threat-intelligence

Threat Intelligence Skill

Gather, analyze, and disseminate cyber threat intelligence with IOC extraction, threat actor profiling, and MITRE ATT&CK mapping.

Capabilities


  • IOC Extraction: Extract indicators from text, logs, and reports
  • IOC Management: Deduplicate, validate, and enrich indicators
  • Threat Profiling: Document threat actors and campaigns
  • ATT&CK Mapping: Map threats to MITRE ATT&CK framework
  • Intelligence Reports: Generate threat bulletins and assessments
  • Feed Processing: Parse and normalize threat feeds

Quick Start

```python
from cti_utils import IOCExtractor, ThreatActor, IntelReport

# Extract IOCs from text
extractor = IOCExtractor()
iocs = extractor.extract_from_text('''
Malware connects to 192.168.1.100 and evil.com.
Hash: d41d8cd98f00b204e9800998ecf8427e
''')
# Note: d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input, so a real
# report should treat it as a known-benign hash rather than an indicator.
print(iocs)

# Document threat actor
actor = ThreatActor('APT29', aliases=['Cozy Bear', 'The Dukes'])
actor.add_ttp('T1566', 'Phishing')
actor.set_motivation('espionage')

# Generate intel report
report = IntelReport('Emerging Ransomware Campaign')
report.add_ioc('ip', '10.0.0.1', 'C2 server')
print(report.generate())
```

Usage

IOC Extraction

Extract indicators of compromise from various text sources.
Example:
```python
from cti_utils import IOCExtractor

extractor = IOCExtractor()

# Extract from text
text = '''
The malware was downloaded from hxxp://malware[.]evil[.]com/payload.exe
It connects to C2 server at 192.168.100.50 on port 443.
The file hash is: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
Email originated from attacker@phishing.com
'''
iocs = extractor.extract_from_text(text)
print(f"IPs: {iocs['ip']}")
print(f"Domains: {iocs['domain']}")
print(f"URLs: {iocs['url']}")
print(f"Hashes: {iocs['hash']}")
print(f"Emails: {iocs['email']}")

# Defang/refang IOCs
defanged = extractor.defang('http://evil.com')    # hxxp://evil[.]com
refanged = extractor.refang('hxxp://evil[.]com')  # http://evil.com

# Validate IOCs
valid = extractor.validate_ioc('ip', '192.168.1.1')         # True
invalid = extractor.validate_ioc('ip', '999.999.999.999')   # False
```
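The extraction, defang/refang and validation steps above, as an added self-contained example; this is not the cti_utils implementation (which the page does not show) but standard-library Python written to illustrate the same operations. The sample text is constructed for the example and mirrors the one above with a CVE line added. Two details the README example does not make visible: refanging runs before any regex so that hxxp://malware[.]evil[.]com is caught, and IPv4 candidates found by regex are confirmed with ipaddress, which is what rejects 192.168.1.256 and also accepts IPv6.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample input for this example (the README text plus a CVE line).
SAMPLE_TEXT = '''
The malware was downloaded from hxxp://malware[.]evil[.]com/payload.exe
It connects to C2 server at 192.168.100.50 on port 443.
The file hash is: a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
Email originated from attacker@phishing.com
The dropper exploits CVE-2024-12345.
'''

HASH_LENGTHS = {32: 'md5', 40: 'sha1', 64: 'sha256'}

PATTERNS = {
    # IPv4 candidates only: a regex cannot reject 192.168.1.256, ipaddress can.
    'ip': re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b'),
    'url': re.compile(r'''\bhttps?://[^\s'"<>]+''', re.IGNORECASE),
    'email': re.compile(r'\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b'),
    'domain': re.compile(r'\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b', re.IGNORECASE),
    'hash': re.compile(r'\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b', re.IGNORECASE),
    'cve': re.compile(r'\bCVE-\d{4}-\d{4,}\b', re.IGNORECASE),
}


def refang(text):
    """Undo common defanging so the extraction regexes see real indicators."""
    out = re.sub(r'\b(h)xxp(s?://)', r'\g<1>ttp\g<2>', text, flags=re.IGNORECASE)
    for bracketed, plain in (('[.]', '.'), ('(.)', '.'), ('{.}', '.'), ('[@]', '@'), ('[:]', ':')):
        out = out.replace(bracketed, plain)
    return out


def defang(ioc):
    """Make one indicator safe to paste into a report or chat: hxxp:// and [.]"""
    out = re.sub(r'\b(h)ttp(s?://)', r'\g<1>xxp\g<2>', ioc, flags=re.IGNORECASE)
    return out.replace('.', '[.]').replace('@', '[@]')


def validate_ioc(ioc_type, value):
    """Strict validation of a single indicator value; returns True or False."""
    if ioc_type == 'ip':
        try:
            ipaddress.ip_address(value)  # IPv4 and IPv6; rejects octets above 255
            return True
        except ValueError:
            return False
    if ioc_type == 'hash':
        return len(value) in HASH_LENGTHS and re.fullmatch(r'[0-9a-fA-F]+', value) is not None
    pattern = PATTERNS.get(ioc_type)
    return pattern is not None and pattern.fullmatch(value) is not None


def extract_from_text(text):
    """Return {ioc_type: sorted list of unique, validated values}."""
    clean = refang(text)
    found = {kind: set() for kind in PATTERNS}
    # URLs and e-mails first, then mask them so their fragments (payload.exe,
    # the mailbox part) are not re-extracted as stray domains.
    for url in PATTERNS['url'].findall(clean):
        url = url.rstrip('.,;:)')
        found['url'].add(url)
        host = urlparse(url).hostname or ''
        if host and not validate_ioc('ip', host):
            found['domain'].add(host.lower())  # URL host is a pivot in its own right
    for email in PATTERNS['email'].findall(clean):
        found['email'].add(email.lower())
        found['domain'].add(email.split('@', 1)[1].lower())  # sender domain
    masked = PATTERNS['url'].sub(' ', clean)
    masked = PATTERNS['email'].sub(' ', masked)
    for kind in ('ip', 'domain', 'hash', 'cve'):
        for value in PATTERNS[kind].findall(masked):
            if validate_ioc(kind, value):
                found[kind].add(value.upper() if kind == 'cve' else value.lower())
    return {kind: sorted(values) for kind, values in found.items()}


if __name__ == '__main__':
    for kind, values in extract_from_text(SAMPLE_TEXT).items():
        print(f'{kind}: {[defang(v) for v in values]}')  # defang only at output time
```

The domain list deliberately includes the host of every URL and the domain of every sender address; if you only want domains that appear on their own, drop those two add() calls.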

IOC Management

Manage collections of indicators with context. Every indicator carries its own confidence and source so that a downstream consumer can weigh it. The values below (RFC 1918 addresses, a truncated hash) are placeholders and must be replaced with the observed ones before anything is exported or blocked.
Example:
```python
from cti_utils import IOCCollection

collection = IOCCollection('Campaign-2024-001')

# Add IOCs with context
collection.add_ioc(
    ioc_type='ip',
    value='192.168.1.100',
    context='C2 server',
    confidence='high',
    source='Sandbox analysis'
)
collection.add_ioc(
    ioc_type='domain',
    value='malware.evil.com',
    context='Payload delivery',
    confidence='medium',
    source='Network logs'
)
collection.add_ioc(
    ioc_type='hash',
    value='a1b2c3d4e5f6...',
    context='Ransomware executable',
    confidence='high',
    source='EDR'
)

# Deduplicate
collection.deduplicate()

# Export formats
print(collection.to_csv())
print(collection.to_json())
print(collection.to_stix())  # STIX 2.1 format
```
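A worked deduplication and STIX 2.1 export, added here as illustration; it is not the IOCCollection in cti_utils, and the confidence-word-to-number mapping, the use of the description field for sources, and the sample values are assumptions made for the example. It shows what a to_stix() output needs for a TIP or TAXII server to accept it (one indicator object per observable with a STIX pattern, pattern_type, spec_version 2.1 and valid_from) and why deduplication should key on a normalized value: a defanged or differently-cased spelling of an indicator already in the collection is folded into it, keeping the strongest confidence and the union of sources.

```python
import json
import uuid
from datetime import datetime, timezone

# Confidence words used on this page mapped to the STIX 0-100 scale (assumed mapping).
CONFIDENCE = {'low': 30, 'medium': 60, 'high': 85}
HASH_NAMES = {32: 'MD5', 40: 'SHA-1', 64: 'SHA-256'}
STIX_TEMPLATES = {
    'domain': "[domain-name:value = '{v}']",
    'url': "[url:value = '{v}']",
    'email': "[email-addr:value = '{v}']",
}


def normalize(ioc_type, value):
    """Canonical form used as the dedup key: refang brackets, trim, fold case."""
    value = value.strip().replace('[.]', '.').replace('[@]', '@').replace('hxxp', 'http')
    if ioc_type in ('domain', 'email', 'hash'):
        value = value.lower()
    return value


def stix_pattern(ioc_type, value):
    """STIX 2.1 comparison expression for one observable, or None if it has none."""
    value = value.replace('\\', '\\\\').replace("'", "\\'")
    if ioc_type == 'ip':
        return f"[{'ipv6' if ':' in value else 'ipv4'}-addr:value = '{value}']"
    if ioc_type == 'hash':
        algo = HASH_NAMES.get(len(value))
        return f"[file:hashes.'{algo}' = '{value}']" if algo else None
    template = STIX_TEMPLATES.get(ioc_type)
    return template.format(v=value) if template else None  # e.g. a CVE is not an observable


class IOCCollection:
    def __init__(self, name):
        self.name = name
        self.iocs = []

    def add_ioc(self, ioc_type, value, context='', confidence='medium', source=''):
        self.iocs.append({'type': ioc_type, 'value': normalize(ioc_type, value),
                          'context': context, 'confidence': confidence,
                          'sources': [source] if source else []})

    def deduplicate(self):
        """Merge entries with the same (type, value); returns how many were folded."""
        merged = {}
        for rec in self.iocs:
            key = (rec['type'], rec['value'])
            keep = merged.get(key)
            if keep is None:
                merged[key] = dict(rec, sources=list(rec['sources']))
                continue
            # Keep the strongest confidence, union the sources, keep distinct context.
            if CONFIDENCE[rec['confidence']] > CONFIDENCE[keep['confidence']]:
                keep['confidence'] = rec['confidence']
            keep['sources'] += [s for s in rec['sources'] if s not in keep['sources']]
            if rec['context'] and rec['context'] not in keep['context']:
                keep['context'] = '; '.join(filter(None, [keep['context'], rec['context']]))
        removed = len(self.iocs) - len(merged)
        self.iocs = list(merged.values())
        return removed

    def to_stix_objects(self):
        now = datetime.now(timezone.utc).strftime('%Y-%m-%dT%H:%M:%S.000Z')
        objects = []
        for rec in self.iocs:
            pattern = stix_pattern(rec['type'], rec['value'])
            if pattern is None:
                continue
            objects.append({
                'type': 'indicator', 'spec_version': '2.1',
                'id': f'indicator--{uuid.uuid4()}',
                'created': now, 'modified': now, 'valid_from': now,
                'name': rec['context'] or rec['value'],
                'description': f"{self.name}; sources: {', '.join(rec['sources'])}",
                'indicator_types': ['malicious-activity'],
                'pattern': pattern, 'pattern_type': 'stix',
                'confidence': CONFIDENCE[rec['confidence']],
            })
        return objects

    def to_stix(self):
        """STIX 2.1 bundle as JSON text."""
        return json.dumps({'type': 'bundle', 'id': f'bundle--{uuid.uuid4()}',
                           'objects': self.to_stix_objects()}, indent=2)


if __name__ == '__main__':
    collection = IOCCollection('Campaign-2024-001')  # constructed sample data
    collection.add_ioc('ip', '192.168.1.100', 'C2 server', 'high', 'Sandbox analysis')
    collection.add_ioc('ip', '192[.]168[.]1[.]100', 'C2 server', 'medium', 'Network logs')
    collection.add_ioc('hash', 'A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4', 'Ransomware executable', 'high', 'EDR')
    print(f'folded {collection.deduplicate()} duplicate(s)')
    print(collection.to_stix())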

Threat Actor Profiling

Document threat actors and their characteristics.
Example:
```python
from cti_utils import ThreatActor

actor = ThreatActor(
    name='APT29',
    aliases=['Cozy Bear', 'The Dukes', 'YTTRIUM']
)

# Set attributes
actor.set_motivation('espionage')
actor.set_sophistication('advanced')
actor.set_origin('Russia')

# Add TTPs (MITRE ATT&CK)
actor.add_ttp('T1566.001', 'Spearphishing Attachment')
actor.add_ttp('T1059.001', 'PowerShell')
actor.add_ttp('T1071.001', 'Web Protocols')
actor.add_ttp('T1486', 'Data Encrypted for Impact')

# Add targeting
actor.add_target_sector('Government')
actor.add_target_sector('Healthcare')
actor.add_target_region('North America')
actor.add_target_region('Europe')

# Add tools
actor.add_tool('Cobalt Strike')
actor.add_tool('Mimikatz')

# Add infrastructure (placeholder values)
actor.add_infrastructure('ip', '192.168.1.100', 'C2 server')
actor.add_infrastructure('domain', 'actor-c2.com', 'Primary C2')

# Generate profile
print(actor.generate_profile())
```

Campaign Tracking

Track threat campaigns over time.
Example:
```python
from cti_utils import Campaign

campaign = Campaign(
    name='Operation DarkSide',
    first_seen='2024-01-01',
    threat_actor='APT29'
)

# Add campaign details
campaign.set_description('''
Targeted campaign against financial institutions using
spearphishing emails with malicious Excel attachments.
''')
campaign.set_objective('Financial theft and espionage')

# Add IOCs
campaign.add_ioc('domain', 'campaign-c2.evil.com')
campaign.add_ioc('hash', 'abc123...', 'Excel dropper')

# Add TTPs
campaign.add_ttp('T1566.001', 'Initial access via phishing')
campaign.add_ttp('T1059.005', 'VBA macro execution')

# Add targets
campaign.add_target('Financial Services', 'North America')

# Timeline events
campaign.add_event('2024-01-01', 'First phishing emails observed')
campaign.add_event('2024-01-05', 'New C2 infrastructure identified')
campaign.add_event('2024-01-10', 'Malware variant updated')

# Generate report
print(campaign.generate_report())
```

MITRE ATT&CK Mapping

Map threats to the ATT&CK framework.
Example:
```python
from cti_utils import ATTACKMapper

mapper = ATTACKMapper()

# Map techniques
mapper.add_technique('T1566.001', 'Spearphishing used for initial access')
mapper.add_technique('T1059.001', 'PowerShell scripts executed')
mapper.add_technique('T1055', 'Process injection observed')
mapper.add_technique('T1486', 'Files encrypted with ransomware')

# Generate matrix view
print(mapper.generate_matrix())

# Get technique details
print(mapper.get_technique_info('T1566.001'))

# Export for ATT&CK Navigator
mapper.export_navigator('attack_layer.json')
```
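An added example of the mapping, matrix view and Navigator export; it is not the ATTACKMapper from cti_utils. The embedded ATT&CK subset covers only the techniques used on this page (the skill itself embeds the full technique data, per the Limitations section), and the version strings in the layer (attack 14, navigator 4.9.1, layer 4.5) are assumptions to adjust for the Navigator build you use. It shows the two checks a mapper should make before charting anything, that the ID has the T####[.###] shape and that it exists in the technique data, and it places a technique that belongs to two tactics (T1055) in both columns, which is how the Navigator layer format expects it.

```python
import json
import re

TECHNIQUE_ID = re.compile(r'^T\d{4}(?:\.\d{3})?$')

# Constructed subset of ATT&CK Enterprise: technique -> (name, tactics).
# Only the techniques referenced on this page are included.
ATTACK_DATA = {
    'T1566': ('Phishing', ['initial-access']),
    'T1566.001': ('Spearphishing Attachment', ['initial-access']),
    'T1059.001': ('PowerShell', ['execution']),
    'T1059.005': ('Visual Basic', ['execution']),
    'T1055': ('Process Injection', ['defense-evasion', 'privilege-escalation']),
    'T1071.001': ('Web Protocols', ['command-and-control']),
    'T1486': ('Data Encrypted for Impact', ['impact']),
}

# Enterprise tactics in matrix (kill-chain) order, used to order the matrix view.
TACTIC_ORDER = ['reconnaissance', 'resource-development', 'initial-access', 'execution',
                'persistence', 'privilege-escalation', 'defense-evasion', 'credential-access',
                'discovery', 'lateral-movement', 'collection', 'command-and-control',
                'exfiltration', 'impact']


class ATTACKMapper:
    def __init__(self, domain='enterprise-attack'):
        self.domain = domain
        self.techniques = {}  # technique id -> list of evidence strings

    def add_technique(self, technique_id, evidence):
        if not TECHNIQUE_ID.match(technique_id):
            raise ValueError(f'malformed ATT&CK technique id: {technique_id!r}')
        if technique_id not in ATTACK_DATA:
            raise KeyError(f'unknown technique {technique_id} (not in embedded data)')
        self.techniques.setdefault(technique_id, []).append(evidence)

    def get_technique_info(self, technique_id):
        name, tactics = ATTACK_DATA[technique_id]
        parent = technique_id.split('.')[0]
        return {'id': technique_id, 'name': name, 'tactics': tactics,
                'parent': parent if parent != technique_id else None,
                'url': f"https://attack.mitre.org/techniques/{technique_id.replace('.', '/')}/"}

    def generate_matrix(self):
        """Tactic -> sorted technique ids; a multi-tactic technique appears under each."""
        matrix = {}
        for tid in self.techniques:
            for tactic in ATTACK_DATA[tid][1]:
                matrix.setdefault(tactic, []).append(tid)
        return {t: sorted(matrix[t]) for t in TACTIC_ORDER if t in matrix}

    def navigator_layer(self, name):
        """ATT&CK Navigator layer dict; score = number of observations of the technique."""
        techniques = []
        for tid, evidence in self.techniques.items():
            for tactic in ATTACK_DATA[tid][1]:
                techniques.append({'techniqueID': tid, 'tactic': tactic,
                                   'score': len(evidence), 'comment': '; '.join(evidence),
                                   'enabled': True, 'showSubtechniques': True})
        return {
            'name': name, 'domain': self.domain,
            'versions': {'attack': '14', 'navigator': '4.9.1', 'layer': '4.5'},  # assumed
            'description': 'Generated from observed TTPs',
            'techniques': techniques,
            'gradient': {'colors': ['#ffffff', '#ff6666'], 'minValue': 0,
                         'maxValue': max((t['score'] for t in techniques), default=1)},
        }

    def export_navigator(self, path, name='Observed TTPs'):
        with open(path, 'w', encoding='utf-8') as fh:
            json.dump(self.navigator_layer(name), fh, indent=2)


if __name__ == '__main__':
    mapper = ATTACKMapper()
    mapper.add_technique('T1566.001', 'Spearphishing used for initial access')
    mapper.add_technique('T1055', 'Process injection observed')
    mapper.add_technique('T1486', 'Files encrypted with ransomware')
    print(json.dumps(mapper.generate_matrix(), indent=2))
    mapper.export_navigator('attack_layer.json')
```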

Intelligence Reports

Generate threat intelligence reports. The classification is a TLP label; under TLP 2.0, TLP:AMBER output may be shared only within the recipient's organization and its clients on a need-to-know basis, so the label must be carried on every generated artifact.
Example:
```python
from cti_utils import IntelReport

report = IntelReport(
    title='Emerging Ransomware Campaign Targeting Healthcare',
    classification='TLP:AMBER'
)

# Executive summary
report.set_summary('''
A new ransomware campaign has been identified targeting healthcare
organizations in North America. The campaign uses phishing emails
with malicious attachments to gain initial access.
''')

# Key findings
report.add_finding('New ransomware variant identified: "MedLocker"')
report.add_finding('Campaign active since January 2024')
report.add_finding('At least 5 healthcare organizations targeted')

# Add IOCs
report.add_ioc('hash', 'abc123...', 'Ransomware executable')
report.add_ioc('domain', 'medlocker-payment.onion', 'Payment portal')
report.add_ioc('ip', '192.168.1.100', 'C2 server')

# Add TTPs
report.add_ttp('T1566.001', 'Phishing with malicious attachments')
report.add_ttp('T1486', 'Data encryption')

# Recommendations
report.add_recommendation('Block IOCs at perimeter')
report.add_recommendation('Update endpoint detection signatures')
report.add_recommendation('Conduct phishing awareness training')

# Generate outputs
print(report.generate())
print(report.generate_executive_brief())
```

Configuration

Environment Variables

| Variable | Description | Required | Default |
|---|---|---|---|
| CTI_FEED_API_KEY | API key for threat feeds | No | None |
| CTI_OUTPUT_DIR | Output directory for reports | No | ./output |

Supported IOC Types

  • ip - IPv4 and IPv6 addresses
  • domain - Domain names
  • url - Full URLs
  • hash - MD5, SHA1, SHA256 hashes
  • email - Email addresses
  • cve - CVE identifiers

Limitations

  • No Live Feeds: Feed fetching requires manual configuration
  • Offline ATT&CK: Uses embedded technique data
  • No Enrichment APIs: External enrichment not included

Troubleshooting

Invalid IOC Format

IOC validation uses standard regex patterns. Each IPv4 octet must be in the range 0-255, so a value that is four dotted numbers but exceeds that range is still rejected:
```python
# Valid
extractor.validate_ioc('ip', '192.168.1.1')  # True

# Invalid
extractor.validate_ioc('ip', '192.168.1.256')  # False
```

Defanging Issues

Use a consistent defanging format. Mixed conventions for the same indicator (hxxp://, [.], (.), [:]) defeat equality-based deduplication, so refang before comparing or storing and defang only when rendering output:
```python
# Standard defanging
extractor.defang('http://evil.com')
# Returns: hxxp://evil[.]com
```

Related Skills

  • incident-response: Apply CTI during incidents
  • soc-operations: CTI-informed detection
  • research: General research capabilities

References
