Day 04 Threat Intel

Threat Intelligence and MITRE ATT&CK

~1 hour · Intermediate · Hands-on · Precision AI Academy

Today's Objective

IOC lifecycle, threat feeds, MITRE ATT&CK tactics and techniques, and the threat hunting workflow that finds attackers who have already bypassed your controls.

01

Incident Classification and Severity

Not every alert is a P1 incident. A severity framework: P1 (Critical) — active ransomware, ongoing data exfiltration, complete system compromise; P2 (High) — confirmed malware on multiple systems, compromised admin account; P3 (Medium) — single malware infection, policy violation; P4 (Low) — false positive, blocked attack attempt. Severity drives response time, staffing, and management notification requirements.

02

SOC Tools: SOAR and Case Management

SOAR (Security Orchestration, Automation, and Response) automates response actions triggered by SIEM alerts: isolating an infected host via EDR API, blocking a C2 IP in the firewall, and creating a ticket in the case management system. Platforms: Palo Alto XSOAR, Splunk SOAR, TheHive (open source). Case management tracks the full investigation lifecycle: evidence, timeline, analyst notes, and closure.

03

Communication During an Incident

Internal communication: IT leadership notified within 1 hour of P1 confirmation, senior management within 2 hours, legal/compliance within 4 hours. External communication: customers if PII is breached (GDPR 72-hour notification requirement, state breach notification laws). Law enforcement: FBI Cyber Division for nation-state/ransomware. Public statement: legal reviews before any external disclosure. Never confirm or deny to the media during an active incident.

TheHive case creation via API (POST /api/case), JSON request body:

```json
{
  "title": "P2: Suspected Cobalt Strike Beacon - WORKSTATION-42",
  "severity": 2,
  "tlp": 2,
  "tags": ["cobalt-strike", "lateral-movement", "T1059.001"],
  "description": "Sysmon detected powershell.exe network connection to known Cobalt Strike team server 198.51.100.10:443. Host isolated via CrowdStrike. Investigation ongoing.",
  "tasks": [
    {"title": "Isolate host", "status": "Completed"},
    {"title": "Memory acquisition", "status": "InProgress"},
    {"title": "Identify patient zero", "status": "Waiting"},
    {"title": "Scope lateral movement", "status": "Waiting"},
    {"title": "Draft stakeholder notification", "status": "Waiting"}
  ]
}
```
💡
Create case templates for common incident types (ransomware, BEC, data exfiltration) before you need them. When a real P1 hits at 2am, you want a checklist, not a blank page.
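As an added example (not part of the course material or TheHive's own code), a small Python playbook that stitches sections 01 to 03 together: classify an alert with the P1 to P4 framework, pick the SOAR actions the lesson lists, compute the P1 notification deadlines, and build the TheHive case body. The alert categories and the Alert shape are constructed for this example; TheHive's own severity field runs 1 (low) to 4 (critical), the inverse of the P numbering, so the mapping is inverted when the payload is built.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Severity framework from the lesson (P1 critical .. P4 low). The alert
# categories are a constructed taxonomy for this example, not a SIEM schema.
SEVERITY_BY_CATEGORY = {
    "ransomware_active": 1, "data_exfiltration": 1, "full_compromise": 1,
    "malware_multi_host": 2, "admin_account_compromised": 2,
    "malware_single_host": 3, "policy_violation": 3,
    "false_positive": 4, "blocked_attempt": 4,
}
# P1 internal notification clock from the lesson, in hours after confirmation.
P1_NOTIFICATIONS = {"IT leadership": 1, "senior management": 2, "legal/compliance": 4}

@dataclass
class Alert:                 # constructed alert shape, not a real SIEM schema
    host: str
    category: str
    c2_ip: str = ""          # set when the detection rule saw a C2 destination
    technique: str = ""      # ATT&CK technique id carried by the rule

def classify(alert: Alert) -> int:
    """Map an alert to P1..P4; unknown categories default to P2 so a human triages them."""
    return SEVERITY_BY_CATEGORY.get(alert.category, 2)

def plan_actions(alert: Alert, severity: int) -> list[str]:
    """SOAR actions from the lesson, gated so P3/P4 alerts only open a case."""
    actions = ["create_case"]
    if severity <= 2:
        actions.insert(0, f"isolate_host:{alert.host}")   # EDR API call
        if alert.c2_ip:
            actions.insert(1, f"block_ip:{alert.c2_ip}")  # firewall API call
    return actions

def notification_deadlines(severity: int, confirmed_at: str) -> dict[str, str]:
    """ISO-8601 deadlines for the P1 notifications; other severities have no clock here."""
    if severity != 1:
        return {}
    t0 = datetime.fromisoformat(confirmed_at)
    return {who: (t0 + timedelta(hours=h)).isoformat() for who, h in P1_NOTIFICATIONS.items()}

def build_case(alert: Alert, severity: int, actions: list[str]) -> dict:
    """TheHive /api/case body. TheHive rates severity 1 (low)..4 (critical), the inverse of P."""
    tasks = [{"title": a.split(":")[0].replace("_", " ").capitalize(), "status": "Completed"}
             for a in actions if a != "create_case"]
    tasks += [{"title": t, "status": "Waiting"}
              for t in ("Identify patient zero", "Scope lateral movement")]
    return {"title": f"P{severity}: {alert.category} - {alert.host}", "severity": 5 - severity,
            "tlp": 2, "tags": [t for t in (alert.category, alert.technique) if t], "tasks": tasks}
```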
📝 Day 4 Exercise
Set Up TheHive for Case Management
  1. Deploy TheHive using Docker: docker run -p 9000:9000 strangebee/thehive:latest
  2. Create a case template for 'Malware Infection' with 8 standard tasks
  3. Create a simulated P2 case using the Cobalt Strike scenario from the code example
  4. Link observables (IP, domain, hash) to the case and mark severity
  5. Practice the escalation flow: create the case, assign tasks, document findings, close with lessons learned

Day 4 Summary

Challenge

Create a complete SOC runbook for a ransomware incident. Include: detection criteria, P1 declaration checklist, isolation steps, evidence preservation, stakeholder communication template, and recovery checklist.

What's Next

The foundations from today carry directly into Day 5, where the focus shifts to Automation with SOAR and Python.

Day 4 Checkpoint

Before moving on, verify you can answer these without looking:

  • What is the core concept introduced in this lesson, and why does it matter?
  • What are the two or three most common mistakes practitioners make with this topic?
  • Can you explain the key code pattern from this lesson to a colleague in plain language?
  • What would break first if you skipped the safeguards or best practices described here?
  • How does today's topic connect to what comes in Day 5?

Live Bootcamp

Learn this in person — 2 days, 5 cities

Thu–Fri sessions in Denver, Los Angeles, New York, Chicago, and Dallas. $1,490 per seat. June–October 2026.
