Module 7: Threat Intelligence — Know Your Enemy
Don't investigate blind. Use intel to move faster and smarter.
You'll enrich the attacker's IOCs (185.220.101.42, darknet.top domains) through MISP and connect them to known campaigns.
Lessons & Labs
IOC Types & Lifecycle
IPs, domains, hashes, freshness
Lab 7.1 — IOC Lookup
Search 5 IOCs in MISP.
Lesson 7.2 — Threat Feeds & Sharing
Events, attributes, tags, galaxies — navigating MISP
Lesson 7.3 — MISP for SOC Analysts
Open feeds, ISACs, TLP, and the sharing ecosystem
Lab 7.2 — Feed the SIEM
Take 3 IOCs from MISP and search for them in Wazuh.
Pivoting: From One IOC to Many
IP → domain → hash → campaign
Lab 7.3 — Pivot and Expand
IP → MISP → Wazuh → threat profile.
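As an added example for Labs 7.2 and 7.3 (not part of the course materials or of MISP/Wazuh themselves), the script below loads a MISP event in its JSON export shape (Event.Attribute[] with type, value and to_ids), pivots from one IOC to the other IOCs in the same event, renders the actionable IOCs as a Wazuh CDB list ("key:value" lines), and matches them against a few constructed log lines. The event content and the log lines are constructed sample data using the IPs and domain named in the module description; nothing here contacts a live MISP or Wazuh instance.

```python
import json
import re

# Constructed MISP event export (same shape as MISP's JSON export: Event.Attribute[]).
# Sample data only; the values come from the module description, not from a real feed.
MISP_EVENT_JSON = json.dumps({
    "Event": {
        "id": "1001",
        "info": "Constructed sample event: darknet.top campaign",
        "Attribute": [
            {"type": "ip-dst", "category": "Network activity",
             "value": "185.220.101.42", "to_ids": True},
            {"type": "domain", "category": "Network activity",
             "value": "cdn.darknet.top", "to_ids": True},
            {"type": "sha256", "category": "Payload delivery",
             "value": "a" * 64, "to_ids": True},
            # to_ids=False: context for analysts, never pushed to detection
            {"type": "comment", "category": "Other",
             "value": "analyst note, not an IOC", "to_ids": False},
        ],
    }
})

# Constructed firewall/DNS log lines in a key=value style (sample data).
LOG_LINES = [
    "2024-05-01T10:00:01Z fw01 action=allow src=10.0.0.5 dst=185.220.101.42 dport=443",
    "2024-05-01T10:00:02Z dns01 client=10.0.0.5 query=cdn.darknet.top type=A",
    "2024-05-01T10:00:03Z fw01 action=allow src=10.0.0.6 dst=93.184.216.34 dport=443",
    "2024-05-01T10:00:04Z fw01 action=allow src=10.0.0.7 dst=185.220.101.4 dport=443",
]


def load_iocs(event_json):
    """Return (type, value) pairs for attributes flagged to_ids, i.e. the actionable IOCs."""
    event = json.loads(event_json)["Event"]
    return [(a["type"], a["value"]) for a in event["Attribute"] if a.get("to_ids")]


def pivot(event_json, seed_value):
    """From one known IOC, return every other IOC in the same event (IP -> domain -> hash).

    Returns an empty list when the seed is not an IOC of this event, so a miss
    is distinguishable from an event that only contains the seed itself.
    """
    iocs = load_iocs(event_json)
    if not any(value == seed_value for _, value in iocs):
        return []
    return [(ioc_type, value) for ioc_type, value in iocs if value != seed_value]


def to_cdb_list(event_json):
    """Render the IOCs as Wazuh CDB list lines: 'key:value', one per line.

    The IOC is the key (what a rule's <list> lookup matches on) and the MISP
    attribute type is stored as the value so a rule can tell IPs from hashes.
    """
    lines = [f"{value}:{ioc_type}" for ioc_type, value in load_iocs(event_json)]
    return "\n".join(lines) + "\n"


def match_logs(event_json, log_lines):
    """Return (ioc_type, ioc_value, log_line) for each log line containing an IOC.

    Matches are bounded so that 185.220.101.4 does not match 185.220.101.42
    and a hash does not match inside a longer hex string.
    """
    hits = []
    for ioc_type, value in load_iocs(event_json):
        pattern = re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", re.IGNORECASE)
        for line in log_lines:
            if pattern.search(line):
                hits.append((ioc_type, value, line))
    return hits


if __name__ == "__main__":
    print("Pivot from 185.220.101.42:", pivot(MISP_EVENT_JSON, "185.220.101.42"))
    print("CDB list:\n" + to_cdb_list(MISP_EVENT_JSON))
    for hit in match_logs(MISP_EVENT_JSON, LOG_LINES):
        print("HIT", hit)
```

The to_ids flag is the filter that matters for Lab 7.2: MISP events carry analyst context alongside detection-grade indicators, and only the latter belong in a SIEM list. The bounded regex in match_logs is the kind of check a practitioner wants before trusting a substring search, since a partial IP or hash overlap would otherwise produce false hits.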
Intel-Driven Triage
How IOCs change triage decisions
Lab 7.4 — Campaign Mapping
Extract IOCs, map them to ATT&CK, check the environment.
Operationalizing Threat Reports
From reading a threat report to building detections — extract attack steps, map to ATT&CK, identify artifacts, map to evidence sources
Lab 7.5 — Threat Report to Hunt Plan
Given a simulated APT report: extract IOCs, map to ATT&CK, create MISP event, build hunt hypothesis document.
OSINT for SOC Analysts
Free OSINT tools (VirusTotal, AbuseIPDB, Shodan, URLScan.io, WHOIS), the 5-step investigation workflow, reading results, OPSEC
Lab 7.6 — OSINT Investigation
Browser-only: Investigate 5 IOCs across free OSINT platforms (VirusTotal, AbuseIPDB, Shodan, URLScan.io, WHOIS). Produce a structured OSINT report.