Module 1
Uploaded by Asmika Panchal
Module 1 – Introduction to Threat Intelligence
Advanced Threat Intelligence and Penetration Testing
Semester 7 – B.Tech (Information Technology)
Learning Objectives
• Understand what Threat Intelligence (TI) is
• Identify different types of threat intelligence
• Learn about threat actors and their motivations
• Understand the Threat Intelligence Lifecycle
What is Threat Intelligence?
• Definition: Threat Intelligence (TI), also known as Cyber Threat Intelligence (CTI), refers to evidence-based knowledge (including context, mechanisms, indicators, implications, and actionable advice) about existing or emerging threats to assets.
• It helps organizations make informed security decisions, detect attacks, and respond effectively to threats.
• Example: Knowing that a certain IP address is associated with ransomware activity helps you block it in your firewall.
Used to:
• Prevent cyber attacks
• Detect malicious activity
• Improve defense strategies
Types of Threat Intelligence
• Strategic: High-level risks and trends (Executives/CISOs)
• Tactical: Tactics, Techniques & Procedures (TTPs) (Security teams)
• Operational: Details about specific attacks (Incident handlers)
• Technical: Specific indicators (IPs, hashes) (Analysts/tools)
1. Strategic Threat Intelligence
Definition: Strategic threat intelligence provides broad, long-term views of threat landscapes. It focuses on high-level trends, geopolitical analysis, and risk predictions. It is primarily consumed by senior leadership to inform security policies, investment planning, and business risk assessment.
• Focus: High-level, long-term security trends.
• Audience: Senior management, board members, CISOs.
• Content:
– Geopolitical trends
– Emerging attack motives
– Industry-specific risks
– Threat actor profiles
• Purpose: Informs security investment and business risk decisions.
Example: A report showing a rise in state-sponsored cyber-attacks targeting the healthcare sector.
Case Study:
Sector: Financial Sector (Global Bank)
Scenario: A global financial institution receives a strategic threat intelligence report from a national cyber agency, indicating that Advanced Persistent Threat (APT) group APT28 (linked to a nation-state) is targeting banks to destabilize financial markets during political tension.
Insights Provided:
• APT28 is targeting SWIFT-based fund transfers.
• They exploit outdated VPN software.
• The motivation is political retaliation during a sanctions dispute.
Action Taken:
• The board increases investment in network segmentation.
• Risk analysts update the geopolitical risk map.
• The CISO updates the cyber resilience strategy, ensuring alignment with national policies.
This is strategic because it’s high-level, forward-looking, and drives long-term decisions.
2. Tactical Threat Intelligence
Definition: Tactical intelligence focuses on the Tactics, Techniques, and Procedures (TTPs) used by threat actors. It helps SOC (Security Operations Center) teams understand how attacks are executed.
• Focus: Tactics, techniques, and procedures (TTPs) of attackers.
• Audience: Security operations teams, blue teams.
• Content:
– How attacks are carried out (e.g., phishing, lateral movement)
– Common tools used (e.g., Cobalt Strike, Mimikatz)
• Purpose: Helps in designing detection and prevention mechanisms.
Example: Knowing attackers are exploiting a specific vulnerability (like CVE-2023-23397) using malicious macros in Word documents.
Case Study:
Sector: Healthcare IT Service Provider
Scenario: A managed service provider (MSP) for hospitals gets reports from an ISAC (Information Sharing and Analysis Center) indicating that ransomware groups are using Remote Desktop Protocol (RDP) brute-force attacks to infiltrate healthcare systems.
Insights Provided:
• Initial access via open RDP ports (TTP: brute-force).
• Privilege escalation using Mimikatz (TTP: credential dumping).
• Deployment of Ryuk ransomware.
Action Taken:
• Disable unused RDP ports across all networks.
• Deploy monitoring for abnormal login patterns.
• Train staff on suspicious login behavior.
This is tactical because it describes attacker behavior and informs defenses.
3. Operational Threat Intelligence
Definition: Operational intelligence provides real-time, event-specific details. It answers who is attacking, why, and what methods are being used in ongoing or recently observed attacks.
• Focus: Specific, real-time information about attacks.
• Audience: Incident response teams, threat hunters.
• Content:
– Indicators of compromise (IOCs)
– Campaign timelines
– Attack motivations
• Purpose: Enables real-time defense and incident response.
Example: Intelligence indicating an ongoing phishing campaign targeting banking customers in a specific country.
Case Study:
Sector: E-Commerce Retailer
Scenario: During a holiday sale, the company’s threat intelligence provider shares an alert that a group known as Magecart is actively injecting card skimmers into online stores using third-party JavaScript libraries.
Insights Provided:
• Magecart is targeting Magento-based websites.
• They compromise supply chain vendors like analytics scripts.
• Attacks are live in specific regions.
Action Taken:
• Block all third-party scripts not served over HTTPS.
• Conduct code reviews for e-commerce checkout pages.
• Notify impacted customers and law enforcement.
This is operational because it’s based on specific events and helps in incident handling.
4. Technical Threat Intelligence
Definition: Technical intelligence involves specific data indicators such as malicious IP addresses, file hashes (MD5, SHA256), domain names, and email addresses used in phishing. It is highly granular and used to feed into firewalls, SIEMs, IDS/IPS, and endpoint protection systems.
• Focus: Raw, technical data used in attacks.
• Audience: Security tools, IDS/IPS systems, SIEMs.
• Content:
– Malicious URLs, IP addresses, file hashes
– Malware signatures
• Purpose: Used for automated detection and blacklisting.
• Example: SHA256 hash of a known ransomware executable shared on a threat feed.
Case Study:
Sector: University Network
Scenario: A university receives a list of Indicators of Compromise (IOCs) from an open-source threat feed. These include:
• Malicious domains hosting remote access trojans (RATs)
• File hashes linked to “NetWire” malware
• IPs involved in botnet C2 communication
Insights Provided:
• SHA256: 9f2d10f7... (NetWire sample)
• IP: 173.245.58.123 (Botnet C2 server)
• Domain: update-security-apple.com (phishing site)
Action Taken:
• IOCs are uploaded to the university’s firewall blocklist.
• Endpoint protection is updated to detect related malware.
• DNS sinkholing is enabled for malicious domains.
This is technical because it provides direct, machine-consumable intelligence for blocking threats.
Takeaway
• Each type of threat intelligence plays a unique role in securing an organization:
– Strategic gives vision
– Tactical gives direction
– Operational gives awareness
– Technical gives tools
• Combining all four creates a robust, layered cyber defense strategy.
Threat Intelligence Lifecycle
• The Threat Intelligence Lifecycle is a structured, repeatable process that outlines how raw data is transformed into actionable threat intelligence. This process helps organizations collect, analyze, and apply intelligence to improve cybersecurity decision-making.
• The six phases are:
– 1. Planning & Direction
– 2. Collection
– 3. Processing & Exploitation
– 4. Analysis
– 5. Dissemination
– 6. Feedback
1. Direction (Planning & Requirements)
This is the initial planning phase, where goals, needs, and intelligence
priorities are defined. It involves asking:
• What do we want to protect?
• What threats are most relevant?
• Who are our adversaries?
Example:
• A bank wants to identify if any ransomware groups are targeting SWIFT transactions. The CISO sets a goal: “Track financial-targeted ransomware campaigns for Q3.”
Output:
• Clear objectives
• Priority areas (e.g., ransomware, phishing)
• Questions for investigation (e.g., Are Russian APTs active in financial sectors?)
2. Collection
Gathering data from various internal and external sources, both structured and unstructured.
Sources include:
• Open-source intelligence (OSINT)
• Dark web monitoring
• Logs from firewalls, IDS/IPS
• Threat feeds
• Human intelligence (HUMINT)
Example:
The bank uses:
• Threat feeds from FS-ISAC
• Dark web crawlers to monitor mentions of “bankname.com”
• Logs from endpoint detection systems
Output:
• Raw data: IP addresses, phishing emails, suspicious URLs, threat actor chatter
3. Processing
Raw data is converted into a usable format. This includes:
• De-duplication
• Correlation of events
• Data normalization
• Filtering irrelevant data
Example:
The bank’s system removes duplicate indicators from 5 threat feeds and correlates URLs with login attempts on its platform. Unrelated social media posts are discarded.
Output:
• Processed data: Cleaned IOC lists, attack patterns, readable logs
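As an added worked example (not part of the module), this Python script carries out the Processing phase on constructed data: indicators from several feeds are normalized (refanged, lower-cased, URLs reduced to hostnames), typed as IP/domain/SHA256 in the way the Technical intelligence section describes, de-duplicated across feeds, filtered of irrelevant entries, and then correlated with login events. All feed values, hostnames and log lines are constructed placeholders, not real indicators.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample feeds (placeholder values, not real indicators). Feeds
# disagree on case, defanging ("[.]", "hxxp") and whitespace, which is
# exactly what the Processing phase has to clean up before analysis.
FEEDS = {
    "feed-a": ["198.51.100.23", "Update-Security-Example[.]com", "9F2D10F7" + "a" * 56],
    "feed-b": ["198.51.100.23 ", "update-security-example.com", "not-an-indicator"],
    "feed-c": ["hxxps://update-security-example[.]com/login", "203.0.113.9"],
}

# Constructed login events from the bank's own platform (placeholder data).
LOGIN_LOG = [
    "2024-03-01T10:02:11Z user=alice src=198.51.100.23 result=fail",
    "2024-03-01T10:02:15Z user=alice src=198.51.100.23 result=fail",
    "2024-03-01T10:05:40Z user=bob src=192.0.2.44 result=ok",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def normalize(raw):
    """Normalize one indicator: trim, lower-case, refang, reduce URLs to the
    host. Returns (type, value), or None when the entry is not an IOC."""
    v = raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if v.startswith(("http://", "https://")):
        v = v.split("://", 1)[1].split("/", 1)[0]
    if SHA256_RE.match(v):
        return ("sha256", v)
    try:
        return ("ip", str(ipaddress.ip_address(v)))
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return ("domain", v)
    return None  # filtered out as irrelevant data


def process_feeds(feeds):
    """De-duplicate across feeds; count how many feeds report each IOC."""
    seen = Counter()
    for items in feeds.values():
        for ioc in {normalize(r) for r in items} - {None}:
            seen[ioc] += 1
    return seen


def correlate(iocs, log_lines):
    """Return login events whose src= address is a known-bad IP indicator."""
    bad_ips = {value for kind, value in iocs if kind == "ip"}
    return [ln for ln in log_lines
            if (m := re.search(r"src=(\S+)", ln)) and m.group(1) in bad_ips]
```

The per-IOC feed count is what the Analysis phase later uses to weigh an indicator: an IP seen in two feeds and in failed logins is a stronger lead than a domain seen once.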
4. Analysis
Processed data is analyzed to draw meaningful conclusions. Analysts determine:
• Who is behind the threat (actor attribution)
• What are their capabilities, intent, and history?
• What vulnerabilities are being exploited?
Example:
The threat analyst links several IPs to a ransomware group named Conti, known to use phishing emails with malicious Excel macros. They match Conti’s TTPs with the recent spike in phishing attempts.
Output:
• Actionable intelligence: “Conti is likely preparing a campaign against financial orgs”
• IOC reports, threat actor profiles
• Attack timelines and tools used
5. Dissemination
The intelligence is delivered to relevant stakeholders:
• Executives: Strategic insights
• SOC team: IOC lists, attack paths
• Developers: Patch recommendations
• Law enforcement: Legal evidence
Example:
• The bank’s CISO receives a report for strategic planning.
• The SOC team gets updated firewall rules and detection signatures.
• The compliance team is briefed on regulatory risks.
Output:
• Tailored reports
• Dashboards
• Alerts
• Briefings
6. Feedback
Stakeholders provide feedback on the usefulness of the intelligence:
• Was it timely?
• Was it actionable?
• What needs improvement?
This feedback is fed back into the next intelligence cycle to refine goals and methods.
Example:
• The SOC team requests more real-time alerts.
• Executives ask for simplified dashboards.
• Analysts discover new dark web forums to monitor.
Output:
• Updated requirements
• Improved collection and analysis in the next cycle
Summary
Phase | Description | Example in Banking
Direction | Define intelligence goals | Track ransomware targeting SWIFT
Collection | Gather data from multiple sources | Use threat feeds, dark web crawlers
Processing | Organize and clean data | Remove duplicates, correlate IPs
Analysis | Identify patterns, TTPs, actors | Attribute phishing to Conti group
Dissemination | Share with right teams | IOC to SOC, strategic report to CISO
Feedback | Evaluate intelligence value | SOC asks for more real-time IOCs
Takeaway
The Threat Intelligence Lifecycle is not a one-time process. It is:
• Continuous: Intelligence is updated regularly.
• Collaborative: Involves multiple teams.
• Adaptive: Feedback drives improvement.
By using this lifecycle, organizations turn chaotic data into strategic cybersecurity decisions.
Threat Actors: Who are Threat Actors?
A threat actor (or bad actor) is an individual or group that intentionally carries out malicious activities against digital systems, networks, or organizations.
Types include:
• Nation-State Actors (e.g., APTs)
• Cybercriminals (ransomware, data theft)
• Hacktivists (ideological)
• Insider Threats
They aim to:
• Steal data
• Disrupt services
• Demand ransom
• Advance a political or ideological agenda
Threat actors vary in skill, resources, and intent.
Types of Threat Actors and Their Motivations
1. Cybercriminals
Motivation: Financial Gain
Cybercriminals aim to make money through theft, fraud, extortion, or selling stolen data. They often use:
• Ransomware
• Phishing
• Banking trojans
• Credit card skimmers
Example:
• The REvil Ransomware Group (also known as Sodinokibi) targeted companies worldwide and demanded millions in Bitcoin to decrypt locked systems. In 2021, they attacked Kaseya, affecting over 1,500 businesses.
2. Nation-State Actors (APT Groups)
Motivation: Espionage, Political Advantage, Cyberwarfare
These actors work on behalf of governments to:
• Steal state or corporate secrets
• Disrupt rival nations’ infrastructure
• Influence elections or policies
They are highly skilled, well-funded, and operate in stealth.
Example:
• APT29 (Cozy Bear), linked to the Russian government, conducted cyber-espionage campaigns targeting:
– The US Democratic National Committee (2016)
– COVID-19 vaccine research in the UK, US, and Canada (2020)
3. Hacktivists
Motivation: Ideological, Political, or Social Causes
These attackers aim to spread a message or protest against organizations they view as unethical. Their tools include:
• Website defacement
• DDoS attacks
• Leaking sensitive data
Example:
• Anonymous, a decentralized hacktivist collective, launched attacks on:
– PayPal and Mastercard (2010), in protest of their blocking WikiLeaks
– Russian government websites (2022), after the Ukraine invasion
4. Insiders (Malicious or Negligent Employees)
Motivation: Revenge, Profit, Negligence
Insiders are current or former employees who:
• Leak or steal data
• Sabotage systems
• Unintentionally expose sensitive info
Example:
• An employee at Tesla was caught attempting to sabotage the company’s internal systems in 2020 by injecting malware and trying to extort money.
Insider threats can also be unintentional, like employees falling for phishing emails.
5. Script Kiddies
Motivation: Fun, Challenge, Recognition
• These are amateur hackers who use existing tools and scripts without deep technical knowledge. They often attack low-security systems for fun or fame.
Example:
• A 17-year-old script kiddie was part of the group that hacked Twitter in 2020, gaining access to accounts of Elon Musk, Obama, and others, running a Bitcoin scam.
6. Competitors (Corporate Espionage)
Motivation: Business Advantage
Some organizations engage in illegal data theft to gain an edge over rivals.
Methods include:
• Stealing trade secrets
• Spying on R&D
• Monitoring key personnel
Example:
• In 2014, China’s APT1 group was accused of stealing intellectual property from US companies in industries like energy, aerospace, and manufacturing.
Comparison Table of Threat Actors
Threat Actor | Motivation | Typical Tactics | Example Attack
Cybercriminals | Financial profit | Ransomware, phishing, data theft | REvil attack on Kaseya
Nation-States | Espionage, political power | APT campaigns, stealthy malware | APT29 targeting vaccine research
Hacktivists | Ideological causes | DDoS, defacement, leaks | Anonymous DDoS on gov sites
Insiders | Revenge, negligence | Data theft, sabotage, phishing | Tesla employee attempted sabotage
Script Kiddies | Fun, recognition | Pre-built tools, web defacement | Teen hacked Twitter for Bitcoin scam
Competitors | Business advantage | Corporate espionage | IP theft from US firms (APT1)
Takeaway
Understanding who is attacking and why is critical in cybersecurity.
It allows organizations to:
• Design appropriate defenses
• Prioritize threats
• Tailor awareness programs
“Know your enemy” is as crucial in cybersecurity as it is in war.
Summary
• TI helps anticipate and mitigate cyber threats
• Four types: Strategic, Tactical, Operational, Technical
• Understanding threat actors is key to defense
• Lifecycle organizes the TI process
Self-Learning Topics
• Cyber Kill Chain: Model for understanding attack phases
• Threat Hunting: Proactive searching for threats
Real-World Example
• Example: SolarWinds Attack
– Nation-state attack (APT29)
– Used backdoor 'SUNBURST'
– Impacted government and private networks
Sort the Shuffled Threat Intelligence Lifecycle Cards
1. Distribute the analyzed intelligence to appropriate stakeholders (e.g., SOC team, executives, IT admins) in the form of reports, dashboards, or alerts for timely action.
2. Gather raw data from internal logs, open-source intelligence (OSINT), threat feeds, and dark web sources to support the intelligence requirements.
3. Examine processed data to identify threat actors, patterns, tools, and motivations. Turn it into actionable insights.
4. Define the purpose of the intelligence process: what to investigate, what threats to focus on, and what questions need answering.
5. Evaluate the usefulness of the delivered intelligence. Gather input to refine future intelligence collection and analysis.
6. Organize, clean, filter, and format raw data (e.g., remove duplicates, normalize indicators) to prepare for analysis.
Assignment-1: Design a Threat Profile Poster
Objective: Research and document a known threat actor.
• How it works:
Research the following points:
– Origin
– Motivations
– Tools & techniques
– Famous attacks
– Targeted industries
• Create a digital visual poster and present it to the class.
• Threat Actor Profile: [Group Details – Name]
• Country of Origin: [Insert nation/state if known]
• Motivation: [e.g., Espionage, Financial Gain, Hacktivism]
• Active Since: [Year or period]
• Target Industries: [e.g., Finance, Healthcare, Government, Energy]
• Known Tactics and Tools: [List TTPs like phishing, malware names, zero-day exploits]
• Famous Attacks:
– [Year] – [Attack Name/Target]
– [Year] – [Attack Name/Target]
• MITRE ATT&CK Techniques Used: [e.g., T1566 - Phishing, T1086 - PowerShell]
• Countermeasures: [Defensive actions organizations can take]
• Visuals:
– Group logo (if known)
– Map of regions affected
– Timeline of attacks