Advanced Cyber Threat Intelligence Report Template (1) Section 1

The document discusses the integration of threat intelligence into incident response to enhance cybersecurity, emphasizing proactive defense, faster detection, informed decision-making, and continuous improvement. It outlines the stages of incident response where threat intelligence can be applied, such as preparation, identification, containment, eradication, recovery, and lessons learned. Additionally, it includes exercises related to Alien Vault OTX, Cisco Talos, Nmap, Kali Linux, VirusTotal, and Google Dorks, aimed at practical applications of threat intelligence tools and techniques.

Uploaded by raymondafuye

Advanced Cyber Threat Intelligence Report

CYB-670

Student Name:

Instructor Name:

Section 1: Incorporating Threat Intelligence into Incident Responses

Incorporating threat intelligence into incident response is essential for strengthening an organization’s
cybersecurity posture and enhancing the effectiveness of its response to security incidents. Threat
intelligence provides contextual information about threats, attackers, techniques, indicators of
compromise (IOCs), and vulnerabilities, enabling teams to detect, analyze, and respond more efficiently.

Importance of Incorporating Threat Intelligence

1. Proactive Defense: Threat intelligence allows organizations to anticipate threats before they
materialize, helping identify vulnerabilities and mitigate them in advance.

2. Faster Detection and Response: With up-to-date threat data, security teams can quickly
recognize known attack patterns and IOCs, reducing response time.

3. Informed Decision-Making: Analysts and incident responders can prioritize incidents based on
threat intelligence about adversary tactics and potential impact.

4. Improved Attribution and Root Cause Analysis: Threat intelligence supports understanding of
attacker motives, targets, and techniques, which aids in identifying the root cause and applying
effective countermeasures.

5. Continuous Improvement: Post-incident analysis with threat intelligence feeds back into the
security lifecycle, improving future incident detection and response strategies.

Where and How to Apply Threat Intelligence in Incident Response:


1. Preparation
o Integrate threat feeds, perform threat modeling, and update response plans.
o Goal: Anticipate threats and strengthen defenses.
2. Identification
o Correlate alerts with IOCs and threat actor tactics.
o Goal: Quickly detect and prioritize real threats.
3. Containment
o Use intel to understand and limit attacker movement.
o Goal: Contain the incident effectively and minimize damage.
4. Eradication
o Ensure complete removal using updated threat data and known exploits.
o Goal: Clean the environment thoroughly.
5. Recovery
o Monitor for re-infection using threat patterns.
o Goal: Safely restore operations.


6. Lessons Learned
o Document findings and share relevant intelligence.
o Goal: Improve future responses and contribute to collective defense.
Section 2: Alien Vault OTX Exercise Results

Using the lab instructions for the Alien Vault OTX exercise, respond to each of the following questions:

1a. What is the name, category, count, and feature count of the malware with largest circle in the
dashboard view?

1b. Pick one of the related pulses for the malware you selected and list the ID of the pulse, the total
number of IOCS and type and count for each. Also, provide a screenshot of the results.

1c. For the same pulse you selected in part b, show the threat infrastructure screenshot along with the
ID of pulse, and a table with the specific breakdown of counts for each country.

1d. Use the Browse->Indicators tab to provide a count for the IPv4 and IPv6 IOCs. In your response
provide the exact count of IPv4 and IPv6 IOCs at the time of your query. Which count is larger between
the IPv4 and IPv6? Explain why one has significantly more counts than the other.

1e. Use the Browse->Indicators tab to search the role of Ransomware. What IOC type makes up most of
the Ransomware IOCs for this query?

f1. How many pulses has the user MetaDefender contributed? (Hint: /api/v1/pulses/user/{username},
You will need to use your OTX-API-KEY to retrieve this result.)

f2. What is the slug string for the Bitcoin Address indicator type? (Hint: the API will list the indicator
types, descriptions, slugs and other information.)

f3. Have there been any malware samples analyzed by AlienVault Labs which have been observed
connecting to microsoft.com? If yes, then list one malware detected and the date of the detection. (Hint:
/api/v1/indicators/domain/{domain}/{section}, Use malware for the section).

f4. When does the SSL certificate for webapps.umgc.edu expire? (Hint:
api/v1/indicators/domain/{domain}/http_scans, Look for “443 Certificate Notafter”)
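The four API hints above all follow the same pattern: a GET to an OTX path with the API key in a header, then one field pulled out of the JSON. Here is an added example (not code from the assignment or from AlienVault) that builds the request and extracts the asked-for value from each response; the response documents are constructed samples and their field names are assumptions modelled on the public OTX API, so confirm them against a live response.

```python
# Added example, not code from the assignment or from AlienVault: helpers for the
# OTX API hints in questions f1-f4. Response documents are constructed samples;
# their field names are assumptions modelled on the public OTX API.
import json
from urllib.request import Request

OTX_BASE = "https://otx.alienvault.com"


def otx_request(path, api_key):
    """Build an authenticated GET; OTX reads the key from the X-OTX-API-KEY header."""
    return Request(OTX_BASE + path, headers={"X-OTX-API-KEY": api_key})


# f1: constructed sample for /api/v1/pulses/user/{username}
SAMPLE_USER_PULSES = json.dumps({"count": 2, "results": [{"id": "p1"}, {"id": "p2"}]})


def user_pulse_count(body):
    """Pulse total for a user; falls back to counting results if 'count' is absent."""
    doc = json.loads(body)
    return doc.get("count", len(doc.get("results", [])))


# f2: constructed sample of the indicator-type listing (the slug is a placeholder)
SAMPLE_TYPES = json.dumps({"detail": [
    {"name": "IPv4", "slug": "ipv4"},
    {"name": "BitcoinAddress", "slug": "placeholder-bitcoin-slug"},
]})


def indicator_slug(body, type_name):
    """Slug for one indicator type name, or None if the listing lacks it."""
    for entry in json.loads(body).get("detail", []):
        if entry.get("name") == type_name:
            return entry.get("slug")
    return None


# f3: constructed sample for /api/v1/indicators/domain/{domain}/malware
SAMPLE_MALWARE = json.dumps({"count": 1, "data": [{
    "hash": "0" * 64, "date": "2024-01-15T00:00:00",
    "detections": {"avast": None, "clamav": "Example.Detection"}}]})


def malware_detections(body):
    """(hash, date, first non-empty AV detection) per sample seen contacting the domain."""
    out = []
    for item in json.loads(body).get("data", []):
        names = [v for v in item.get("detections", {}).values() if v]
        out.append((item["hash"], item["date"], names[0] if names else None))
    return out


# f4: constructed sample for /api/v1/indicators/domain/{domain}/http_scans
SAMPLE_HTTP_SCANS = json.dumps({"data": [
    {"name": "443 Certificate Issuer", "value": "Example CA"},
    {"name": "443 Certificate Notafter", "value": "2026-03-01T00:00:00"},
]})


def cert_not_after(body):
    """Expiry reported under '443 Certificate Notafter', or None if the scan lacks it."""
    for item in json.loads(body).get("data", []):
        if item.get("name") == "443 Certificate Notafter":
            return item.get("value")
    return None
```

To run it against the live service, pass `otx_request(path, key)` to `urllib.request.urlopen` and feed the decoded body to the matching extractor.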

2. Summarize in 2-3 paragraphs, how you would use Alien Vault OTX as part of a cybersecurity program
you managed or were part of. Discuss how it might integrate with other development tools and inform
and be part of strategic, operational and tactical threat intelligence.

Section 3: Use Threat Intelligence Tools

3.1 Cisco Talos

a. Which continent has the fewest email reports? List the continent’s name and provide a
screen capture of that continent.

b. Use the zoom feature to zoom into the closest malware report to the area in which you live.
Provide a screenshot showing the IP address, domain name, last day volume and email type.

c. From the main Talos page, search for mail.umgc.edu. Using the results, answer these questions:

1. Who is the network owner for mail.umgc.edu?

2. What is the current web reputation for mail.umgc.edu?
3. When does the domain expire for umgc.edu (Hint: use the WhoIs tab)

d. Use the email & spam filter to determine which 3 countries send out the most spam. (Hint:
select top 100 countries and the spam option.)

e. Use the Vulnerability reports option to select a recent (within the last 12 months) vulnerability
that has a CVSS score of 10. Drill down into the data and provide the name of the vulnerability,
the CVE-number, and the summary. Study the vulnerability and summarize how you would use
this information to attack an organization if they hadn’t patched or updated their system.

3.2 Nmap exercise

a. What were the IP addresses for each of the sites you scanned?
 • umgc-tomcat9.azurewebsites.net -
 • umgc-juiceshop.azurewebsites.net -
 • umgc-web-dvwa.azurewebsites.net -
 • Your UMGC VLE Windows Desktop -
 • Your UMGC VLE Kali Desktop -

b. How many ports were scanned for each site?

 • umgc-tomcat9.azurewebsites.net -
 • umgc-juiceshop.azurewebsites.net -
 • umgc-web-dvwa.azurewebsites.net -
 • Your UMGC VLE Windows Desktop -
 • Your UMGC VLE Kali Desktop -

c. Which ports were discovered as being open for each site?

 • umgc-tomcat9.azurewebsites.net -
 • umgc-juiceshop.azurewebsites.net -
 • umgc-web-dvwa.azurewebsites.net -
 • Your UMGC VLE Windows Desktop -
 • Your UMGC VLE Kali Desktop -

d. For the ports that were discovered to be open, what service runs on each port? Note, you only
need to list each port once since the service will be the same.

e. What were the names of the operating system for each site scanned?

 • umgc-tomcat9.azurewebsites.net -
 • umgc-juiceshop.azurewebsites.net -
 • umgc-web-dvwa.azurewebsites.net -
 • Your UMGC VLE Windows Desktop -
 • Your UMGC VLE Kali Desktop -

f. Share a screenshot of the topology map resulting from the scans. Use the fishhook display.

g. What advantages do you see from a Cybersecurity defensive perspective for running an Nmap
scan on your networked assets? Explain why scans should be run on a regular basis.

3.3 Kali Linux exercise

Note this is a group project. Be sure to record which members completed each question. Also, be sure to
discuss the results with your team before submitting so everyone is on board with the results.

In all cases, you will be using the umgc.edu domain or associated subdomains as your information
gathering target.

a. dnsenum tool questions

1. How many MX servers were discovered? What were the IPv4 addresses for each of the MX
servers you discovered?

2. What specific name servers were discovered? List both the IPv4 address and the full domain?

3. What is the purpose of a name server?

4. What is the purpose of an MX server?

5. How many umgc.edu IP blocks were discovered?

6. How many IPv4 addresses are available in the 131.171.0.0/32 umgc.edu CIDR range?

7. Describe the differences between A, NS, MX and CNAME DNS records.

8. What is the IPv4 address associated with vpn.europe.umgc.edu?


b. dnsmap tool questions

1. How many subdomains were found for umgc.edu?

2. What specific IPv4 addresses are associated with library.umgc.edu?

3. Were any internal IP addresses disclosed? If so, which ones? How could this information be
used in an offensive cyber operations campaign?

4. What IPv4 addresses are associated with kb.umgc.edu?

5. Describe the differences between IPv4 and IPv6 addresses.

6. Which IPv4 addresses are listed in more than one subdomain? Prepare a table that lists the
IPv4 address and the associated subdomain. For example, 151.101.67.10 is associated with at
least my.umgc.edu and help.umgc.edu.

7. What is the IPv4 address for the sf.umgc.edu subdomain?

8. Comparing the dnsenum and dnsmap results, some subdomains seem to be missing. For example,
asia.umgc.edu and europe.umgc.edu weren’t discovered. What option could you use in dnsmap
to force these two subdomains to be discovered? Be specific and show your results.

c. dnsrecon tool questions

1. What is the Apple domain verification ID for umgc.edu?

2. Do the number of MX servers and their corresponding values match when comparing
dnsrecon and dnsenum tools? Show the results.

3. How many google site verification IDs were discovered for umgc.edu?

4. How many Name Servers (NS) were discovered with IPv4 addresses?

5. Can the IPv6 addresses discovered be converted to IPv4 addresses? Why or why not?

6. Can the IPv4 addresses discovered be converted to IPv6 address? Why or why not?

7. What command would you use to provide a reverse lookup for the CIDR range/mask of
151.101.67.0/24 for umgc.edu? Show the command and execute it. What results were
returned?

8. What does the -t option provide in the dnsrecon tool? What is the difference between -t std
and -t zonewalk in terms of output for the umgc.edu domain? Show and explain the differences
through the output of your commands.

d. fierce tool questions

1. What IPv4 address is associated with mars.umgc.edu?

2. List the subdomains discovered using the fierce tool.

3. What Name Servers (NS) were discovered?

4. Were there any subdomains found using fierce that weren’t discovered using the other tools?
List any specific subdomains not found in the other tools.

5. What domains were discovered as being nearby to the careers.umgc.edu subdomain?

6. What domains were discovered as being nearby to the phones.umgc.edu subdomain?

7. What is the IPv4 address of the SOA for umgc.edu?

8. What is the IPv4 address associated with asia.umgc.edu?

e. OS-INT website questions

1. Using the DNS lookup tool, list the name servers (NS) for umgc.edu.

2. What are the IPv4 addresses for the A records for umgc.edu?

3. How many MX records are discovered for the umgc.edu domain?

4. What is the TXT docusign ID value? Does this match the docusign ID value discovered using
dnsrecon tool?

5. What is the TTL value in the output? Compare the values for the NS, A and TXT records. Why
would they be different?

6. Using the technology lookup for learn.umgc.edu, what server-side language was
discovered? What client-side language was discovered?

7. Using the subdomain finder, how many subdomains were discovered for umgc.edu?

8. Who is the provider for the asia.umgc.edu subdomain?


f. IP GEO Location questions

1. Using the IP GEO Location Lookup tool, find the Latitude and Longitude for 3 subdomains of
umgc.edu. List the subdomain and the Latitude and Longitude values in a table.

Subdomain Latitude Longitude

2. Using a Lat/Long display of your choice (e.g. maps.google.com), plot the locations of each of
the umgc.edu subdomains you selected. Include a screenshot of each at a zoom level that
clearly shows the proximity to the closest city.

3.4 VirusTotal exercise

a. Use the results from the Cisco Talos web site to cross check a URL and IP address that was shown
as malware. List the URL and IP address. Describe your test case and show screen shots of the
Talos and the VirusTotal website results. Do the two sources provide the same results? If not,
what do you think might have caused the discrepancy?

b. Pick a random file with no sensitive information in it on your Desktop and use a tool to generate
its SHA-256 hash. Note, you can use PowerShell on Windows with the command Get-FileHash
pathto/filename, or you can upload the file to https://md5file.com/calculator to generate the
hash. Enter the resulting file hash into the Search window of the VirusTotal web site. Provide a
screenshot of the results. Were the results as expected?

c. Run domain checks for three (3) different vendors of your choice into the VirusTotal web site.
Show screenshots of the results. Look carefully at the categories and popularity score in the
details section of the report. Compare and contrast the 3 vendors you selected on this
information. The report details may be useful to describe some of the data and information
displayed in the output.

d. Use the Relations tab on the output for the umgc.edu domain to compare the subdomains
listed in VirusTotal to those listed in the community edition of Maltego. How many total domains
does umgc.edu have listed in VirusTotal? Note, you can display additional subdomains in
VirusTotal by clicking on the … option at the end of the subdomains section.

3.5 Google Dorks exercise

a. Another useful Google Dork is the map: command. Use it to find maps of Tangier Sound and
Camp Arifjan. Show screenshots of the results of your Dorking for each map search. Where is
Tangier Sound located? In what country is Camp Arifjan located? Is there a Food Court Zone in
Camp Arifjan? If so, how did you determine this?

b. Set a timer on your desktop for 10 minutes using Google Dorks. Show the screenshot of your
timer. What happens when the time expires?

c. The default initial web page for Apache2 running on Ubuntu has the following text in the
title: "Apache2 Ubuntu Default Page: It works". How would you use this information to
provide a list of sites that are using Ubuntu and still have the default Apache2 web site
running. Show your Google Dork command and the results of running your command with a
screenshot. How is this information useful in an ethical hacking or OS-INT gathering situation?

d. Use the Google Dorking command “define:” to compare definitions of “Google Dorking” from 3
different sites. Based on the site results, provide a paraphrased definition for “Google Dorking”
using the results from your query.

e. Use Google Dork commands to search the umgc.edu domain for files with the xlsx extension. Are xlsx documents
present on the website? Show the command you used to search and the results in a screenshot
for your report.

Section 4: Final IOC Exercise

a. A department in your organization has asked permission to have access to several web sites
that currently appear to be blocked. The sites include: mars.umgc.edu, linuxhint.com,
financereports.co, creativebookmark.com. Use Threat Intelligence tools to make a
recommendation for each site. Be sure to justify your decision using data and screenshots from
the tools.

b. An employee in your organization has had issues with their computer and is concerned that
they may have a virus. Several files were uploaded to a safe sandbox for processing and
analysis. The following SHA-256 hashes were submitted. Use appropriate tools to determine
if any of the files should be quarantined.

 • b4bd56a2aebe3f5e020c5421e01c2d16804c25da673ecb125b074a94581cecfe
 • d893a28a885344f46e74f3131d5ae3b3ecd2f5d29571afb124f556db86da40f3
 • 5dc84570905973f2719578179596e36b4e29f2343ca360aeff730aacf7e37ed0
 • D94BB76D6A8FBA54D6579A6265F6EAE66E905B8667D1B33080D28A2F7D068C0D
 • 456A194F501984067435393729294ECC02E75973C011F1E765EEB3FC6C23CBE4

For any hashes that are flagged as malware or malicious, provide more details to include a
description of the specific threat, the virus or threat name, and the most recent attack date.

c. Your IT staff is short-staffed and needs some assistance generating SHA-256 hashes for several
files. This work is to verify the safety of the files in terms of malware, but also for download
processes, so those using your organization’s data can confirm the hashes are identical. Use
appropriate SHA-256 tools to generate the hashes for the following attached files:
 • 2022-2023catalog.pdf
 • courseplanner.pdf
 • samplecoverletter.pdf

After you generate the SHA-256 hashes, use a threat intelligence tool to verify there are no
issues with malware.

For your report, list the SHA-256 results for each file along with a note stating if any issues were
reported from the hash analysis. Provide screenshots verifying your malware analysis for each
hash analysis.
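Parts b and c both come down to producing SHA-256 values and submitting them to a lookup service. The following added example (not code from the assignment) streams a file through SHA-256, checks a list of submitted hashes before lookup, and verifies a download against a published hash; the file contents are constructed stand-ins, and the mixed-case input mirrors the list in part b, where two hashes are uppercase.

```python
# Added example, not code from the assignment: a SHA-256 workflow for parts b
# and c. File contents and hash strings below are constructed stand-ins.
import hashlib
import os
import re
import tempfile

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large PDFs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def normalize_hashes(submitted):
    """Return (unique lowercase hashes, rejected entries) for a submitted list.
    Lookup services accept either case, but normalising first stops one file
    being counted twice and catches wrong-length or non-hex typos before submission."""
    accepted, rejected, seen = [], [], set()
    for raw in submitted:
        value = raw.strip()
        if not HEX64.match(value):
            rejected.append(raw)
            continue
        value = value.lower()
        if value not in seen:
            seen.add(value)
            accepted.append(value)
    return accepted, rejected


def verify_download(path, published_hash):
    """True when the file on disk matches the hash published beside the download."""
    return sha256_file(path) == published_hash.strip().lower()


def make_sample_file(data, name="sample.bin"):
    """Write constructed bytes to a temp file and return its path (demo helper)."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    for fname in ("2022-2023catalog.pdf", "courseplanner.pdf", "samplecoverletter.pdf"):
        # constructed stand-in contents; the real files come with the assignment
        path = make_sample_file(b"%PDF-1.4 constructed stand-in for " + fname.encode(), fname)
        print(fname, sha256_file(path))
    ok, bad = normalize_hashes(["D94BB76D" + "A" * 56, "d94bb76d" + "a" * 56, "not-a-hash"])
    print("submit:", ok, "rejected:", bad)
```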

d. Finally, in 4-6 paragraphs summarize your experience using threat intelligence tools. From
your experience, discuss strengths and weaknesses for each tool used. Discuss your future
envisioned use and tools that might be considered. For example, does it make sense to
invest in a commercial threat intelligence tool that uses multiple OS-INT and other sources,
providing real-time alerts and visualization capabilities? If so, which tools might be good
choices and why?
