Threat Intelligence & IOC Analysis
Overview
Cyber threat intelligence enables security professionals to identify, analyze, and respond to cyber threats effectively. This lab will teach you how to collect, analyze, and apply Indicators of Compromise (IOCs) to security monitoring.
Lab Instructions
1. Setting Up Your Environment
You will need:
- A Linux or Windows VM
- Access to AlienVault OTX, VirusTotal, and MITRE ATT&CK
- A SIEM (Wazuh or Splunk) installed for IOC analysis; the steps below use Wazuh
2. Collecting Threat Intelligence Data
Threat intelligence comes from many sources, including open-source feeds, security vendors, and malware analysis platforms.
Step 1: Search for IOCs using AlienVault OTX
- Go to AlienVault OTX.
- Create an account and log in.
- Search for a recent threat (e.g., “Emotet malware”).
- Identify the IPs, domains, URLs, and file hashes listed as indicators in the pulse.
- Copy the IOCs, together with their type and the pulse name, into a text file for later analysis. If any are defanged (hxxp://, example[.]com), note that you will need to restore them before searching logs.
Proof of Completion: Take a screenshot of the threat report (pulse) page.
3. Analyzing Malicious IOCs
Once you have threat intelligence data, the next step is to analyze it.
Step 1: Check IP and Domain Reputation
- Open VirusTotal.
- Paste an IP address or domain from your OTX results.
- Review detection results from different security vendors.
- Determine if the IOC is malicious, suspicious, or clean. Weigh the number and reputation of the engines that flag it, the community comments, and the first/last-seen dates rather than any single flag: one or two detections on a domain, or on an IP that belongs to shared hosting or a CDN, is often a false positive.
Step 2: Investigate File Hashes
- Copy a malware file hash (SHA256) from OTX.
- Search for it on VirusTotal and Hybrid Analysis.
- Review the sandbox (behavioral) report: processes spawned, files dropped, registry changes, and network connections. Record any additional indicators it reveals (contacted domains and IPs), since these often do not appear in the original feed.
Proof of Completion: Submit a report summarizing, for each IOC, whether it is malicious, suspicious, or a likely false positive, and why.
4. Applying IOCs to a SIEM
To detect threats in a live environment, security analysts apply IOCs to SIEM tools.
Step 1: Configure Wazuh to Detect IOCs
- Open the Wazuh dashboard (Kibana in Wazuh 3.x; the OpenSearch-based Wazuh dashboard in 4.x).
- Put the malicious IPs or domains from your OTX findings into a CDB list on the manager: a text file under /var/ossec/etc/lists/ with one indicator:label entry per line, referenced from the ruleset section of /var/ossec/etc/ossec.conf. The CDB lists page under Management (Server management in newer releases) can do this from the dashboard.
- Add a custom rule in /var/ossec/etc/rules/local_rules.xml (or from the Rules page in the same menu) that looks up the decoded source IP or hostname in that list using a list element (lookup type address_match_key for IP addresses), and give it a level of 3 or higher so a hit is written as an alert.
- Restart wazuh-manager so the list and rule load. A matching event is then written to /var/ossec/logs/alerts/alerts.json and appears in the dashboard.
Step 2: Check Security Logs for IOC Matches
- Append a few sample log lines containing the malicious IPs to a file an agent already collects (a localfile entry in the agent's ossec.conf, such as /var/log/auth.log), or paste them into /var/ossec/bin/wazuh-logtest on the manager to see which rule fires.
- When searching logs by hand, match indicators as whole tokens rather than substrings: a plain search for 10.0.0.1 also hits 10.0.0.10, and a defanged indicator such as 203[.]0[.]113[.]5 never matches a raw log line until the dots are restored.
- A match should fire your custom rule; confirm the alert appears under Security events in the dashboard (or in alerts.json) with the rule ID and the matched indicator.
Proof of Completion: Take a screenshot of your custom IOC rule and of the alerts it produced in Wazuh.
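The log-matching step above, as an added example that is not part of the lab and not Wazuh's own code: a Python script that normalizes a list of IOCs in the mixed form you get when copying from a pulse (defanged IPs and URLs, mixed-case hashes), discards entries that would be pure noise (RFC 1918 addresses, junk strings), and scans log lines with boundary-aware matching so that 203.0.113.5 does not fire on 203.0.113.50 and a parent-domain IOC still catches its subdomains. All indicators and log lines are constructed for illustration; the hash is a placeholder, not a real malware sample.

```python
"""Boundary-aware IOC scan over log lines (added example; all sample data is constructed)."""
import ipaddress
import re
from collections import namedtuple

Alert = namedtuple("Alert", "line_no ioc_type ioc context")

# Constructed IOC list as it might be pasted from a pulse: defanged entries, mixed case,
# an RFC 1918 address that must never alert, and one junk line.
SAMPLE_HASH = "0123456789abcdef" * 4  # placeholder SHA256, not a real malware hash
SAMPLE_IOCS = [
    "203[.]0[.]113[.]5",
    "hxxp://malicious-update[.]example/loader.php",
    "10.0.0.5",
    SAMPLE_HASH.upper(),
    "not an indicator",
]

# Constructed syslog-style lines; only lines 1, 3 and 4 contain a genuine hit.
SAMPLE_LOGS = [
    "Mar  3 10:14:02 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Mar  3 10:14:05 web01 sshd[2213]: Accepted publickey for deploy from 203.0.113.50 port 51240 ssh2",
    "Mar  3 10:15:11 proxy01 squid: 10.0.0.23 TCP_MISS/200 GET http://cdn.malicious-update.example/loader.php",
    "Mar  3 10:16:40 ws07 sysmon: ProcessCreate Image=C:\\Temp\\inv.exe Hashes=SHA256=" + SAMPLE_HASH.upper(),
    'Mar  3 10:17:00 web01 nginx: 198.51.100.7 "GET / HTTP/1.1" 200 host=intranet.example',
]

# Internal ranges a feed should not contain; alerting on them would fire on every host.
# Checked explicitly because ipaddress.is_private also flags the RFC 5737 range used above.
NOISE_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(raw: str) -> str:
    """Undo common defanging and reduce a URL to its host: hxxp://a[.]b/x -> a.b"""
    s = raw.strip().lower()
    for defanged in ("[.]", "(.)", "{.}"):
        s = s.replace(defanged, ".")
    s = re.sub(r"^(hxxps?|https?)://", "", s)
    return s.split("/")[0]


def classify(raw: str):
    """Return (ioc_type, normalised_value), or None for unusable or noisy entries."""
    s = refang(raw)
    if SHA256_RE.match(s):
        return ("sha256", s)
    try:
        ip = ipaddress.ip_address(s)
    except ValueError:
        pass
    else:
        if ip.version != 4 or any(ip in net for net in NOISE_NETS):
            return None  # IPv6 is out of scope here; internal ranges are noise
        return ("ipv4", s)
    if DOMAIN_RE.match(s):
        return ("domain", s)
    return None


def load_iocs(raw_iocs):
    """Split raw IOC strings into per-type sets; also return the entries that were dropped."""
    ioc_sets = {"ipv4": set(), "domain": set(), "sha256": set()}
    dropped = []
    for raw in raw_iocs:
        kind = classify(raw)
        if kind is None:
            dropped.append(raw)
        else:
            ioc_sets[kind[0]].add(kind[1])
    return ioc_sets, dropped


# Token patterns with look-arounds: 203.0.113.5 is not found inside 203.0.113.50,
# and a hash only matches as a whole 64-hex token.
IPV4_IN_TEXT = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HOST_IN_TEXT = re.compile(r"(?<![a-z0-9.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![a-z0-9-])", re.I)
SHA256_IN_TEXT = re.compile(r"(?<![0-9a-f])([0-9a-f]{64})(?![0-9a-f])", re.I)


def parent_domain_hit(host, domains):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan(log_lines, ioc_sets):
    """Return one Alert per (line, IOC) match, in line order."""
    alerts = []
    for n, line in enumerate(log_lines, 1):
        for m in IPV4_IN_TEXT.finditer(line):
            if m.group(1) in ioc_sets["ipv4"]:
                alerts.append(Alert(n, "ipv4", m.group(1), line.strip()))
        for m in HOST_IN_TEXT.finditer(line):
            hit = parent_domain_hit(m.group(1), ioc_sets["domain"])
            if hit:
                alerts.append(Alert(n, "domain", hit, line.strip()))
        for m in SHA256_IN_TEXT.finditer(line):
            if m.group(1).lower() in ioc_sets["sha256"]:
                alerts.append(Alert(n, "sha256", m.group(1).lower(), line.strip()))
    return alerts


if __name__ == "__main__":
    iocs, dropped = load_iocs(SAMPLE_IOCS)
    print("loaded:", {k: sorted(v) for k, v in iocs.items()}, "dropped:", dropped)
    for a in scan(SAMPLE_LOGS, iocs):
        print(f"ALERT line {a.line_no} {a.ioc_type}={a.ioc}: {a.context}")
```

Run it as-is to see three alerts (lines 1, 3 and 4) and two dropped entries; line 2 stays silent because the IP regex refuses to match 203.0.113.5 inside 203.0.113.50, which is exactly the false positive a naive substring search would produce. To use it against your own data, replace SAMPLE_IOCS with the indicators exported from the pulse and SAMPLE_LOGS with the lines of a real log file.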
Final Submission
- Submit a Google Doc with:
- Screenshots of threat intelligence reports, IOC analysis, and SIEM alerts.
- A short write-up summarizing your findings.
- Ensure all steps are documented and properly labeled.
Congratulations! You’ve completed Threat Intelligence & IOC Analysis!