In a Security Operations Center (SOC), understanding threat intelligence and attack frameworks is crucial for identifying, analyzing, and mitigating cyber threats. Here are the top 15 questions and answers you need to know.
Q.1 What is Threat Intelligence (TI)?
Threat Intelligence (TI) is information about potential or active cyber threats that helps organizations prevent, detect, and respond to attacks. It includes knowledge about attackers, their tools, techniques, and the vulnerabilities they exploit.
Q.2 What are the types of threat intelligence?
Threat intelligence is generally divided into four types:
- Strategic: High-level view for decision-makers; focuses on trends, risks, and potential impact.
- Tactical: Provides attacker behavior and methods (TTPs) to guide SOC operations.
- Operational: Information about specific attacks happening now or recently.
- Technical: Specific indicators of compromise (IoCs) like malicious IPs, domains, and file hashes.
Q.3 What is the MITRE ATT&CK framework?
MITRE ATT&CK is a knowledge base of attacker tactics, techniques, and procedures (TTPs) based on real-world observations. It helps SOC teams understand how attackers operate and map attacks to a structured framework.
Q.4 How is MITRE ATT&CK used in SOC operations?
SOC analysts use MITRE ATT&CK to:
- Map alerts to known attacker behaviors
- Plan detection and prevention strategies
- Prioritize responses based on risk
Q.5 What is the Lockheed Martin Cyber Kill Chain?
The Cyber Kill Chain is a model developed by Lockheed Martin to describe the stages of a cyber attack from planning to impact. It helps SOC teams identify threats at each stage and stop attacks early.
Q.6 What are the 7 stages of the Cyber Kill Chain?
- Reconnaissance: Attacker gathers information.
- Weaponization: Malware or exploit is prepared.
- Delivery: Attack is delivered (email, website, etc.).
- Exploitation: Vulnerability is exploited.
- Installation: Malware is installed.
- Command and Control (C2): Attacker communicates with infected systems.
- Actions on Objectives: Attacker achieves goals (data theft, encryption).
Q.7 What is threat hunting and how does it differ from incident response?
Threat Hunting: Proactive search for hidden threats in the network before they cause damage.
Incident Response: Reactive process to contain, investigate, and mitigate threats after they are detected.
Q.8 What is the Diamond Model of Intrusion Analysis?
The Diamond Model helps analysts understand attacks by examining four components:
- Adversary: Who is attacking
- Infrastructure: Systems used in the attack
- Capability: Tools and malware used
- Victim: Target of the attack
Q.9 What are TTPs (Tactics, Techniques, and Procedures)?
TTPs describe how attackers operate:
- Tactics: Goals of the attacker (e.g., gaining access)
- Techniques: Methods to achieve goals (e.g., phishing)
- Procedures: Step-by-step execution (e.g., email with malicious link)
Example:
Using brute-force attacks to access admin accounts is a technique within the tactic “Credential Access.”
Q.10 What is adversary emulation?
Adversary emulation is simulating an attacker’s behavior in a controlled environment to test SOC defenses.
Example:
Red team exercises emulate ransomware attacks to see if SOC tools detect and respond correctly.
Q.11 What is open-source threat intelligence?
Open-source threat intelligence (OSINT) is publicly available information about threats.
Sources include: security blogs, malware databases, social media, and forums.
Q.12 How can you use threat feeds in a SIEM?
Threat feeds provide real-time IoCs (IP addresses, domains, file hashes).
Integrating them into a SIEM helps SOC analysts automatically detect malicious activity.
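As an added example that is not part of the original article, the Python script below does what a SIEM correlation rule does with a threat feed: it checks constructed log lines against a constructed feed of IoCs (IP, domain, SHA-256) and tags each hit with the ATT&CK tactic carried by the feed entry, which also illustrates the alert-to-behaviour mapping from Q.4. The feed entries, the hash, and the log lines are all invented for illustration; a real feed would be loaded from STIX/TAXII or CSV rather than hard-coded.

```python
# Constructed threat feed for this example: the indicators are invented, not real IoCs.
# Each entry carries the ATT&CK tactic the feed provider associates with it, so a hit
# maps straight to attacker behaviour. A real feed would come from STIX/TAXII or CSV.
CONSTRUCTED_HASH = "a" * 64
THREAT_FEED = {
    "ip": {"203.0.113.45": ("Command and Control", "known C2 server")},
    "domain": {"bad-updates.example": ("Initial Access", "malware distribution site")},
    "sha256": {CONSTRUCTED_HASH: ("Execution", "ransomware dropper")},
}

# Constructed key=value log lines, in the normalised form a SIEM might store them.
SAMPLE_LOGS = [
    "ts=2024-01-01T10:00:00Z src=10.0.0.5 dst=203.0.113.45 action=allow",
    "ts=2024-01-01T10:00:03Z src=10.0.0.7 query=BAD-UPDATES.example type=A",
    "ts=2024-01-01T10:00:09Z host=ws-12 file=setup.exe sha256=" + CONSTRUCTED_HASH.upper(),
    "ts=2024-01-01T10:00:12Z src=10.0.0.9 dst=198.51.100.20 action=allow",
]

# Which log fields are compared against which indicator type.
FIELD_MAP = {"ip": ("src", "dst"), "domain": ("query",), "sha256": ("sha256",)}

def parse_kv(line):
    """Split a key=value log line into a dict; values stay strings."""
    return dict(part.split("=", 1) for part in line.split() if "=" in part)

def match_feed(lines, feed=THREAT_FEED):
    """Return one dict per feed indicator found in the logs.
    Domains and hashes are compared case-insensitively; IPs must match exactly."""
    hits = []
    for line in lines:
        fields = parse_kv(line)
        for kind, names in FIELD_MAP.items():
            for name in names:
                value = fields.get(name)
                if value is None:
                    continue
                if kind != "ip":
                    value = value.lower()
                if value in feed[kind]:
                    tactic, desc = feed[kind][value]
                    hits.append({"kind": kind, "indicator": value, "tactic": tactic,
                                 "description": desc, "log": line})
    return hits

if __name__ == "__main__":
    for h in match_feed(SAMPLE_LOGS):
        print(f"[{h['tactic']}] {h['kind']}={h['indicator']}: {h['description']} <- {h['log']}")
```

The fourth log line matches nothing and produces no alert, which is the behaviour to verify when tuning a feed-based rule so it does not fire on ordinary traffic.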
Q.13 What are YARA rules used for?
YARA rules are used to identify and classify malware based on patterns in files, memory, or behavior.
Example:
A YARA rule can detect ransomware by looking for specific strings or code patterns in executable files.
Q.14 What is the difference between static and dynamic malware analysis?
- Static Analysis: Examining malware without running it (looking at code, strings, or file structure).
- Dynamic Analysis: Running malware in a controlled environment to observe behavior.
Q.15 What is sandboxing and why is it used in malware analysis?
Sandboxing runs suspicious files or programs in a safe, isolated environment so analysts can study them without risking the real network.
Example:
A downloaded file is executed in a sandbox, revealing it attempts to encrypt files and contact an attacker server — safely showing the malware’s behavior.
Conclusion
Understanding threat intelligence and attack frameworks helps SOC analysts detect, analyze, and respond to cyber threats more efficiently. Tools like MITRE ATT&CK, YARA, SIEM feeds, and practices like threat hunting or sandboxing provide visibility into attacker behavior, improving overall network security.