Threat Intel Enrichment and ATT&CK

Purpose and Scope

Threat intelligence enrichment adds context to raw indicators, transforming hashes, IPs, and domains into actionable intelligence. This playbook covers enrichment workflows, threat intelligence platforms, and mapping activity to MITRE ATT&CK for standardized communication and detection coverage analysis.

Prerequisites

• Threat intelligence access: Commercial feeds (Recorded Future, Mandiant, CrowdStrike), open source (OTX, Abuse.ch, MISP)
• Enrichment tools: VirusTotal, urlscan.io, Shodan, PassiveTotal/RiskIQ
• MITRE ATT&CK Navigator: For technique mapping and coverage visualization
• SIEM or SOAR: Platform to integrate enrichment into workflows

Detection Goals

Enrichment helps answer:

• Is this indicator known to be malicious?
• What threat actors or campaigns use this indicator?
• What techniques does this activity represent?
• How should this finding be prioritized?
• What related indicators should we search for?

Indicator Types and Enrichment Sources

File Hashes (MD5, SHA1, SHA256)

• VirusTotal: AV detection rates, sandbox behavior, community comments
• Hybrid Analysis: Detailed sandbox reports
• MalwareBazaar: Malware sample database
• Commercial TI: Attribution to threat actors and campaigns

IP Addresses

• VirusTotal: Associated files, URLs, passive DNS
• Shodan/Censys: Open ports, services, banners
• AbuseIPDB: Abuse reports and confidence scores
• Geolocation: Country, ASN, hosting provider
• Blocklists: Spamhaus, Emerging Threats

Domains

• WHOIS: Registration date, registrant, registrar
• Passive DNS: Historical IP resolutions
• urlscan.io: Page screenshots and resource analysis
• Domain age: Newly registered domains are higher risk
• Certificate transparency: Related certificates and subdomains

URLs

• urlscan.io: Visual scan, DOM analysis, network requests
• VirusTotal: URL reputation across multiple engines
• PhishTank: Community verified phishing URLs
• Google Safe Browsing: Blocklist status

Enrichment Workflow

1. Normalize and Deduplicate

• Standardize indicator formats (defang, lowercase)
• Deduplicate indicators before querying
• Validate indicator format (valid IP, hash length)

2. Query Multiple Sources

• Start with high value, low cost sources
• Layer in commercial intelligence for priority indicators
• Cache results to reduce API calls
• Respect rate limits

3. Aggregate and Score

• Combine verdicts from multiple sources
• Weight sources by reliability
• Generate a confidence score
• Flag conflicting verdicts for manual review

4. Add Context

• Link to threat actor profiles
• Associate with known campaigns
• Map to MITRE ATT&CK techniques
• Add timestamps for indicator freshness

MITRE ATT&CK Mapping

Why Map to ATT&CK

• Standardized language for communicating threats
• Enables coverage gap analysis
• Supports detection engineering prioritization
• Facilitates threat hunting hypothesis generation
• Aligns with industry threat reports

Mapping Process

1. Identify the behavior or artifact observed
2. Determine which tactic applies (what the attacker is trying to achieve)
3. Select the most specific technique and sub technique
4. Document the data sources and detection logic
5. Link to the detection rule or hunt query

Common Mappings

• Phishing email: T1566 (Phishing)
• Malicious macro: T1204.002 (User Execution: Malicious File)
• PowerShell download: T1059.001 (Command and Scripting Interpreter: PowerShell) + T1105 (Ingress Tool Transfer)
• Scheduled task persistence: T1053.005 (Scheduled Task)
• Lateral movement via SMB: T1021.002 (SMB/Windows Admin Shares)

ATT&CK Navigator

Use the ATT&CK Navigator to:

• Visualize detection coverage
• Identify gaps in technique coverage
• Compare coverage against threat actor profiles
• Prioritize detection engineering efforts

Threat Intelligence Platforms

Open Source Options

• MISP: Threat intelligence sharing platform
• OpenCTI: Cyber threat intelligence platform
• AlienVault OTX: Community threat exchange

Commercial Options

• Recorded Future: Broad intelligence with predictive analytics
• Mandiant Advantage: Deep threat actor intelligence
• CrowdStrike Falcon X: Automated indicator analysis
• Anomali ThreatStream: TI aggregation and management

Integrating Enrichment into Operations

SIEM Integration

• Enrich alerts with TI context at ingestion or alert time
• Create lookup tables for known IOCs
• Tag alerts with ATT&CK techniques
• Prioritize alerts based on TI confidence

SOAR Playbooks

• Automate enrichment as first step in triage
• Route high confidence IOCs to blocking actions
• Escalate hits on priority threat actors
• Generate reports with enriched context

Investigation Workflow

1. Extract indicators from alert or hunt finding
2. Enrich indicators using multiple sources
3. Map observed behavior to ATT&CK techniques
4. Search for related indicators in TI platforms
5. Correlate with internal telemetry
6. Document findings with standardized mapping

Response Actions

• Block confirmed malicious indicators: Add to firewall, proxy, EDR blocklists
• Hunt for related activity: Search for associated indicators and techniques
• Update detection rules: Add new IOCs and behavioral patterns
• Share intelligence: Contribute to ISACs and community platforms

References

• MITRE ATT&CK: attack.mitre.org
• ATT&CK Navigator: mitre-attack.github.io/attack-navigator
• MISP Project: misp-project.org
• VirusTotal: virustotal.com
• urlscan.io: urlscan.io