// What is Threat Intelligence?
Threat intelligence (TI) is evidence-based knowledge about threats: who is attacking, how they operate, what infrastructure they use, and what their objectives are. For SOC analysts, practical TI mostly means enriching indicators of compromise (IOCs): determining whether a suspicious IP, domain, hash, or email address is malicious, and which threat actor or campaign it belongs to.
TI is commonly split into three tiers: strategic (APT reports and industry trends, aimed at management), operational (TTPs and campaign analysis, aimed at security architects and threat hunters), and tactical (IOCs, YARA rules, Sigma rules, aimed at analysts). Vendors do not agree on the names: some call the IOC tier "technical" and reserve "tactical" for TTPs, so check the definition before comparing reports.
IOCs have a short shelf life. IP addresses used by C2 servers rotate within days. Focus on TTPs (how attackers behave) for durable detection value, not just raw IOC lists.
// IOC Types
| IOC Type | Examples | Durability | Notes |
|---|---|---|---|
| File Hash (MD5/SHA256) | d41d8cd98f00b204e9800998ecf8427e | Low | Single-byte change defeats hash matching; use fuzzy hashing (ssdeep) for variants. Key on SHA256 where you can: MD5 collisions are practical |
| IP Address | 185.220.101.47 | Very Low | Shared hosting means false positives; cloud IPs rotate rapidly |
| Domain | evil-c2.example.com | Low | DGAs generate thousands of domains; focus on registrar/WHOIS patterns |
| URL | http://evil.com/payload.ps1 | Low | More specific than domain alone; useful for phishing lure detection |
| Email Address | attacker@phish.com | Low | Trivial to change; useful within a campaign window |
| Registry Key | HKCU\...\Run\PersistMalware | Medium | More durable than network IOCs; specific persistence locations are reused |
| Mutex | Global\\ControlMutex01 | Medium | Malware families often reuse mutexes across versions |
| User-Agent | Mozilla/5.0 (compatible; MSIE 9.0) | Medium | Custom UAs in malware C2 are often reused; useful in proxy logs |
| JA3 / JARM | TLS fingerprint | Medium to High | JA3 hashes the client's ClientHello parameters; JARM fingerprints a server by actively probing it. Both survive IP and domain rotation, so they help find C2 in encrypted traffic, but JA3 values collide across legitimate clients that share a TLS library, so pair them with context |
| TTP (MITRE ATT&CK) | T1059.001 PowerShell | High | Behavioural patterns persist across campaigns and tool changes |
// Enrichment Tools
| Tool | Best For | Free Tier? |
|---|---|---|
| VirusTotal | File hashes, IPs, domains, URLs: multi-engine scanning and historical data | Yes (limited) |
| Shodan | Banner grabbing IPs, finding C2 infrastructure, exposed services | Yes (limited) |
| AbuseIPDB | IP reputation, abuse reports with categories and confidence scores | Yes |
| URLScan.io | Scanning URLs, screenshots, DOM analysis, redirect chains | Yes |
| MXToolbox | Email header analysis, SPF/DKIM/DMARC lookups, blacklist checks | Yes |
| AlienVault OTX | Community threat feeds, pulse reports, IOC correlation | Yes |
| Censys | Internet-wide scan data, certificate transparency, C2 infra hunting | Yes (limited) |
| Any.Run | Interactive malware sandbox with behaviour analysis and IOC extraction | Yes (public) |
| Hybrid Analysis | Free malware sandbox, links to CrowdStrike threat intel | Yes |
| MalwareBazaar | Malware sample repository with hash lookup and YARA search | Yes |
| Pulsedive | Risk-scored IOC enrichment, linked feeds, threat context | Yes |
| MISP | Self-hosted threat intelligence sharing platform | Open source |
// Threat Feeds
Threat feeds provide continuously updated lists of malicious indicators. Most SIEM platforms support automatic ingestion of these feeds for alerting and enrichment. Start with alerting and enrichment; automatic blocking on an unvetted feed is how shared-hosting IPs and CDN ranges end up blackholed.
| Feed | Type | Source |
|---|---|---|
| abuse.ch URLhaus | Malicious URLs | Community-reported malware delivery URLs |
| abuse.ch ThreatFox | IPs, domains, hashes | IOCs from malware analysis |
| Feodo Tracker | C2 IPs | Botnet C2 infrastructure tracking |
| EmergingThreats | IDS rules, IPs | Snort/Suricata rule sets for known threats |
| CISA KEV | Vulnerabilities | Known Exploited Vulnerabilities catalogue |
| Spamhaus | IPs, domains | Spam and malware hosting infrastructure |
| OpenPhish | URLs | Phishing URL feed |
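Feed ingestion in practice is a join between the feed and your own logs, with a confidence score that reflects the caveats above (C2 port, online status, indicator age). The following is an added example, not code from the original page or from abuse.ch. The feed excerpt and firewall log lines are constructed; the CSV layout (comment lines starting with `#`, then `first_seen_utc,dst_ip,dst_port,c2_status,malware`) is an assumption chosen to resemble abuse.ch-style exports, so adjust the column order for a real feed. The destination addresses come from the RFC 5737 documentation ranges.

```python
"""Feed-to-log matching: added example, not from the original page.

Feed excerpt and log lines are constructed. The CSV column order is an
assumption (first_seen_utc,dst_ip,dst_port,c2_status,malware).
"""
import csv
from dataclasses import dataclass
from datetime import datetime, timezone

FEED_CSV = """\
# constructed C2 feed excerpt (not real data)
# first_seen_utc,dst_ip,dst_port,c2_status,malware
2024-03-01 08:15:00,203.0.113.25,443,online,Dridex
2024-01-02 11:40:00,198.51.100.7,8080,offline,QakBot
2023-11-20 19:05:00,192.0.2.66,443,online,Emotet
"""

# constructed key=value firewall records; 10.20.30.0/24 is the internal side
LOG_LINES = [
    "2024-03-04T09:12:01Z src=10.20.30.41 dst=203.0.113.25 dport=443 action=allow",
    "2024-03-04T09:12:05Z src=10.20.30.42 dst=203.0.113.25 dport=80 action=allow",
    "2024-03-04T09:13:10Z src=10.20.30.43 dst=198.51.100.7 dport=8080 action=allow",
    "2024-03-04T09:14:00Z src=10.20.30.44 dst=192.0.2.66 dport=443 action=deny",
    "2024-03-04T09:15:30Z src=10.20.30.45 dst=203.0.113.99 dport=443 action=allow",
]

# fixed "now" so the example is deterministic; a real job uses datetime.now(timezone.utc)
NOW = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)
STALE_AFTER_DAYS = 30  # assumed shelf life for a C2 IP before confidence decays


@dataclass(frozen=True)
class FeedEntry:
    ip: str
    port: int
    status: str
    malware: str
    first_seen: datetime


def parse_feed(text):
    """Return {(ip, port): FeedEntry}, skipping '#' comment lines."""
    rows = csv.reader(l for l in text.splitlines() if l and not l.startswith("#"))
    entries = {}
    for first_seen, ip, port, status, malware in rows:
        seen = datetime.strptime(first_seen, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        entries[(ip, int(port))] = FeedEntry(ip, int(port), status, malware, seen)
    return entries


def parse_log(line):
    """Parse 'timestamp key=value key=value ...' into a dict."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec


def score(entry, port_matched, now=NOW):
    """Confidence drops when only the IP matched (possible shared host),
    when the feed marks the C2 offline, or when the entry is stale."""
    if not port_matched:
        return "low"
    age_days = (now - entry.first_seen).days
    if entry.status == "online" and age_days <= STALE_AFTER_DAYS:
        return "high"
    return "medium"


def match_logs(feed, lines, now=NOW):
    """Join log records against the feed on (dst, dport), falling back to dst only."""
    feed_by_ip = {ip: e for (ip, _), e in feed.items()}
    hits = []
    for line in lines:
        rec = parse_log(line)
        dst, dport = rec["dst"], int(rec["dport"])
        entry = feed.get((dst, dport))
        port_matched = entry is not None
        if entry is None:
            entry = feed_by_ip.get(dst)
        if entry is None:
            continue
        hits.append({
            "ts": rec["ts"], "src": rec["src"], "dst": dst, "dport": dport,
            "action": rec["action"], "malware": entry.malware,
            "confidence": score(entry, port_matched, now),
        })
    return hits


if __name__ == "__main__":
    for hit in match_logs(parse_feed(FEED_CSV), LOG_LINES):
        print(hit)
```

Note that a denied connection is still a hit: the firewall stopped the session, but the internal host that tried to reach a known C2 is the thing to investigate. The port fallback is deliberate: an IP-only match on a different port is exactly the shared-hosting false positive the Tips section warns about, so it is reported at low confidence rather than dropped.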
// Investigation Workflow
When an alert fires or a suspicious indicator appears, follow a consistent enrichment workflow before deciding on a response action.
| Step | Action | Tool |
|---|---|---|
| 1 | Identify indicator type (IP / domain / hash / URL) | Alert context |
| 2 | Check reputation and detection rate | VirusTotal, AbuseIPDB |
| 3 | Look up WHOIS / registration history for domains | Whois lookup, DomainTools |
| 4 | Check hosting provider and geo for IPs | Shodan, ipinfo.io |
| 5 | Search for the IOC in threat intel platforms | OTX, MISP, Pulsedive |
| 6 | Pivot: what else is hosted on that IP/domain, and what resolved there historically? | Censys, Shodan, VirusTotal graph |
| 7 | Correlate with internal logs: which hosts or users touched it, and when? | SIEM, EDR |
| 8 | Check whether the IP is private (RFC 1918) or shared infrastructure (CDN, cloud, ISP CGNAT); do the private-range check before step 2 so internal addresses are never sent to external services | RFC 1918 check, ASN lookup |
| 9 | Document findings and assign confidence level | Ticket / SOAR platform |
| 10 | Share enriched IOCs with team / block if confirmed | MISP, EDR, firewall |
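Steps 1 and 8 are the ones that get skipped under time pressure, and skipping them is how an internal address or a customer hostname ends up in a public service's search history. The block below is an added example, not code from the original page: it refangs a raw indicator, classifies it, and marks whether it is safe and useful to submit for external enrichment. The `scope` labels (`private`, `non-global`, `public`) are this example's own convention; the sample indicators are constructed or taken from the IOC table above. One caveat worth knowing: Python's `ipaddress` module also treats the RFC 5737 documentation ranges (192.0.2.0/24 and friends) as private, which is why the public example here is the table's 185.220.101.47.

```python
"""Indicator triage for workflow steps 1 and 8: added example, not code
from the original page. Scope labels are this example's own convention.
"""
import ipaddress
import re
from urllib.parse import urlparse

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")


def refang(raw):
    """Undo common defanging (hxxp://, [.], (.), {.}, [:], [@]) before lookups."""
    s = raw.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    s = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", s)
    return s.replace("[:]", ":").replace("[@]", "@")


def ip_scope(addr):
    """private: RFC 1918, loopback, link-local and documentation ranges
    (never submit externally); non-global: CGNAT 100.64.0.0/10, multicast
    and other special-purpose space (shared, useless as a reputation key)."""
    if addr.is_private:
        return "private"
    if addr.is_multicast or not addr.is_global:
        return "non-global"
    return "public"


def host_scope(host):
    """Scope of a URL host: IP literals go through ip_scope, names are public."""
    if not host:
        return None
    try:
        return ip_scope(ipaddress.ip_address(host))
    except ValueError:
        return "public"


def classify(raw):
    """Classify one indicator and decide whether external enrichment is appropriate."""
    s = refang(raw)
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) in HASH_TYPES:
        return {"type": HASH_TYPES[len(s)], "value": s.lower(), "enrich": True}
    if "://" in s:
        host = urlparse(s).hostname
        scope = host_scope(host)
        return {"type": "url", "value": s, "host": host, "scope": scope,
                "enrich": scope == "public"}
    m = EMAIL_RE.match(s)
    if m:
        return {"type": "email", "value": s.lower(), "host": m.group(1).lower(),
                "enrich": True}
    try:
        addr = ipaddress.ip_address(s)
    except ValueError:
        pass
    else:
        scope = ip_scope(addr)
        return {"type": f"ipv{addr.version}", "value": str(addr), "scope": scope,
                "enrich": scope == "public"}
    if DOMAIN_RE.match(s):
        return {"type": "domain", "value": s.lower(), "enrich": True}
    return {"type": "unknown", "value": s, "enrich": False}


# constructed triage queue: one of each type, some defanged, one internal, one CGNAT
SAMPLES = [
    "hxxp://evil[.]example[.]com/payload.ps1",
    "d41d8cd98f00b204e9800998ecf8427e",
    "10.20.30.41",
    "100.64.1.9",
    "185.220.101.47",
    "attacker[@]phish[.]com",
    "evil-c2[.]example[.]com",
]


def triage(indicators):
    """Keep only the indicators worth sending to VirusTotal, AbuseIPDB, etc."""
    return [c for c in map(classify, indicators) if c["enrich"]]


if __name__ == "__main__":
    for c in map(classify, SAMPLES):
        print(c)
```

The hash check runs before the domain check on purpose: a bare hex string never looks like a hostname, but a regex-first design that tests domains before hashes is a common source of misclassified SHA1 values in homegrown tooling.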
// TI Frameworks
Diamond Model
The Diamond Model represents an intrusion event across four axes: Adversary (who), Capability (what tool/exploit), Infrastructure (IP, domain, C2), and Victim (who was targeted). Pivoting between axes reveals related infrastructure and campaigns.
Pyramid of Pain
Created by David Bianco, the Pyramid of Pain ranks indicator types by how much it costs an adversary when defenders detect and block on them. From bottom to top: hash values, IP addresses, domain names, network/host artefacts, tools, TTPs. Blocking on TTPs forces adversaries to change how they operate; blocking on hashes is bypassed by recompiling or flipping one byte.
| Level | IOC Type | Pain to Attacker |
|---|---|---|
| 6 (top) | TTPs | Tough: forces fundamental changes to how they operate |
| 5 | Tools | Challenging: must find or build new tools (the adversary's tooling, detected by YARA and other signatures) |
| 4 | Network / Host Artefacts | Annoying: registry keys, mutexes, filenames, user-agents |
| 3 | Domain Names | Simple: register a new domain in minutes |
| 2 | IP Addresses | Easy: spin up a new VPS |
| 1 (bottom) | File Hashes | Trivial: change one byte |
// Tips
Never submit sensitive samples to public sandboxes. Any.Run and Hybrid Analysis are public by default. A document with internal company data or a customer's file could be indexed and visible to anyone. Use private submission or an on-premises sandbox.
Low VT detection count doesn't mean benign. Fresh malware or targeted samples may have 0/70 detections on VirusTotal for days. Use behavioural analysis and context: a file dropped by mshta.exe with 0 detections is still suspicious.
Shared IPs cause false positives. Cloudflare, AWS, and Azure IPs are used by thousands of organisations. An IP flagged as malicious may also host legitimate services. Always check whether the specific domain or path is malicious, not just the IP.
Use MISP or OpenCTI for sharing threat intelligence within a team. Structured sharing using STIX/TAXII standards allows automated ingestion by SIEM and SOAR platforms.