<p>Cyber Threat Intelligence</p>
<p>//abhinavsha077</p>
<p>Cyber Threat Intelligence is evidence-based knowledge about adversaries, including their indicators, tactics, motivations, and actionable advice against them. It includes data about potential attackers, their methods, and the vulnerabilities they exploit. The goal is to help organizations anticipate and defend against cyber attacks more effectively. It is common to use the terms “data”, “information”, and “intelligence” interchangeably. However, let us distinguish between them to understand better how CTI comes into play.</p>
<p>Data: Raw, discrete pieces of evidence, such as individual IP addresses, URLs, domain names, or file hashes that are known to be indicators of potential malicious activity.</p>
<p>Information: What you get when you combine and contextualize data to answer specific questions. It gives structure and meaning to the raw data. For example, by tracking how often employees accessed a suspicious webpage over the past month, you can determine patterns of potential exposure or risk.</p>
<p>Intelligence: The correlation of data and information to extract patterns of actions based on contextual analysis. Intelligence is the result of further analysis, where you correlate various pieces of data and information to uncover larger patterns or trends. It provides actionable insights, allowing decision-makers to anticipate threats and take informed actions. For example, by correlating data from multiple incidents (such as similar IPs, attack methods, and times), intelligence can help identify a particular adversary's tactics and predict future behavior.</p>
<p>The primary goal of CTI is to understand the relationship between your operational environment and your adversary and how to defend your environment against any attacks. You would seek this goal by developing your cyber threat context by trying to answer the following questions:</p>
<p>Who’s attacking you? - Identify the threat actors.</p>
<p>What are their motivations? - Understand the attackers' goals.</p>
<p>What are their capabilities? - Assess the tools and techniques they use.</p>
<p>What artefacts and indicators of compromise (IOCs) should you look out for? - Monitor for and detect attacks.</p>
<p>CTI relies on gathering data from multiple sources to form a comprehensive view of potential threats. These sources can be classified into three main categories: internal, community and external.</p>
<p>1. Internal Sources: These are sources within your own organization that provide direct insights into the security landscape of your operational environment.</p>
<p>Corporate Security Events: Information from vulnerability assessments, penetration testing, and incident response reports. This provides details on weaknesses and past breaches within the organization.</p>
<p>Cyber Awareness Training Reports: Data from employee training programs on cybersecurity awareness, which helps to identify common vulnerabilities or gaps in understanding.</p>
<p>System Logs and Events: Logs from firewalls, IDS/IPS systems, endpoints, and other security tools that detect anomalies, unauthorized access, or suspicious activity.</p>
<p>2. Community Sources: These are sources that come from the wider cybersecurity community, including both legal and illegal communities.</p>
<p>Open Web Forums: Public forums and platforms where security researchers, professionals, and enthusiasts discuss vulnerabilities, trends, and cyber threats.</p>
<p>Dark Web Communities: Forums and marketplaces on the dark web where cybercriminals exchange tools and stolen data and discuss tactics. This is often a valuable source for monitoring adversary chatter and emerging threats.</p>
<p>3. External Sources: These sources provide intelligence from outside the organization, often from third parties or publicly available data.</p>
<p>Threat Intel Feeds (Commercial & Open-source): Aggregated feeds from specialized vendors or open-source platforms that provide real-time data on global cyber threats, such as IOCs, TTPs, and active campaigns.</p>
<p>Online Marketplaces: Websites where cybercrime services, exploit kits, or stolen data are sold. Monitoring these markets can reveal insights into ongoing attacks or plans for future attacks.</p>
<p>Public Sources: These include government publications, advisories from cybersecurity agencies, social media analysis, financial and industrial reports, and other public data that provide broader context on emerging cyber threats.</p>
<p>Cyber Threat Intel Life Cycle :</p>
<p>Threat intel is obtained from a data-churning process that transforms raw data into contextualised and action-oriented insights geared towards triaging security incidents. The transformational process follows a six-phase cycle:</p>
<p>Direction</p>
<p>Collection</p>
<p>Processing</p>
<p>Analysis</p>
<p>Dissemination</p>
<p>Feedback</p>
<p>Threat Intelligence Classifications :</p>
<p>1. Strategic Intel :</p>
<p>High-level intel that looks into the organization’s threat landscape and maps out the risk areas based on trends, patterns and emerging threats that may impact business decisions.</p>
<p>Purpose: High-level analysis focused on understanding the broader threat landscape over time.</p>
<p>Scope: This intel looks at trends, patterns, and emerging threats that could impact an organization's long-term strategies and business decisions. It often involves geopolitical analysis, industry trends, and threat actor profiling.</p>
<p>2. 
Technical Intel :</p>
<p>Looks into evidence and artefacts of attack used by an adversary. Incident Response teams can use this intel to create a baseline attack surface to analyze and develop defense mechanisms.</p>
<p>Purpose: Provides detailed technical data about specific threats, such as malware signatures, phishing URLs, or file hashes.</p>
<p>Scope: Focuses on the actual artifacts of an attack (e.g., malicious code, exploit methods). It is used by security teams to detect, analyze, and block cyber threats.</p>
<p>3. Tactical Intel :</p>
<p>Assesses adversaries’ tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and address vulnerabilities through real-time investigations.</p>
<p>Purpose: Provides insights into an adversary's Tactics, Techniques, and Procedures (TTPs).</p>
<p>Scope: Focuses on understanding how attackers operate and what methods they use, enabling the organization to adjust security controls and defenses in response. This type of intelligence is often used for real-time investigations.</p>
<p>4. Operational Intel :</p>
<p>Looks into an adversary’s specific motives and intent to perform an attack. Security teams may use this intel to understand the critical assets available in the organisation (people, processes and technologies) that may be targeted.</p>
<p>Purpose: Understands the specific motives, goals, and immediate plans of an adversary targeting the organization.</p>
<p>Scope: Focuses on active or planned attacks and helps security teams prioritize defense around critical assets, such as sensitive data, infrastructure, or key personnel.</p>
<p>Direction :</p>
<p>Every threat intel program requires objectives and goals to be defined, which involves identifying the following parameters:</p>
<p>Information assets and business processes that require defending.</p>
<p>Potential impact to be experienced on losing the assets or through process interruptions.</p>
<p>Sources of data and intel to be used towards protection.</p>
<p>Tools and resources that are required to defend the assets.</p>
<p>Collection :</p>
<p>Once objectives have been defined, security analysts will gather the required data to address them. Analysts will do this by using the commercial, private and open-source resources available. Due to the volume of data analysts usually face, it is recommended to automate this phase to provide time for triaging incidents. Examples include gathering data from public threat feeds and intrusion detection system logs, and monitoring the dark web for chatter about specific attack methods.</p>
<p>Processing :</p>
<p>This phase involves sorting, organizing, and correlating various data types, such as raw logs, vulnerability data, malware samples, and network traffic, so that analysts can make sense of the information quickly and effectively. Raw logs, vulnerability information, malware and network traffic usually come in different formats and may be disconnected when used to investigate an incident. 
This phase ensures that the data is extracted, sorted, organised, correlated with appropriate tags and presented visually in a usable and understandable format to the analysts. SIEMs are valuable tools for achieving this and allow quick parsing of data.</p>
<p>Analysis :</p>
<p>Once the information aggregation is complete, security analysts must derive insights. Decisions to be made may involve:</p>
<p>Investigating a potential threat through uncovering indicators and attack patterns.</p>
<p>Defining an action plan to avert an attack and defend the infrastructure.</p>
<p>Strengthening security controls or justifying investment for additional resources.</p>
<p>Dissemination :</p>
<p>Dissemination is the process of distributing the intelligence gathered, analyzed, and processed to the appropriate stakeholders within an organization. It is a crucial stage in the Cyber Threat Intelligence (CTI) Lifecycle, as the effectiveness of CTI relies not just on the quality of the intelligence but also on how well it is shared with the relevant audience. Dissemination ensures that intelligence reaches the right people, in the right format, and at the right time to allow for actionable decisions.</p>
<p>For example, C-suite members will require a concise report covering trends in adversary activities, financial implications and strategic recommendations. At the same time, analysts will more likely inform the technical team about the threat IOCs, adversary TTPs and tactical action plans.</p>
<p>Feedback :</p>
<p>The final phase covers the most crucial part, as analysts rely on the responses provided by stakeholders to improve the threat intelligence process and the implementation of security controls. Feedback should be a regular interaction between teams to keep the lifecycle working.</p>
<p>CTI Standards & Frameworks :</p>
<p>Standards and frameworks provide structures to rationalise the distribution and use of threat intel across industries. They also allow for common terminology, which helps in collaboration and communication. Here, we briefly look at some essential standards and frameworks commonly used.</p>
<p>MITRE ATT&CK</p>
<p>https://tryhackme.com/room/mitre</p>
<p>The ATT&CK framework is a knowledge base of adversary behavior, focusing on the indicators and tactics. Security analysts can use the information to be thorough while investigating and tracking adversarial behavior.</p>
<p>STIX</p>
<p>https://oasis-open.github.io/cti-documentation/stix/intro</p>
<p>Structured Threat Information Expression (STIX) is a language developed for the "specification, capture, characterisation and communication of standardised cyber threat information". It provides defined relationships between sets of threat info such as observables, indicators, adversary TTPs, attack campaigns, and more.</p>
<p>TAXII</p>
<p>https://oasis-open.github.io/cti-documentation/taxii/intro</p>
<p>The Trusted Automated eXchange of Indicator Information (TAXII) defines protocols for securely exchanging threat intel to have near real-time detection, prevention and mitigation of threats. The protocol supports two sharing models:</p>
<p>Collection: Threat intel is collected and hosted by a producer upon request by users using a request-response model.</p>
<p>Channel: Threat intel is pushed to users from a central server through a publish-subscribe model.</p>
<p>Cyber Kill Chain</p>
<p>Developed by Lockheed Martin, the Cyber Kill Chain breaks down adversary actions into steps. This breakdown helps analysts and defenders identify which stage-specific activities occurred when investigating an attack.</p>
<p>The stages of the kill chain, with the purpose of each stage and examples (Technique / Purpose / Examples):</p>
<p>Reconnaissance. Purpose: Obtain information about the victim and the tactics used for the attack. Examples: Harvesting emails, OSINT, social media, network scans.</p>
<p>Weaponisation. Purpose: Malware is engineered based on the needs and intentions of the attack. Examples: Exploit with a backdoor, malicious office document.</p>
<p>Delivery. Purpose: Covers how the malware would be delivered to the victim's system. Examples: Email, weblinks, USB.</p>
<p>Exploitation. Purpose: Breach the victim's system vulnerabilities to execute code and create scheduled jobs to establish persistence. Examples: EternalBlue, Zero-Logon, etc.</p>
<p>Installation. Purpose: Install malware and other tools to gain access to the victim's system. Examples: Password dumping, backdoors, remote access trojans.</p>
<p>Command & Control. Purpose: Remotely control the compromised system, deliver additional malware, move across valuable assets and elevate privileges. Examples: Empire, Cobalt Strike, etc.</p>
<p>Actions on Objectives. Purpose: Fulfil the intended goals for the attack: financial gain, corporate espionage, and data exfiltration. Examples: Data encryption, ransomware, public defacement.</p>
<p>Over time, the kill chain has been expanded using other frameworks such as ATT&CK and formulated into a new Unified Kill Chain.</p>
<p>Tools that we will cover :</p>
<p>UrlScan.io to scan for malicious URLs.</p>
<p>Abuse.ch to 
track malware and botnet indicators.</p>
<p>Investigate phishing emails using PhishTool.</p>
<p>Cisco's Talos Intelligence platform for intel gathering.</p>
<p>The Diamond Model</p>
<p>The diamond model looks at intrusion analysis and tracking attack groups over time. It focuses on four key areas, each representing a different point on the diamond. These are:</p>
<p>Adversary: The focus here is on the threat actor behind an attack and allows analysts to identify the motive behind the attack.</p>
<p>Victim: The opposite end of the adversary; looks at an individual, group or organisation affected by an attack.</p>
<p>Infrastructure: The adversaries' tools, systems, and software used to conduct their attack are the main focus. Additionally, the victim's systems would be crucial to providing information about the compromise.</p>
<p>Capabilities: The focus here is on the adversary's approach to reaching its goal. This looks at the means of exploitation and the TTPs implemented across the attack timeline.</p>
<p>An example of the diamond model in play would involve an adversary targeting a victim using phishing attacks to obtain sensitive information and compromise their system, as displayed on the diagram. As a threat intelligence analyst, the model allows you to pivot along its properties to produce a complete picture of an attack and correlate indicators.</p>
<p>Some notable threat reports come from Mandiant, Recorded Future and AT&T Cybersecurity.</p>
<p>https://www.mandiant.com/resources</p>
<p>https://www.recordedfuture.com/resources/global-issues</p>
<p>https://cybersecurity.att.com/</p>
<p>Threat Intelligence Tools :</p>
<p>1. Urlscan.io :</p>
<p>https://urlscan.io/</p>
<p>urlscan.io is a free online service that allows you to analyze websites for potential security issues and threats, and to track various online behaviors.</p>
<p>It is developed to assist in scanning and analyzing websites. It is used to automate the process of browsing and crawling through websites to record activities and interactions.</p>
<p>When a URL is submitted, the information recorded includes the domains and IP addresses contacted, resources requested from the domains, a snapshot of the web page, technologies utilised and other metadata about the website.</p>
<p>The site provides two views, the first one showing the most recent scans performed and the second one showing current live scans.</p>
<p>As you can see, there are a lot of options available. So while you are at it, explore a bit.</p>
<p>URL scan results provide ample information, with the following key areas being essential to look at:</p>
<p>Summary: Provides general information about the URL, ranging from the identified IP address, domain registration details and page history to a screenshot of the site.</p>
<p>HTTP: Provides information on the HTTP connections made by the scanner to the site, with details about the data fetched and the file types received.</p>
<p>Redirects: Shows information on any identified HTTP and client-side redirects on the site.</p>
<p>Links: Shows all the identified links outgoing from the site's homepage.</p>
<p>Behaviour: Provides details of the variables and cookies found on the site. These may be useful in identifying the frameworks used in developing the site.</p>
<p>Indicators: Lists all IPs, domains and hashes associated with the site. These indicators do not imply malicious activity related to the site.</p>
<p>Let's see an example for example.com.</p>
<p>2. Abuse.ch :</p>
<p>Abuse.ch is a Swiss-based platform that helps cybersecurity professionals and organizations combat malware, botnets, and online threats. 
It focuses on tracking, collecting, and distributing information about cyber threats. It was developed to identify and track malware and botnets through several operational platforms developed under the project. These platforms are:</p>
<p>MalwareBazaar: A resource for sharing malware samples.</p>
<p>https://bazaar.abuse.ch/browse/</p>
<p>Feodo Tracker: A resource used to track botnet command and control (C2) infrastructure linked with Emotet, Dridex and TrickBot.</p>
<p>https://feodotracker.abuse.ch/</p>
<p>SSL Blacklist: A resource for collecting and providing a blocklist for malicious SSL certificates and JA3/JA3s fingerprints.</p>
<p>https://sslbl.abuse.ch/</p>
<p>URLhaus: A resource for sharing malware distribution sites.</p>
<p>https://urlhaus.abuse.ch/</p>
<p>ThreatFox: A resource for sharing indicators of compromise (IOCs).</p>
<p>https://threatfox.abuse.ch/</p>
<p>YARAify: Through YARAhub, the platform also provides a structured way of sharing YARA rules with the community. Files can also be scanned against the shared rules.</p>
<p>https://yaraify.abuse.ch/</p>
<p>https://yaraify.abuse.ch/scan/</p>
<p>MalwareBazaar : MB - Malware</p>
<p>As the name suggests, this project is an all-in-one malware collection and analysis database, and supports some of the following features:</p>
<p>Malware Samples Upload: Security analysts can upload their malware samples for analysis and build the intelligence database. This can be done through the browser or an API.</p>
<p>Malware Hunting: Hunting for malware samples is possible through setting up alerts to match various elements such as tags, signatures, YARA rules, ClamAV signatures and vendor detection.</p>
<p>Feodo Tracker : FT - Botnet</p>
<p>With this project, Abuse.ch aims to share intelligence on botnet Command & Control (C&C) servers associated with Dridex, Emotet (aka Heodo), TrickBot, QakBot and BazarLoader/BazarBackdoor. This is achieved by providing a database of the C&C servers that security analysts can search through to investigate any suspicious IP addresses they have come across. Additionally, they provide various IP and IOC blocklists and mitigation information to be used to prevent botnet infections.</p>
<p>Key Features of Feodo Tracker:</p>
<p>Botnet Tracking: Feodo Tracker monitors command-and-control (C2) servers used by botnets to communicate with infected machines. These servers are crucial for attackers to control their malware remotely.</p>
<p>IP Blocklists: The tracker provides daily updated blocklists of malicious IP addresses associated with Feodo/Dridex botnets. These blocklists help companies and security teams prevent their systems from communicating with known malicious servers.</p>
<p>Historical Data: Feodo Tracker maintains a history of detected botnet C2 servers, allowing researchers to analyze past botnet behavior and track trends over time.</p>
<p>Publicly Available Feeds: The tracker provides IP feeds that can be directly used by network administrators, ISPs, and cybersecurity professionals to block access to known botnet servers, thus preventing infections or stopping active malware communication.</p>
<p>Explore the 4 options highlighted to identify the different fields available in it.</p>
<p>SSL Blacklist (SSLBL) : SB - SSL</p>
<p>Abuse.ch developed this tool to identify and detect malicious SSL connections. From these connections, SSL certificates used by botnet C2 servers would be identified and updated on a denylist that is provided for use. The denylist is also used to identify JA3 fingerprints that would help detect and block malware botnet C2 communications on the TCP layer.</p>
<p>You can browse through the SSL certificates and JA3 fingerprints lists or download them to add to your deny list or threat hunting rulesets.</p>
<p>Key Features of SSLBL:</p>
<p>Tracking Malicious SSL Certificates: SSLBL collects and lists SSL certificates used by malware, phishing sites, and other malicious activities. It helps security professionals identify and block these certificates.</p>
<p>JA3 Fingerprinting: SSLBL also uses JA3 fingerprints to detect malicious SSL connections. JA3 fingerprints are based on the unique characteristics of SSL/TLS handshakes, which can help identify malware even if it uses encrypted connections.</p>
<p>IP Blocklists: SSLBL provides IP blocklists of servers hosting malicious SSL certificates. These blocklists can be used to block access to these servers, thus preventing malware from communicating or spreading.</p>
<p>Malware Campaign Detection: The project is particularly focused on detecting SSL certificates used in malware campaigns. It monitors domains and IP addresses tied to botnets and other malicious activities.</p>
<p>Explore the 4 options highlighted to identify the different fields available in it.</p>
<p>URLhaus : UH - Malicious URLs</p>
<p>As the name points out, this tool focuses on sharing malicious URLs used for malware distribution. As an analyst, you can search through the database for domains, URLs, hashes and filetypes that are suspected to be malicious and validate your investigations.</p>
<p>The tool also provides feeds associated with country, AS number and Top Level Domain that an analyst can generate based on specific search needs.</p>
<p>Key Features of URLhaus:</p>
<p>Malware URL Tracking: URLhaus collects and lists URLs that are actively distributing malware. These URLs are often submitted by security researchers, incident responders, and automated systems from around the world.</p>
<p>Threat Intelligence Feeds: URLhaus provides freely accessible feeds of malicious URLs. These feeds can be integrated into security systems like firewalls, proxy servers, and email filters to automatically block malicious content.</p>
<p>Detailed Reports: Each URL entry includes detailed information, such as:</p>
<p>The type of malware being distributed (e.g., ransomware, trojans, etc.).</p>
<p>The hosting domain and IP address.</p>
<p>Metadata like the first and last seen dates, helping track when the threat was active.</p>
<p>Public Submissions: Anyone can submit new malware URLs to URLhaus, making it a community-driven effort. After submission, the URLs are validated, and if confirmed to be malicious, they are added to the public database.</p>
<p>Historical Data: URLhaus maintains a historical archive of malware URLs, which is useful for understanding past threats and analyzing trends.</p>
<p>ThreatFox : TF - IOC</p>
<p>ThreatFox is another project by Abuse.ch that focuses on collecting and sharing indicators of compromise (IOCs) related to malware, making it a key tool for cybersecurity professionals involved in threat detection and response. It is an open platform where users can both submit and access a wide variety of threat data.</p>
<p>Key Features of ThreatFox:</p>
<p>Indicators of Compromise (IOCs): ThreatFox provides a large repository of IOCs, including malicious domains, IP addresses, URLs, file hashes (e.g., MD5, SHA256), and more. These IOCs are critical for detecting and responding to malware infections.</p>
<p>Crowdsourced Submissions: ThreatFox allows users to submit IOCs related to malware. These submissions are validated and shared with the community, creating a constantly updated and growing threat intelligence database.</p>
<p>Free Access to Threat Data: All the IOCs on ThreatFox are freely accessible to the public. 
Cybersecurity professionals can use this data to improve their defenses against active threats.</p>
<p>Threat Intelligence Feeds: ThreatFox provides real-time threat intelligence feeds that can be integrated into security infrastructure (e.g., firewalls, intrusion detection systems, and SIEM platforms) to automatically block known threats.</p>
<p>YARAify : Yi</p>
<p>YARAify is a project by Abuse.ch focused on sharing YARA rules to detect and identify malware. YARA rules are a key part of malware research and detection, allowing security teams to describe patterns of malicious behavior in files and network traffic. YARAify helps security professionals and researchers by providing a repository of community-contributed YARA rules that can be used to improve malware detection.</p>
<p>Key Features of YARAify:</p>
<p>YARA Rules Repository: YARAify offers a collection of YARA rules that can be used to detect and classify malware. These rules are contributed by the community and are specifically crafted to identify various malware families and types of malicious behavior.</p>
<p>YARA Rule Submissions: Like other Abuse.ch projects, YARAify allows researchers and security professionals to submit their own YARA rules to the platform. These rules are validated and then shared publicly to help others detect malware more effectively.</p>
<p>Malware Detection and Classification: By using YARA rules from YARAify, security teams can enhance their detection systems to automatically flag files and behaviors that match the patterns associated with known malware. This is crucial for automated scanning, malware analysis, and incident response.</p>
<p>3. PhishTool :</p>
<p>https://www.phishtool.com/</p>
<p>PhishTool seeks to elevate the perception of phishing as a severe form of attack and provide a responsive means of email security. Through email analysis, security analysts can uncover email IOCs, prevent breaches and provide forensic reports that could be used in phishing containment and training engagements.</p>
<p>The core features include:</p>
<p>Perform email analysis: PhishTool retrieves metadata from phishing emails and provides analysts with the relevant explanations and capabilities to follow the email’s actions, attachments, and URLs to triage the situation.</p>
<p>Heuristic intelligence: PhishTool integrates with Open Source Intelligence (OSINT) sources to give analysts up-to-date information about ongoing phishing threats. This intelligence allows them to track tactics, techniques, and procedures (TTPs) used by attackers to evade security controls, helping to predict and mitigate future attacks more effectively.</p>
<p>Classification and reporting: Phishing email classifications are conducted to allow analysts to take action quickly. Additionally, reports can be generated to provide a forensic record that can be shared.</p>
<p>Additional features are available on the Enterprise version:</p>
<p>Manage user-reported phishing events.</p>
<p>Report phishing email findings back to users and keep them engaged in the process.</p>
<p>Email stack integration with Microsoft 365 and Google Workspace.</p>
<p>So for experiment purposes I am taking a sample phishing email from a GitHub repo, so we choose sample1.eml.</p>
<p>https://github.com/rf-peixoto/phishing_pot/tree/main/email</p>
<p>Analysis Tab</p>
<p>Once uploaded, we are presented with the details of our email for a more in-depth look. Here, we have the following tabs:</p>
<p>Headers: Provides the routing information of the email, such as source and destination email addresses, originating IP and DNS addresses and timestamp.</p>
<p>Received Lines: Details on the email traversal process across various SMTP servers for tracing purposes.</p>
<p>X-headers: These are extension headers added by the recipient mailbox to provide additional information about the email.</p>
<p>Security: Details on email security frameworks and policies such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).</p>
<p>Attachments: Lists any file attachments found in the email.</p>
<p>Message URLs: Associated external URLs found in the email will be found here.</p>
<p>4. Cisco Talos Intelligence</p>
<p>https://talosintelligence.com/</p>
<p>IT and Cybersecurity companies collect massive amounts of information that could be used for threat analysis and intelligence. Being one of those companies, Cisco assembled a large team of security practitioners called Cisco Talos to provide actionable intelligence, visibility on indicators, and protection against emerging threats through data collected from their products. The solution is accessible as Talos Intelligence.</p>
<p>Cisco Talos' Six Key Teams:</p>
<p>1. Threat Intelligence & Interdiction:</p>
<p>Function: This team is responsible for quickly correlating and tracking threats to provide actionable intelligence. They take Indicators of Compromise (IOCs) such as IP addresses, file hashes, and URLs, and enrich them with context. This enables more accurate threat detection and allows security teams to respond to evolving threats with a deeper understanding of the attack vectors.</p>
<p>Focus: Turning simple IOCs into context-rich intelligence that can be used to block and prevent attacks.</p>
<p>2. Detection Research:</p>
<p>Function: Focused on vulnerability research and malware analysis. This team works on creating detection rules, signatures, and other content for Cisco’s security products to protect against known and unknown threats.</p>
<p>Focus: Writing detection signatures for intrusion detection systems (IDS), antivirus programs, and other security tools based on ongoing analysis of threats.</p>
<p>3. Engineering & Development:</p>
<p>Function: Provides ongoing support for Cisco's inspection engines, keeping them updated with the latest capabilities to identify, categorize, and triage new and emerging threats. They ensure that security tools remain effective as the threat landscape evolves.</p>
<p>Focus: Developing and maintaining the core inspection engines used in Cisco’s security products.</p>
<p>4. Vulnerability Research & Discovery:</p>
<p>Function: This team collaborates with software and service vendors to discover and report vulnerabilities in their products. They develop repeatable methodologies for vulnerability discovery, often leading to responsible disclosure and patch development.</p>
<p>Focus: Identifying and reporting software and hardware vulnerabilities to vendors, ensuring security flaws are addressed before they can be exploited by attackers.</p>
<p>5. Communities:</p>
<p>Function: This team is responsible for maintaining Talos' image in the cybersecurity community. They manage open-source projects, participate in industry events, and engage with the community to promote collaboration and knowledge-sharing.</p>
<p>Focus: Sustaining the reputation of Talos and fostering relationships within the open-source community.</p>
<p>6. Global Outreach:</p>
<p>Function: Focused on disseminating intelligence to Cisco’s customers and the broader security community. They publish research, threat reports, and security advisories to help organizations stay informed about the latest cyber threats and defensive strategies.</p>
<p>Focus: Sharing knowledge and insights through publications, blogs, reports, and presentations to increase awareness and understanding of emerging cyber threats.</p>
<p>More information about Cisco Talos can be found in their White Paper: https://www.talosintelligence.com/docs/Talos_WhitePaper.pdf</p>
<p>Talos Dashboard :</p>
<p>Cisco Talos Attack Map :</p>
<p>Attack Map: https://talosintelligence.com/ebc_spam</p>
<p>This map shows an overview of email traffic with indicators of whether the emails are legitimate, spam or malware across numerous countries. Clicking on any marker, we see more information associated with IP and hostname addresses, volume on the day and the type.</p>
<p>Vulnerability Research: Disclosed and zero-day vulnerability reports marked with CVE numbers and CVSS scores. Details of the vulnerabilities reported are provided when you select a specific report, including the timeline taken to get the report published. Microsoft vulnerability advisories are also provided, with the applicable Snort rules that can be used.</p>
<p>Intelligence Center: Provides access to searchable threat data related to IPs and files using their SHA256 hashes.</p>
<p>Analysts would rely on these options to conduct their investigations. Additional email and spam data can be found under the Email & Spam Data tab.</p>
<p>Open-CTI :</p>
<p>OpenCTI is another open-source platform designed to provide organisations with the means to manage CTI through the storage, analysis, visualisation and presentation of threat campaigns, malware and IOCs.</p>
<p>The platform's main objective is to create a comprehensive tool that allows users to capitalise on technical and non-technical information while developing relationships between each piece of information and its primary source.</p>
<p>The platform can use the MITRE ATT&CK framework to structure the data. Additionally, it can be integrated with other threat intel tools such as MISP and TheHive.</p>
<p>OpenCTI helps organizations manage cyber threat intelligence by collecting, structuring, and analyzing data from various sources, visualizing relationships between threats, and enabling better-informed decisions.</p>
Its graph-based approach and STIX2 compliance make it easy to share intelligence and gain deep insights into threats.</p>
<p>OpenCTI on GitHub: https://github.com/OpenCTI-Platform/opencti</p>
<p>TryHackMe MITRE room: https://tryhackme.com/room/mitre</p>
<p>OpenCTI Data Model :</p>
<p>OpenCTI uses a variety of knowledge schemas in structuring data, the main one being the Structured Threat Information Expression (STIX2) standard (https://oasis-open.github.io/cti-documentation/stix/intro). STIX is a serialised and standardised language format used in threat intelligence exchange. It allows for the data to be implemented as entities and relationships, effectively tracing the origin of the provided information.</p>
<p>This data model is supported by how the platform's architecture has been laid out (https://docs.opencti.io/5.8.X/deployment/overview/). The highlight services include:</p>
<p>GraphQL API: The API connects clients to the database and the messaging system.</p>
<p>Write workers: Python processes utilised to write queries asynchronously from the RabbitMQ messaging system.</p>
<p>Connectors: Another set of Python processes used to ingest, enrich or export data on the platform. These connectors provide the application with a robust network of integrated systems and frameworks to create threat intelligence relations and allow users to improve their defence tactics.</p>
<p>According to OpenCTI, connectors fall under the following classes:</p>
<table>
<tr><th>Type</th><th>Description</th><th>Examples</th></tr>
<tr><td>EXTERNAL_IMPORT</td><td>Pull data from remote sources, convert it to STIX2 and insert it on the OpenCTI platform.</td><td>MITRE Datasets, MISP, CVE, AlienVault, Mandiant, etc.</td></tr>
<tr><td>INTERNAL_ENRICHMENT</td><td>Listen for new OpenCTI entities or user requests, pull data from remote sources to enrich.</td><td>Shodan, DomainTools, IpInfo, etc.</td></tr>
<tr><td>INTERNAL_IMPORT_FILE</td><td>Extract data from files uploaded on OpenCTI through the UI or the API.</td><td>STIX 2.1, PDF, Text, HTML, etc.</td></tr>
<tr><td>INTERNAL_EXPORT_FILE</td><td>Generate export from OpenCTI data, based on a single object or a list.</td><td>STIX 2.1, CSV, PDF, etc.</td></tr>
<tr><td>STREAM</td><td>Consume a platform data stream and do something with events.</td><td>Splunk, Elastic Security, QRadar, etc.</td></tr>
</table>
<p>For more details on configuring connectors and the data schema you can visit the OpenCTI Documentation: https://docs.opencti.io/5.8.X/usage/import-files/ , https://docs.opencti.io/5.8.X/usage/export-structured/ , https://docs.opencti.io/5.8.X/usage/feeds/</p>
<p>OpenCTI Dashboard :</p>
<p>OpenCTI categorises and presents entities under the Activities and Knowledge groups on the left-side panel. The Activities section covers security incidents ingested onto the platform in the form of reports. It makes it easy for analysts to investigate these incidents. In contrast, the Knowledge section provides linked data related to the tools adversaries use, targeted victims and the type of threat actors and campaigns used.</p>
<p>Analysis</p>
<p>The Analysis tab contains the input entities in reports analysed and associated external references. Reports are central to OpenCTI as knowledge on threats and events are extracted and processed. They allow for easier identification of the source of information by analysts. 
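</p>
<p>The entity-and-relationship model just described, as an added example rather than OpenCTI's own code: a hand-built STIX 2.1 bundle (plain dicts, no stix2 library) linking an intrusion set, the 4H RAT malware, the Command-Line Interface technique, one indicator and one course of action, with a validator for dangling references and a walk over the graph that recovers which indicators relate to the intrusion set. Apart from the two entity names taken from this page, every name, hash and id is constructed.</p>

```python
"""Hand-built STIX 2.1 bundle of the kind OpenCTI ingests, plus graph checks.
Added example, not OpenCTI code; plain dicts instead of the stix2 library so it
runs offline. Apart from 4H RAT and Command-Line Interface, every name is constructed."""
import re
import uuid
from collections import deque

TS = "2024-01-01T00:00:00.000Z"  # constructed timestamp used for every object
NS = uuid.NAMESPACE_URL          # any fixed namespace makes the ids reproducible
ID_RE = re.compile(r"^[a-z][a-z0-9-]+--[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
REQUIRED = {"malware": ("name", "is_family"),
            "indicator": ("pattern", "pattern_type", "valid_from"),
            "relationship": ("relationship_type", "source_ref", "target_ref")}


def sdo(obj_type, key, **fields):
    """STIX Domain Object with the mandatory common properties; the id is a
    'type--uuid' where the UUIDv5 is derived from a stable key."""
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid5(NS, f'{obj_type}:{key}')}",
           "created": TS, "modified": TS}
    obj.update(fields)
    return obj


def sro(rel_type, source, target):
    """STIX Relationship Object: the edge that lets a consumer trace provenance."""
    return sdo("relationship", f"{rel_type}|{source['id']}|{target['id']}",
               relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])


def build_bundle():
    """Constructed sample graph: group -uses-> malware -uses-> technique, plus an
    indicator that 'indicates' the malware and a CoA that 'mitigates' the technique."""
    group = sdo("intrusion-set", "Constructed Group", name="Constructed Group")
    rat = sdo("malware", "4H RAT", name="4H RAT", is_family=True,
              malware_types=["remote-access-trojan"])
    cli = sdo("attack-pattern", "Command-Line Interface", name="Command-Line Interface")
    coa = sdo("course-of-action", "constructed", name="Constructed course of action",
              description="Placeholder mitigation mapped against the technique.")
    sha256 = "0" * 63 + "1"  # constructed hash, not a real sample
    ioc = sdo("indicator", sha256, name="Constructed 4H RAT file hash",
              pattern=f"[file:hashes.'SHA-256' = '{sha256}']",
              pattern_type="stix", valid_from=TS)
    objects = [group, rat, cli, coa, ioc,
               sro("uses", group, rat), sro("uses", rat, cli),
               sro("indicates", ioc, rat), sro("mitigates", coa, cli)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate_bundle(bundle):
    """Problems a strict importer would reject: malformed ids, missing
    mandatory fields and relationships whose refs do not resolve in the bundle."""
    problems = []
    ids = {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        if not ID_RE.match(o["id"]) or not o["id"].startswith(o["type"] + "--"):
            problems.append(f"malformed id {o['id']}")
        for field in REQUIRED.get(o["type"], ("name",)):
            if field not in o:
                problems.append(f"{o['id']} lacks {field}")
        for ref in ("source_ref", "target_ref"):
            if ref in o and o[ref] not in ids:
                problems.append(f"{o['id']} {ref} points outside the bundle")
    return problems


def related_indicators(bundle, name):
    """Walk 'uses' edges outward from the named entity and return the patterns
    of every indicator that 'indicates' something reached on that walk."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    start = next(o["id"] for o in bundle["objects"] if o.get("name") == name)
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for r in rels:
            if (r["relationship_type"] == "uses" and r["source_ref"] == cur
                    and r["target_ref"] not in seen):
                seen.add(r["target_ref"])
                queue.append(r["target_ref"])
    return sorted(by_id[r["source_ref"]]["pattern"] for r in rels
                  if r["relationship_type"] == "indicates" and r["target_ref"] in seen)
```

<p>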
Additionally, analysts can add their investigation notes and other external resources for knowledge enrichment.</p>
<p>Events</p>
<p>Security analysts investigate and hunt for events involving suspicious and malicious activities across their organisational network. Within the Events tab, analysts can record their findings and enrich their threat intel by creating associations for their incidents.</p>
<p>Observations</p>
<p>Technical elements, detection rules and artefacts identified during a cyber attack are listed under this tab: one or several identifiable makeup indicators. These elements assist analysts in mapping out threat events during a hunt and in performing correlations between what they observe in their environments and the intel feeds.</p>
<p>Threats</p>
<p>All information classified as threatening to an organisation or information would be classified under Threats. These will include:</p>
<p>Threat Actors: An individual or group of attackers seeking to propagate malicious actions against a target.</p>
<p>Intrusion Sets: An array of TTPs, tools, malware and infrastructure used by a threat actor against targets who share some attributes. APTs and threat groups are listed under this category on the platform due to their known pattern of actions.</p>
<p>Campaigns: Series of attacks taking place within a given period and against specific victims, initiated by advanced persistent threat actors who employ various TTPs. Campaigns usually have specified objectives and are orchestrated by threat actors from a nation-state, crime syndicate or other disreputable organisation.</p>
<p>Arsenal</p>
<p>This tab lists all items related to an attack and any legitimate tools identified from the entities.</p>
<p>Malware: Known and active malware and trojans are listed with details of their identification and mapping based on the knowledge ingested into the platform. In our example, we analyse the 4H RAT malware and we can extract information and associations made about the malware.</p>
<p>Attack Patterns: Adversaries implement and use different TTPs to target, compromise, and achieve their objectives. Here, we can look at the details of the Command-Line Interface and make decisions based on the relationships established on the platform and navigate through an investigation associated with the technique.</p>
<p>Courses of Action: MITRE maps out concepts and technologies that can be used to prevent an attack technique from being employed successfully. These are represented as Courses of Action (CoA) against the TTPs.</p>
<p>Tools: Lists all legitimate tools and services developed for network maintenance, monitoring and management. Adversaries may also use these tools to achieve their objectives. For example, for the Command-Line Interface attack pattern, it is possible to narrow down that CMD would be used as an execution tool. As an analyst, one can investigate reports and instances associated with the use of the tool.</p>
<p>Vulnerabilities: Known software bugs, system weaknesses and exposures are listed to provide enrichment for what attackers may use to exploit and gain access to systems. The Common Vulnerabilities and Exposures (CVE) list maintained by MITRE is used and imported via a connector.</p>
<p>Entities</p>
<p>This tab categorises all entities based on operational sectors, countries, organisations and individuals. This information allows for knowledge enrichment on attacks, organisations or intrusion sets.</p>
<p>Overview Tab: Provides the general information about an entity being analysed and investigated. In our case, the dashboard will present you with the entity ID, confidence level, description, relations created based on threats, intrusion sets and attack patterns, reports mentioning the entity and any external references.</p>
<p>Knowledge Tab: Presents linked information associated with the entity selected. This tab will include the associated reports, indicators, relations and attack pattern timeline of the entity. Additionally, an analyst can view fine-tuned details from the tabs on the right-hand pane, where information about the threats, attack vectors, events and observables used within the entity are presented.</p>
<p>Analysis Tab: Provides the reports where the identified entry has been seen. The analysis provides usable information about a threat and guides investigation tasks.</p>
<p>Indicators Tab: Provides information on IOCs identified for all the threats and entities.</p>
<p>Data Tab: Contains the files uploaded or generated for export that are related to the entity. 
These assist in communicating information about threats being investigated in either technical or non-technical formats.</p>
<p>History Tab: Changes made to the element, attributes, and relations are tracked by the platform worker, and this tab will outline the changes.</p>
<p>MISP :</p>
<p>MISP - Malware Information Sharing Platform is an open-source threat information platform that facilitates the collection, storage and distribution of threat intelligence and Indicators of Compromise (IOCs) related to malware, cyber attacks, financial fraud or any intelligence within a community of trusted members.</p>
<p>MISP is effectively useful for the following use cases:</p>
<p>Malware Reverse Engineering: Sharing of malware indicators to understand how different malware families function.</p>
<p>Security Investigations: Searching, validating and using indicators in investigating security breaches.</p>
<p>Intelligence Analysis: Gathering information about adversary groups and their capabilities.</p>
<p>Law Enforcement: Using indicators to support forensic investigations.</p>
<p>Risk Analysis: Researching new threats, their likelihood and occurrences.</p>
<p>Fraud Analysis: Sharing of financial indicators to detect financial fraud.</p>
<p>MISP provides the following core functionalities:</p>
<p>IOC database: This allows for the storage of technical and non-technical information about malware samples, incidents, attackers and intelligence.</p>
<p>Automatic Correlation: Identification of relationships between attributes and indicators from malware, attack campaigns or analysis.</p>
<p>Data Sharing: This allows for sharing of information using different models of distribution and among different MISP instances.</p>
<p>Import & Export Features: This allows the import and export of events in different formats to integrate with other systems such as NIDS, HIDS, and OpenIOC.</p>
<p>Event Graph: Showcases the relationships between objects and attributes identified from events.</p>
<p>API support: Supports integration with your own systems to fetch and export events and intelligence.</p>
<p>The following terms are commonly used within MISP and are related to the functionalities described above and the general usage of the platform:</p>
<p>Events: Collection of contextually linked information.</p>
<p>Attributes: Individual data points associated with an event, such as network or system indicators.</p>
<p>Objects: Custom attribute compositions.</p>
<p>Object References: Relationships between different objects.</p>
<p>Sightings: Time-specific occurrences of a given data point or attribute detected to provide more credibility.</p>
<p>Tags: Labels attached to events/attributes.</p>
<p>Taxonomies: Classification libraries used to tag, classify and organise information.</p>
<p>Galaxies: Knowledge base items used to label events/attributes.</p>
<p>Indicators: Pieces of information that can detect suspicious or malicious cyber activity.</p>
<p>Dashboard</p>
<p>The analyst's view of MISP provides you with the functionalities to track, share and correlate events and IOCs identified during your investigation. The dashboard's menu contains the following options, and we shall look into them further:</p>
<p>Home button: Returns you to the application's start screen, the event index page or the page set as a custom home page using the star in the top bar.</p>
<p>Event Actions: All the malware data entered into MISP comprises an event object described by its connected attributes. The Event Actions menu gives access to all the functionality related to the creation, modification, deletion, publishing, searching and listing of events and attributes.</p>
<p>Dashboard: This allows you to create a custom dashboard using widgets.</p>
<p>Galaxies: Shortcut to the list of MISP Galaxies on the MISP instance (https://github.com/MISP/misp-book/blob/main/galaxy). More on these in the Feeds & Taxonomies task.</p>
<p>Input Filters: Input filters alter how users enter data into this instance. Apart from the basic validation of attribute entry by type, the site administrators can define regular expression replacements and blocklists for specific values and block certain values from being exportable. Users can view these replacement and blocklist rules here, while an administrator can alter them.</p>
<p>Global Actions: Access to information about MISP and this instance. You can view and edit your profile, view the manual, read the news or the terms of use again, see a list of the active organisations on this instance and a histogram of their contributions by attribute type.</p>
<p>MISP: Simple link to your base URL.</p>
<p>Name: Name (auto-generated from the mail address) of the currently logged-in user.</p>
<p>Envelope: Link to the User Dashboard to consult some of your notifications and changes since the last visit, like some of the proposals received for your organisation.</p>
<p>Log out: The Log out button to end your session immediately.</p>
<p>Event Management :</p>
<p>The Event Actions tab is where you, as an analyst, will create all malware investigation correlations by providing descriptions and attributes associated with the investigation. Splitting the process into three significant phases, we have:</p>
<p>Event Creation.</p>
<p>Populating events with attributes and attachments.</p>
<p>Publishing.</p>
<p>Event Creation :</p>
<p>In the beginning, events are a storage of general information about an incident or investigation. We add the description, time, and risk level deemed appropriate for the incident by clicking the Add Event button. Additionally, we specify the distribution level we would like our event to have on the MISP network and community. According to MISP, the following distribution options are available:</p>
<p>Your organisation only: This only allows members of your organisation to see the event.</p>
<p>This community only: Users that are part of your MISP community will be able to see the event. This includes your organisation, organisations on this MISP server and organisations running MISP servers that synchronise with this server.</p>
<p>Connected communities: Users who are part of your MISP community will see the event, including all organisations on this MISP server, all organisations on MISP servers synchronising with this server, and the hosting organisations of servers that are two hops away from this one.</p>
<p>All communities: This will share the event with all MISP communities, allowing the event to be freely propagated from one server to the next.</p>
<p>Additionally, MISP provides a means to add a sharing group, where an analyst can define a predefined list of organisations to share events with.</p>
<p>Let's go to Populate From > Phishing E-mail.</p>
<p>Event details can also be populated by filling out predefined fields on a defined template, including adding attributes to the event. We can use the email details of the CobaltStrike investigation to populate details of our event. We will be using the Phishing E-mail category from the templates.</p>
<p>We can add the required details by going to https://www.malware-traffic-analysis.net/2022/03/01/index.html, downloading the attached files, analysing the .eml file and testing it on app.phishtool.com, or we can just read the IOCs for information.</p>
<p>Attributes & Attachments</p>
<p>The analyst can also add file attachments to the event. These may include malware, report files from external analysis or simply artefacts dropped by the malware. You can get the Cobalt Strike EXE binary file from the link given before. You also have to check the Malware checkbox to mark the file as malware. This will ensure that it is zipped and password-protected to protect users from accidentally downloading and executing the file.</p>
<p>Attributes can be added manually or imported through other formats such as OpenIOC and ThreatConnect. To add them manually, click Add Attribute and populate the form fields.</p>
<p>Some essential options to note are:</p>
<p>For Intrusion Detection System: This allows the attribute to be used as an IDS signature when exporting the NIDS data, unless it overrides the permitted list. If not set, the attribute is considered contextual information and not used for automatic detection.</p>
<p>Batch import: If there are several attributes of the same type to enter (such as a list of IP addresses), it is possible to join them all into the same value field, separated by a line break between each line. This will allow the system to create separate lines for each attribute.</p>
<p>Feeds</p>
<p>Feeds are resources that contain indicators that can be imported into MISP and provide attributed information about security events. 
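</p>
<p>The attribute options above (batch import, the IDS flag) and the feed correlation these paragraphs describe, as an added example written for this page rather than taken from MISP or PyMISP: it turns a batch field into validated attributes, builds an event body in the shape of MISP's event JSON with MISP's numeric distribution and threat-level codes, and reports which attributes a constructed feed also contains. All indicator values are constructed.</p>

```python
"""Build a MISP-style event from batch-entered attributes and correlate it
against a feed. Added example, not MISP or PyMISP code: field names follow
MISP's event JSON (info, distribution, threat_level_id, Attribute[]) and the
numeric codes are MISP's; every indicator value is constructed (TEST-NET
addresses, dummy hash)."""
import csv
import io
import ipaddress
import re
from datetime import date

# The distribution options of the Add Event form, in MISP's numeric codes.
DISTRIBUTION = {"your organisation only": 0, "this community only": 1,
                "connected communities": 2, "all communities": 3, "sharing group": 4}
THREAT_LEVEL = {"high": 1, "medium": 2, "low": 3, "undefined": 4}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def _check(attr_type, value):
    """Per-type validation, the basic check MISP applies before storing an attribute."""
    if attr_type in ("ip-src", "ip-dst"):
        ipaddress.ip_address(value)  # raises ValueError on anything that is not an IP
    elif attr_type == "sha256" and not SHA256_RE.match(value):
        raise ValueError(f"not a sha256: {value}")
    elif attr_type == "domain" and not DOMAIN_RE.match(value):
        raise ValueError(f"not a domain: {value}")


def batch_attributes(attr_type, raw, category, to_ids=False, comment=""):
    """Split a batch-import value field (one value per line) into attributes.
    to_ids=True marks the attribute for IDS signature export; False keeps it as
    contextual information only. Blank lines and repeated values are dropped."""
    attrs, seen = [], set()
    for line in raw.splitlines():
        value = line.strip().lower()
        if not value or value in seen:
            continue
        _check(attr_type, value)
        seen.add(value)
        attrs.append({"type": attr_type, "category": category, "value": value,
                      "to_ids": to_ids, "comment": comment})
    return attrs


def build_event(info, distribution, threat_level, attributes):
    """Event body in the shape MISP's API accepts for event creation."""
    return {"Event": {"info": info, "date": date.today().isoformat(),
                      "distribution": DISTRIBUTION[distribution],
                      "threat_level_id": THREAT_LEVEL[threat_level],
                      "analysis": 0,  # 0 = initial analysis
                      "Attribute": attributes}}


def ids_export(event):
    """Values that would reach a NIDS export: only attributes flagged to_ids."""
    return [a["value"] for a in event["Event"]["Attribute"] if a["to_ids"]]


def parse_feed(text):
    """Constructed feed layout: CSV rows of 'type,value'. A real feed's column
    layout is configured per feed in MISP; this one only illustrates the idea."""
    return [(row["type"], row["value"].strip().lower())
            for row in csv.DictReader(io.StringIO(text))]


def correlate(event, feed_rows):
    """Event attributes whose (type, value) also appears in the feed, the
    correlation MISP surfaces between an event and the feeds enabled on it."""
    feed_values = set(feed_rows)
    return sorted(a["value"] for a in event["Event"]["Attribute"]
                  if (a["type"], a["value"]) in feed_values)


# Constructed investigation data: TEST-NET-3 addresses and a dummy hash.
C2_BATCH = "203.0.113.10\n\n203.0.113.11\n203.0.113.10\n"
FEED_CSV = "type,value\nip-dst,203.0.113.11\nip-dst,203.0.113.99\nsha256," + "a" * 64 + "\n"


def demo_event():
    """Event with two detection-grade IPs, one hash and one contextual domain."""
    attrs = batch_attributes("ip-dst", C2_BATCH, "Network activity", to_ids=True,
                             comment="constructed C2 addresses")
    attrs += batch_attributes("sha256", "a" * 64, "Payload delivery", to_ids=True)
    attrs += batch_attributes("domain", "mail.example.test", "Network activity",
                              comment="contextual only, not exported to IDS")
    return build_event("Constructed phishing investigation", "this community only",
                       "medium", attrs)
```

<p>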
These feeds provide analysts and organisations with continuously updated information on threats and adversaries and aid in their proactive defence against attacks.</p>
<p>MISP Feeds provide a way to:</p>
<p>Exchange threat information.</p>
<p>Preview events along with associated attributes and objects.</p>
<p>Select and import events to your instance.</p>
<p>Correlate attributes identified between events and feeds.</p>
<p>Feeds are enabled and managed by the Site Admin for the analysts to obtain information on events and indicators.</p>
<p>Uploading the Cobalt Strike.exe.bin file. Context should be: Cobalt Strike binary file.</p>
<p>Publish Event</p>
<p>Once the analysts have created events, the organisation admin will review and publish those events to add them to the pool of events. This will also share the events to the distribution channels set during the creation of the events.</p>
<p>Event creation output on dashboard: http://u.pc.cd/4tN</p>
<p>Taxonomies</p>
<p>Taxonomies Dashboard : Event Actions > List Taxonomies</p>
<p>A taxonomy is a means of classifying information based on standard features or attributes. On MISP, taxonomies are used to categorise events, indicators and threat actors based on tags that identify them (https://github.com/MISP/misp-taxonomies).</p>
<p>Analysts can use taxonomies to:</p>
<p>Set events for further processing by external tools such as VirusTotal (https://virustotal.com/).</p>
<p>Ensure events are classified appropriately before the Organisation Admin publishes them.</p>
<p>Enrich intrusion detection systems' export values with tags that fit specific deployments.</p>
<p>Taxonomies are expressed in machine tags, which comprise three vital parts:</p>
<p>Namespace: Defines the tag's property to be used.</p>
<p>Predicate: Specifies the property attached to the data.</p>
<p>Value: Numerical or text details to map the property.</p>
<p>Tagging</p>
<p>Using information from feeds and taxonomies, tags can be placed on events and attributes to identify them correctly based on the indicators or threats identified. Tagging allows for effective sharing of threat information between users, communities and other organisations using MISP to identify various threats.</p>
<p>Tagging Best Practices</p>
<p>Tagging at Event level vs Attribute Level: Tags can be added to an event and to attributes. Tags are also inheritable when set. It is recommended to set tags on the entire event and only include tags on attributes when they are an exception from what the event indicates. This will provide a more fine-grained analysis.</p>
<p>The minimal subset of Tags: The following tags can be considered a must-have to provide a well-defined event for distribution:</p>
<p>Traffic Light Protocol: Provides a colour schema to guide how intelligence can be shared (https://www.first.org/tlp/).</p>
<p>Confidence: Provides an indication as to whether or not the data being shared is of high quality and has been vetted so that it can be trusted to be good for immediate usage.</p>
<p>Origin: Describes the source of information and whether it was from automation or manual investigation.</p>
<p>Permissible Actions Protocol: An advanced classification that indicates how the data can be used to search for compromises within the organisation.</p>
<p>THM Task 5 PoC: http://u.pc.cd/n7j7</p>
<p>In our CobaltStrike event example, we can add tags by clicking on the buttons in the Tags section and searching from the available options appropriate to the case. The buttons represent global tags and local tags, respectively. 
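</p>
<p>The machine-tag structure, the event-level versus attribute-level inheritance rule and the minimal tag subset described above, as an added example that is not MISP code: it parses tags, works out which tags an attribute effectively carries when it overrides one of the event's tags, and lists the minimal-subset categories an event still lacks. The tlp and PAP taxonomies are the ones named on this page; which namespaces satisfy the Confidence and Origin categories is an assumption made here, and the sample tags are constructed.</p>

```python
"""Parse MISP machine tags, apply event-to-attribute inheritance and check the
minimal tag subset. Added example, not MISP code: TLP and PAP are the published
taxonomies; which namespaces count as Confidence and Origin is an assumption."""
import re

# namespace:predicate or namespace:predicate="value"
TAG_RE = re.compile(r'^([^:=\s]+):([^=\s"]+)(?:="?([^"]*)"?)?$')
# Exclusive taxonomies: one value per namespace, so a more specific tag replaces it.
EXCLUSIVE = {"tlp", "PAP"}
TLP_LEVELS = {"clear", "white", "green", "amber", "amber+strict", "red"}
# Namespaces accepted for each category of the minimal subset (assumed mapping).
MINIMAL = {"Traffic Light Protocol": {"tlp"},
           "Confidence": {"admiralty-scale", "estimative-language"},
           "Origin": {"osint"},
           "Permissible Actions Protocol": {"PAP"}}


def parse_tag(tag):
    """Split a machine tag into (namespace, predicate, value-or-None)."""
    m = TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a machine tag: {tag!r}")
    ns, predicate, value = m.groups()
    if ns == "tlp" and predicate not in TLP_LEVELS:
        raise ValueError(f"unknown TLP level: {predicate}")
    return ns, predicate, value


def _slot(ns, predicate, value):
    """Key under which a tag is stored: exclusive namespaces get one slot each."""
    return (ns,) if ns in EXCLUSIVE else (ns, predicate, value)


def effective_tags(event_tags, attribute_tags):
    """Tags an attribute carries once event tags are inherited. Event-level tags
    apply to every attribute; an attribute-level tag is the exception and, for an
    exclusive taxonomy, replaces the event's tag in that namespace."""
    slots = {}
    for tag in list(event_tags) + list(attribute_tags):
        slots[_slot(*parse_tag(tag))] = tag  # later (attribute) tags win the slot
    return sorted(slots.values())


def missing_minimal(tags):
    """Categories of the minimal subset that no tag in `tags` satisfies."""
    present = {parse_tag(t)[0] for t in tags}
    return [cat for cat, namespaces in MINIMAL.items() if not namespaces & present]


# Constructed CobaltStrike-style event: event-level tags plus one attribute that
# must be handled more strictly than the rest of the event.
EVENT_TAGS = ["tlp:amber", 'admiralty-scale:source-reliability="b"', "PAP:green"]
ATTRIBUTE_TAGS = ["tlp:red"]
```

<p>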
It is also important to note that you can add your own unique tags to your MISP instance as an analyst or organisation, which would allow you to ingest, navigate through and share information quickly within the organisation.</p>
<p>Additional Resources :</p>
<p>CIRCL MISP Training Module 1: https://www.youtube.com/watch?v=aM7czPsQyaI</p>
<p>CIRCL MISP Training Module 2: https://www.youtube.com/watch?v=Jqp8CVHtNVk</p>
<p>MISP Book: https://www.circl.lu/doc/misp/</p>
<p>MISP GitHub: https://github.com/MISP/</p>