L2 Threat Intel
Chapter 8: Threat Intelligence
Cyber Threat Intelligence Lifecycle
The 6 Phases of the CTI Lifecycle
| # | Phase | Activity | Output |
|---|---|---|---|
| 1 | Direction | Define the intelligence needs (PIR, Priority Intelligence Requirements) | Requirements document |
| 2 | Collection | Collect data from OSINT, commercial feeds, dark web, internal telemetry | Raw data |
| 3 | Processing | Normalization, de-duplication, enrichment | Structured data (STIX format) |
| 4 | Analysis | Correlation, trend analysis, attribution, confidence assessment | Finished intelligence |
| 5 | Dissemination | Distribute to the right stakeholders (SOC, IR, management) | Reports, IOC feeds, briefings |
| 6 | Feedback | Evaluate whether the intel was useful, refine the requirements | Improved PIR |
Levels of Threat Intelligence
| Level | Audience | Example |
|---|---|---|
| Strategic | C-level, Board | Industry threat trends, geopolitical risk, threat landscape reports |
| Operational | SOC Manager, IR Lead | APT campaign details, TTPs, targeted sectors |
| Tactical | SOC Analyst, IR | IOC feeds, detection rules, malware family behavior |
| Technical | SIEM, Firewall, EDR | IP, domain and hash blocklists for automated ingestion |
APT Groups
An APT (Advanced Persistent Threat) is a well-funded threat actor group (usually state-sponsored) with a high level of capability and persistence. As an L2 analyst, you must be familiar with the major APT groups.
| Group | Alias | Attribution | Targets | Signature Techniques |
|---|---|---|---|---|
| APT28 | Fancy Bear, Sofacy | Russia (GRU) | Government, military, media | Spear phishing, zero-days, credential harvesting |
| APT29 | Cozy Bear | Russia (SVR) | Government, think tanks | Supply chain (SolarWinds), stealth, long dwell time |
| APT41 | Winnti, Double Dragon | China | Healthcare, telecom, gaming | Supply chain, dual espionage + financial crime |
| Lazarus | APT38, Hidden Cobra | North Korea | Financial, crypto, defense | Destructive malware, cryptocurrency theft, social engineering |
| APT33 | Elfin, Refined Kitten | Iran | Energy, aerospace, government | Spear phishing, destructive wiper malware |
Resource: the MITRE ATT&CK Groups page (attack.mitre.org/groups) has a full profile of every APT group, including the software and techniques they use.
YARA & Sigma Rules
YARA Rules: Pattern Matching for Malware
YARA is used to identify and classify malware based on patterns (strings, byte sequences, conditions).
```yara
rule Detect_CobaltStrike_Beacon {
    meta:
        description = "Detects Cobalt Strike Beacon payload"
        author = "SOC Team"
        severity = "high"
    strings:
        $s1 = "beacon.dll" ascii wide
        $s2 = "ReflectiveLoader" ascii
        $s3 = { 4D 5A 90 00 }                 // MZ header
        $s4 = "%.4x%.4x%.4x%.4x%.4x"          // Beacon config pattern
        $pipe = "\\\\.\\pipe\\msagent_"       // Default named pipe
    condition:
        uint16(0) == 0x5A4D and               // Must be a PE file
        filesize < 1MB and
        (2 of ($s*) or $pipe)                 // grouped so the PE and size checks apply to both branches
}
```
Sigma Rules: Universal Detection Rules
Sigma is a standard format for writing detection rules that can be converted into the query language of any SIEM (Splunk, Sentinel, QRadar, ELK).
```yaml
title: Suspicious Encoded PowerShell Command
status: stable   # valid Sigma status values are stable, test, experimental, deprecated, unsupported
description: Detects PowerShell launched with an encoded command, a common malware technique
author: SOC Team
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - '-EncodedCommand'
            - '-enc '
            - '-e '
            - 'FromBase64String'
    filter:
        User|contains: 'SYSTEM'   # Exclude legitimate system processes
    condition: selection and not filter
level: high
tags:
    - attack.execution
    - attack.t1059.001
```
```bash
# Convert a Sigma rule into SIEM queries (sigmac is the legacy converter; the
# current tooling is sigma-cli, e.g. `sigma convert -t splunk rule.yml`):
sigmac -t splunk rule.yml     # → Splunk SPL
sigmac -t qradar rule.yml     # → QRadar AQL
sigmac -t sentinel rule.yml   # → Microsoft Sentinel KQL
```
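As an added example (not code from the original chapter), the Python below mirrors the detection logic of the Sigma rule above and runs it over constructed process_creation events, so you can see the selection, the list-as-OR matching and the SYSTEM filter behave before the rule is converted for a SIEM. It assumes Sigma's default case-insensitive string matching and implements only the modifiers this rule uses.

```python
# Added example, not from the original chapter: a minimal evaluator for the
# Sigma rule above. It supports only what that rule needs (|endswith, |contains,
# list = OR, the fixed condition "selection and not filter"); real converters
# such as sigma-cli handle the full specification.
RULE = {
    "selection": {
        "Image|endswith": "\\powershell.exe",
        "CommandLine|contains": ["-EncodedCommand", "-enc ", "-e ", "FromBase64String"],
    },
    "filter": {"User|contains": "SYSTEM"},
}

def field_matches(event, key, expected):
    """One 'Field|modifier' pair. Sigma matching is case-insensitive and a
    list value is an OR of alternatives."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for cand in (expected if isinstance(expected, list) else [expected]):
        cand = cand.lower()
        if modifier == "endswith" and value.endswith(cand):
            return True
        if modifier == "contains" and cand in value:
            return True
    return False

def search_matches(event, search):
    """All pairs inside one search identifier must hold (AND)."""
    return all(field_matches(event, k, v) for k, v in search.items())

def rule_fires(event, rule=RULE):
    """condition: selection and not filter"""
    return search_matches(event, rule["selection"]) and not search_matches(event, rule["filter"])

# Constructed sample events (not real telemetry); the base64 is just "ABC" in UTF-16LE.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"Image": PS, "CommandLine": "powershell.exe -NoP -W Hidden -Enc QQBCAEMA", "User": "CORP\\jdoe"},
    {"Image": PS, "CommandLine": "powershell.exe -EncodedCommand QQBCAEMA", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": PS, "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1", "User": "CORP\\svc_backup"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c certutil -encode x y", "User": "CORP\\jdoe"},
]

def matching_indices(events=EVENTS):
    """Indices the rule alerts on; event 1 is suppressed by the SYSTEM filter."""
    return [i for i, e in enumerate(events) if rule_fires(e)]

if __name__ == "__main__":
    for i in matching_indices():
        print(f"ALERT event {i}: {EVENTS[i]['CommandLine']}")
```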
Diamond Model of Intrusion Analysis
The Diamond Model structures intrusion analysis into 4 interrelated elements:
| Element | Question | Example |
|---|---|---|
| Adversary | Who is attacking? | APT29, cybercriminal group, insider |
| Infrastructure | What are they attacking with? | C2 server IP, phishing domain, malware hosting |
| Capability | How do they do it? | Exploit, malware family, TTPs |
| Victim | Who is the target? | A specific organization, user or system |
How to use it: when investigating an incident, fill in all four elements. This helps you to:
1) Link separate incidents that use the same infrastructure or capability.
2) Perform attribution, i.e. determine who the adversary is.
3) Predict the next attack based on the pattern.