Threat Intelligence & TTPs for SOC Analysts: Harnessing MITRE ATT&CK, IoCs, and IoAs to Inform Detection and Hunting

CyberDefenders Team

In the relentless arms race between defenders and adversaries, the ability of SOC analysts to turn threat intelligence into actionable detection and hunting strategies is a defining advantage. Modern Security Operations Centers (SOCs) are flooded with data, logs, alerts, and threat feeds, but only those who can contextualize, correlate, and operationalize this intelligence can consistently outpace advanced threats. This comprehensive, highly technical guide explores how threat intelligence, TTPs (Tactics, Techniques, and Procedures), MITRE ATT&CK, IoCs (Indicators of Compromise), and IoAs (Indicators of Attack) empower SOC analysts to build robust detection and proactive hunting capabilities.

The Role of Threat Intelligence in the SOC

Threat intelligence is not just a feed of malicious IPs or hashes; it’s the contextual knowledge that empowers SOC analysts to detect, respond to, and anticipate adversary actions. Effective use of threat intelligence bridges the gap between high-level strategic awareness and hands-on detection engineering, informing everything from SIEM rule design to threat hunting hypotheses.

For SOC analysts, the challenge is to operationalize this intelligence:

➜ What are the adversaries doing? (TTPs)

➜ How do we detect them? (Detection logic, rules)

➜ How do we hunt for stealthy or novel activity? (Proactive hunting, hypothesis-driven searches)

➤ Before diving deep into threat intelligence tactics, check this blog for threat intelligence fundamentals.

Threat Intelligence: Foundations and Types

  1. Strategic Intelligence: High-level trends, motivations, and intent (e.g., APT group targeting critical infrastructure).
  2. Operational Intelligence: Campaign-specific details, timelines, targeting (e.g., new phishing campaign targeting the financial sector).
  3. Tactical Intelligence: Specific TTPs, tools, and techniques used by adversaries (e.g., use of Cobalt Strike for lateral movement).
  4. Technical Intelligence: Concrete indicators (IP addresses, domains, file hashes, YARA signatures).

Sources and Collection

➜ Open Source Intelligence (OSINT): Public feeds, blogs, GitHub repos, social media.

➜ Commercial Feeds: Vendor-provided threat intelligence platforms (TIPs), paid feeds.

➜ ISACs/ISAOs: Sector-specific sharing communities (e.g., FS-ISAC for finance).

➜ Internal Intelligence: Findings from past incidents, red team exercises, and honeypots.

SOC analysts must evaluate source reliability, timeliness, and relevance. Automated ingestion, normalization, and deduplication are critical for handling large volumes of threat data.

[Figure: threat intelligence workflows for SOC]

TTPs: Understanding Adversary Behavior

Tactics, Techniques, and Procedures (TTPs) describe how adversaries think, operate, and achieve their objectives. They shift detection from chasing indicators to understanding attacker behavior.

  1. Tactics: The adversary’s tactical goals, the “why” (e.g., credential access, persistence).
  2. Techniques: The “how” methods to achieve tactics (e.g., credential dumping, scheduled task creation).
  3. Procedures: Specific implementations (e.g., using Mimikatz to dump LSASS memory).

TTPs transcend static indicators. While IoCs are ephemeral, TTPs reflect underlying attacker behavior and methodology, harder to evade and more durable for detection.

Why TTPs Matter More Than IoCs Alone

Indicators change fast; adversary behavior does not. TTPs provide durable detection opportunities that persist across infrastructure and tooling changes.

➜ Attackers can easily change IPs, domains, and hashes.

➜ TTPs reveal behavior patterns that persist across campaigns.

➜ Detection based on TTPs is more resilient to evasion.

A mature SOC leverages TTPs to build behavioral detections, map coverage, and prioritize hunts.

MITRE ATT&CK: The Universal Language of Adversary Behavior

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary TTPs, mapped across the attack lifecycle.

  • Matrices: Enterprise, Mobile, Cloud, ICS.
  • Tactics: Columns (e.g., Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, etc.)
  • Techniques/Sub-techniques: Rows (e.g., Spearphishing Attachment, PowerShell, Pass-the-Hash).

➤ Here’s how this really fits into daily SOC operations: check this guide, which covers everything about MITRE ATT&CK.

ATT&CK Matrices and Use Cases for SOCs

  1. Detection Engineering: Map existing rules to ATT&CK, identify gaps.
  2. Threat Hunting: Develop hypotheses based on tactics/techniques.
  3. Threat Intelligence Mapping: Align intelligence reports to ATT&CK for structured sharing.
  4. Purple Teaming: Validate detection and response coverage.

Mapping Threat Intelligence to ATT&CK

When ingesting threat intel, map observed TTPs to ATT&CK techniques. This enables:

➜ Coverage mapping (what’s detected, what’s not).

➜ Prioritization of detection engineering.

➜ Consistent language for reporting and collaboration.

Example: 

Threat report: “Adversary used PowerShell to download a payload and establish persistence via a scheduled task.”
Mapped to:

  • T1059.001: PowerShell (Execution)
  • T1053.005: Scheduled Task/Job: Scheduled Task (Persistence)

Indicators of Compromise (IoCs): Value, Limitations & Usage

IoCs represent known malicious artifacts observed during attacks. While useful for rapid response, they are inherently short-lived and reactive.

Types of IoCs

  1. Network: IP addresses, domains, URLs.
  2. File: Hashes (MD5, SHA1, SHA256), file names, paths.
  3. Host-based: Registry keys, mutexes, process names.
  4. Email: Subject lines, sender addresses, attachments.

IoC Lifecycle and Management

Effective IoC usage requires continuous collection, validation, enrichment, and retirement. Without lifecycle management, IoCs quickly become noise.

➜ Collection: Ingest from feeds, internal sources.

➜ Validation: Test for false positives/negatives.

➜ Contextualization: Link to threat actors, campaigns, TTPs.

➜ Expiry: IoCs have a short lifespan; track validity.

Integrating IoCs into Detection

Automation helps reduce reaction time but should not replace behavioral detection.

  • SIEM Rules: Correlate logs with known IoCs.
  • EDR/NDR: Block or alert on matching indicators.
  • Automated Response: Quarantine endpoints, block at perimeter.

Pitfall:

Overreliance on IoCs leads to missed threats as adversaries rotate infrastructure. IoC-based detection should be complemented by behavioral/TTP-based analytics.

Indicators of Attack (IoAs): Beyond Static Indicators

IoAs focus on attacker intent and behavior rather than specific artifacts. They enable early detection of novel or previously unseen threats.

The Concept of IoAs

IoAs focus on the intent and behavior of the attacker, not just the artifacts left behind. They are patterns or sequences of events that indicate an attack is in progress, even if the specific IoCs are unknown or new.

Behavioral Detection and Use Cases

Behavioral detections analyze sequences, anomalies, and abuse patterns. These methods are harder for attackers to evade than signature-based rules.

  • Sequence-based: Unusual process chains (e.g., Word → PowerShell → Network connection)
  • Anomaly-based: Lateral movement outside of normal patterns
  • TTP-based: Use of living-off-the-land binaries (LOLBins), credential dumping, privilege escalation attempts

Example:
A new binary spawned by a Microsoft Office process makes an outbound connection to a rare domain. This sequence, regardless of the binary’s hash or the domain involved, may indicate an attack.

IoAs are more durable and future-proof than IoCs, but require mature logging, baselining, and analytics.
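The sequence above as detection logic, added here as an example rather than taken from the post: constructed Sysmon-style process-creation and network-connection events are correlated by process GUID, so any child of an Office process that connects out within a short window fires, whatever its hash or destination. The event field names, the five-minute window and the parent list are assumptions.

```python
from datetime import datetime, timedelta

# Parents whose child processes rarely need network access of their own.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WINDOW = timedelta(minutes=5)  # assumed bound between spawn and first connection

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_office_child_network(events):
    """Return alerts for Office -> child process -> outbound connection sequences.

    Events are Sysmon-style dicts keyed by process GUID (PIDs are reused).
    No hash or domain list is consulted: the sequence itself is the indicator.
    """
    spawned = {}  # guid -> (child image, parent image, creation time)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] == "process_create":
            parent = _basename(e["parent_image"])
            if parent in OFFICE_PARENTS:
                spawned[e["guid"]] = (_basename(e["image"]), parent, e["ts"])
        elif e["type"] == "network_connect" and e["guid"] in spawned:
            child, parent, created = spawned.pop(e["guid"])  # one alert per child
            if e["ts"] - created <= WINDOW:
                alerts.append({"sequence": [parent, child, e["dest"]],
                               "seconds_to_connect": int((e["ts"] - created).total_seconds())})
    return alerts

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed timestamps and events follow
SAMPLE_EVENTS = [
    # Word spawns PowerShell, which connects out 12 s later: fires
    {"type": "process_create", "ts": T0, "guid": "{G1}",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": OFFICE + r"\WINWORD.EXE"},
    {"type": "network_connect", "ts": T0 + timedelta(seconds=12), "guid": "{G1}",
     "dest": "cdn-constructed.invalid:443"},
    # Outlook itself reaching its mail server: a parent, not a child, no alert
    {"type": "network_connect", "ts": T0 + timedelta(seconds=20), "guid": "{G2}",
     "dest": "mail.example.com:443"},
    # Excel spawns a helper that first connects an hour later: outside the window
    {"type": "process_create", "ts": T0, "guid": "{G3}",
     "image": r"C:\Tools\helper.exe", "parent_image": OFFICE + r"\EXCEL.EXE"},
    {"type": "network_connect", "ts": T0 + timedelta(hours=1), "guid": "{G3}",
     "dest": "updates.example.com:443"},
]
```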

Turning Threat Intelligence & TTPs into Detection Logic

Threat intelligence becomes valuable only when translated into actionable detections. This process bridges intelligence, telemetry, and operational defense.

Detection Engineering with ATT&CK

  1. Map Threats to ATT&CK: For every relevant threat, map observed TTPs to ATT&CK techniques.
  2. Review Existing Detections: Inventory SIEM, EDR, and NDR rules mapped to those techniques.
  3. Identify Gaps: Where there’s no coverage, prioritize rule development.
  4. Develop Detection Logic: Write rules that detect behaviors, not just artifacts.

Rule Development (SIEM, EDR, NDR)

Each security control observes different parts of the attack surface. Effective detection engineering aligns logic with the strengths of each platform.

  • SIEM: Correlate logs for suspicious sequences (e.g., login from a new location, followed by privilege escalation).
  • EDR: Monitor process creation, command-line arguments, and parent-child relationships.
  • NDR: Analyze network flows for C2 patterns, data exfiltration, and lateral movement.

➤ Curious how detection engineering works in real SOCs? Read this blog about Detection Engineering vs. Logic.

Example Detection Rule (SIEM):

Detect PowerShell execution with suspicious command-line flags:

EventID=4688 AND ProcessName="powershell.exe" AND CommandLine CONTAINS ("-enc" OR "-nop" OR "-w hidden")
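As an added example (not from the original post), the rule above applied in Python to constructed 4688-style records. powershell.exe accepts any unambiguous prefix of a parameter name, so a literal match on "-enc" would miss "-e" or "-EncodedCommand"; the code therefore normalizes each token to its flag family, only counts "-w" when the value is hidden, and tags hits with T1059.001. The pwsh.exe host name and the record field names are assumptions.

```python
def _prefixes(name, min_len):
    """All abbreviations powershell.exe accepts for a parameter name."""
    return {name[:i] for i in range(min_len, len(name) + 1)}

# Flag families from the rule. powershell.exe accepts any unambiguous prefix of a
# parameter name (plus the documented "-ec" alias), so "-e" == "-enc" == "-EncodedCommand".
FLAG_FAMILIES = {
    "encodedcommand": _prefixes("encodedcommand", 1) | {"ec"},
    "noprofile": _prefixes("noprofile", 3),
    "windowstyle": _prefixes("windowstyle", 1),  # only counts with a hidden value
}
HOSTS = {"powershell.exe", "pwsh.exe"}  # pwsh.exe is an addition to the rule text

def matched_flags(command_line):
    """Return the sorted suspicious flag families present in a command line."""
    tokens = command_line.split()
    hits = set()
    for i, tok in enumerate(tokens):
        if not tok.startswith("-"):
            continue
        name = tok.lstrip("-").lower()
        for family, aliases in FLAG_FAMILIES.items():
            if name not in aliases:
                continue
            if family == "windowstyle":
                nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
                if not nxt.startswith("h"):  # "-w normal" is not suspicious
                    continue
            hits.add(family)
    return sorted(hits)

def evaluate(event):
    """Apply the rule to one 4688-style record; return an alert dict or None."""
    exe = event.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    if event.get("EventID") != 4688 or exe not in HOSTS:
        return None
    flags = matched_flags(event.get("CommandLine", ""))
    if not flags:
        return None
    return {"technique": "T1059.001", "host": event.get("Computer"),
            "process": exe, "flags": flags}

# Constructed sample records, not real telemetry ("QQBCAEMA" is "ABC" in UTF-16LE).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "NewProcessName": PS,
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc QQBCAEMA"},
    {"EventID": 4688, "Computer": "WS02", "NewProcessName": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inv.ps1"},
]
```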

Example: Building a Detection Pipeline

  1. Ingest Threat Intel: Parse feeds, normalize, map to ATT&CK.
  2. Enrich Events: Add context (threat actor, campaign, technique).
  3. Correlate: Match logs and telemetry against SIEM rules, IoAs, and TTP patterns.
  4. Alert: Trigger on matches, escalate for analyst review.
  5. Automate Response: Quarantine, block, or further investigate.
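The IoC lifecycle section and the pipeline steps above, worked through in one added example (not code from the post): two constructed feeds with different schemas are normalized, de-duplicated on (type, value), retired once their validity window passes, and the live indicators are matched against telemetry with actor and ATT&CK technique context attached to each alert. Feed schemas, field names and every indicator value are constructed.

```python
from datetime import date, timedelta

TODAY = date(2024, 3, 20)  # evaluation date for the constructed data below
# Constructed entries from two imaginary feeds with different schemas. Values are
# TEST-NET addresses, .invalid names and a placeholder hash, not real IoCs.
RAW_FEED = [
    {"indicator": "198.51.100.23", "kind": "ipv4", "actor": "ACTOR-A",
     "technique": "T1071.001", "first_seen": "2024-03-01", "ttl_days": 30},
    {"value": "198.51.100.23", "type": "ip", "first_seen": "2024-03-10",
     "ttl_days": 30},                                   # same IoC, later sighting
    {"value": "Update.Example.Invalid", "type": "domain",
     "first_seen": "2023-11-01", "ttl_days": 60},       # validity long expired
    {"value": "AB" * 32, "type": "sha256", "actor": "ACTOR-A",
     "technique": "T1105", "first_seen": "2024-03-05", "ttl_days": 365},
]
TYPE_MAP = {"ipv4": "ip", "ip": "ip", "domain": "domain", "sha256": "sha256"}

def normalize(entry):
    """Map either feed schema onto one canonical indicator shape."""
    first = date.fromisoformat(entry["first_seen"])
    return {"type": TYPE_MAP[entry.get("kind") or entry["type"]],
            "value": (entry.get("indicator") or entry["value"]).lower(),
            "actor": entry.get("actor"), "technique": entry.get("technique"),
            "expires": first + timedelta(days=entry["ttl_days"])}

def build_store(raw_feed, today=TODAY):
    """De-duplicate on (type, value), merge context, retire expired indicators."""
    store = {}
    for ioc in map(normalize, raw_feed):
        key = (ioc["type"], ioc["value"])
        if key in store:  # newest expiry wins; keep context from either sighting
            cur = store[key]
            ioc["expires"] = max(ioc["expires"], cur["expires"])
            ioc["actor"] = ioc["actor"] or cur["actor"]
            ioc["technique"] = ioc["technique"] or cur["technique"]
        store[key] = ioc
    return {k: v for k, v in store.items() if v["expires"] >= today}

EVENT_FIELDS = (("dest_ip", "ip"), ("query", "domain"), ("sha256", "sha256"))

def correlate(events, store):
    """Match telemetry fields against live IoCs and emit enriched alerts."""
    alerts = []
    for ev in events:
        for field, ioc_type in EVENT_FIELDS:
            hit = store.get((ioc_type, str(ev.get(field, "")).lower()))
            if hit:  # enrich the alert with actor and ATT&CK technique context
                alerts.append({"host": ev["host"], "field": field, "actor": hit["actor"],
                               "technique": hit["technique"], "expires": hit["expires"].isoformat()})
    return alerts
```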

Threat Hunting: Proactive Defense Using Threat Intelligence

Threat hunting uses intelligence to proactively search for adversary activity. It assumes compromise and focuses on uncovering hidden or missed attacks.

Hypothesis-Driven Hunting

Hunting starts with an informed assumption about adversary behavior. ATT&CK helps translate that hypothesis into targeted queries.

➜ Formulate a hypothesis based on threat intelligence (e.g., “Adversary X uses RDP for lateral movement”)

➜ Map to ATT&CK (T1021.001: Remote Services: Remote Desktop Protocol)

➜ Query logs for evidence (e.g., anomalous RDP sessions)
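The three hunting steps above carried out against constructed 4624 records, as an added example (not from the post): the hypothesis “adversary X uses RDP for lateral movement” (T1021.001) becomes a query for RemoteInteractive logons whose (account, source, target) path never appeared in the baseline period, ranked by how many new hosts one source reached. Field names follow the Windows Security log; hosts, accounts, addresses and time windows are invented.

```python
from collections import defaultdict
from datetime import datetime

def _logon(ts, user, src, host, logon_type=10):
    """Build a 4624-style record; LogonType 10 is a RemoteInteractive (RDP) logon."""
    return {"ts": ts, "EventID": 4624, "LogonType": logon_type,
            "TargetUserName": user, "IpAddress": src, "Computer": host}

# Constructed Security-log records (hosts, accounts and addresses are invented).
SAMPLE_LOGONS = [
    _logon("2024-03-01T08:05", "admin", "10.0.1.5", "SRV01"),   # baseline period
    _logon("2024-03-03T09:12", "admin", "10.0.1.5", "SRV02"),
    _logon("2024-03-05T10:30", "jdoe", "10.0.5.20", "SRV01"),
    _logon("2024-03-15T09:00", "admin", "10.0.1.5", "SRV01"),   # hunt window, known path
    _logon("2024-03-15T22:01", "jdoe", "10.0.5.20", "SRV01"),   # known path
    _logon("2024-03-15T22:10", "jdoe", "10.0.5.20", "SRV02"),   # new target
    _logon("2024-03-15T22:14", "jdoe", "10.0.5.20", "SRV03"),   # new target
    _logon("2024-03-15T22:20", "jdoe", "10.0.5.20", "FS01", 3), # network logon, not RDP
    _logon("2024-03-15T23:00", "svc_backup", "10.0.9.9", "SRV07"),  # new path
]
BASELINE_START, HUNT_START, HUNT_END = (datetime(2024, 3, 1), datetime(2024, 3, 15),
                                        datetime(2024, 3, 16))

def rdp_edges(records, start, end):
    """Set of (account, source_ip, target_host) for RDP logons in [start, end)."""
    edges = set()
    for r in records:
        ts = datetime.fromisoformat(r["ts"])
        if r["EventID"] == 4624 and r["LogonType"] == 10 and start <= ts < end:
            edges.add((r["TargetUserName"].lower(), r["IpAddress"], r["Computer"]))
    return edges

def hunt_new_rdp_paths(records, baseline_start, hunt_start, hunt_end):
    """(account, source, [new targets]) seen in the hunt window but never in the
    baseline, ranked by fan-out: one source reaching several new hosts is the
    lateral-movement shape the hypothesis predicts."""
    baseline = rdp_edges(records, baseline_start, hunt_start)
    fanout = defaultdict(set)
    for account, src, target in rdp_edges(records, hunt_start, hunt_end) - baseline:
        fanout[(account, src)].add(target)
    ranked = [(acct, src, sorted(targets)) for (acct, src), targets in fanout.items()]
    return sorted(ranked, key=lambda row: (-len(row[2]), row[0]))

def run():
    return hunt_new_rdp_paths(SAMPLE_LOGONS, BASELINE_START, HUNT_START, HUNT_END)
```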

Hunt Team Workflows

  1. Intel Review: Understand current threats and TTPs.
  2. Hypothesis Generation: Select relevant ATT&CK techniques.
  3. Data Collection: Gather logs, EDR, NDR, and cloud telemetry.
  4. Analysis: Search for patterns, outliers, and matches.
  5. Investigation: Deep dive into suspicious findings.
  6. Reporting: Document findings, improve detection logic.

➤ Learn how SOC teams hunt using ATT&CK and TTPs. Read this full article about SOC threat hunting.

Practical Hunting with MITRE ATT&CK

ATT&CK operationalizes hunting by prioritizing high-risk techniques. It helps teams focus efforts where attackers are most likely to operate.

➜ Use ATT&CK Navigator to visualize coverage and hunt focus areas.

➜ Develop hunt queries for high-risk techniques (e.g., credential dumping, lateral movement).

➜ Validate and tune detection rules based on hunt findings.

Automation and Integration

Automation reduces response time and analyst fatigue. When integrated correctly, it enhances, rather than replaces, human decision-making.

Threat Intelligence Platforms (TIPs)

TIPs centralize, enrich, and score threat intelligence at scale. They act as the bridge between raw intel feeds and detection systems.

➜ Aggregate and normalize threat intel feeds.

➜ De-duplicate, score, and contextualize indicators.

➜ Integrate with SIEM, SOAR, and EDR.

SOAR and Automated Enrichment

SOAR platforms automate investigation and response workflows. They allow analysts to focus on complex decision-making instead of repetitive tasks.

➜ Automate indicator enrichment (reputation checks, passive DNS, sandboxing).

➜ Orchestrate response actions (block, isolate, notify).

➜ Auto-generate tickets for high-confidence detections.

Threat Intel and SIEM/EDR Workflows

Real-time integration ensures intelligence is immediately actionable. Continuous feedback loops improve prioritization and detection accuracy over time.

  1. Real-time ingestion and correlation of threat intel with live telemetry.
  2. Dynamic updating of detection rules and blocklists.
  3. Automated threat scoring and prioritization.

Case Studies: Real-World Applications

Case Study 1: Ransomware Campaign

Threat Intel:

➜ TTPs: Phishing for initial access, PowerShell for payload delivery, lateral movement via SMB, data encryption

➜ IoCs: Known C2 IPs, ransomware hashes

SOC Actions:

Map TTPs to ATT&CK: T1566 (Phishing), T1059.001 (PowerShell), T1021.002 (SMB/Windows Admin Shares), T1486 (Data Encrypted for Impact).

  1. Develop SIEM rules for suspicious SMB traffic and PowerShell use.
  2. Hunt for anomalous file encryption patterns.
  3. Integrate IoCs into EDR for blocking and alerting.

Case Study 2: APT Lateral Movement

Threat Intel:

➜ TTPs: Credential dumping, pass-the-hash, remote service creation

➜ IoAs: Unusual process creation (lsass.exe access), new services on endpoints

SOC Actions:

Map to ATT&CK: T1003 (Credential Dumping), T1075 (Pass-the-Hash), T1053.005 (Scheduled Task).

  1. EDR rules for process injection and credential dumping.
  2. Hunt for new service creation events correlated with administrative logins.

Case Study 3: Supply Chain Attack

Threat Intel:

➜ TTPs: Compromised software update, code execution via trusted application, C2 over HTTPS

➜ IoCs: Malicious update hashes, C2 domains

SOC Actions:

Map to ATT&CK: T1195 (Supply Chain Compromise), T1105 (Ingress Tool Transfer), T1071.001 (Web Protocols).

  1. SIEM rules for software installation events and unusual outbound HTTPS connections.
  2. Hunt for rare parent-child process relationships (e.g., update.exe spawning cmd.exe).

Best Practices for SOC Analysts

➜ Map Everything to ATT&CK: Use it as the common language for detection, hunting, and reporting

➜ Balance IoC and IoA/TTP Detection: Use IoCs for quick wins, TTPs for resilience

➜ Automate Ingestion and Enrichment: Let machines handle the noise, and analysts focus on analysis

➜ Continuously Tune Rules: Use hunting and incident reviews to improve detection logic

➜ Share Intelligence: Contribute to ISACs/ISAOs and internal knowledge bases

➜ Stay Current: Monitor emerging threats, update mappings and rules regularly

➜ Document Workflows: Ensure repeatability and auditability of detection and response

Future Trends in Threat Intelligence and Detection

  1. AI/ML-Driven Threat Intelligence: Automated clustering, anomaly detection, and predictive analytics.
  2. Cloud-Native Threat Intelligence: Focus on SaaS/IaaS/PaaS environments, cloud-specific TTPs.
  3. Automated Threat Hunting: Machine-driven hypothesis generation and hunting.
  4. Threat Intelligence as Code: Version-controlled, automated deployment of detection logic.
  5. Deeper Integration with DevSecOps: Threat intelligence informing CI/CD and supply chain security.

Conclusion

Threat intelligence is only effective when it drives detection and response. While IoCs enable fast reaction, they expire quickly and offer limited insight on their own. TTPs and IoAs provide the behavioral context needed to detect attacks that evolve beyond static indicators.

By using MITRE ATT&CK, SOC teams can systematically translate intelligence into resilient detection logic, identify coverage gaps, and prioritize threat hunting. Combining IoCs, IoAs, and TTPs allows defenders to move from reactive alerting to proactive, behavior-based defense, where understanding attacker tradecraft matters more than chasing indicators.

➤ Ready to level up your blue team skills? Train on the platform SOC analysts trust: explore the CyberDefenders BlueYard Cyber Range.
