Threat Intelligence Analysis Playbook

December 17, 20233 min read

Playbook Objectives:

  • To enhance the threat intelligence and analysis capabilities of the security team within a corporate environment.
  • To simulate a realistic cyber-attack scenario allowing the team to practice their response to such threats.
  • To identify potential security gaps within the current infrastructure and improve upon incident detection, handling, and response.
  • To provide a hands-on experience where analysts can apply threat intelligence to real-world situations.
  • To evaluate the effectiveness of current security controls and procedures.

Difficulty Level:

  • Advanced: This exercise is aimed at professionals who have a solid understanding of network infrastructure, cyber threats, and security protocols.


  • Global Finances Inc., a multinational financial services firm, has been under a sustained cyber-espionage campaign. Sasha Rodriguez, the CSO, has noticed unusual network traffic patterns and an increase in phishing attempts targeting the finance department. The company’s sensitive financial data and intellectual property are at risk.
  • A stealthy Advanced Persistent Threat (APT) group, “SilentWraith,” is behind this sophisticated and coordinated attack. The IT infrastructure comprises 200 workstations and 50 servers, including mail servers, database servers, and the company’s private cloud environment.
  • The company needs this exercise to test their preparedness against sophisticated cyber threats, to train their staff in threat intelligence analysis, and to tighten their security measures. By simulating the attack, the team can identify weaknesses and reinforce their defense mechanisms to protect against future incidents.


  • Threat Intelligence and Analysis

Exercise Attack Steps:

  • Intelligence Gathering:
    • Collect baseline network traffic data.
    • Gather intelligence on “SilentWraith” group from threat intelligence feeds.
    • Identify common indicators of compromise (IoCs) associated with “SilentWraith.”
  • Active Monitoring and Detection:
    • Monitor network traffic for signs of IoCs.
    • Set up alerts for any suspicious behavior resembling the attackers’ known tactics, techniques, and procedures (TTPs).
    • Conduct regular sweeps of the system for unexpected changes or anomalies.
  • Incident Response Preparation:
    • Assemble an incident response team and assign roles.
    • Prepare sandbox environments to isolate and analyze suspicious files.
    • Develop a communication plan for internal teams and external stakeholders.
  • Threat Hunting:
    • Proactively search the network for signs of breach or SilentWraith activity that may have evaded initial detection.
    • Employ user and entity behavior analytics (UEBA) to spot anomalies.
  • Containment Strategy:
    • Plan network segmentation and access control list (ACL) updates to contain the spread of an attack.
    • Prepare procedures to take critical systems offline without affecting business continuity.
  • Eradication and Recovery:
    • Develop a plan for malware removal and system restoration.
    • Document the process for evidence preservation in case of legal follow-up.
  • Post-Exercise Analysis:
    • Review the entire exercise to identify which strategies and tactics were successful.
    • Update the incident response plan and threat intelligence playbook based on exercise outcomes.
    • Create a lessons-learned document and communicate findings to the broader team.