Hands-on Lab · Advanced · ~65 min · Includes challenge

Lab 7.4 — Campaign Mapping

Extract IOCs from a ransomware threat intel report, search MISP for matches, map ATT&CK techniques, and write an executive 'Are We Affected?' briefing.

Tools needed: MISP, MITRE ATT&CK Navigator

What You'll Learn

  • Extract Indicators of Compromise (IOCs) from a written threat intelligence report
  • Search MISP for matching IOCs to determine organizational exposure
  • Map adversary techniques to the MITRE ATT&CK framework using ATT&CK Navigator
  • Correlate MISP event data with ATT&CK technique IDs to build a campaign profile
  • Write a concise "Are We Affected?" executive briefing with IOC matches, technique coverage, and risk assessment

Lab Overview

| Detail | Value |
|--------|-------|
| Lab Profile | lab-misp |
| Containers | MISP Core, MISP Database, MISP Workers |
| Estimated Time | 65 minutes |
| Difficulty | Intermediate–Advanced |
| Browser Access | MISP Web UI + ATT&CK Navigator (external) |
| Pre-Loaded Data | LockBit 3.0 ransomware campaign event with IPs, file hashes, domains, and ATT&CK tags |
| Deliverable | "Are We Affected?" one-page briefing with IOC matches, ATT&CK mapping, and risk assessment |

Why Campaign Mapping Matters. When a new ransomware campaign hits the news, the first question from leadership is always: "Are we affected?" Answering that question requires three skills: extracting IOCs from threat intel, searching your TIP for matches, and mapping the campaign's TTPs to your defensive coverage. This lab teaches all three.


The Scenario

Your organization's CISO forwards you an urgent threat intelligence report:

FLASH ALERT — LockBit 3.0 Ransomware Campaign Targeting Healthcare and Financial Services

A new LockBit 3.0 campaign has been observed targeting organizations in healthcare and financial services across North America. The intrusion set deploying LockBit 3.0 (the variant also tracked as LockBit Black) gains initial access via phishing emails carrying malicious Office macros, then deploys Cobalt Strike beacons for C2 communication before encrypting systems.

Known Indicators of Compromise:

| Type | Value | Context |
|------|-------|---------|
| IP Address | 185.112.83.96 | Cobalt Strike C2 server |
| IP Address | 91.242.217.104 | Payload staging server |
| IP Address | 45.227.255.215 | Exfiltration endpoint |
| Domain | update-microsoft365.com | Phishing landing page |
| Domain | cdn-cloudflare-security.net | Malware delivery domain |
| SHA-256 | a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 | LockBit 3.0 encryptor |
| SHA-256 | 9f8e7d6c5b4a9f8e7d6c5b4a9f8e7d6c5b4a9f8e7d6c5b4a9f8e7d6c5b4a9f8e | Cobalt Strike beacon DLL |
| MD5 | d41d8cd98f00b204e9800998ecf8427e | Dropper macro document |
| Email | hr-benefits@update-microsoft365.com | Phishing sender address |

ATT&CK Techniques Observed: T1566.001 (Spearphishing Attachment), T1204.002 (Malicious File), T1059.001 (PowerShell), T1059.003 (Windows Command Shell), T1071.001 (Web Protocols for C2), T1486 (Data Encrypted for Impact), T1048.003 (Exfiltration Over Unencrypted Non-C2 Protocol), T1078 (Valid Accounts), T1053.005 (Scheduled Task), T1021.002 (SMB/Windows Admin Shares for Lateral Movement)

Your CISO wants a formal answer within one hour: "Are we affected, and what's our exposure?"

This is a realistic workflow. In production SOC environments, analysts receive flash alerts like this multiple times per week. The ability to quickly extract IOCs, check them against your TIP, and produce a leadership-ready briefing is a core competency for any SOC Tier 2+ analyst.


Part 1: Extract IOCs from the Report (10 minutes)

Before touching any tool, systematically extract every IOC from the report above.

Step 1: Create an IOC Extraction Table

Open a text editor (or use the notes area below) and organize every indicator:

IOC EXTRACTION — LockBit 3.0 Campaign
══════════════════════════════════════
Source: FLASH ALERT (provided by CISO)
Date Extracted: [today's date]
Analyst: [your name]

IP Addresses (3):
  1. 185.112.83.96       — Cobalt Strike C2
  2. 91.242.217.104      — Payload staging
  3. 45.227.255.215      — Exfiltration endpoint

Domains (2):
  1. update-microsoft365.com      — Phishing landing page
  2. cdn-cloudflare-security.net  — Malware delivery

File Hashes (3):
  SHA-256: a1b2c3d4...a1b2  — LockBit 3.0 encryptor
  SHA-256: 9f8e7d6c...9f8e  — Cobalt Strike beacon DLL
  MD5:     d41d8cd9...427e  — Dropper macro document

Email Addresses (1):
  hr-benefits@update-microsoft365.com — Phishing sender

ATT&CK Techniques (10):
  T1566.001, T1204.002, T1059.001, T1059.003,
  T1071.001, T1486, T1048.003, T1078, T1053.005, T1021.002

Total IOCs: 9 network/file indicators + 10 ATT&CK techniques

Structured Extraction is Key. Resist the urge to jump straight into MISP. Organized extraction ensures you don't miss indicators and gives you a checklist to track which IOCs you've searched. In a real incident, missing even one IOC could mean missing active compromise. Sanity-check values as you extract them: d41d8cd98f00b204e9800998ecf8427e is the MD5 of a zero-byte file, so as a real indicator it would match every empty document and flood your results with false positives. The lab's hashes are placeholders, but an indicator like that in a genuine flash alert should be queried back to the source before anyone blocks or hunts on it.
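The extraction step above can be scripted so that nothing is missed and obviously bad values are flagged before you search. The following is an added example written for this page, not part of the lab materials: it pulls IPs, domains, hashes, e-mail addresses and ATT&CK IDs out of a constructed excerpt of the flash alert with regular expressions, de-duplicates them, defangs them for safe pasting, and warns about empty-file hashes and non-routable addresses. The REPORT text is a sample built from the alert in this lab; the empty-file hash constants are the well-known MD5/SHA-1/SHA-256 of a zero-byte input.

```python
import ipaddress
import re

# Constructed excerpt of the lab's flash alert, used here as sample input.
REPORT = """\
FLASH ALERT - LockBit 3.0 Ransomware Campaign Targeting Healthcare and Financial Services
IP Address  185.112.83.96   Cobalt Strike C2 server
IP Address  91.242.217.104  Payload staging server
IP Address  45.227.255.215  Exfiltration endpoint
Domain      update-microsoft365.com      Phishing landing page
Domain      cdn-cloudflare-security.net  Malware delivery domain
SHA-256     a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2  LockBit 3.0 encryptor
SHA-256     9f8e7d6c5b4a9f8e7d6c5b4a9f8e7d6c5b4a9f8e7d6c5b4a9f8e7d6c5b4a9f8e  Cobalt Strike beacon DLL
MD5         d41d8cd98f00b204e9800998ecf8427e  Dropper macro document
Email       hr-benefits@update-microsoft365.com  Phishing sender address
ATT&CK Techniques Observed: T1566.001, T1204.002, T1059.001, T1059.003,
T1071.001, T1486, T1048.003, T1078, T1053.005, T1021.002
"""

# Digests of a zero-byte file: a report that lists one of these has a data-quality problem.
EMPTY_FILE_HASHES = {
    "d41d8cd98f00b204e9800998ecf8427e": "MD5 of a zero-byte file",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709": "SHA-1 of a zero-byte file",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "SHA-256 of a zero-byte file",
}

PATTERNS = {
    "email":  re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip":     re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "sha1":   re.compile(r"\b[0-9a-f]{40}\b", re.I),
    "md5":    re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "domain": re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I),
    "attack": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
}


def _valid_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dedupe(items):
    """Remove duplicates while keeping first-seen order."""
    return list(dict.fromkeys(items))


def extract_iocs(text):
    """Return {kind: [values]} in first-seen order, lower-cased and de-duplicated."""
    iocs = {"email": _dedupe(m.lower() for m in PATTERNS["email"].findall(text))}
    # Blank out e-mail addresses so their domain part is not also reported as a domain.
    stripped = PATTERNS["email"].sub(" ", text)
    for kind in ("ip", "sha256", "sha1", "md5"):
        iocs[kind] = _dedupe(m.lower() for m in PATTERNS[kind].findall(text))
    iocs["domain"] = _dedupe(m.lower() for m in PATTERNS["domain"].findall(stripped))
    iocs["attack"] = _dedupe(PATTERNS["attack"].findall(text))
    # The IP regex accepts 300.1.1.1; keep only syntactically valid addresses.
    iocs["ip"] = [ip for ip in iocs["ip"] if _valid_ip(ip)]
    return iocs


def indicator_count(iocs):
    """Network/file indicators only; ATT&CK IDs are counted separately."""
    return sum(len(v) for k, v in iocs.items() if k != "attack")


def defang(value):
    """Make an indicator safe to paste into e-mail or a ticket."""
    return value.replace(".", "[.]")


def sanity_notes(iocs):
    """Flag indicators that would be useless or misleading if searched as-is."""
    notes = []
    for kind in ("md5", "sha1", "sha256"):
        for h in iocs.get(kind, []):
            if h in EMPTY_FILE_HASHES:
                notes.append(f"{h}: {EMPTY_FILE_HASHES[h]}; will match every empty file")
    for ip in iocs.get("ip", []):
        if not ipaddress.ip_address(ip).is_global:
            notes.append(f"{ip}: private/reserved address, not a usable external C2 indicator")
    return notes


def extraction_table(iocs):
    """Render the same checklist the lab asks you to keep by hand."""
    lines = []
    for kind in ("ip", "domain", "sha256", "sha1", "md5", "email"):
        if iocs[kind]:
            lines.append(f"{kind} ({len(iocs[kind])}):")
            lines.extend(f"  {defang(v)}" for v in iocs[kind])
    lines.append(f"attack ({len(iocs['attack'])}): {', '.join(iocs['attack'])}")
    lines.append(f"Total: {indicator_count(iocs)} indicators + {len(iocs['attack'])} ATT&CK techniques")
    lines.extend(f"WARNING {note}" for note in sanity_notes(iocs))
    return "\n".join(lines)


if __name__ == "__main__":
    print(extraction_table(extract_iocs(REPORT)))
```

Run it on the alert text and compare its output with your hand-built table; the warning line on the MD5 is the kind of note that belongs in the briefing's appendix.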


Part 2: Search MISP for IOC Matches (20 minutes)

Step 2: Log into MISP

Open your MISP lab environment. Default credentials are displayed on the lab launch page.

Navigate to Home to see the event list. You should see a pre-loaded event titled "LockBit 3.0 — Healthcare/Financial Campaign (2024)" containing the campaign's IOCs.

Step 3: Search for IP Addresses

Navigate to Event Actions → Search Attributes (or use the global search bar).

Search for each IP address from your extraction table:

Search: 185.112.83.96

Record for each IP:

  • Was a match found? (Yes/No)
  • Which MISP event contains it?
  • What category and type is it tagged as?
  • What is the to_ids flag value? (true marks the attribute as suitable for export to detection tools such as IDS rule sets and SIEM block lists; false keeps it as context only)

Repeat for 91.242.217.104 and 45.227.255.215.

Step 4: Search for Domains

Search: update-microsoft365.com

Then search for cdn-cloudflare-security.net.

Record:

  • Match found?
  • What MISP category? (Network activity → domain)
  • Are there related attributes in the same event?

Step 5: Search for File Hashes

Search: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2

Repeat for the other two hashes.

Record:

  • Match found?
  • What malware family is tagged?
  • Is there a filename associated with the hash?

Step 6: Compile Your MISP Search Results

MISP SEARCH RESULTS
════════════════════
Search Date: [today]

| IOC | Type | Match? | MISP Event | Category | to_ids |
|-----|------|--------|------------|----------|--------|
| 185.112.83.96 | ip-dst | ✅ YES | LockBit 3.0 Campaign | Network activity | true |
| 91.242.217.104 | ip-dst | ✅ YES | LockBit 3.0 Campaign | Network activity | true |
| 45.227.255.215 | ip-dst | ✅ YES | LockBit 3.0 Campaign | Network activity | true |
| update-microsoft365.com | domain | ✅ YES | LockBit 3.0 Campaign | Network activity | true |
| cdn-cloudflare-security.net | domain | ✅ YES | LockBit 3.0 Campaign | Network activity | true |
| a1b2c3d4...a1b2 | sha256 | ✅ YES | LockBit 3.0 Campaign | Payload delivery | true |
| 9f8e7d6c...9f8e | sha256 | ✅ YES | LockBit 3.0 Campaign | Payload delivery | true |
| d41d8cd9...427e | md5 | ✅ YES | LockBit 3.0 Campaign | Payload delivery | true |
| hr-benefits@... | email-src | ✅ YES | LockBit 3.0 Campaign | Payload delivery | true |

Matches: 9/9 IOCs found in MISP
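Clicking through nine searches is fine once; the same check against the MISP REST API is what you would automate for the next flash alert. The block below is an added example, not code shipped with the lab or by the MISP project: it builds the body for POST /attributes/restSearch (a standard MISP endpoint; value accepts a list, which is OR-ed), provides a live query helper, and then compiles the match table from the response. MISP_URL and MISP_KEY are placeholders for the values on your lab launch page, SAMPLE_RESPONSE is constructed to look like the endpoint's JSON (with one IOC deliberately absent so the unmatched path is exercised), and the composite filename|sha256 attribute shows why both halves of a value must be compared.

```python
import json
import urllib.request

# Lab-specific values (assumptions): replace with those shown on your lab launch page.
MISP_URL = "https://misp.lab.local"
MISP_KEY = "REPLACE_WITH_YOUR_AUTH_KEY"


def build_restsearch_body(values, to_ids=None):
    """Body for POST /attributes/restSearch; 'value' takes a list and matches any of them."""
    body = {"returnFormat": "json", "value": sorted(set(values)), "includeEventTags": True}
    if to_ids is not None:
        body["to_ids"] = int(bool(to_ids))
    return body


def misp_restsearch(values, base_url=MISP_URL, api_key=MISP_KEY):
    """Live query against MISP. Needs network access to the lab; not used by the offline demo."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/attributes/restSearch",
        data=json.dumps(build_restsearch_body(values)).encode(),
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def match_iocs(values, response):
    """Map each searched value (case-insensitive) to the MISP attributes that carry it."""
    wanted = {v.lower(): [] for v in values}
    for attr in response.get("response", {}).get("Attribute", []):
        # Composite attributes such as filename|sha256 keep both halves in 'value'.
        for part in attr["value"].lower().split("|"):
            if part in wanted:
                wanted[part].append({
                    "event_id": attr["event_id"],
                    "event": attr.get("Event", {}).get("info", "?"),
                    "category": attr["category"],
                    "type": attr["type"],
                    "to_ids": bool(attr["to_ids"]),
                })
    return wanted


def summarize(matches):
    """(matched, total, [unmatched values]) for the briefing's IOC section."""
    unmatched = [v for v, hits in matches.items() if not hits]
    return len(matches) - len(unmatched), len(matches), unmatched


def results_table(matches):
    rows = ["| IOC | Match? | MISP Event | Category | Type | to_ids |",
            "|---|---|---|---|---|---|"]
    for v, hits in matches.items():
        if not hits:
            rows.append(f"| {v} | NO | - | - | - | - |")
        for h in hits:
            rows.append(f"| {v} | YES | {h['event_id']}: {h['event']} | {h['category']} "
                        f"| {h['type']} | {str(h['to_ids']).lower()} |")
    return "\n".join(rows)


# Constructed response in the shape MISP returns (sample data, not a real capture).
EVENT = {"id": "12", "info": "LockBit 3.0 - Healthcare/Financial Campaign (2024)"}
SAMPLE_RESPONSE = {"response": {"Attribute": [
    {"event_id": "12", "category": "Network activity", "type": "ip-dst", "to_ids": True,
     "value": "185.112.83.96", "Event": EVENT},
    {"event_id": "12", "category": "Network activity", "type": "domain", "to_ids": True,
     "value": "update-microsoft365.com", "Event": EVENT},
    {"event_id": "12", "category": "Payload delivery", "type": "filename|sha256", "to_ids": True,
     "value": "lockbit.exe|a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
     "Event": EVENT},
]}}

SEARCH = ["185.112.83.96", "update-microsoft365.com",
          "A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2",
          "45.227.255.215"]  # the last one is intentionally absent from SAMPLE_RESPONSE

if __name__ == "__main__":
    matches = match_iocs(SEARCH, SAMPLE_RESPONSE)
    print(results_table(matches))
    print("Matched %d/%d, unmatched: %s" % summarize(matches))
```

Swap SAMPLE_RESPONSE for misp_restsearch(SEARCH) to run it against the lab instance; an unmatched row is a finding in itself, since it means your TIP is missing intelligence the report has.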

(Figure: Campaign Mapping Workflow)

All IOCs Matching Doesn't Mean You're Compromised. It means your TIP already holds intelligence about this campaign. A hit in MISP says the indicator is known; only a hit in your own telemetry (SIEM, firewall, proxy, DNS, endpoint) says it was seen in your environment. In this lab, we focus on the TIP search and ATT&CK mapping steps.


Part 3: Map ATT&CK Techniques (15 minutes)

Step 7: Open ATT&CK Navigator

Open a new browser tab and navigate to MITRE ATT&CK Navigator.

Click Create New Layer → Enterprise.

Step 8: Map Campaign Techniques

Using the 10 ATT&CK technique IDs from the threat report, search for and highlight each one:

  1. Click Search & Multiselect (magnifying glass icon)

  2. Search for T1566.001 → select it

  3. Repeat for all 10 techniques:

    • T1566.001 — Spearphishing Attachment (Initial Access)
    • T1204.002 — Malicious File (Execution)
    • T1059.001 — PowerShell (Execution)
    • T1059.003 — Windows Command Shell (Execution)
    • T1071.001 — Web Protocols (Command and Control)
    • T1486 — Data Encrypted for Impact (Impact)
    • T1048.003 — Exfiltration Over Unencrypted Non-C2 Protocol (Exfiltration)
    • T1078 — Valid Accounts (Initial Access / Persistence / Privilege Escalation / Defense Evasion)
    • T1053.005 — Scheduled Task (Execution / Persistence / Privilege Escalation)
    • T1021.002 — SMB/Windows Admin Shares (Lateral Movement)
  4. After selecting all techniques, click the color dropdown and choose red (#ff0000)

  5. Set the score for all selected techniques to 1

Step 9: Annotate the Layer

  • Set the layer name to: LockBit 3.0 Campaign — [today's date]
  • Add a description: Techniques observed in LockBit 3.0 targeting Healthcare/Financial sectors
  • Note the kill chain coverage (Search & Multiselect highlights a technique in every tactic column it belongs to, so T1078 and T1053.005 appear more than once):
    • Initial Access: 2 techniques (T1566.001, T1078)
    • Execution: 4 techniques (T1204.002, T1059.001, T1059.003, T1053.005)
    • Persistence: 2 techniques (T1078, T1053.005)
    • Privilege Escalation: 2 techniques (T1078, T1053.005)
    • Defense Evasion: 1 technique (T1078)
    • Lateral Movement: 1 technique (T1021.002)
    • Command and Control: 1 technique (T1071.001)
    • Exfiltration: 1 technique (T1048.003)
    • Impact: 1 technique (T1486)
    • Total: 9 of the 14 Enterprise tactics; Reconnaissance, Resource Development, Credential Access, Discovery and Collection are not represented in the report

Step 10: Export the ATT&CK Layer

Click Export → Download Layer as JSON. Save this file — it's part of your deliverable.


ATT&CK Layers Are Living Documents. In a real SOC, you'd overlay this campaign layer with your detection coverage layer (showing which techniques your SIEM rules cover). Gaps between the red (threat) and green (detection) layers reveal your blind spots. This is how mature SOC teams prioritize new detection rules.
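The Navigator clicks in Steps 7 to 10 and the overlay described in the tip can be reproduced as a script, which is how you keep the layer current when the next report adds techniques. The block below is an added example written for this page, not part of the lab or of the ATT&CK Navigator project: it holds a hand-entered snapshot of the Enterprise tactic(s) for the ten campaign techniques (an assumption about the ATT&CK version loaded in your Navigator; regenerate it from the ATT&CK STIX bundle for production), counts tactic coverage the way Navigator shows it, lists detection gaps against a constructed DETECTION_COVERAGE set standing in for your SIEM rule inventory, and emits a layer JSON file (format 4.5) that colours gaps red and covered techniques green.

```python
import json

# Hand-entered snapshot of ATT&CK Enterprise tactics for the campaign's technique IDs
# (assumption: matches the ATT&CK version in your Navigator; verify before relying on it).
CAMPAIGN_TECHNIQUES = {
    "T1566.001": ["initial-access"],
    "T1204.002": ["execution"],
    "T1059.001": ["execution"],
    "T1059.003": ["execution"],
    "T1071.001": ["command-and-control"],
    "T1486":     ["impact"],
    "T1048.003": ["exfiltration"],
    "T1078":     ["initial-access", "persistence", "privilege-escalation", "defense-evasion"],
    "T1053.005": ["execution", "persistence", "privilege-escalation"],
    "T1021.002": ["lateral-movement"],
}

ENTERPRISE_TACTICS = 14

# Constructed stand-in for "techniques our SIEM rules already detect"; use your own inventory.
DETECTION_COVERAGE = {"T1566.001", "T1059.001", "T1486"}


def tactic_coverage(techniques):
    """tactic -> [technique IDs]; a multi-tactic technique is counted under each tactic."""
    coverage = {}
    for tid, tactics in techniques.items():
        for tactic in tactics:
            coverage.setdefault(tactic, []).append(tid)
    return coverage


def detection_gaps(techniques, covered):
    """Campaign techniques with no detection: the red cells after the overlay."""
    return sorted(tid for tid in techniques if tid not in covered)


def build_layer(name, description, techniques, covered=frozenset()):
    """Navigator layer (layer format 4.5). One entry per technique/tactic pair."""
    entries = []
    for tid, tactics in techniques.items():
        colour = "#00ff00" if tid in covered else "#ff0000"
        for tactic in tactics:
            entries.append({"techniqueID": tid, "tactic": tactic, "color": colour,
                            "score": 1, "comment": "LockBit 3.0 campaign",
                            "enabled": True, "showSubtechniques": False})
    return {
        "name": name,
        # Version strings are what a current Navigator writes; adjust to your instance.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": description,
        "techniques": entries,
        "legendItems": [
            {"label": "Campaign technique, no detection", "color": "#ff0000"},
            {"label": "Campaign technique, detection in place", "color": "#00ff00"},
        ],
    }


def layer_json(layer):
    return json.dumps(layer, indent=2)


def coverage_report(techniques, covered):
    """Plain-text summary for the briefing's ATT&CK section."""
    coverage = tactic_coverage(techniques)
    lines = [f"Tactics covered: {len(coverage)} of {ENTERPRISE_TACTICS}"]
    for tactic, ids in sorted(coverage.items()):
        lines.append(f"  {tactic}: {len(ids)} ({', '.join(ids)})")
    lines.append("Detection gaps: " + ", ".join(detection_gaps(techniques, covered)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(coverage_report(CAMPAIGN_TECHNIQUES, DETECTION_COVERAGE))
    layer = build_layer("LockBit 3.0 Campaign",
                        "Techniques observed in LockBit 3.0 targeting Healthcare/Financial sectors",
                        CAMPAIGN_TECHNIQUES, DETECTION_COVERAGE)
    with open("lockbit3-campaign-layer.json", "w", encoding="utf-8") as fh:
        fh.write(layer_json(layer))
```

Open the generated file with Navigator's Open Existing Layer; the count it reports is tactics, not technique IDs, which is why T1078 alone lights up four columns.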


Part 4: Write the "Are We Affected?" Briefing (15 minutes)

Step 11: Use the Briefing Template

Threat Briefing Template

Write a one-page executive briefing using this structure:

═══════════════════════════════════════════════════════════
        "ARE WE AFFECTED?" — THREAT INTELLIGENCE BRIEFING
═══════════════════════════════════════════════════════════

CLASSIFICATION: TLP:AMBER
DATE: [today's date]
ANALYST: [your name]
THREAT: LockBit 3.0 Ransomware Campaign
TARGET SECTORS: Healthcare, Financial Services

───────────────────────────────────────────────────────────
1. EXECUTIVE SUMMARY
───────────────────────────────────────────────────────────
A LockBit 3.0 ransomware campaign targeting our sector has been
reported. [X] of [Y] reported IOCs were found in our threat
intelligence platform (MISP). [Summary of exposure level].

───────────────────────────────────────────────────────────
2. IOC MATCH RESULTS
───────────────────────────────────────────────────────────
Total IOCs from Report:  9
Matched in MISP:         [count]
Match Rate:              [percentage]

Key Matches:
• [List top 3 most critical matches with context]

Unmatched IOCs:
• [List any IOCs NOT found, or note "All matched"]

───────────────────────────────────────────────────────────
3. ATT&CK TECHNIQUE COVERAGE
───────────────────────────────────────────────────────────
Techniques in Campaign:  10
Tactics Covered:         9 of 14 (T1078 and T1053.005 each span several tactics)

Attack Path Summary:
  Phishing → Macro Execution → PowerShell / cmd → Cobalt Strike C2
  → Valid Accounts + Scheduled Task (persistence) → SMB Lateral Movement
  → Exfiltration → Encryption

Detection Gaps (techniques without current SIEM coverage):
• [List any gaps identified]

───────────────────────────────────────────────────────────
4. RISK ASSESSMENT
───────────────────────────────────────────────────────────
Likelihood of Impact:    [HIGH / MEDIUM / LOW]
Confidence Level:        [HIGH / MEDIUM / LOW]
Recommended Actions:
  1. [Immediate action — e.g., block IOCs at perimeter]
  2. [Short-term action — e.g., hunt for IOCs in SIEM logs]
  3. [Medium-term action — e.g., deploy new detection rules]

───────────────────────────────────────────────────────────
5. APPENDIX
───────────────────────────────────────────────────────────
• Full IOC list: [reference extraction table above]
• ATT&CK Navigator layer: [exported JSON filename]
• MISP Event ID: [event ID from your search]

TLP:AMBER Means Restricted Distribution. In real-world TI sharing, the Traffic Light Protocol (TLP) marks who may receive a report. Under TLP 2.0, TLP:AMBER allows sharing on a need-to-know basis within your organization and with its clients; TLP:AMBER+STRICT limits it to your organization only. Always include a TLP marking on threat briefings, and check the marking on the source report before forwarding its contents.


Part 5: Cross-Reference MISP Tags with ATT&CK (5 minutes)

Step 12: Check MISP Galaxy Tags

Return to your MISP event. Click on the event title to view its full details.

Look for Galaxy Clusters and Tags attached to the event:

  • Are any ATT&CK technique tags present on the MISP event?
  • Do the MISP tags match the techniques from the threat report?
  • Are there additional techniques tagged in MISP that were NOT in the original report?

Record any additional techniques and consider adding them to your ATT&CK Navigator layer.

This step demonstrates a key TI workflow: MISP events often contain MORE intelligence than the original report because they aggregate data from multiple sources and community contributions.
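The comparison in Step 12 is easy to automate once you know where MISP keeps the technique IDs: ATT&CK galaxy clusters appear as event tags of the form misp-galaxy:mitre-attack-pattern="Name - T1234.001" and, in the event JSON, as GalaxyCluster entries under a galaxy of type mitre-attack-pattern. The block below is an added example, not part of the lab or of MISP: SAMPLE_EVENT is a constructed event in the shape of /events/view/<id> JSON (with T1027 and T1490 added and T1048.003 left out so both directions of the diff show up), and the functions extract the IDs from both locations and cross-reference them with the report's list.

```python
import re

TECHNIQUE_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# Technique IDs listed in the flash alert.
REPORT_TECHNIQUES = {"T1566.001", "T1204.002", "T1059.001", "T1059.003", "T1071.001",
                     "T1486", "T1048.003", "T1078", "T1053.005", "T1021.002"}

ATTACK_TAG = 'misp-galaxy:mitre-attack-pattern="%s"'

# Constructed event JSON in the shape of GET /events/view/<id>, trimmed to tags and
# galaxies (sample data; a real event lists each cluster in both places).
SAMPLE_EVENT = {"Event": {
    "id": "12",
    "info": "LockBit 3.0 - Healthcare/Financial Campaign (2024)",
    "Tag": [
        {"name": "tlp:amber"},
        {"name": 'misp-galaxy:ransomware="LockBit"'},
        {"name": ATTACK_TAG % "Spearphishing Attachment - T1566.001"},
        {"name": ATTACK_TAG % "Inhibit System Recovery - T1490"},
    ],
    "Galaxy": [
        {"name": "Attack Pattern", "type": "mitre-attack-pattern", "GalaxyCluster": [
            {"value": v, "tag_name": ATTACK_TAG % v} for v in (
                "Malicious File - T1204.002",
                "PowerShell - T1059.001",
                "Windows Command Shell - T1059.003",
                "Web Protocols - T1071.001",
                "Data Encrypted for Impact - T1486",
                "Valid Accounts - T1078",
                "Scheduled Task - T1053.005",
                "SMB/Windows Admin Shares - T1021.002",
                "Obfuscated Files or Information - T1027",
            )]},
        {"name": "Ransomware", "type": "ransomware", "GalaxyCluster": [
            {"value": "LockBit", "tag_name": 'misp-galaxy:ransomware="LockBit"'}]},
    ],
}}


def techniques_from_event(event):
    """Collect ATT&CK technique IDs from event-level tags and attached galaxy clusters."""
    ev = event.get("Event", event)
    found = set()
    for tag in ev.get("Tag", []):
        if tag["name"].startswith("misp-galaxy:mitre-attack-pattern="):
            found.update(TECHNIQUE_ID.findall(tag["name"]))
    for galaxy in ev.get("Galaxy", []):
        if galaxy.get("type") != "mitre-attack-pattern":
            continue  # other galaxies (ransomware, threat-actor) carry no technique IDs
        for cluster in galaxy.get("GalaxyCluster", []):
            found.update(TECHNIQUE_ID.findall(cluster.get("tag_name") or cluster.get("value", "")))
    return found


def cross_reference(report_ids, event_ids):
    """Split techniques into confirmed, extra intelligence in MISP, and absent from MISP."""
    return {
        "confirmed": sorted(report_ids & event_ids),
        "extra_in_misp": sorted(event_ids - report_ids),
        "missing_in_misp": sorted(report_ids - event_ids),
    }


if __name__ == "__main__":
    result = cross_reference(REPORT_TECHNIQUES, techniques_from_event(SAMPLE_EVENT))
    for key, ids in result.items():
        print(f"{key:16s} {len(ids):2d}  {', '.join(ids)}")
```

Techniques in extra_in_misp go into your Navigator layer; techniques in missing_in_misp are candidates to add to the MISP event so the next analyst inherits the full picture.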


Deliverable Checklist

Before completing the lab, ensure you have:

  • IOC Extraction Table — All 9 indicators organized by type with context
  • MISP Search Results — Each IOC searched with match/no-match documented
  • ATT&CK Navigator Layer — 10 techniques highlighted, named, and exported as JSON
  • "Are We Affected?" Briefing — Complete one-page document using the template
  • Cross-Reference Notes — MISP Galaxy tags compared with report techniques

Key Takeaways

  • IOC extraction should be systematic and organized BEFORE searching any tool — structure prevents missed indicators
  • MISP attribute search matches IOCs across all events, giving you immediate visibility into whether a campaign's infrastructure is known to your organization
  • ATT&CK Navigator layers transform a list of technique IDs into a visual kill chain map that reveals attack coverage and detection gaps
  • The "Are We Affected?" briefing is the single most common deliverable SOC analysts produce from threat intelligence — practice this format until it's second nature
  • Cross-referencing MISP Galaxy tags with report data often reveals additional intelligence not in the original report

What's Next

In Module 8 — Endpoint Detection & Response, you'll shift from network and intelligence analysis to the endpoint. You'll use Velociraptor to investigate what happens AFTER an attacker gains access — hunting for persistence mechanisms, suspicious processes, and forensic artifacts directly on compromised hosts.

Lab Challenge: Campaign Mapping

10 questions · 70% to pass

1. Log into MISP and search for the IP address 185.112.83.96. What category is this attribute stored under in the LockBit 3.0 event?

2. Search MISP for the domain 'update-microsoft365.com'. What is the 'to_ids' flag set to, and what does this mean?

3. How many total attributes (IOCs) are in the pre-loaded LockBit 3.0 MISP event? Navigate to the event and count all attributes.

4. In the MISP event, click on the SHA-256 hash for the LockBit 3.0 encryptor. What MISP 'type' is this attribute classified as?

5. Check the Galaxy Clusters attached to the LockBit 3.0 event in MISP. Which ATT&CK tactic has the MOST techniques mapped in this campaign?

6. In ATT&CK Navigator, after mapping all 10 campaign techniques, how many of the 14 ATT&CK Enterprise tactics are covered by this campaign?

7. You're writing the 'Are We Affected?' briefing. All 9 IOCs matched in MISP. Does this mean your organization is compromised?

8. In your ATT&CK Navigator layer, T1486 (Data Encrypted for Impact) falls under which tactic, and why is it the LAST technique in the LockBit kill chain?

9. Navigate to the MISP event and use Event Actions → Download as to export the event. Which export format would you use to import these IOCs into a Suricata IDS?

10. What is the recommended FIRST action in the 'Risk Assessment' section of your briefing after confirming IOC matches in MISP?