This room is going to introduce you to what containment involves, as well as some containment strategies. Additionally, this room is going to introduce what threat intelligence is and how it can be used to understand our adversary.
You will use some of the Indicators Of Attack (IOA) & Indicators Of Compromise (IOC) from the module in the practical element of this room to analyse some threat intelligence.
Containment is a crucial phase in incident response because the core aim is to minimise the damage caused by an incident and prevent further damage. For example, we can prevent our adversary from accessing other devices by containing infected devices. Containment is a fantastic way to preserve and record evidence that can be used in forensic analysis.
Effective containment is essential in restoring normal operations. Once a threat has been successfully contained, normal day-to-day operations can continue.
Threat intelligence, briefly, is the knowledge gained from collecting and analyzing intelligence about a threat actor. Intelligence such as IP addresses can be used to identify a specific threat actor or, for example, analyse their tactics, techniques, and procedures (TTPs). More on this later.
Learning Objectives:
By the end of the room, you should be able to:
- Recognise potential threat intelligence.
- Analyse threat intelligence to understand how an adversary operates.
- Understand what containment involves and some of the approaches that can be taken with their pros and cons.
Room Pre-requisites
This room expects you to have:
- At least an understanding that the ATT&CK framework exists.
- Familiarity with IP addresses, i.e., knowing what an IP address (private and public) looks like.
- At least an awareness of adversary techniques, i.e., lateral movement, etc.
- The ability to identify what a hash looks like. I highly recommend checking out the Preparation room that is a part of this module.
