threat-intelligence

Threat Intelligence Skill

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "threat-intelligence" with this command: npx skills add sherifeldeeb/agentskills/sherifeldeeb-agentskills-threat-intelligence

Gather, analyze, and disseminate cyber threat intelligence with IOC extraction, threat actor profiling, and MITRE ATT&CK mapping.

Capabilities

  • IOC Extraction: Extract indicators from text, logs, and reports

  • IOC Management: Deduplicate, validate, and enrich indicators

  • Threat Profiling: Document threat actors and campaigns

  • ATT&CK Mapping: Map threats to MITRE ATT&CK framework

  • Intelligence Reports: Generate threat bulletins and assessments

  • Feed Processing: Parse and normalize threat feeds

Quick Start

from cti_utils import IOCExtractor, ThreatActor, IntelReport

# Extract IOCs from text
extractor = IOCExtractor()
iocs = extractor.extract_from_text('''
Malware connects to 192.168.1.100 and evil.com.
Hash: d41d8cd98f00b204e9800998ecf8427e
''')
print(iocs)

# Document threat actor
actor = ThreatActor('APT29', aliases=['Cozy Bear', 'The Dukes'])
actor.add_ttp('T1566', 'Phishing')
actor.set_motivation('espionage')

# Generate intel report
report = IntelReport('Emerging Ransomware Campaign')
report.add_ioc('ip', '10.0.0.1', 'C2 server')
print(report.generate())

Usage

IOC Extraction

Extract indicators of compromise from various text sources.

Example:

from cti_utils import IOCExtractor

extractor = IOCExtractor()

# Extract from text
text = '''
The malware was downloaded from hxxp://malware[.]evil[.]com/payload.exe
It connects to C2 server at 192.168.100.50 on port 443.
The file hash is: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
Email originated from attacker@phishing.com
'''

iocs = extractor.extract_from_text(text)

print(f"IPs: {iocs['ip']}")
print(f"Domains: {iocs['domain']}")
print(f"URLs: {iocs['url']}")
print(f"Hashes: {iocs['hash']}")
print(f"Emails: {iocs['email']}")

# Defang/refang IOCs
defanged = extractor.defang('http://evil.com')    # hxxp://evil[.]com
refanged = extractor.refang('hxxp://evil[.]com')  # http://evil.com

# Validate IOCs
valid = extractor.validate_ioc('ip', '192.168.1.1')        # True
invalid = extractor.validate_ioc('ip', '999.999.999.999')  # False
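As an added, self-contained illustration of the extraction step (not the skill's own cti_utils code), the block below reproduces what extract_from_text and refang have to do with plain regexes: undo defanging first, match each IOC type, and drop IPv4 matches whose octets are out of range. The sample text is constructed from the snippet above; the regexes and function names are assumptions, not the library's API.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the defanged report text from the section above.
SAMPLE_TEXT = """
The malware was downloaded from hxxp://malware[.]evil[.]com/payload.exe
It connects to C2 server at 192.168.100.50 on port 443.
The file hash is: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
Email originated from attacker@phishing.com
"""

# One regex per IOC type. Hash lengths are tried longest-first so a SHA-256
# is not reported as an embedded MD5; the domain regex refuses candidates
# preceded by '/' or '.' so URL paths and partial hostnames are skipped.
PATTERNS = {
    "url": re.compile(r"https?://[^\s'\"<>]+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "hash": re.compile(r"\b(?:[a-fA-F0-9]{64}|[a-fA-F0-9]{40}|[a-fA-F0-9]{32})\b"),
    "domain": re.compile(r"(?<![\w./-])(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

def refang(text):
    """Undo common defanging so the regexes see the real indicators."""
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")

def valid_ipv4(value):
    """The IP regex alone accepts 999.999.999.999; check each octet's range."""
    return all(0 <= int(octet) <= 255 for octet in value.split("."))

def extract_iocs(text):
    """Return sorted, deduplicated indicators keyed by type."""
    text = refang(text)
    found = {ioc_type: set() for ioc_type in PATTERNS}
    for ioc_type, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            if ioc_type == "ip" and not valid_ipv4(match):
                continue
            found[ioc_type].add(match)
    # A URL's host is an indicator in its own right (unless it is an IP).
    for url in found["url"]:
        host = urlparse(url).hostname
        if host and not PATTERNS["ip"].fullmatch(host):
            found["domain"].add(host)
    return {ioc_type: sorted(values) for ioc_type, values in found.items()}
```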

IOC Management

Manage collections of indicators with context.

Example:

from cti_utils import IOCCollection

collection = IOCCollection('Campaign-2024-001')

# Add IOCs with context
collection.add_ioc(
    ioc_type='ip',
    value='192.168.1.100',
    context='C2 server',
    confidence='high',
    source='Sandbox analysis'
)

collection.add_ioc(
    ioc_type='domain',
    value='malware.evil.com',
    context='Payload delivery',
    confidence='medium',
    source='Network logs'
)

collection.add_ioc(
    ioc_type='hash',
    value='a1b2c3d4e5f6...',
    context='Ransomware executable',
    confidence='high',
    source='EDR'
)

# Deduplicate
collection.deduplicate()

# Export formats
print(collection.to_csv())
print(collection.to_json())
print(collection.to_stix())  # STIX 2.1 format
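Added example, not part of cti_utils: a minimal IOCCollection showing what deduplicate and to_stix have to do in practice, namely merge repeated indicators without losing the higher confidence or either source, then emit STIX 2.1 indicator objects with a pattern per IOC type. The pattern mapping, the confidence scale and the class layout are assumptions.

```python
import json, uuid
from datetime import datetime, timezone

# STIX 2.1 indicator patterns per IOC type (constructed mapping). The hash
# algorithm is inferred from length; dashed hash names need quoting in STIX.
STIX_PATTERNS = {"ip": "[ipv4-addr:value = '{v}']", "domain": "[domain-name:value = '{v}']",
                 "url": "[url:value = '{v}']", "email": "[email-addr:value = '{v}']"}
HASH_ALGO = {32: "MD5", 40: "'SHA-1'", 64: "'SHA-256'"}
CONFIDENCE = {"low": 30, "medium": 60, "high": 90}   # STIX confidence is 0-100

def stix_pattern(ioc_type, value):
    if ioc_type == "hash":
        return f"[file:hashes.{HASH_ALGO[len(value)]} = '{value}']"
    return STIX_PATTERNS[ioc_type].format(v=value)

class IOCCollection:
    def __init__(self, name):
        self.name, self.iocs = name, []

    def add_ioc(self, ioc_type, value, context="", confidence="medium", source=""):
        # Normalise case (except URL paths) so variants deduplicate
        value = value.strip() if ioc_type == "url" else value.strip().lower()
        self.iocs.append({"type": ioc_type, "value": value, "context": context,
                          "confidence": confidence, "source": source})

    def deduplicate(self):
        """Merge entries sharing (type, value): keep the highest confidence and
        union the sources so provenance survives. Returns the remaining count."""
        merged = {}
        for ioc in self.iocs:
            kept = merged.setdefault((ioc["type"], ioc["value"]), dict(ioc, source=set()))
            kept["source"].add(ioc["source"])
            if CONFIDENCE[ioc["confidence"]] > CONFIDENCE[kept["confidence"]]:
                kept["confidence"] = ioc["confidence"]
        self.iocs = [dict(m, source=", ".join(sorted(s for s in m["source"] if s)))
                     for m in merged.values()]
        return len(self.iocs)

    def to_stix(self):
        """Return a STIX 2.1 bundle of indicator objects as JSON text."""
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
        objects = [{
            "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": now, "modified": now, "valid_from": now,
            "name": f"{self.name}: {ioc['context'] or ioc['value']}",
            "description": f"Source: {ioc['source']}",
            "pattern": stix_pattern(ioc["type"], ioc["value"]), "pattern_type": "stix",
            "confidence": CONFIDENCE[ioc["confidence"]],
        } for ioc in self.iocs]
        return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                           "objects": objects}, indent=2)
```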

Threat Actor Profiling

Document threat actors and their characteristics.

Example:

from cti_utils import ThreatActor

actor = ThreatActor(
    name='APT29',
    aliases=['Cozy Bear', 'The Dukes', 'YTTRIUM']
)

# Set attributes
actor.set_motivation('espionage')
actor.set_sophistication('advanced')
actor.set_origin('Russia')

# Add TTPs (MITRE ATT&CK)
actor.add_ttp('T1566.001', 'Spearphishing Attachment')
actor.add_ttp('T1059.001', 'PowerShell')
actor.add_ttp('T1071.001', 'Web Protocols')
actor.add_ttp('T1486', 'Data Encrypted for Impact')

# Add targeting
actor.add_target_sector('Government')
actor.add_target_sector('Healthcare')
actor.add_target_region('North America')
actor.add_target_region('Europe')

# Add tools
actor.add_tool('Cobalt Strike')
actor.add_tool('Mimikatz')

# Add infrastructure
actor.add_infrastructure('ip', '192.168.1.100', 'C2 server')
actor.add_infrastructure('domain', 'actor-c2.com', 'Primary C2')

# Generate profile
print(actor.generate_profile())

Campaign Tracking

Track threat campaigns over time.

Example:

from cti_utils import Campaign

campaign = Campaign(
    name='Operation DarkSide',
    first_seen='2024-01-01',
    threat_actor='APT29'
)

# Add campaign details
campaign.set_description('''
Targeted campaign against financial institutions using
spearphishing emails with malicious Excel attachments.
''')

campaign.set_objective('Financial theft and espionage')

# Add IOCs
campaign.add_ioc('domain', 'campaign-c2.evil.com')
campaign.add_ioc('hash', 'abc123...', 'Excel dropper')

# Add TTPs
campaign.add_ttp('T1566.001', 'Initial access via phishing')
campaign.add_ttp('T1059.005', 'VBA macro execution')

# Add targets
campaign.add_target('Financial Services', 'North America')

# Timeline events
campaign.add_event('2024-01-01', 'First phishing emails observed')
campaign.add_event('2024-01-05', 'New C2 infrastructure identified')
campaign.add_event('2024-01-10', 'Malware variant updated')

# Generate report
print(campaign.generate_report())

MITRE ATT&CK Mapping

Map threats to the ATT&CK framework.

Example:

from cti_utils import ATTACKMapper

mapper = ATTACKMapper()

# Map techniques
mapper.add_technique('T1566.001', 'Spearphishing used for initial access')
mapper.add_technique('T1059.001', 'PowerShell scripts executed')
mapper.add_technique('T1055', 'Process injection observed')
mapper.add_technique('T1486', 'Files encrypted with ransomware')

# Generate matrix view
print(mapper.generate_matrix())

# Get technique details
print(mapper.get_technique_info('T1566.001'))

# Export for ATT&CK Navigator
mapper.export_navigator('attack_layer.json')
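Added example (not the skill's own ATTACKMapper): the same matrix and Navigator workflow over a constructed four-technique subset of ATT&CK metadata, which is what "embedded technique data" under Limitations means in practice. It shows a technique that belongs to two tactics landing in both matrix columns and how observations become a scored Navigator layer; the layer version numbers and the score convention are assumptions.

```python
import json

# Constructed subset of ATT&CK metadata (name, tactics) for the techniques in
# the example above; the skill embeds the full technique set offline.
TECHNIQUES = {
    "T1566.001": ("Spearphishing Attachment", ["initial-access"]),
    "T1059.001": ("PowerShell", ["execution"]),
    "T1055": ("Process Injection", ["defense-evasion", "privilege-escalation"]),
    "T1486": ("Data Encrypted for Impact", ["impact"]),
}

class ATTACKMapper:
    def __init__(self):
        self.mapped = {}    # technique id -> list of observations

    def add_technique(self, tid, observation):
        if tid not in TECHNIQUES:
            raise KeyError(f"unknown ATT&CK technique id {tid}")
        self.mapped.setdefault(tid, []).append(observation)

    def generate_matrix(self):
        """Group mapped techniques by tactic. A technique listed under two
        tactics (T1055) appears in both columns, as in the ATT&CK matrix."""
        matrix = {}
        for tid in self.mapped:
            name, tactics = TECHNIQUES[tid]
            for tactic in tactics:
                matrix.setdefault(tactic, []).append(f"{tid} {name}")
        return {tactic: sorted(cells) for tactic, cells in sorted(matrix.items())}

    def get_technique_info(self, tid):
        name, tactics = TECHNIQUES[tid]
        return {"id": tid, "name": name, "tactics": tactics,
                "observations": self.mapped.get(tid, [])}

    def navigator_layer(self, name="CTI mapping"):
        """ATT&CK Navigator layer; score = observation count, so techniques
        reported most often are darkest on the heat map. Versions are assumed."""
        return {"name": name, "domain": "enterprise-attack",
                "versions": {"layer": "4.5", "navigator": "4.9.1"},
                "techniques": [{"techniqueID": tid, "score": len(obs),
                                "comment": "; ".join(obs)}
                               for tid, obs in sorted(self.mapped.items())]}

    def export_navigator(self, path):
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(self.navigator_layer(), fh, indent=2)
        return path
```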

Intelligence Reports

Generate threat intelligence reports.

Example:

from cti_utils import IntelReport

report = IntelReport(
    title='Emerging Ransomware Campaign Targeting Healthcare',
    classification='TLP:AMBER'
)

# Executive summary
report.set_summary('''
A new ransomware campaign has been identified targeting healthcare
organizations in North America. The campaign uses phishing emails
with malicious attachments to gain initial access.
''')

# Key findings
report.add_finding('New ransomware variant identified: "MedLocker"')
report.add_finding('Campaign active since January 2024')
report.add_finding('At least 5 healthcare organizations targeted')

# Add IOCs
report.add_ioc('hash', 'abc123...', 'Ransomware executable')
report.add_ioc('domain', 'medlocker-payment.onion', 'Payment portal')
report.add_ioc('ip', '192.168.1.100', 'C2 server')

# Add TTPs
report.add_ttp('T1566.001', 'Phishing with malicious attachments')
report.add_ttp('T1486', 'Data encryption')

# Recommendations
report.add_recommendation('Block IOCs at perimeter')
report.add_recommendation('Update endpoint detection signatures')
report.add_recommendation('Conduct phishing awareness training')

# Generate outputs
print(report.generate())
print(report.generate_executive_brief())

Configuration

Environment Variables

Variable          Description                    Required  Default
CTI_FEED_API_KEY  API key for threat feeds       No        None
CTI_OUTPUT_DIR    Output directory for reports   No        ./output

Supported IOC Types

  • ip - IPv4 and IPv6 addresses

  • domain - Domain names

  • url - Full URLs

  • hash - MD5, SHA1, SHA256 hashes

  • email - Email addresses

  • cve - CVE identifiers

Limitations

  • No Live Feeds: Feed fetching requires manual configuration

  • Offline ATT&CK: Uses embedded technique data

  • No Enrichment APIs: External enrichment not included

Troubleshooting

Invalid IOC Format

IOC validation uses standard regex patterns:

# Valid
extractor.validate_ioc('ip', '192.168.1.1')    # True

# Invalid
extractor.validate_ioc('ip', '192.168.1.256')  # False

Defanging Issues

Use consistent defanging format:

# Standard defanging
extractor.defang('http://evil.com')
# Returns: hxxp://evil[.]com
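An added example of the validation regexes these troubleshooting notes refer to, not the skill's own implementation: it shows why the IPv4 pattern must bound each octet (a bare `(\d{1,3}\.){3}\d{1,3}` would accept 192.168.1.256) and the single defang format the section standardises on. The pattern set, the IPv6 handling and the `[@]` convention for e-mail addresses are assumptions.

```python
import re
import ipaddress

# Validation regexes per IOC type (constructed; the skill embeds its own).
# Each IPv4 octet is bounded to 0-255 so out-of-range values fail.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
VALIDATORS = {
    "ip": re.compile(rf"^(?:{OCTET}\.){{3}}{OCTET}$"),
    "domain": re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I),
    "url": re.compile(r"^https?://[^\s/?#]+[^\s]*$", re.I),
    "hash": re.compile(r"^(?:[a-f0-9]{32}|[a-f0-9]{40}|[a-f0-9]{64})$", re.I),
    "email": re.compile(r"^[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I),
    "cve": re.compile(r"^CVE-\d{4}-\d{4,}$", re.I),
}

def validate_ioc(ioc_type, value):
    """True if value is a well-formed indicator of the given type."""
    value = value.strip()
    if ioc_type == "ip" and ":" in value:
        try:                      # IPv6 is easier to parse than to regex
            ipaddress.IPv6Address(value)
            return True
        except ValueError:
            return False
    pattern = VALIDATORS.get(ioc_type)
    return bool(pattern and pattern.match(value))

def defang(value):
    """Standard defanging: http -> hxxp, '.' -> '[.]', '@' -> '[@]'."""
    value = re.sub(r"^http(s?)://", r"hxxp\1://", value, flags=re.I)
    return value.replace(".", "[.]").replace("@", "[@]")
```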

Related Skills

  • incident-response: Apply CTI during incidents

  • soc-operations: CTI-informed detection

  • research: General research capabilities

References

  • Detailed API Reference

  • MITRE ATT&CK

  • STIX 2.1 Specification

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
