridAnalysishybrid-analysis.comEx. 2
ATT&CK Navigatormitre-attack.github.ioEx. 5
⚠️
Important Some platforms (Shodan, VirusTotal) throttle API requests on free tiers. This workbook uses only the web interface, so you will not hit rate limits. Never enter real credentials, personal data, or proprietary company information into these platforms.
Exercise 01

OSINT on an IP Address

Pivot through four public threat intelligence platforms to build a one-page threat profile of a suspicious IP.

Overview

One of the most common tasks a CTI analyst performs is investigating a suspicious IP address. An IP can surface in a firewall log, an email header, a phishing URL, or a malware command-and-control beacon. Before blocking or escalating, a good analyst collects context from multiple sources to understand what the IP is, who operates it, and what malicious activity has been linked to it.

In this exercise you will take a single suspicious IP address and pivot through four public intelligence platforms to build a one-page threat profile — exactly as a real SOC analyst would.

🎯
Learning Objectives
  • Understand what information can be derived from a public IP address
  • Use four OSINT platforms: VirusTotal, Shodan, AbuseIPDB, and IPinfo
  • Practise pivoting — using one data point to discover related data points
  • Produce a structured one-page IP Threat Profile

Background Concepts

What is OSINT?

Open Source Intelligence (OSINT) is intelligence gathered from publicly available sources: websites, domain registrations, certificate transparency logs, and community threat feeds. In CTI, OSINT is the primary method for investigating external threats without needing access to private or classified data.

What is an ASN?

An Autonomous System Number (ASN) is a unique identifier assigned to a collection of IP addresses managed by a single organisation — an ISP, a company, or a hosting provider. When you see AS14618 (Amazon), the IP is hosted on Amazon's infrastructure. This matters because attackers often use cloud providers or "bulletproof hosters" to mask their true location.

Reputation Scores

Threat intelligence platforms assign reputation scores to IPs based on community reports, automated scanning, and historical behaviour. A high abuse confidence score on AbuseIPDB (e.g. 95%) means the community strongly believes the IP is malicious. These scores are a starting point — always correlate across multiple sources before acting.

Why Pivot?

Pivoting means using one piece of data to discover related data. An IP leads to a domain, the domain leads to other IPs, those IPs lead to malware samples. This chain of discovery lets you map an attacker's full infrastructure rather than just one indicator.

Tools for This Exercise

ToolURLWhat It Provides
VirusTotalvirustotal.comReputation score, associated files, URLs, domains, and community votes
Shodanshodan.ioOpen ports, services, banners, and SSL certificates on the IP
AbuseIPDBabuseipdb.comCommunity-reported abuse history and confidence score
IPinfoipinfo.ioGeolocation, ISP, organisation name, and ASN

Target IP

Target IP:  185.220.101.45
  
📝
Note This IP is publicly documented in threat intelligence feeds and is safe to look up. You are performing passive lookups only — you are querying databases that already hold information about this IP. No traffic reaches the IP itself.

Step-by-Step Instructions

Step 1 — Geolocate and Identify the Operator (IPinfo)

  1. Navigate to ipinfo.io and enter 185.220.101.45 in the search box.

  2. Locate and record the following fields:

FieldWhat to Look For
City / RegionGeographic location of the IP
CountryCountry this IP block is registered in
OrganisationCompany or hosting provider that owns this IP range
ASNThe Autonomous System Number (e.g. AS4134)
HostnameAny reverse DNS name associated with the IP
💡
Tip If IPinfo shows a hosting company (e.g. Hetzner, Frantech) rather than a residential ISP, this is a strong indicator that the IP is a VPS (Virtual Private Server) — commonly used by attackers because they are cheap, anonymous, and easy to provision.

Step 2 — Check Abuse History (AbuseIPDB)

  1. Navigate to abuseipdb.com and enter the IP address.

  2. Record the following from the results page:

FieldWhat It Means
Abuse Confidence ScoreA percentage 0–100. Above 80 is considered highly malicious.
Total ReportsNumber of times this IP has been reported by community members
Distinct Users ReportingHow many different users reported it — more reporters = more credible
Last ReportedDate of the most recent report
Report CategoriesTypes of abuse: Port Scan, SSH Brute Force, DDoS, etc.
📝
Common AbuseIPDB Categories
  • Port Scan — probing for open ports across many IP addresses
  • Brute Force — repeated login attempts against SSH, RDP, or FTP
  • Web App Attack — SQL injection, directory traversal, credential stuffing
  • DDoS Attack — flood traffic designed to overwhelm a target

Step 3 — Check Threat Reputation (VirusTotal)

  1. Navigate to virustotal.com and click the Search icon.

  2. Enter 185.220.101.45 and press Enter.

  3. Work through the DETECTION, DETAILS, and RELATIONS tabs and record:

FieldWhere to Find It
Detection RatioDETECTION tab — e.g. "12/93" means 12 of 93 vendors flagged it
CategoriesDETECTION tab — how vendors classify the IP
Last Analysis DateDETAILS tab
Associated DomainsRELATIONS → Domains: domains that have resolved to this IP
Associated FilesRELATIONS → Files: malware samples that communicated with this IP
Community ScoreBottom of DETECTION — votes from the security community
⚠️
Important A low detection ratio does not mean the IP is safe — it may simply be too new for vendors to have flagged it yet. Always correlate with AbuseIPDB and Shodan before concluding.

Step 4 — Examine Exposed Services (Shodan)

  1. Navigate to shodan.io. Create a free account if prompted.

  2. Enter 185.220.101.45 in the search bar and review the host page.

  3. Record:

FieldWhat to Look For
Open PortsAll TCP/UDP ports Shodan has found open on this IP
Services / BannersSoftware running on each port (e.g. OpenSSH 8.2, nginx 1.18)
Operating SystemOS running on the server, if detectable
SSL CertificatesTLS certs — can reveal domain names and org names
Shodan TagsLabels such as 'tor', 'vpn', 'cloud' applied automatically
VulnerabilitiesCVEs associated with the running software versions
💡
Key Ports to Know
  • 22 — SSH (remote access / brute force)
  • 80/443 — HTTP/HTTPS (web server)
  • 3389 — RDP (Windows remote desktop)
  • 1194 — OpenVPN
  • 9001/9030 — Tor relay ports. If you see these open, the IP is likely a Tor exit node — frequently used by attackers to anonymise traffic.

Deliverable — IP Threat Profile

Fill in this template to produce your completed threat profile. Submit this as your exercise deliverable.

FieldYour Finding
IP Address185.220.101.45
Countryyour answer
City / Regionyour answer
Hosting Provider / ISPyour answer
ASNyour answer
Abuse Confidence Scoreyour answer
Number of Abuse Reportsyour answer
Primary Abuse Categoriesyour answer
VirusTotal Detection Ratioyour answer
VirusTotal Classificationyour answer
Open Ports (Shodan)your answer
Services Identifiedyour answer
Associated Domains (VT)your answer
Shodan Tagsyour answer
Overall AssessmentHIGH / MEDIUM / LOW RISK — explain
Recommended ActionBlock / Watchlist / Investigate further

Example Answer

📝
Note This is a sample completed profile. Your findings may differ slightly depending on when you perform the exercise, as threat data is updated continuously.
FieldSample Finding
CountryGermany
Hosting ProviderFrantech Solutions — a known bulletproof hosting provider
ASNAS53667
Abuse Confidence Score100% — maximum community confidence
Primary Abuse CategoriesPort Scan, Brute Force, DDoS Attack
VirusTotal Detection14/93 vendors flagged as malicious
VirusTotal ClassificationBotnet C2, Tor Exit Node, Scanner
Open Ports22 (SSH), 80 (HTTP), 9001 (Tor), 9030 (Tor)
Overall AssessmentHIGH RISK — Tor exit node on bulletproof hosting with active brute force history across multiple sources
Recommended ActionBlock at perimeter firewall. Add to SIEM watchlist. Alert if seen in internal logs.

Reflection Questions

  • Based on your findings, is this IP likely a residential user, a legitimate business, or a threat actor? What evidence supports your conclusion?
  • Why might an attacker choose to host their infrastructure on a cloud provider rather than using their own systems?
  • If you found this IP in your company's firewall logs connecting to an internal server, what would your next investigative steps be?
  • What is the difference between an indicator that is malicious and one that is suspicious? How does confidence level affect this distinction?
Exercise 02

Hash Lookup & Malware Identification

Investigate a suspicious file hash to identify its malware family, sandbox behaviour, and command-and-control infrastructure.

Overview

When a suspicious file is found on a system — quarantined by an antivirus, pulled from an email attachment, or discovered during a forensic investigation — one of the first analyst steps is to compute or obtain its cryptographic hash and look it up in threat intelligence databases.

A file hash is a unique digital fingerprint for a file's contents. Even a single changed byte produces a completely different hash. This means that if a known malware sample's hash is stored in a database, any copy of that file can be instantly identified — even if the filename has been changed or disguised.

🎯
Learning Objectives
  • Understand cryptographic hashes and why they are used in malware analysis
  • Look up a known malware hash on VirusTotal, MalwareBazaar, and HybridAnalysis
  • Identify the malware family, first-seen date, and associated C2 infrastructure
  • Record the detection ratio across multiple antivirus vendors

Background Concepts

Hash Types: MD5, SHA1, SHA256

TypeLengthUsed in CTI?Notes
MD532 hex charsYesFast to compute. Weak against deliberate collisions, but widely used for malware tracking.
SHA140 hex charsLess commonStronger than MD5, but also considered weak for cryptographic purposes.
SHA25664 hex charsPreferredThe current gold standard. Extremely collision-resistant. Used in STIX and modern feeds.
💡
Tip In threat intelligence, SHA256 is almost always the primary file identifier. The same binary with a different hash (e.g. slightly modified to evade detection) is treated as a different sample — each requires its own analysis.

What is a Malware Family?

A malware family is a group of variants sharing the same code lineage, behaviour, or origin. "Emotet" is a family — thousands of different Emotet samples have existed over the years, each with a unique hash, but they all share the same core code, infrastructure, and purpose.

Identifying the family is crucial because it immediately tells you: what the malware does, what infrastructure it uses, how it achieves persistence, and which threat actor has historically deployed it.

What is a C2 Domain?

C2 (Command-and-Control) is the server the malware calls home to — receiving instructions from the attacker and sending stolen data back. Identifying C2 infrastructure is critical: (a) you can block those domains/IPs on your firewall, and (b) if you see those domains in DNS logs, it confirms a device is infected.

Static vs Dynamic Analysis

MethodWhat It DoesTools
Static AnalysisExamines the file's properties without running it — strings, imports, code structureVirusTotal, strings, IDA Pro
Dynamic AnalysisRuns the file in a controlled sandbox and observes what it actually doesHybridAnalysis, any.run, Joe Sandbox

Target Hash

SHA256:
1f2e3d4c5b6a7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e
  
📝
Note The hash above is a representative example. Your instructor may provide a current hash from MalwareBazaar. You can find real active samples at bazaar.abuse.ch/browse/ — filter by family name (e.g. Emotet, AgentTesla).

Step-by-Step Instructions

Step 1 — Look Up the Hash on VirusTotal

  1. Navigate to virustotal.com, click the search icon, and paste your SHA256 hash.

  2. If the hash is known, you will see results with DETECTION, DETAILS, RELATIONS, and COMMUNITY tabs. If unknown, ask your instructor for a working hash.

  3. On the DETECTION tab, record:

FieldWhat to Look For
Detection Ratioe.g. "52/72" — 52 of 72 AV engines flagged this as malicious
Detection NamesThe various names different vendors give this malware — notice the variation
First SubmissionDate this hash was first submitted to VirusTotal
File TypePE32 = Windows executable, ELF = Linux binary, PDF, Office document, etc.
File SizeSize in bytes
  1. Click the DETAILS tab and record:

FieldWhat It Tells You
File NamesAll names this file has been submitted under — attackers rename malware to look legitimate
ImphashA hash of the file's imported functions — useful for finding related samples from the same author
MagicThe file's true type as determined by its header bytes, not its extension
  1. Click the RELATIONS tab. Record all entries under Contacted Domains, Contacted IPs, and Dropped Files.

Step 2 — Look Up the Hash on MalwareBazaar

  1. Navigate to bazaar.abuse.ch. Select "SHA256 hash" from the search dropdown and paste your hash.

  2. If known, record:

FieldWhat It Tells You
Malware FamilyFamily name assigned by the MalwareBazaar community (e.g. Emotet, AgentTesla, Qakbot)
TagsFree-form analyst tags (e.g. 'loader', 'stealer', 'banker', 'ransomware')
Delivery MethodTypical delivery vector: email attachment, macro document, exploit, etc.
YARA SignaturesNames of YARA rules that match this sample
ReporterThe user or organisation that originally submitted this hash

Step 3 — Analyse Sandbox Behaviour on HybridAnalysis

  1. Navigate to hybrid-analysis.com and click the search icon.

  2. Select "Hash" as the search type, paste your SHA256, and press Enter.

  3. If a sandbox report exists, record:

FieldWhat to Look For
VerdictOverall verdict: Malicious / Suspicious / Clean
Threat ScoreNumerical score 0–100
Processes CreatedWhat child processes the malware spawned when executed
DNS RequestsDomains the malware queried via DNS — critical C2 indicators
HTTP RequestsURLs the malware contacted over HTTP/HTTPS
Registry ChangesAutorun keys or other registry modifications for persistence
Files CreatedAny files written to disk (secondary payloads, configuration files)
📝
Static vs Dynamic Sandbox analysis shows what a file does when it runs — that is dynamic analysis. VirusTotal's detection tab shows what AV engines think it is — that is static analysis. Combining both gives you the most complete picture.

Step 4 — Research the Malware Family

  1. Compare the family name across all three platforms. Do they agree? Record any discrepancies.

  2. Search the family name on Google (e.g. "Emotet malware overview"). Find a reputable source (Mandiant, CISA, security vendor blog) and record a 2–3 sentence summary covering:

  • What the malware does (infostealer, banking trojan, ransomware dropper, remote access tool)
  • The threat actor(s) historically associated with this family
  • The primary delivery method

Deliverable — Malware Profile

FieldYour Finding
SHA256 Hashyour hash
File Typeyour answer
File Sizeyour answer
First Seen (VirusTotal)your answer
Detection Ratioyour answer
Most Common AV Nameyour answer
Malware Familyyour answer
Malware Purposeyour answer
Delivery Methodyour answer
C2 Domains Identifiedyour answer (defanged)
C2 IPs Identifiedyour answer
Persistence Mechanismyour answer
Threat Actor (if known)your answer
Overall SeverityCritical / High / Medium / Low

Reflection Questions

  • Why might different antivirus vendors give the same malware different names? What challenges does this inconsistency create for analysts?
  • If you found this file's hash in logs from a workstation in your organisation, what immediate steps would you take?
  • What is the difference between static analysis and dynamic analysis? When would you rely on each?
  • Why is it important to identify C2 infrastructure as quickly as possible after detecting a malware infection?
Exercise 03

Reading a Threat Intelligence Report

Extract structured intelligence from a published APT report — actor profile, TTPs mapped to ATT&CK, and a full IOC list.

Overview

Published threat intelligence reports from Mandiant, CrowdStrike, CISA, and MITRE are among the most valuable free resources available to any security team. A single well-written report can contain intelligence that would take an in-house team months to develop independently.

A raw threat report can be 20–100 pages long and dense with technical detail. The skill of a CTI analyst is knowing exactly what to extract, how to structure it, and how to make it actionable. In this exercise, you will practise extracting four key categories of intelligence from a real published report.

🎯
Learning Objectives
  • Navigate to and read a real, published CTI report from a credible source
  • Extract the threat actor name, origin, motivation, and targeted sectors
  • Map documented TTPs to MITRE ATT&CK technique IDs
  • Compile a structured Indicators of Compromise (IOC) list

Background Concepts

What is a Threat Actor / APT Group?

An Advanced Persistent Threat (APT) group is a sophisticated, usually state-sponsored adversary that conducts long-term, targeted cyber espionage or disruption campaigns. APT groups are given names by the vendors that track them. The same threat actor often has multiple names:

Vendor         Name
Mandiant   →   APT28
CrowdStrike →  Fancy Bear
Microsoft  →   Forest Blizzard
Secureworks →  Iron Twilight
  

What are TTPs?

TTPs (Tactics, Techniques, and Procedures) are the most valuable and durable intelligence a report can contain. While an actor can cheaply change their IPs and domains (IOCs), changing fundamental operating methods is expensive and reveals investigative pressure.

TermDefinitionExample
TacticHigh-level goal the attacker is trying to achieveInitial Access, Persistence, Exfiltration
TechniqueSpecific method used to achieve the tacticT1566.001 — Spearphishing Attachment
ProcedureExact implementation — tools, commands, scripts usedSending .docx with VBA macro that downloads Cobalt Strike

What are IOCs?

IOCs are artefacts that indicate a security breach has occurred. They are the most immediately actionable intelligence — you can block an IP or hash in minutes.

IOC TypeExample
IP Address185.220.101.45
Domainupdates-cdn-service[.]com
URLhxxp://evil[.]com/stage2/payload.exe
File Hash (SHA256)1f2e3d...c1d2e
Email Addresshr-noreply@update-notice[.]org
Registry KeyHKCU\Software\Microsoft\Windows\Run\svchost32
MutexGlobal\{4A7B3F2E-...}
⚠️
Always Defang IOCs When sharing IOCs in reports, notes, or messages, write them in a format that cannot be accidentally clicked or executed:
  • Replace http:// with hxxp://
  • Replace dots in domains: evil.comevil[.]com
  • Replace @ in emails: attacker@evil[.]com

Recommended Reports

Choose one of the following freely available reports. Your instructor may assign a specific one.

Threat ActorPublisherHow to Find It
APT28 (Fancy Bear)CISA / NSA / FBISearch: "CISA APT28 advisory" at cisa.gov
Lazarus GroupUS-CERT / MandiantSearch: "CISA North Korea Lazarus Group advisory"
FIN7MandiantSearch: "Mandiant FIN7 threat actor profile"
Volt TyphoonCISA / MicrosoftSearch: "CISA Volt Typhoon advisory"
APT41MandiantSearch: "Mandiant APT41 report" at mandiant.com/resources

Step-by-Step Instructions

Step 1 — Locate and Skim the Report

  1. Use the table above to find your assigned report. Download the PDF or open the web version.

  2. Skim the executive summary first (usually the first 1–2 pages). This gives you the big picture before the technical detail.

  3. Identify the report's structure — most follow this pattern:

  • Executive summary
  • Threat actor overview
  • Campaign timeline
  • Technical analysis (TTPs)
  • IOC appendix

Step 2 — Extract the Threat Actor Profile

  1. From the report's overview section, fill in the threat actor profile below:

FieldYour Finding
Threat Actor Name(s)All known aliases
Suspected OriginNation-state or organisation attributed
MotivationEspionage / Financial / Destructive / Hacktivism
Active SinceEarliest known activity date
Target SectorsIndustries or regions typically targeted
Signature ToolsCustom or preferred tools (e.g. Cobalt Strike, X-Agent)

Step 3 — Map TTPs to MITRE ATT&CK

  1. As you read the technical section, identify specific techniques. For each one:

  • Write down the description from the report
  • Go to attack.mitre.org and search for the matching technique
  • Record the technique ID and name in the table below

Aim for at least 8–10 techniques:

Tactic PhaseTechnique IDTechnique NameEvidence from Report
Initial Access
Execution
Persistence
Privilege Escalation
Defence Evasion
Credential Access
Discovery
Lateral Movement
Collection
Exfiltration
💡
Tip Use the search box at attack.mitre.org to quickly find techniques. Searching "spearphishing" shows T1566 and its sub-techniques. The MITRE website also lists which techniques each known APT group uses — cross-check your findings there.

Step 4 — Compile the IOC List

  1. Navigate to the IOC appendix (usually at the end of the report, or a separate CSV/STIX file).

  2. Classify each IOC by type and fill in the table below. Aim for at least 10 IOCs. Remember to defang all entries:

IOC Value (defanged)TypeContext
IP Address
Domain
URL
SHA256 Hash
Email Address
Registry Key

Deliverable — Intelligence Summary

SectionYour Summary
Threat Actor Name
Also Known As (aliases)
Suspected Origin
Motivation
Primary Target Sectors
Top 5 TTPs (with IDs)
Recommended Detections
Number of IOCs Extracted
Priority IOCs to Block
Confidence LevelLow / Medium / High — and why

Reflection Questions

  • What is the difference between low-confidence and high-confidence attribution? What evidence would raise your confidence level?
  • Why are TTPs considered more valuable than IOCs for long-term defence? Give a specific example from your report.
  • You find an IP from this report in your organisation's web proxy logs. What additional context do you need before escalating to incident response?
  • What is the TLP (Traffic Light Protocol) marking on your chosen report, and what does it mean for how you can share the information?
Exercise 04

IOC Enrichment from a Feed

Pull raw indicators from a live public threat feed, classify them by type, enrich with VirusTotal, and rate IOC quality.

Overview

Real-world threat intelligence is not just about analysing individual indicators — it is about processing them at scale. CTI teams ingest thousands of indicators per day from commercial and free threat feeds. Each needs to be classified, enriched, and prioritised before it is useful to the teams defending the network.

In this exercise, you will pull live IOCs from a free public feed, classify each indicator by type, enrich a sample using VirusTotal, and tag them with a threat category. This simulates the first stage of a real IOC ingestion workflow.

🎯
Learning Objectives
  • Access and navigate a free public threat intelligence feed
  • Classify IOCs by type: IP, domain, URL, or hash
  • Enrich a sample of IOCs using VirusTotal and record findings
  • Tag each IOC with a threat category: botnet, phishing, ransomware C2, etc.
  • Evaluate IOC quality and assign confidence ratings

Background Concepts

What is a Threat Intelligence Feed?

A threat intelligence feed is a continuous stream of structured data about malicious indicators, updated regularly — sometimes in real time. Feeds come from commercial vendors, open-source community projects, government agencies, or Information Sharing and Analysis Centres (ISACs). They are the raw material that analysts and automated systems use to block threats and detect intrusions.

Feed Quality and the IOC Lifecycle

Not all IOCs in a feed are equally useful. Common quality problems include:

  • False positives — legitimate services incorrectly flagged as malicious
  • Stale indicators — C2 servers that were taken down months ago but remain in the feed
  • Low-confidence submissions — single community reports without corroboration

Every IOC has a lifecycle: Active (currently used), Stale (infrastructure abandoned), and Revoked (previous report was incorrect). Good analysts assess quality before acting.

⚠️
Important Blocking a stale or false-positive IOC has real costs: it may disrupt legitimate services, create alert fatigue, or damage trust with business units. Always validate before blocking — especially for high-traffic domains and shared infrastructure.

The Free Abuse.ch Feeds

FeedURLWhat It Contains
URLhausurlhaus.abuse.chMalicious URLs currently used to distribute malware
Feodo Trackerfeodotracker.abuse.chC2 infrastructure for Emotet, Qakbot, IcedID, Dridex
MalwareBazaarbazaar.abuse.chMalware samples and associated hashes
ThreatFoxthreatfox.abuse.chMixed IOC feed — IPs, domains, hashes across all families
SSL Blacklistsslbl.abuse.chMalicious SSL certificates and associated IP:port combos

Step-by-Step Instructions

Step 1 — Access the ThreatFox Feed

  1. Navigate to threatfox.abuse.ch and click Browse IOCs in the navigation menu.

  2. You will see a live table of recently submitted IOCs. Before collecting your sample, understand each column:

ColumnWhat It Means
IOCThe actual indicator value — an IP:port, domain, URL, or hash
IOC TypeClassification: ip:port, domain, url, sha256_hash, md5_hash
MalwareThe malware family this IOC is associated with
Confidence LevelCommunity confidence 0–100%. Higher = more credible.
ReporterUser or organisation that submitted this IOC
First SeenWhen this IOC was first observed in the wild

Step 2 — Collect Your Sample of 10 IOCs

  1. From the ThreatFox browse page, select 10 recent IOCs. Aim for variety: at least 2 IP addresses, 2 domains, 2 URLs, and 2 hashes.

  2. Record each IOC in the table below. Defang all domains and URLs as you record them:

#IOC Value (defanged)IOC TypeMalware FamilyConfidence %First Seen
1
2
3
4
5
6
7
8
9
10

Step 3 — Classify and Tag Each IOC

For each IOC, assign a threat category using the reference table below. Base your classification on the malware family name and any additional context from ThreatFox.

CategoryDescriptionCommon Malware Families
Botnet C2Command-and-control infrastructure for a botnet or RATEmotet, Qakbot, IcedID, TrickBot
Ransomware C2C2 infrastructure for ransomware operationsLockBit, BlackCat, Conti, REvil
Banking TrojanTargets financial credentials and banking sessionsDridex, Ursnif, ZLoader, Gozi
Information StealerExfiltrates credentials, cookies, and personal dataAgentTesla, RedLine, Vidar, Raccoon
PhishingEmail delivery infrastructure or landing pagesVarious — check domain age
Loader / DropperDownloads and executes secondary payloadsBumblebee, GuLoader, PrivateLoader
RATRemote Access Trojan — full remote control of infected hostAsyncRAT, NjRAT, QuasarRAT
Exploit KitInfrastructure exploiting browser/plugin vulnerabilitiesRIG EK, Purple Fox

Step 4 — Enrich 5 IOCs with VirusTotal

  1. Select 5 IOCs for enrichment — aim for 2 IPs, 2 domains, and 1 hash.

  2. For each, navigate to virustotal.com, paste the indicator in the search box (re-fang it first — remove the brackets), and record:

IOC ValueVT Detection RatioVT CategoriesLast AnalysisThreat Category
💡
Domain Age Analysis For domain lookups on VirusTotal, check the DETAILS tab for the creation date. Domains created very recently (days or weeks old) are far more likely to be malicious — legitimate services tend to have domains that are months or years old.

Step 5 — Rate IOC Quality

  1. For each of your 10 IOCs, assign a quality rating using the criteria below:

RatingCriteria
HighConfidence >75%, corroborated by VirusTotal, seen within last 30 days, specific malware family identified
MediumConfidence 40–74%, partially corroborated, or seen 30–90 days ago
LowConfidence <40%, no VirusTotal corroboration, or seen more than 90 days ago (likely stale)
  1. For any IOC rated Low, note the reason: stale, low confidence, or uncorroborated.

  2. Based on your quality assessment, list which IOCs you would recommend blocking at the firewall, and explain why.

Deliverable — IOC Summary Report

FieldYour Answer
Total IOCs collected10
IOCs by type: IP
IOCs by type: Domain
IOCs by type: URL
IOCs by type: Hash
Most common threat category
Most common malware family
Number rated High quality
Number rated Low / stale
IOCs recommended for immediate blocking
IOCs requiring further investigation

Reflection Questions

  • What risks arise from automatically blocking every IOC in a public feed without quality assessment? Can you think of a scenario where this could cause an outage?
  • Why does a high confidence score alone not guarantee an IOC is worth acting on? What else matters?
  • How would your process differ if you were enriching 10,000 IOCs per day rather than 10? What steps would you automate first?
  • A colleague suggests switching to a paid commercial feed. What questions would you ask to evaluate whether it is worth the cost?
Exercise 05

MITRE ATT&CK Navigator Basics

Map threat actor techniques, build a detection coverage layer, identify gaps, and write targeted detection recommendations.

Overview

The MITRE ATT&CK framework is the closest thing the cybersecurity industry has to a universal language for adversary behaviour. It is a comprehensive, community-maintained knowledge base of tactics and techniques used by real threat actors, each documented with evidence from actual incidents.

The ATT&CK Navigator is a free, browser-based tool that lets you create visual heat maps of the ATT&CK matrix — highlighting which techniques a threat actor uses, which your organisation can detect, and where the gaps are. In this exercise you will use the Navigator to profile APT28 and assess a mock SOC's detection coverage.

🎯
Learning Objectives
  • Understand the structure of the MITRE ATT&CK Enterprise Matrix
  • Locate and review the technique profile for a known APT group
  • Create and annotate a custom Navigator layer showing that group's TTPs
  • Identify detection gaps by overlaying a mock detection coverage layer
  • Write at least three high-priority detection recommendations

Background Concepts

Structure of the ATT&CK Matrix

The Enterprise ATT&CK Matrix is organised into columns (Tactics) and rows (Techniques). Each cell is a specific Technique within a Tactic.

ComponentDefinitionExample
TacticThe adversary's goal — why they are doing somethingTA0001: Initial Access
TechniqueHow the adversary achieves the tacticT1566: Phishing
Sub-techniqueA more specific variant of a techniqueT1566.001: Spearphishing Attachment
ProcedureThe exact implementation observed in a real incidentAPT28 used spearphishing with .docx exploit
GroupA named threat actor with documented ATT&CK mappingsG0007: APT28
SoftwareMalware or tools with documented ATT&CK mappingsS0154: Cobalt Strike
📝
Note The ATT&CK matrix does not represent a required sequence or kill chain. Adversaries use techniques from different tactics simultaneously and non-linearly. The tactic columns simply categorise the purpose of each technique.

ATT&CK Tactic Reference

Tactic IDNameWhat Attackers Are Doing
TA0001Initial AccessGetting into the network for the first time
TA0002ExecutionRunning malicious code on the target system
TA0003PersistenceEnsuring they survive reboots and password changes
TA0004Privilege EscalationGaining administrator or SYSTEM level access
TA0005Defence EvasionAvoiding detection by security tools
TA0006Credential AccessStealing usernames, passwords, and tokens
TA0007DiscoveryLearning about the network, systems, and users
TA0008Lateral MovementMoving from one system to other systems
TA0009CollectionGathering files, keystrokes, and data of interest
TA0010ExfiltrationStealing collected data out of the organisation
TA0011Command and ControlMaintaining communication with infected systems
TA0040ImpactDisrupting, destroying, or manipulating systems

What is the Navigator?

The ATT&CK Navigator is a web application that renders the ATT&CK matrix as an interactive grid. You create layers — each layer colours the matrix to represent something real: which techniques an actor uses, which your SIEM can detect, which your red team tested. Layers are saved as JSON files that can be shared or imported into other tools.

Common uses:

  • Threat actor profiling — which techniques does APT28 use?
  • Detection coverage mapping — which techniques can our SIEM detect?
  • Red team planning — which techniques will we emulate in our next exercise?
  • Gap analysis — overlay the first two layers to find where you have no coverage for techniques an adversary uses

Step-by-Step Instructions

Step 1 — Explore the ATT&CK Website

  1. Navigate to attack.mitre.org and click Matrices → Enterprise.

  2. Take a moment to read the matrix. Notice tactics run across the top (columns) and techniques fill the columns below. Sub-techniques are indicated with a small > symbol.

  3. In the search bar, type APT28 and click on the APT28 group page. Record:

FieldYour Finding
ATT&CK Group IDG00XX identifier
AliasesAll known names
Suspected AttributionCountry or organisation
Number of Techniques ListedCount the rows
Associated SoftwareTools and malware linked to APT28
💡
Tip Scroll down on the APT28 page to see the full technique table with ATT&CK IDs, technique names, and specific procedure descriptions — the actual observed behaviours. Click any technique name to read its full detection guidance and mitigations.

Step 2 — Open the ATT&CK Navigator

  1. Navigate to mitre-attack.github.io/attack-navigator/.

  2. Click Create New Layer → Enterprise ATT&CK. You will see a blank Enterprise matrix.

  3. Familiarise yourself with the toolbar. Key controls:

ButtonFunction
Search & MultiselectSearch for techniques by name or ID and select multiple at once
Colour SetupChoose the colour used to highlight selected techniques
Score SetupAssign a numerical score to techniques — useful for coverage percentages
Layer SettingsSet the layer name, description, and default background colour
ExportSave the layer as JSON, SVG, or Excel

Step 3 — Create the APT28 Threat Actor Layer

  1. In the Navigator toolbar, click the search icon (magnifying glass).

  2. Type APT28 in the search box. Select APT28 from the Groups section in the dropdown.

  3. The Navigator will automatically highlight all techniques attributed to APT28. You should see a significant number of cells activate.

  4. Open Colour Setup and choose a strong blue (e.g. #1A5276). This is your threat actor colour.

  5. Open Layer Settings and set: Name = "APT28 Techniques", Description = "Techniques attributed to APT28 per MITRE ATT&CK".

  6. Count and record:

FieldYour Finding
Total Techniques Highlightedcount the cells
Tactics with Most Techniqueswhich columns have the most APT28 cells?
Initial Access Techniqueslist the highlighted techniques in this column
Exfiltration Techniqueslist the highlighted techniques in this column

Step 4 — Identify Your 5 Highest-Priority Techniques

  1. Scroll through the APT28 layer and look for technique clusters — areas where multiple adjacent techniques are highlighted within the same tactic.

  2. Select the 5 techniques you consider highest priority for detection. Ask yourself:

  • Is this technique used in multiple APT28 campaigns?
  • Would detecting it early in the attack chain prevent the attack from succeeding?
  • Is this technique uncommon in legitimate software — meaning low false-positive rate?
PriorityTechnique IDTechnique NameTacticWhy High Priority?
1
2
3
4
5

Step 5 — Create a Detection Coverage Layer

  1. In the Navigator, click the + button next to the layer tab to add a new layer. Select Enterprise ATT&CK.

  2. This layer represents a mock SOC's current detection coverage. Highlight each of the following techniques in green (#1E7A3C):

Technique IDTechnique NameHow the Mock SOC Detects It
T1078Valid AccountsFailed login alerts in SIEM
T1566.001Spearphishing AttachmentEmail gateway sandboxing
T1059.001PowerShellPowerShell script block logging (Event ID 4104)
T1053.005Scheduled Task/JobWindows Event ID 4698 monitoring
T1021.001Remote Desktop ProtocolRDP connection logging
T1082System Information DiscoveryEDR process monitoring
T1016System Network Config DiscoveryEDR process monitoring
T1003.001LSASS MemoryEDR memory protection alerts
T1105Ingress Tool TransferProxy URL filtering
T1041Exfiltration Over C2 ChannelDLP and firewall egress rules
  1. Name this layer: "Mock SOC Detection Coverage".

Step 6 — Perform the Gap Analysis

  1. You now have two layers: APT28 Techniques (blue) and Mock SOC Detection Coverage (green). Visually compare them — which APT28 techniques (blue) are not covered by the green layer?

  2. These are your coverage gaps — APT28 techniques the mock SOC cannot currently detect. List at least 5:

Technique IDTechnique NameTacticWhy Is This a Critical Gap?
💡
Prioritising Gaps When deciding which gaps are most critical, prioritise techniques that:
  • Appear early in the attack chain (Initial Access, Execution, Persistence)
  • Are used frequently by APT28 (check the procedure count on attack.mitre.org)
  • Have well-established, low-effort detection methods available

Step 7 — Write Detection Recommendations

  1. For your 3 highest-priority gaps, write a brief detection recommendation. Navigate to each technique's ATT&CK page and read its Detection section for guidance.

FieldGap #1Gap #2Gap #3
Technique ID
Data Source Required
Recommended Detection
SIEM Event ID / Log Source
Implementation DifficultyLow/Med/HighLow/Med/HighLow/Med/High

Step 8 — Export Your Layers

  1. Click the APT28 layer tab, then the download icon (export). Save the JSON file as apt28_layer.json.

  2. Do the same for your coverage layer: detection_coverage.json.

📝
Why Export? These JSON files can be shared with colleagues and imported into any other ATT&CK Navigator instance. This is how CTI teams share coverage assessments and threat actor profiles — the layer file is the deliverable, not a screenshot.

Reflection Questions

  • Why is it more important to close detection gaps in Initial Access and Execution compared to later tactics like Exfiltration?
  • ATT&CK is updated roughly twice per year. What process would you put in place to ensure your coverage layer stays current with each new release?
  • A colleague argues you should focus detection engineering on the most commonly used techniques across all threat actors, not just APT28. What are the merits and drawbacks of this approach?
  • How would you use the Navigator to communicate detection gaps to a non-technical executive? What format would be most effective?
Reference

Free Tool Stack

Every platform used in this workbook is free. Register before your first session.

Platform Directory

ToolURLPrimary UseExercises
VirusTotalvirustotal.comFile / URL / IP / domain reputation and enrichment1, 2, 4
Shodanshodan.ioInternet-wide asset intelligence — open ports, service banners1
AbuseIPDBabuseipdb.comCommunity abuse history for IPs and networks1
IPinfoipinfo.ioIP geolocation, ASN, and organisation lookup1
MalwareBazaarbazaar.abuse.chMalware hash repository with community family tagging2
HybridAnalysishybrid-analysis.comFree online malware sandbox with detailed behaviour reports2
ThreatFoxthreatfox.abuse.chCommunity IOC feed across all malware families4
URLhausurlhaus.abuse.chMalicious URL feed for active malware distribution4
Feodo Trackerfeodotracker.abuse.chBanking trojan C2 infrastructure feed4
MITRE ATT&CKattack.mitre.orgThreat actor profiles and technique knowledge base3, 5
ATT&CK Navigatormitre-attack.github.ioVisual TTP mapping and detection coverage analysis5
MXToolboxmxtoolbox.comEmail header analysis, SPF/DKIM/DMARC checks, DNS lookupReference
URLscan.iourlscan.ioSafe URL and domain analysis with screenshot captureReference
PhishTankphishtank.orgCommunity-verified phishing URL databaseReference
OpenPhishopenphish.comAutomated phishing intelligence feedReference

Tool Cards

VirusTotal
virustotal.com
Aggregates results from 90+ AV engines. Search files, IPs, domains, and URLs. The RELATIONS tab is especially powerful for pivoting.
Free API available
Shodan
shodan.io
Continuously scans the public internet. Shows open ports, running services, software versions, and TLS certificates for any IP.
Free tier API available
AbuseIPDB
abuseipdb.com
Community-driven IP reputation database. Each report is categorised and timestamped. High confidence scores are strongly actionable.
Free API available
MalwareBazaar
bazaar.abuse.ch
Run by Abuse.ch. Repository of malware samples with community-assigned family tags, YARA signatures, and download links for analysis.
Free Open source
HybridAnalysis
hybrid-analysis.com
Free sandbox by CrowdStrike. Submit files or search existing reports. Shows full process tree, network calls, registry changes, and ATT&CK mappings.
Free tier
ThreatFox
threatfox.abuse.ch
Mixed IOC feed from Abuse.ch. Browse recent community submissions or search by malware family, IOC type, or tag. Exportable as CSV or STIX.
Free Open source
MITRE ATT&CK
attack.mitre.org
The authoritative reference for adversary TTPs. Each technique page includes detection guidance, mitigations, procedure examples, and data sources.
Free Open source
ATT&CK Navigator
mitre-attack.github.io
Browser-based matrix editor. Create, annotate, and export coverage layers as JSON. Supports multi-layer comparison for gap analysis.
Free Open source

Which Tool to Use When

ScenarioStart WithThen Pivot To
Suspicious IP in firewall logsIPinfo (geolocation)AbuseIPDB → VirusTotal → Shodan
Unknown file on a workstationVirusTotal (hash lookup)MalwareBazaar → HybridAnalysis
Suspicious domain in DNS logsVirusTotal (domain search)URLscan.io → PassiveTotal
Daily IOC ingestion workflowThreatFox (browse IOCs)VirusTotal enrichment → SIEM import
New threat actor report receivedMITRE ATT&CK (group page)Navigator (create layer) → gap analysis
Suspicious email receivedMXToolbox (header analysis)VirusTotal (links) → URLscan.io
Reference

Glossary

Key terms used throughout this workbook.

APT
Advanced Persistent Threat. A sophisticated, long-term, targeted cyberattack — usually attributed to nation-state or organised criminal actors with specific objectives.
ASN
Autonomous System Number. A unique identifier for a collection of IP address ranges managed by a single network operator (an ISP, company, or hosting provider).
ATT&CK
Adversarial Tactics, Techniques, and Common Knowledge. MITRE's open framework cataloguing adversary behaviour observed in real-world incidents. Used as the universal language for describing TTPs.
C2 / C&C
Command and Control. The infrastructure (servers, domains) that malware communicates with to receive instructions from the attacker and send back stolen data.
CTI
Cyber Threat Intelligence. The practice of gathering, processing, analysing, and disseminating information about threats to inform and improve defensive decisions.
CVE
Common Vulnerabilities and Exposures. A standardised identifier for a specific software vulnerability — e.g. CVE-2021-44228 (Log4Shell). Maintained by MITRE.
Defanging
Modifying an IOC so it cannot be accidentally clicked or executed. Replace http:// with hxxp:// and dots in domains with [.]. Always defang before sharing.
Dynamic Analysis
Analysing malware by actually running it in a controlled sandbox environment and observing its behaviour — processes created, network connections, file changes.
EDR
Endpoint Detection and Response. Security software that monitors endpoints (workstations, servers) in real time for malicious activity and provides investigation and response capabilities.
False Positive
A legitimate, benign system or file that is incorrectly flagged as malicious. High false-positive rates in a feed or rule erode analyst trust and create alert fatigue.
Hash
A fixed-length string produced by applying a hash function (MD5, SHA1, SHA256) to a file's contents. Used as a unique fingerprint for malware identification and tracking.
IOC
Indicator of Compromise. An observable artefact — IP address, domain, file hash, URL, registry key — that indicates a system has been or is being compromised.
ISAC
Information Sharing and Analysis Centre. Sector-specific organisations (e.g. FS-ISAC for finance, H-ISAC for healthcare) that facilitate threat intelligence sharing between member organisations.
Kill Chain
A model describing the sequential stages of a cyberattack, from initial reconnaissance through to the final impact. Used to understand where in an attack defences can interrupt the adversary.
Malware Family
A group of malware variants sharing the same code lineage, behaviour, or origin — e.g. Emotet. Individual samples within a family each have unique hashes but share core functionality.
MISP
Malware Information Sharing Platform. An open-source threat intelligence platform for structured IOC storage, correlation, and sharing between organisations.
OSINT
Open Source Intelligence. Intelligence gathered from publicly available sources — websites, domain registrations, certificate logs, social media — without any special or privileged access.
Pivot
Using one piece of intelligence to discover related indicators or infrastructure. For example, an IP leads to a domain, the domain leads to other IPs, those IPs lead to malware samples.
Sandbox
An isolated, controlled environment used to safely execute suspicious files and observe their behaviour without risking the host system or network.
SIEM
Security Information and Event Management. A platform that aggregates and correlates log data from across the environment to detect threats, generate alerts, and support investigations.
Static Analysis
Examining a file's properties — code, strings, imports, structure — without executing it. Complements dynamic analysis for a complete picture of malware behaviour.
STIX
Structured Threat Information Expression. A standardised JSON-based format for representing CTI data — threat actors, TTPs, IOCs, campaigns — enabling automated exchange between tools.
Tactic
In ATT&CK, the high-level objective of an adversary action — the why. Examples: Initial Access, Persistence, Lateral Movement. There are 14 tactics in the Enterprise matrix.
TAXII
Trusted Automated eXchange of Intelligence Information. A protocol for transmitting STIX data between systems and organisations in a standardised, machine-readable format.
Technique
In ATT&CK, the specific method used to achieve a tactic — the how. Identified by a T-number, e.g. T1566 (Phishing). Sub-techniques add further specificity, e.g. T1566.001.
TLP
Traffic Light Protocol. A standardised sharing classification: TLP:RED (no sharing), TLP:AMBER (limited to specific recipients), TLP:GREEN (community), TLP:CLEAR (public).
TTP
Tactics, Techniques, and Procedures. The full description of how a threat actor operates. TTPs are the most durable intelligence — harder for an attacker to change than IOCs.
VPS
Virtual Private Server. A cloud-based server that threat actors commonly use to host malicious infrastructure because they are cheap, anonymous, and can be spun up or shut down rapidly.
YARA
A pattern-matching tool used to write rules that detect specific malware based on unique byte sequences, strings, or structural characteristics. Used in threat hunting and malware classification.
Delight Cybersecurity Workbook Series
— Delight Cyber