In today's digital world, organizations face constant cyber threats. This room will teach you how cybersecurity professionals act like detectives, using clues and intelligence to find, understand, and stop attacks before they cause harm.

Think of threat intelligence as the "news and research" about cyber attackers, and Indicators of Compromise (IOCs) as the specific "fingerprints" or "footprints" they leave behind. By the end of this room, you'll understand these core concepts and how they form the foundation of proactive cybersecurity.

What You Will Learn

• The core principles of cyber threat intelligence and its real-world value.
• What Indicators of Compromise (IOCs) are and the common types you will encounter.
• The step-by-step process analysts use to investigate IOCs.
• How threat intelligence feeds and platforms help automate defense.

Prerequisites

• Basic understanding of computer networks (like IP addresses).
• General knowledge of what malware and cyber attacks are.
• No prior experience with threat intelligence is required.

Optional Video

This optional video explains the core concepts of threat intelligence and Indicators of Compromise (IOCs) using a helpful detective analogy. It covers the "why" and "what" of these tools, providing a solid audio-visual introduction to the topics you'll explore in depth during this room. Watching it is helpful but not required to complete the room.

Have you ever checked a weather forecast before going out? Just as a forecast uses data (temperature, radar) to predict rain and help you decide to carry an umbrella, threat intelligence uses data about cyber attackers to predict and prevent digital storms. In simple terms, threat intelligence is information about current and potential cyber threats that helps organizations defend themselves.

It answers critical questions for security teams: Who might attack us? What tools will they use? How can we spot them early? This transforms security from a reactive "clean-up after the breach" job to a proactive "lock the doors before the burglar arrives" mission.

The Three Levels of Threat Intelligence

Threat intelligence isn't one-size-fits-all; it serves different people in an organization, from the CEO to the security analyst. We categorize it into three main levels:

Strategic Intelligence: The "big picture." This is for executives and decision-makers. It deals with long-term trends, risks, and the overall threat landscape. Example: A report showing that ransomware attacks against healthcare are increasing by 30% this year.

Operational Intelligence: The "campaign details." This helps security managers understand specific threat actors and their ongoing operations. It focuses on the "who, why, and how" of an attack campaign. Example: Intelligence that a known hacker group is planning to target financial institutions in your region next week.

Tactical Intelligence: The "technical fingerprints." This is the detailed, actionable data used by security analysts and tools to block attacks. It includes the specific Indicators of Compromise (IOCs) like malicious IP addresses, file hashes, and suspicious domain names. Example: A list of 50 malicious IP addresses associated with a new botnet.

Threat Intelligence Levels Comparison

Level	Who Uses It?	Main Purpose	Example
Strategic	Executives, Board	Long-term planning, budgeting, risk management	"Ransomware is the top threat to our industry this year."
Operational	Security Managers, Incident Responders	Understanding specific campaigns and threat actors	"Hacker group 'Alpha' is targeting our sector using phishing emails."
Tactical	Security Analysts, Automated Tools	Immediate detection and blocking of attacks	"Block traffic from IP `192.0.2.1` and delete files with hash `abc123`."

Where Does This Intelligence Come From?

Threat intelligence is gathered from many sources: commercial feeds from security companies, information sharing communities, public reports, and data from an organization's own security tools (like firewalls and antivirus logs). This collective knowledge makes every defender smarter.

In the previous task, we learned that Tactical Intelligence consists of specific, technical data used to block attacks. The most critical pieces of this data are called Indicators of Compromise, or IOCs.

If Threat Intelligence is the "detective's case file" on a criminal gang, then IOCs are the individual fingerprints, footprints, and stray hairs left at the scene of a crime. They are the forensic evidence of a cyber attack.

What Exactly is an IOC?

An IOC is a piece of data-such as a hash, an IP address, or a filename-that suggests a system or network may have been compromised by a malicious activity. Finding an IOC doesn't always mean you've been hacked, but it's a strong clue that you should investigate immediately.

Common Types of IOCs

Attackers leave behind many types of clues. Here are some of the most common IOCs that security tools scan for and analysts investigate:

• File Hash (MD5/SHA-256): A unique "fingerprint" for a file. If a file on your computer has the same hash as a known malware file, it's almost certainly malicious.
  Example: a1b2c3d4e5f6789012345678901234567
• Malicious IP Address/Domain: The internet address of a server used by attackers to control malware or steal data.
  Example: IP 192.0.2.1 or Domain malicious-traffic.com
• Suspicious File Path/Name: Unusual locations or names of files that are common in attacks.
  Example: C:\Windows\Temp\invoice.exe (an executable in a temporary folder)
• Unusual User Behavior: Activity that deviates from a user's normal pattern, like logging in at 3 a.m. or accessing massive amounts of data.
  Example: An accounting employee suddenly trying to download all client databases.

IOC Types Reference Table

IOC Type	What It Is	Example	What It Tells an Analyst
File Hash	A unique digital fingerprint of a file.	5f4dcc3b5aa765d61d8327deb882cf99	"This specific file is known malware."
IP Address	The numeric address of a computer on the internet.	203.0.113.10	"This server is known for malicious activity."
Domain Name	A human-readable website address.	download-malware.fake	"This website is used for phishing or hosting malware."
File Path	The location and name of a file on a system.	C:\Users\Public\update.scr	"Malware often hides in this location with this name."

Putting It Together: A Simple Scenario

Imagine you're a security analyst. An employee reports their computer is running very slowly. You check the security logs and find:

1. A file in the Temp folder with a hash that matches known ransomware.
2. Network connections to an IP address on a threat intelligence blacklist.
3. Several failed login attempts at 2:00 AM local time.

Each of these is an IOC. Together, they form a clear picture: the computer is likely infected with ransomware that is trying to communicate with an attacker's server. You can now isolate the computer to prevent the infection from spreading.

Now that you know what IOCs are, let's see how a cybersecurity analyst actually works with them. IOC analysis is a systematic process, like following a recipe or a detective's checklist. It turns a raw clue-like a suspicious IP address-into actionable understanding.

You don't just get an IOC and immediately shut down a server. You investigate it to answer: Is this malicious? How severe is it? What should we do?

The IOC Analysis Process: A Step-by-Step Guide

Here is a common workflow analysts use:

1. Collect & Triage: IOCs come from alerts, reports, or intelligence feeds. The analyst first triages them: How urgent is this? A malware hash is usually critical; a single failed login might be lower priority.
2. Investigate & Enrich: This is the core research phase. The analyst uses tools to add context. Is this IP on any blocklists? Has this file hash been seen before? What do other sources say?
3. Determine Action: Based on the investigation, the analyst decides on a response. Options include:
   • Block: Update firewalls to block the malicious IP.
   • Contain: Isolate the infected computer from the network.
   • Alert: Notify other team members.
   • Monitor: If the threat is low, just watch for more activity.
4. Document: Every step and finding is recorded. This helps with future investigations and improves the team's knowledge.

Walkthrough Example: Analyzing a Suspicious IP

Let's follow the steps with a fake example. Your security tool flags the IP address 198.51.100.25 for suspicious outbound connections.

• Step 1 (Triage): An unknown IP making outbound connections is medium priority. We investigate.
• Step 2 (Investigate & Enrich): You paste the IP into a few places:
  • A threat intelligence platform or a free service like VirusTotal's "Search" function. The results show it's listed on 3 out of 50 security vendors' blocklists, tagged as part of a "phishing campaign."
  • A WHOIS lookup shows the IP was registered very recently, which is often a red flag.
• Step 3 (Determine Action): The evidence suggests this IP is malicious. You create a ticket to block this IP at the company firewall.
• Step 4 (Document): You note the IP, your findings, the sources checked, and the action taken in the case ticket.

IOC Analysis Reference Table

IOC Type	Common Analysis Action	Example Tool/Resource (Concept)
File Hash	Check if the hash matches known malware databases.	VirusTotal, MalwareBazaar
IP Address	Check if the IP is on threat intelligence blocklists.	AbuseIPDB, VirusTotal, commercial threat feeds
Domain Name	Check domain registration details and reputation.	WHOIS lookup, URL scanners like URLhaus
Strange Behavior	Review user logs and system activity for patterns.	SIEM (Security Information & Event Management) logs

Congratulations! You've taken your first steps into the proactive side of cybersecurity, learning how defenders use information and evidence to stop attacks.

What You've Learned

• Threat Intelligence is organized information about cyber threats that helps organizations defend proactively. It operates at Strategic, Operational, and Tactical levels.
• Indicators of Compromise (IOCs) are the forensic "clues" or "fingerprints" of an attack, such as malicious file hashes, IP addresses, and suspicious behavior.
• IOC Analysis is a systematic process. Analysts triage, investigate, and enrich IOCs with context from tools and threat feeds before deciding on an action like blocking or containment.
• The combination of broad threat intelligence and specific IOC analysis shifts security from a reactive cleanup job to a proactive hunting mission.

Well done. Keep building your detective skills!