Beginner
Workbook
Five self-guided exercises that teach you to gather, analyse, and structure real threat intelligence — using only free, publicly available tools.
Introduction to Cyber Threat Intelligence
Cyber Threat Intelligence (CTI) is the practice of collecting, analysing, and sharing information about threats, threat actors, and their techniques — so that defenders can take proactive action before an attack succeeds, or respond more effectively when one does.
Unlike simply knowing that an attack happened, good threat intelligence answers the harder questions: Who is attacking? Why are they attacking? How do they operate? What will they target next? With this knowledge, security teams can prioritise defences, hunt for hidden threats, and share warnings with partner organisations.
The Intelligence Cycle
CTI follows a well-defined process called the Intelligence Cycle. Every exercise in this workbook maps to one or more phases of this cycle.
| Phase | What Happens | Workbook Link |
|---|---|---|
| 1. Direction | Define what intelligence you need and why | All exercises |
| 2. Collection | Gather raw data from OSINT, feeds, reports | Exercises 1, 3, 4 |
| 3. Processing | Normalise and structure the raw data | Exercises 2, 4 |
| 4. Analysis | Turn processed data into actionable intelligence | Exercises 2, 3, 5 |
| 5. Dissemination | Share findings with relevant stakeholders | Exercise 3 |
| 6. Feedback | Review quality and adjust direction | All exercises |
Types of Threat Intelligence
There are four recognised types of CTI, each serving a different audience in your organisation:
| Type | Audience | Example |
|---|---|---|
| Strategic | C-suite, Board | Nation-state threat actors targeting the financial sector |
| Operational | SOC Managers, IR Teams | Active APT28 campaign targeting your region this quarter |
| Tactical | Security Analysts | TTPs mapped to MITRE ATT&CK technique IDs |
| Technical | Firewalls, SIEM, EDR | IP blocklist, malware hashes, YARA rules |
How to Use This Workbook
Each exercise follows the same structure so you always know where you are and what to do next:
| Section | What It Contains |
|---|---|
| Overview | Plain-English explanation of the exercise and why it matters |
| Background | Key concepts you need to understand before you start |
| Tools Required | Platforms and accounts needed (all free) |
| Step-by-Step | Numbered instructions guiding you through the full exercise |
| What to Record | Fields to fill in for your deliverable |
| Reflection Questions | Questions to deepen your understanding after completion |
| Example Answer | A worked example showing what a complete response looks like |
Account Setup — Do This First
Register free accounts on the following platforms before your first session to avoid interruption during exercises.
| Platform | URL | Used In |
|---|---|---|
| VirusTotal | virustotal.com | Ex. 1, 2, 4 |
| Shodan | shodan.io | Ex. 1 |
| AbuseIPDB | abuseipdb.com | Ex. 1 |
| IPinfo | ipinfo.io | Ex. 1 |
| MalwareBazaar | bazaar.abuse.ch | Ex. 2 |
| HybridAnalysis | hybrid-analysis.com | Ex. 2 |
| ATT&CK Navigator | mitre-attack.github.io | Ex. 5 |
OSINT on an IP Address
Pivot through four public threat intelligence platforms to build a one-page threat profile of a suspicious IP.
Overview
One of the most common tasks a CTI analyst performs is investigating a suspicious IP address. An IP can surface in a firewall log, an email header, a phishing URL, or a malware command-and-control beacon. Before blocking or escalating, a good analyst collects context from multiple sources to understand what the IP is, who operates it, and what malicious activity has been linked to it.
In this exercise you will take a single suspicious IP address and pivot through four public intelligence platforms to build a one-page threat profile — exactly as a real SOC analyst would.
- Understand what information can be derived from a public IP address
- Use four OSINT platforms: VirusTotal, Shodan, AbuseIPDB, and IPinfo
- Practise pivoting — using one data point to discover related data points
- Produce a structured one-page IP Threat Profile
Background Concepts
What is OSINT?
Open Source Intelligence (OSINT) is intelligence gathered from publicly available sources: websites, domain registrations, certificate transparency logs, and community threat feeds. In CTI, OSINT is the primary method for investigating external threats without needing access to private or classified data.
What is an ASN?
An Autonomous System Number (ASN) is a unique identifier assigned to a collection of IP addresses managed by a single organisation — an ISP, a company, or a hosting provider. When you see AS14618 (Amazon), the IP is hosted on Amazon's infrastructure. This matters because attackers often use cloud providers or "bulletproof hosters" to mask their true location.
Reputation Scores
Threat intelligence platforms assign reputation scores to IPs based on community reports, automated scanning, and historical behaviour. A high abuse confidence score on AbuseIPDB (e.g. 95%) means the community strongly believes the IP is malicious. These scores are a starting point — always correlate across multiple sources before acting.
Why Pivot?
Pivoting means using one piece of data to discover related data. An IP leads to a domain, the domain leads to other IPs, those IPs lead to malware samples. This chain of discovery lets you map an attacker's full infrastructure rather than just one indicator.
Tools for This Exercise
| Tool | URL | What It Provides |
|---|---|---|
| VirusTotal | virustotal.com | Reputation score, associated files, URLs, domains, and community votes |
| Shodan | shodan.io | Open ports, services, banners, and SSL certificates on the IP |
| AbuseIPDB | abuseipdb.com | Community-reported abuse history and confidence score |
| IPinfo | ipinfo.io | Geolocation, ISP, organisation name, and ASN |
Target IP
Target IP: 185.220.101.45
Step-by-Step Instructions
Step 1 — Geolocate and Identify the Operator (IPinfo)
Navigate to ipinfo.io and enter
185.220.101.45in the search box.Locate and record the following fields:
| Field | What to Look For |
|---|---|
| City / Region | Geographic location of the IP |
| Country | Country this IP block is registered in |
| Organisation | Company or hosting provider that owns this IP range |
| ASN | The Autonomous System Number (e.g. AS4134) |
| Hostname | Any reverse DNS name associated with the IP |
Step 2 — Check Abuse History (AbuseIPDB)
Navigate to abuseipdb.com and enter the IP address.
Record the following from the results page:
| Field | What It Means |
|---|---|
| Abuse Confidence Score | A percentage 0–100. Above 80 is considered highly malicious. |
| Total Reports | Number of times this IP has been reported by community members |
| Distinct Users Reporting | How many different users reported it — more reporters = more credible |
| Last Reported | Date of the most recent report |
| Report Categories | Types of abuse: Port Scan, SSH Brute Force, DDoS, etc. |
- Port Scan — probing for open ports across many IP addresses
- Brute Force — repeated login attempts against SSH, RDP, or FTP
- Web App Attack — SQL injection, directory traversal, credential stuffing
- DDoS Attack — flood traffic designed to overwhelm a target
Step 3 — Check Threat Reputation (VirusTotal)
Navigate to virustotal.com and click the Search icon.
Enter
185.220.101.45and press Enter.Work through the DETECTION, DETAILS, and RELATIONS tabs and record:
| Field | Where to Find It |
|---|---|
| Detection Ratio | DETECTION tab — e.g. "12/93" means 12 of 93 vendors flagged it |
| Categories | DETECTION tab — how vendors classify the IP |
| Last Analysis Date | DETAILS tab |
| Associated Domains | RELATIONS → Domains: domains that have resolved to this IP |
| Associated Files | RELATIONS → Files: malware samples that communicated with this IP |
| Community Score | Bottom of DETECTION — votes from the security community |
Step 4 — Examine Exposed Services (Shodan)
Navigate to shodan.io. Create a free account if prompted.
Enter
185.220.101.45in the search bar and review the host page.Record:
| Field | What to Look For |
|---|---|
| Open Ports | All TCP/UDP ports Shodan has found open on this IP |
| Services / Banners | Software running on each port (e.g. OpenSSH 8.2, nginx 1.18) |
| Operating System | OS running on the server, if detectable |
| SSL Certificates | TLS certs — can reveal domain names and org names |
| Shodan Tags | Labels such as 'tor', 'vpn', 'cloud' applied automatically |
| Vulnerabilities | CVEs associated with the running software versions |
22— SSH (remote access / brute force)80/443— HTTP/HTTPS (web server)3389— RDP (Windows remote desktop)1194— OpenVPN9001/9030— Tor relay ports. If you see these open, the IP is likely a Tor exit node — frequently used by attackers to anonymise traffic.
Deliverable — IP Threat Profile
Fill in this template to produce your completed threat profile. Submit this as your exercise deliverable.
| Field | Your Finding |
|---|---|
| IP Address | 185.220.101.45 |
| Country | your answer |
| City / Region | your answer |
| Hosting Provider / ISP | your answer |
| ASN | your answer |
| Abuse Confidence Score | your answer |
| Number of Abuse Reports | your answer |
| Primary Abuse Categories | your answer |
| VirusTotal Detection Ratio | your answer |
| VirusTotal Classification | your answer |
| Open Ports (Shodan) | your answer |
| Services Identified | your answer |
| Associated Domains (VT) | your answer |
| Shodan Tags | your answer |
| Overall Assessment | HIGH / MEDIUM / LOW RISK — explain |
| Recommended Action | Block / Watchlist / Investigate further |
Example Answer
| Field | Sample Finding |
|---|---|
| Country | Germany |
| Hosting Provider | Frantech Solutions — a known bulletproof hosting provider |
| ASN | AS53667 |
| Abuse Confidence Score | 100% — maximum community confidence |
| Primary Abuse Categories | Port Scan, Brute Force, DDoS Attack |
| VirusTotal Detection | 14/93 vendors flagged as malicious |
| VirusTotal Classification | Botnet C2, Tor Exit Node, Scanner |
| Open Ports | 22 (SSH), 80 (HTTP), 9001 (Tor), 9030 (Tor) |
| Overall Assessment | HIGH RISK — Tor exit node on bulletproof hosting with active brute force history across multiple sources |
| Recommended Action | Block at perimeter firewall. Add to SIEM watchlist. Alert if seen in internal logs. |
Reflection Questions
- Based on your findings, is this IP likely a residential user, a legitimate business, or a threat actor? What evidence supports your conclusion?
- Why might an attacker choose to host their infrastructure on a cloud provider rather than using their own systems?
- If you found this IP in your company's firewall logs connecting to an internal server, what would your next investigative steps be?
- What is the difference between an indicator that is malicious and one that is suspicious? How does confidence level affect this distinction?
Hash Lookup & Malware Identification
Investigate a suspicious file hash to identify its malware family, sandbox behaviour, and command-and-control infrastructure.
Overview
When a suspicious file is found on a system — quarantined by an antivirus, pulled from an email attachment, or discovered during a forensic investigation — one of the first analyst steps is to compute or obtain its cryptographic hash and look it up in threat intelligence databases.
A file hash is a unique digital fingerprint for a file's contents. Even a single changed byte produces a completely different hash. This means that if a known malware sample's hash is stored in a database, any copy of that file can be instantly identified — even if the filename has been changed or disguised.
- Understand cryptographic hashes and why they are used in malware analysis
- Look up a known malware hash on VirusTotal, MalwareBazaar, and HybridAnalysis
- Identify the malware family, first-seen date, and associated C2 infrastructure
- Record the detection ratio across multiple antivirus vendors
Background Concepts
Hash Types: MD5, SHA1, SHA256
| Type | Length | Used in CTI? | Notes |
|---|---|---|---|
| MD5 | 32 hex chars | Yes | Fast to compute. Weak against deliberate collisions, but widely used for malware tracking. |
| SHA1 | 40 hex chars | Less common | Stronger than MD5, but also considered weak for cryptographic purposes. |
| SHA256 | 64 hex chars | Preferred | The current gold standard. Extremely collision-resistant. Used in STIX and modern feeds. |
What is a Malware Family?
A malware family is a group of variants sharing the same code lineage, behaviour, or origin. "Emotet" is a family — thousands of different Emotet samples have existed over the years, each with a unique hash, but they all share the same core code, infrastructure, and purpose.
Identifying the family is crucial because it immediately tells you: what the malware does, what infrastructure it uses, how it achieves persistence, and which threat actor has historically deployed it.
What is a C2 Domain?
C2 (Command-and-Control) is the server the malware calls home to — receiving instructions from the attacker and sending stolen data back. Identifying C2 infrastructure is critical: (a) you can block those domains/IPs on your firewall, and (b) if you see those domains in DNS logs, it confirms a device is infected.
Static vs Dynamic Analysis
| Method | What It Does | Tools |
|---|---|---|
| Static Analysis | Examines the file's properties without running it — strings, imports, code structure | VirusTotal, strings, IDA Pro |
| Dynamic Analysis | Runs the file in a controlled sandbox and observes what it actually does | HybridAnalysis, any.run, Joe Sandbox |
Target Hash
SHA256: 1f2e3d4c5b6a7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e
Step-by-Step Instructions
Step 1 — Look Up the Hash on VirusTotal
Navigate to virustotal.com, click the search icon, and paste your SHA256 hash.
If the hash is known, you will see results with DETECTION, DETAILS, RELATIONS, and COMMUNITY tabs. If unknown, ask your instructor for a working hash.
On the DETECTION tab, record:
| Field | What to Look For |
|---|---|
| Detection Ratio | e.g. "52/72" — 52 of 72 AV engines flagged this as malicious |
| Detection Names | The various names different vendors give this malware — notice the variation |
| First Submission | Date this hash was first submitted to VirusTotal |
| File Type | PE32 = Windows executable, ELF = Linux binary, PDF, Office document, etc. |
| File Size | Size in bytes |
Click the DETAILS tab and record:
| Field | What It Tells You |
|---|---|
| File Names | All names this file has been submitted under — attackers rename malware to look legitimate |
| Imphash | A hash of the file's imported functions — useful for finding related samples from the same author |
| Magic | The file's true type as determined by its header bytes, not its extension |
Click the RELATIONS tab. Record all entries under Contacted Domains, Contacted IPs, and Dropped Files.
Step 2 — Look Up the Hash on MalwareBazaar
Navigate to bazaar.abuse.ch. Select "SHA256 hash" from the search dropdown and paste your hash.
If known, record:
| Field | What It Tells You |
|---|---|
| Malware Family | Family name assigned by the MalwareBazaar community (e.g. Emotet, AgentTesla, Qakbot) |
| Tags | Free-form analyst tags (e.g. 'loader', 'stealer', 'banker', 'ransomware') |
| Delivery Method | Typical delivery vector: email attachment, macro document, exploit, etc. |
| YARA Signatures | Names of YARA rules that match this sample |
| Reporter | The user or organisation that originally submitted this hash |
Step 3 — Analyse Sandbox Behaviour on HybridAnalysis
Navigate to hybrid-analysis.com and click the search icon.
Select "Hash" as the search type, paste your SHA256, and press Enter.
If a sandbox report exists, record:
| Field | What to Look For |
|---|---|
| Verdict | Overall verdict: Malicious / Suspicious / Clean |
| Threat Score | Numerical score 0–100 |
| Processes Created | What child processes the malware spawned when executed |
| DNS Requests | Domains the malware queried via DNS — critical C2 indicators |
| HTTP Requests | URLs the malware contacted over HTTP/HTTPS |
| Registry Changes | Autorun keys or other registry modifications for persistence |
| Files Created | Any files written to disk (secondary payloads, configuration files) |
Step 4 — Research the Malware Family
Compare the family name across all three platforms. Do they agree? Record any discrepancies.
Search the family name on Google (e.g. "Emotet malware overview"). Find a reputable source (Mandiant, CISA, security vendor blog) and record a 2–3 sentence summary covering:
- What the malware does (infostealer, banking trojan, ransomware dropper, remote access tool)
- The threat actor(s) historically associated with this family
- The primary delivery method
Deliverable — Malware Profile
| Field | Your Finding |
|---|---|
| SHA256 Hash | your hash |
| File Type | your answer |
| File Size | your answer |
| First Seen (VirusTotal) | your answer |
| Detection Ratio | your answer |
| Most Common AV Name | your answer |
| Malware Family | your answer |
| Malware Purpose | your answer |
| Delivery Method | your answer |
| C2 Domains Identified | your answer (defanged) |
| C2 IPs Identified | your answer |
| Persistence Mechanism | your answer |
| Threat Actor (if known) | your answer |
| Overall Severity | Critical / High / Medium / Low |
Reflection Questions
- Why might different antivirus vendors give the same malware different names? What challenges does this inconsistency create for analysts?
- If you found this file's hash in logs from a workstation in your organisation, what immediate steps would you take?
- What is the difference between static analysis and dynamic analysis? When would you rely on each?
- Why is it important to identify C2 infrastructure as quickly as possible after detecting a malware infection?
Reading a Threat Intelligence Report
Extract structured intelligence from a published APT report — actor profile, TTPs mapped to ATT&CK, and a full IOC list.
Overview
Published threat intelligence reports from Mandiant, CrowdStrike, CISA, and MITRE are among the most valuable free resources available to any security team. A single well-written report can contain intelligence that would take an in-house team months to develop independently.
A raw threat report can be 20–100 pages long and dense with technical detail. The skill of a CTI analyst is knowing exactly what to extract, how to structure it, and how to make it actionable. In this exercise, you will practise extracting four key categories of intelligence from a real published report.
- Navigate to and read a real, published CTI report from a credible source
- Extract the threat actor name, origin, motivation, and targeted sectors
- Map documented TTPs to MITRE ATT&CK technique IDs
- Compile a structured Indicators of Compromise (IOC) list
Background Concepts
What is a Threat Actor / APT Group?
An Advanced Persistent Threat (APT) group is a sophisticated, usually state-sponsored adversary that conducts long-term, targeted cyber espionage or disruption campaigns. APT groups are given names by the vendors that track them. The same threat actor often has multiple names:
Vendor Name Mandiant → APT28 CrowdStrike → Fancy Bear Microsoft → Forest Blizzard Secureworks → Iron Twilight
What are TTPs?
TTPs (Tactics, Techniques, and Procedures) are the most valuable and durable intelligence a report can contain. While an actor can cheaply change their IPs and domains (IOCs), changing fundamental operating methods is expensive and reveals investigative pressure.
| Term | Definition | Example |
|---|---|---|
| Tactic | High-level goal the attacker is trying to achieve | Initial Access, Persistence, Exfiltration |
| Technique | Specific method used to achieve the tactic | T1566.001 — Spearphishing Attachment |
| Procedure | Exact implementation — tools, commands, scripts used | Sending .docx with VBA macro that downloads Cobalt Strike |
What are IOCs?
IOCs are artefacts that indicate a security breach has occurred. They are the most immediately actionable intelligence — you can block an IP or hash in minutes.
| IOC Type | Example |
|---|---|
| IP Address | 185.220.101.45 |
| Domain | updates-cdn-service[.]com |
| URL | hxxp://evil[.]com/stage2/payload.exe |
| File Hash (SHA256) | 1f2e3d...c1d2e |
| Email Address | hr-noreply@update-notice[.]org |
| Registry Key | HKCU\Software\Microsoft\Windows\Run\svchost32 |
| Mutex | Global\{4A7B3F2E-...} |
- Replace
http://withhxxp:// - Replace dots in domains:
evil.com→evil[.]com - Replace
@in emails:attacker@evil[.]com
Recommended Reports
Choose one of the following freely available reports. Your instructor may assign a specific one.
| Threat Actor | Publisher | How to Find It |
|---|---|---|
| APT28 (Fancy Bear) | CISA / NSA / FBI | Search: "CISA APT28 advisory" at cisa.gov |
| Lazarus Group | US-CERT / Mandiant | Search: "CISA North Korea Lazarus Group advisory" |
| FIN7 | Mandiant | Search: "Mandiant FIN7 threat actor profile" |
| Volt Typhoon | CISA / Microsoft | Search: "CISA Volt Typhoon advisory" |
| APT41 | Mandiant | Search: "Mandiant APT41 report" at mandiant.com/resources |
Step-by-Step Instructions
Step 1 — Locate and Skim the Report
Use the table above to find your assigned report. Download the PDF or open the web version.
Skim the executive summary first (usually the first 1–2 pages). This gives you the big picture before the technical detail.
Identify the report's structure — most follow this pattern:
- Executive summary
- Threat actor overview
- Campaign timeline
- Technical analysis (TTPs)
- IOC appendix
Step 2 — Extract the Threat Actor Profile
From the report's overview section, fill in the threat actor profile below:
| Field | Your Finding |
|---|---|
| Threat Actor Name(s) | All known aliases |
| Suspected Origin | Nation-state or organisation attributed |
| Motivation | Espionage / Financial / Destructive / Hacktivism |
| Active Since | Earliest known activity date |
| Target Sectors | Industries or regions typically targeted |
| Signature Tools | Custom or preferred tools (e.g. Cobalt Strike, X-Agent) |
Step 3 — Map TTPs to MITRE ATT&CK
As you read the technical section, identify specific techniques. For each one:
- Write down the description from the report
- Go to attack.mitre.org and search for the matching technique
- Record the technique ID and name in the table below
Aim for at least 8–10 techniques:
| Tactic Phase | Technique ID | Technique Name | Evidence from Report |
|---|---|---|---|
| Initial Access | |||
| Execution | |||
| Persistence | |||
| Privilege Escalation | |||
| Defence Evasion | |||
| Credential Access | |||
| Discovery | |||
| Lateral Movement | |||
| Collection | |||
| Exfiltration |
Step 4 — Compile the IOC List
Navigate to the IOC appendix (usually at the end of the report, or a separate CSV/STIX file).
Classify each IOC by type and fill in the table below. Aim for at least 10 IOCs. Remember to defang all entries:
| IOC Value (defanged) | Type | Context |
|---|---|---|
| IP Address | ||
| Domain | ||
| URL | ||
| SHA256 Hash | ||
| Email Address | ||
| Registry Key | ||
Deliverable — Intelligence Summary
| Section | Your Summary |
|---|---|
| Threat Actor Name | |
| Also Known As (aliases) | |
| Suspected Origin | |
| Motivation | |
| Primary Target Sectors | |
| Top 5 TTPs (with IDs) | |
| Recommended Detections | |
| Number of IOCs Extracted | |
| Priority IOCs to Block | |
| Confidence Level | Low / Medium / High — and why |
Reflection Questions
- What is the difference between low-confidence and high-confidence attribution? What evidence would raise your confidence level?
- Why are TTPs considered more valuable than IOCs for long-term defence? Give a specific example from your report.
- You find an IP from this report in your organisation's web proxy logs. What additional context do you need before escalating to incident response?
- What is the TLP (Traffic Light Protocol) marking on your chosen report, and what does it mean for how you can share the information?
IOC Enrichment from a Feed
Pull raw indicators from a live public threat feed, classify them by type, enrich with VirusTotal, and rate IOC quality.
Overview
Real-world threat intelligence is not just about analysing individual indicators — it is about processing them at scale. CTI teams ingest thousands of indicators per day from commercial and free threat feeds. Each needs to be classified, enriched, and prioritised before it is useful to the teams defending the network.
In this exercise, you will pull live IOCs from a free public feed, classify each indicator by type, enrich a sample using VirusTotal, and tag them with a threat category. This simulates the first stage of a real IOC ingestion workflow.
- Access and navigate a free public threat intelligence feed
- Classify IOCs by type: IP, domain, URL, or hash
- Enrich a sample of IOCs using VirusTotal and record findings
- Tag each IOC with a threat category: botnet, phishing, ransomware C2, etc.
- Evaluate IOC quality and assign confidence ratings
Background Concepts
What is a Threat Intelligence Feed?
A threat intelligence feed is a continuous stream of structured data about malicious indicators, updated regularly — sometimes in real time. Feeds come from commercial vendors, open-source community projects, government agencies, or Information Sharing and Analysis Centres (ISACs). They are the raw material that analysts and automated systems use to block threats and detect intrusions.
Feed Quality and the IOC Lifecycle
Not all IOCs in a feed are equally useful. Common quality problems include:
- False positives — legitimate services incorrectly flagged as malicious
- Stale indicators — C2 servers that were taken down months ago but remain in the feed
- Low-confidence submissions — single community reports without corroboration
Every IOC has a lifecycle: Active (currently used), Stale (infrastructure abandoned), and Revoked (previous report was incorrect). Good analysts assess quality before acting.
The Free Abuse.ch Feeds
| Feed | URL | What It Contains |
|---|---|---|
| URLhaus | urlhaus.abuse.ch | Malicious URLs currently used to distribute malware |
| Feodo Tracker | feodotracker.abuse.ch | C2 infrastructure for Emotet, Qakbot, IcedID, Dridex |
| MalwareBazaar | bazaar.abuse.ch | Malware samples and associated hashes |
| ThreatFox | threatfox.abuse.ch | Mixed IOC feed — IPs, domains, hashes across all families |
| SSL Blacklist | sslbl.abuse.ch | Malicious SSL certificates and associated IP:port combos |
Step-by-Step Instructions
Step 1 — Access the ThreatFox Feed
Navigate to threatfox.abuse.ch and click Browse IOCs in the navigation menu.
You will see a live table of recently submitted IOCs. Before collecting your sample, understand each column:
| Column | What It Means |
|---|---|
| IOC | The actual indicator value — an IP:port, domain, URL, or hash |
| IOC Type | Classification: ip:port, domain, url, sha256_hash, md5_hash |
| Malware | The malware family this IOC is associated with |
| Confidence Level | Community confidence 0–100%. Higher = more credible. |
| Reporter | User or organisation that submitted this IOC |
| First Seen | When this IOC was first observed in the wild |
Step 2 — Collect Your Sample of 10 IOCs
From the ThreatFox browse page, select 10 recent IOCs. Aim for variety: at least 2 IP addresses, 2 domains, 2 URLs, and 2 hashes.
Record each IOC in the table below. Defang all domains and URLs as you record them:
| # | IOC Value (defanged) | IOC Type | Malware Family | Confidence % | First Seen |
|---|---|---|---|---|---|
| 1 | |||||
| 2 | |||||
| 3 | |||||
| 4 | |||||
| 5 | |||||
| 6 | |||||
| 7 | |||||
| 8 | |||||
| 9 | |||||
| 10 |
Step 3 — Classify and Tag Each IOC
For each IOC, assign a threat category using the reference table below. Base your classification on the malware family name and any additional context from ThreatFox.
| Category | Description | Common Malware Families |
|---|---|---|
| Botnet C2 | Command-and-control infrastructure for a botnet or RAT | Emotet, Qakbot, IcedID, TrickBot |
| Ransomware C2 | C2 infrastructure for ransomware operations | LockBit, BlackCat, Conti, REvil |
| Banking Trojan | Targets financial credentials and banking sessions | Dridex, Ursnif, ZLoader, Gozi |
| Information Stealer | Exfiltrates credentials, cookies, and personal data | AgentTesla, RedLine, Vidar, Raccoon |
| Phishing | Email delivery infrastructure or landing pages | Various — check domain age |
| Loader / Dropper | Downloads and executes secondary payloads | Bumblebee, GuLoader, PrivateLoader |
| RAT | Remote Access Trojan — full remote control of infected host | AsyncRAT, NjRAT, QuasarRAT |
| Exploit Kit | Infrastructure exploiting browser/plugin vulnerabilities | RIG EK, Purple Fox |
Step 4 — Enrich 5 IOCs with VirusTotal
Select 5 IOCs for enrichment — aim for 2 IPs, 2 domains, and 1 hash.
For each, navigate to virustotal.com, paste the indicator in the search box (re-fang it first — remove the brackets), and record:
| IOC Value | VT Detection Ratio | VT Categories | Last Analysis | Threat Category |
|---|---|---|---|---|
Step 5 — Rate IOC Quality
For each of your 10 IOCs, assign a quality rating using the criteria below:
| Rating | Criteria |
|---|---|
| High | Confidence >75%, corroborated by VirusTotal, seen within last 30 days, specific malware family identified |
| Medium | Confidence 40–74%, partially corroborated, or seen 30–90 days ago |
| Low | Confidence <40%, no VirusTotal corroboration, or seen more than 90 days ago (likely stale) |
For any IOC rated Low, note the reason: stale, low confidence, or uncorroborated.
Based on your quality assessment, list which IOCs you would recommend blocking at the firewall, and explain why.
Deliverable — IOC Summary Report
| Field | Your Answer |
|---|---|
| Total IOCs collected | 10 |
| IOCs by type: IP | |
| IOCs by type: Domain | |
| IOCs by type: URL | |
| IOCs by type: Hash | |
| Most common threat category | |
| Most common malware family | |
| Number rated High quality | |
| Number rated Low / stale | |
| IOCs recommended for immediate blocking | |
| IOCs requiring further investigation |
Reflection Questions
- What risks arise from automatically blocking every IOC in a public feed without quality assessment? Can you think of a scenario where this could cause an outage?
- Why does a high confidence score alone not guarantee an IOC is worth acting on? What else matters?
- How would your process differ if you were enriching 10,000 IOCs per day rather than 10? What steps would you automate first?
- A colleague suggests switching to a paid commercial feed. What questions would you ask to evaluate whether it is worth the cost?
MITRE ATT&CK Navigator Basics
Map threat actor techniques, build a detection coverage layer, identify gaps, and write targeted detection recommendations.
Overview
The MITRE ATT&CK framework is the closest thing the cybersecurity industry has to a universal language for adversary behaviour. It is a comprehensive, community-maintained knowledge base of tactics and techniques used by real threat actors, each documented with evidence from actual incidents.
The ATT&CK Navigator is a free, browser-based tool that lets you create visual heat maps of the ATT&CK matrix — highlighting which techniques a threat actor uses, which your organisation can detect, and where the gaps are. In this exercise you will use the Navigator to profile APT28 and assess a mock SOC's detection coverage.
- Understand the structure of the MITRE ATT&CK Enterprise Matrix
- Locate and review the technique profile for a known APT group
- Create and annotate a custom Navigator layer showing that group's TTPs
- Identify detection gaps by overlaying a mock detection coverage layer
- Write at least three high-priority detection recommendations
Background Concepts
Structure of the ATT&CK Matrix
The Enterprise ATT&CK Matrix is organised into columns (Tactics) and rows (Techniques). Each cell is a specific Technique within a Tactic.
| Component | Definition | Example |
|---|---|---|
| Tactic | The adversary's goal — why they are doing something | TA0001: Initial Access |
| Technique | How the adversary achieves the tactic | T1566: Phishing |
| Sub-technique | A more specific variant of a technique | T1566.001: Spearphishing Attachment |
| Procedure | The exact implementation observed in a real incident | APT28 used spearphishing with .docx exploit |
| Group | A named threat actor with documented ATT&CK mappings | G0007: APT28 |
| Software | Malware or tools with documented ATT&CK mappings | S0154: Cobalt Strike |
ATT&CK Tactic Reference
| Tactic ID | Name | What Attackers Are Doing |
|---|---|---|
| TA0001 | Initial Access | Getting into the network for the first time |
| TA0002 | Execution | Running malicious code on the target system |
| TA0003 | Persistence | Ensuring they survive reboots and password changes |
| TA0004 | Privilege Escalation | Gaining administrator or SYSTEM level access |
| TA0005 | Defence Evasion | Avoiding detection by security tools |
| TA0006 | Credential Access | Stealing usernames, passwords, and tokens |
| TA0007 | Discovery | Learning about the network, systems, and users |
| TA0008 | Lateral Movement | Moving from one system to other systems |
| TA0009 | Collection | Gathering files, keystrokes, and data of interest |
| TA0010 | Exfiltration | Stealing collected data out of the organisation |
| TA0011 | Command and Control | Maintaining communication with infected systems |
| TA0040 | Impact | Disrupting, destroying, or manipulating systems |
What is the Navigator?
The ATT&CK Navigator is a web application that renders the ATT&CK matrix as an interactive grid. You create layers — each layer colours the matrix to represent something real: which techniques an actor uses, which your SIEM can detect, which your red team tested. Layers are saved as JSON files that can be shared or imported into other tools.
Common uses:
- Threat actor profiling — which techniques does APT28 use?
- Detection coverage mapping — which techniques can our SIEM detect?
- Red team planning — which techniques will we emulate in our next exercise?
- Gap analysis — overlay the first two layers to find where you have no coverage for techniques an adversary uses
Step-by-Step Instructions
Step 1 — Explore the ATT&CK Website
Navigate to attack.mitre.org and click Matrices → Enterprise.
Take a moment to read the matrix. Notice tactics run across the top (columns) and techniques fill the columns below. Sub-techniques are indicated with a small
>symbol.In the search bar, type APT28 and click on the APT28 group page. Record:
| Field | Your Finding |
|---|---|
| ATT&CK Group ID | G00XX identifier |
| Aliases | All known names |
| Suspected Attribution | Country or organisation |
| Number of Techniques Listed | Count the rows |
| Associated Software | Tools and malware linked to APT28 |
Step 2 — Open the ATT&CK Navigator
Navigate to mitre-attack.github.io/attack-navigator/.
Click Create New Layer → Enterprise ATT&CK. You will see a blank Enterprise matrix.
Familiarise yourself with the toolbar. Key controls:
| Button | Function |
|---|---|
| Search & Multiselect | Search for techniques by name or ID and select multiple at once |
| Colour Setup | Choose the colour used to highlight selected techniques |
| Score Setup | Assign a numerical score to techniques — useful for coverage percentages |
| Layer Settings | Set the layer name, description, and default background colour |
| Export | Save the layer as JSON, SVG, or Excel |
Step 3 — Create the APT28 Threat Actor Layer
In the Navigator toolbar, click the search icon (magnifying glass).
Type
APT28in the search box. Select APT28 from the Groups section in the dropdown.The Navigator will automatically highlight all techniques attributed to APT28. You should see a significant number of cells activate.
Open Colour Setup and choose a strong blue (e.g.
#1A5276). This is your threat actor colour.Open Layer Settings and set: Name = "APT28 Techniques", Description = "Techniques attributed to APT28 per MITRE ATT&CK".
Count and record:
| Field | Your Finding |
|---|---|
| Total Techniques Highlighted | count the cells |
| Tactics with Most Techniques | which columns have the most APT28 cells? |
| Initial Access Techniques | list the highlighted techniques in this column |
| Exfiltration Techniques | list the highlighted techniques in this column |
Step 4 — Identify Your 5 Highest-Priority Techniques
Scroll through the APT28 layer and look for technique clusters — areas where multiple adjacent techniques are highlighted within the same tactic.
Select the 5 techniques you consider highest priority for detection. Ask yourself:
- Is this technique used in multiple APT28 campaigns?
- Would detecting it early in the attack chain prevent the attack from succeeding?
- Is this technique uncommon in legitimate software — meaning low false-positive rate?
| Priority | Technique ID | Technique Name | Tactic | Why High Priority? |
|---|---|---|---|---|
| 1 | ||||
| 2 | ||||
| 3 | ||||
| 4 | ||||
| 5 |
Step 5 — Create a Detection Coverage Layer
In the Navigator, click the + button next to the layer tab to add a new layer. Select Enterprise ATT&CK.
This layer represents a mock SOC's current detection coverage. Highlight each of the following techniques in green (
#1E7A3C):
| Technique ID | Technique Name | How the Mock SOC Detects It |
|---|---|---|
| T1078 | Valid Accounts | Failed login alerts in SIEM |
| T1566.001 | Spearphishing Attachment | Email gateway sandboxing |
| T1059.001 | PowerShell | PowerShell script block logging (Event ID 4104) |
| T1053.005 | Scheduled Task/Job | Windows Event ID 4698 monitoring |
| T1021.001 | Remote Desktop Protocol | RDP connection logging |
| T1082 | System Information Discovery | EDR process monitoring |
| T1016 | System Network Config Discovery | EDR process monitoring |
| T1003.001 | LSASS Memory | EDR memory protection alerts |
| T1105 | Ingress Tool Transfer | Proxy URL filtering |
| T1041 | Exfiltration Over C2 Channel | DLP and firewall egress rules |
Name this layer: "Mock SOC Detection Coverage".
Step 6 — Perform the Gap Analysis
You now have two layers: APT28 Techniques (blue) and Mock SOC Detection Coverage (green). Visually compare them — which APT28 techniques (blue) are not covered by the green layer?
These are your coverage gaps — APT28 techniques the mock SOC cannot currently detect. List at least 5:
| Technique ID | Technique Name | Tactic | Why Is This a Critical Gap? |
|---|---|---|---|
- Appear early in the attack chain (Initial Access, Execution, Persistence)
- Are used frequently by APT28 (check the procedure count on attack.mitre.org)
- Have well-established, low-effort detection methods available
Step 7 — Write Detection Recommendations
For your 3 highest-priority gaps, write a brief detection recommendation. Navigate to each technique's ATT&CK page and read its Detection section for guidance.
| Field | Gap #1 | Gap #2 | Gap #3 |
|---|---|---|---|
| Technique ID | |||
| Data Source Required | |||
| Recommended Detection | |||
| SIEM Event ID / Log Source | |||
| Implementation Difficulty | Low/Med/High | Low/Med/High | Low/Med/High |
Step 8 — Export Your Layers
Click the APT28 layer tab, then the download icon (export). Save the JSON file as
apt28_layer.json.Do the same for your coverage layer:
detection_coverage.json.
Reflection Questions
- Why is it more important to close detection gaps in Initial Access and Execution compared to later tactics like Exfiltration?
- ATT&CK is updated roughly twice per year. What process would you put in place to ensure your coverage layer stays current with each new release?
- A colleague argues you should focus detection engineering on the most commonly used techniques across all threat actors, not just APT28. What are the merits and drawbacks of this approach?
- How would you use the Navigator to communicate detection gaps to a non-technical executive? What format would be most effective?
Free Tool Stack
Every platform used in this workbook is free. Register before your first session.
Platform Directory
| Tool | URL | Primary Use | Exercises |
|---|---|---|---|
| VirusTotal | virustotal.com | File / URL / IP / domain reputation and enrichment | 1, 2, 4 |
| Shodan | shodan.io | Internet-wide asset intelligence — open ports, service banners | 1 |
| AbuseIPDB | abuseipdb.com | Community abuse history for IPs and networks | 1 |
| IPinfo | ipinfo.io | IP geolocation, ASN, and organisation lookup | 1 |
| MalwareBazaar | bazaar.abuse.ch | Malware hash repository with community family tagging | 2 |
| HybridAnalysis | hybrid-analysis.com | Free online malware sandbox with detailed behaviour reports | 2 |
| ThreatFox | threatfox.abuse.ch | Community IOC feed across all malware families | 4 |
| URLhaus | urlhaus.abuse.ch | Malicious URL feed for active malware distribution | 4 |
| Feodo Tracker | feodotracker.abuse.ch | Banking trojan C2 infrastructure feed | 4 |
| MITRE ATT&CK | attack.mitre.org | Threat actor profiles and technique knowledge base | 3, 5 |
| ATT&CK Navigator | mitre-attack.github.io | Visual TTP mapping and detection coverage analysis | 5 |
| MXToolbox | mxtoolbox.com | Email header analysis, SPF/DKIM/DMARC checks, DNS lookup | Reference |
| URLscan.io | urlscan.io | Safe URL and domain analysis with screenshot capture | Reference |
| PhishTank | phishtank.org | Community-verified phishing URL database | Reference |
| OpenPhish | openphish.com | Automated phishing intelligence feed | Reference |
Tool Cards
Which Tool to Use When
| Scenario | Start With | Then Pivot To |
|---|---|---|
| Suspicious IP in firewall logs | IPinfo (geolocation) | AbuseIPDB → VirusTotal → Shodan |
| Unknown file on a workstation | VirusTotal (hash lookup) | MalwareBazaar → HybridAnalysis |
| Suspicious domain in DNS logs | VirusTotal (domain search) | URLscan.io → PassiveTotal |
| Daily IOC ingestion workflow | ThreatFox (browse IOCs) | VirusTotal enrichment → SIEM import |
| New threat actor report received | MITRE ATT&CK (group page) | Navigator (create layer) → gap analysis |
| Suspicious email received | MXToolbox (header analysis) | VirusTotal (links) → URLscan.io |
Glossary
Key terms used throughout this workbook.
- APT
- Advanced Persistent Threat. A sophisticated, long-term, targeted cyberattack — usually attributed to nation-state or organised criminal actors with specific objectives.
- ASN
- Autonomous System Number. A unique identifier for a collection of IP address ranges managed by a single network operator (an ISP, company, or hosting provider).
- ATT&CK
- Adversarial Tactics, Techniques, and Common Knowledge. MITRE's open framework cataloguing adversary behaviour observed in real-world incidents. Used as the universal language for describing TTPs.
- C2 / C&C
- Command and Control. The infrastructure (servers, domains) that malware communicates with to receive instructions from the attacker and send back stolen data.
- CTI
- Cyber Threat Intelligence. The practice of gathering, processing, analysing, and disseminating information about threats to inform and improve defensive decisions.
- CVE
- Common Vulnerabilities and Exposures. A standardised identifier for a specific software vulnerability — e.g. CVE-2021-44228 (Log4Shell). Maintained by MITRE.
- Defanging
- Modifying an IOC so it cannot be accidentally clicked or executed. Replace
http://withhxxp://and dots in domains with[.]. Always defang before sharing. - Dynamic Analysis
- Analysing malware by actually running it in a controlled sandbox environment and observing its behaviour — processes created, network connections, file changes.
- EDR
- Endpoint Detection and Response. Security software that monitors endpoints (workstations, servers) in real time for malicious activity and provides investigation and response capabilities.
- False Positive
- A legitimate, benign system or file that is incorrectly flagged as malicious. High false-positive rates in a feed or rule erode analyst trust and create alert fatigue.
- Hash
- A fixed-length string produced by applying a hash function (MD5, SHA1, SHA256) to a file's contents. Used as a unique fingerprint for malware identification and tracking.
- IOC
- Indicator of Compromise. An observable artefact — IP address, domain, file hash, URL, registry key — that indicates a system has been or is being compromised.
- ISAC
- Information Sharing and Analysis Centre. Sector-specific organisations (e.g. FS-ISAC for finance, H-ISAC for healthcare) that facilitate threat intelligence sharing between member organisations.
- Kill Chain
- A model describing the sequential stages of a cyberattack, from initial reconnaissance through to the final impact. Used to understand where in an attack defences can interrupt the adversary.
- Malware Family
- A group of malware variants sharing the same code lineage, behaviour, or origin — e.g. Emotet. Individual samples within a family each have unique hashes but share core functionality.
- MISP
- Malware Information Sharing Platform. An open-source threat intelligence platform for structured IOC storage, correlation, and sharing between organisations.
- OSINT
- Open Source Intelligence. Intelligence gathered from publicly available sources — websites, domain registrations, certificate logs, social media — without any special or privileged access.
- Pivot
- Using one piece of intelligence to discover related indicators or infrastructure. For example, an IP leads to a domain, the domain leads to other IPs, those IPs lead to malware samples.
- Sandbox
- An isolated, controlled environment used to safely execute suspicious files and observe their behaviour without risking the host system or network.
- SIEM
- Security Information and Event Management. A platform that aggregates and correlates log data from across the environment to detect threats, generate alerts, and support investigations.
- Static Analysis
- Examining a file's properties — code, strings, imports, structure — without executing it. Complements dynamic analysis for a complete picture of malware behaviour.
- STIX
- Structured Threat Information Expression. A standardised JSON-based format for representing CTI data — threat actors, TTPs, IOCs, campaigns — enabling automated exchange between tools.
- Tactic
- In ATT&CK, the high-level objective of an adversary action — the why. Examples: Initial Access, Persistence, Lateral Movement. There are 14 tactics in the Enterprise matrix.
- TAXII
- Trusted Automated eXchange of Intelligence Information. A protocol for transmitting STIX data between systems and organisations in a standardised, machine-readable format.
- Technique
- In ATT&CK, the specific method used to achieve a tactic — the how. Identified by a T-number, e.g. T1566 (Phishing). Sub-techniques add further specificity, e.g. T1566.001.
- TLP
- Traffic Light Protocol. A standardised sharing classification: TLP:RED (no sharing), TLP:AMBER (limited to specific recipients), TLP:GREEN (community), TLP:CLEAR (public).
- TTP
- Tactics, Techniques, and Procedures. The full description of how a threat actor operates. TTPs are the most durable intelligence — harder for an attacker to change than IOCs.
- VPS
- Virtual Private Server. A cloud-based server that threat actors commonly use to host malicious infrastructure because they are cheap, anonymous, and can be spun up or shut down rapidly.
- YARA
- A pattern-matching tool used to write rules that detect specific malware based on unique byte sequences, strings, or structural characteristics. Used in threat hunting and malware classification.