TryHackMe: Intro to Cyber Threat Intelligence — Walkthrough (Lab 1)
- DFIRHive
- Oct 21

I recently went through the Intro to Cyber Threat Intelligence room on TryHackMe. It’s not a flashy or tool-heavy lab, but it sets the base right — the kind of fundamentals that actually stick when you’re dealing with threat data or working an investigation.
Most of the questions are straightforward, but each one ties back to something we see regularly — the CTI lifecycle, frameworks like TAXII, or how the Kill Chain still fits in modern attacks.
Here’s a short walkthrough of the questions and answers, along with a bit of context where it matters.
Question 1 — What does CTI stand for?
Answer: Cyber Threat Intelligence
Explanation: Cyber Threat Intelligence refers to information about adversaries, their tools, motivations, and methods, analyzed to support defensive and investigative decisions. It gives meaning to isolated events — connecting them to attacker behavior and larger threat patterns. In essence, it turns data (like a hash or IP) into understanding — why it exists and what it means for your environment.
Question 2 — IP addresses, hashes, and other artefacts fall under which classification of Threat Intelligence?
Answer: Technical Intelligence
Reference: Threat Intelligence Classifications (Strategic, Operational, Tactical, Technical).
Explanation: Technical Intelligence includes short-term, atomic indicators such as IPs, URLs, domains, and file hashes. These are the artefacts analysts see daily — useful for detection and quick correlation but with limited lifespan. Attackers frequently change infrastructure, so while technical intel enables immediate blocking and triage, it must be continuously updated and enriched to retain value.
Question 3 — Which phase of the CTI lifecycle converts data into usable formats through sorting, correlation, and organization?
Answer: Processing
Reference: CTI Lifecycle — Direction → Collection → Processing → Analysis → Dissemination → Feedback.
Explanation: Processing is the stage that transforms raw data into structured, usable information. It involves cleaning, normalizing, and correlating indicators from multiple sources — for example, removing duplicates, aligning timestamps, and validating formats. This ensures consistency across datasets, allowing analysts to analyze and compare findings accurately.
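As an added example (not part of the room or this post), here is a small Python sketch of the Processing stage applied to the technical indicators from Questions 2 and 3: it validates indicator formats, normalises two timestamp layouts to UTC, deduplicates repeated sightings, and flags entries that have aged past a window. The feed records, the 90-day staleness window and all function names are constructed for this illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample feed (not from the lab): two timestamp layouts, a duplicate
# sighting, an old indicator and a malformed hash; the md5 is a placeholder value.
RAW_FEED = [
    {"value": "198.51.100.23", "type": "ip", "seen": "2024-05-01T10:15:00Z"},
    {"value": "198.51.100.23", "type": "ip", "seen": "2024-05-01 12:15:00"},
    {"value": "BadBank-Login.example", "type": "domain", "seen": "2024-05-02T08:00:00Z"},
    {"value": "a" * 32, "type": "md5", "seen": "2024-01-03T00:00:00Z"},
    {"value": "not-a-hash", "type": "md5", "seen": "2024-05-02T09:30:00Z"},
]
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # constructed "current time"
PATTERNS = {
    "domain": re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}"),
    "md5": re.compile(r"[0-9a-f]{32}"),
}

def is_valid(ioc_type, value):
    """Format validation: drop indicators that could never match real traffic."""
    if ioc_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    pattern = PATTERNS.get(ioc_type)
    return bool(pattern and pattern.fullmatch(value))

def parse_seen(ts):
    """Normalise both timestamp layouts in the feed to timezone-aware UTC."""
    dt = datetime.fromisoformat(ts.replace(" ", "T").replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def process_feed(records, now=NOW, max_age_days=90):
    """Validate, normalise, deduplicate and age indicators; returns (processed, rejected)."""
    processed, rejected = {}, []
    for rec in records:
        value = rec["value"].strip().lower()  # case-fold domains and hashes
        if not is_valid(rec["type"], value):
            rejected.append(rec)
            continue
        seen = parse_seen(rec["seen"])
        entry = processed.setdefault((rec["type"], value), {"last_seen": seen, "sightings": 0})
        entry["last_seen"] = max(entry["last_seen"], seen)
        entry["sightings"] += 1
        # Technical intel decays quickly: flag anything not sighted inside the window.
        entry["stale"] = now - entry["last_seen"] > timedelta(days=max_age_days)
    return processed, rejected
```

Running `process_feed(RAW_FEED)` keeps three indicators, merges the two IP sightings, marks the January hash as stale, and rejects the malformed hash.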

Question 4 — During which phase do security analysts get the chance to define the questions to investigate incidents?
Answer: Direction
Reference: Intelligence Requirements phase of the CTI Lifecycle.
Explanation: Direction defines what needs to be understood or proven. Before collecting data, analysts clarify objectives — such as identifying an actor, mapping their infrastructure, or assessing potential impact. This phase anchors the investigation; without clear direction, analysis risks becoming scattered and unfocused.
Question 5 — What sharing models are supported by TAXII?
Answer: Collection and Channel
Reference: TAXII (Trusted Automated eXchange of Intelligence Information) Specification by OASIS.
Explanation: TAXII defines how STIX-formatted intelligence is shared between systems.
Collection model: Consumers pull threat data from repositories as needed.
Channel model: Producers push new intelligence automatically to subscribers. This automation supports structured, real-time information exchange between organizations — a critical part of coordinated defense.
Question 6 — When an adversary has obtained access to a network and is extracting data, what phase of the kill chain are they on?
Answer: Actions on Objectives
Reference: Lockheed Martin Cyber Kill Chain.
Explanation: “Actions on Objectives” is the final phase of an intrusion, where the attacker achieves their goal, whether data theft, encryption, or system disruption. By this point, earlier stages like delivery and exploitation have already succeeded. Recognising that an intrusion has reached this phase signals that impact assessment and containment are now urgent.

Kill Chain — Stages & Practical Examples

| Stage | Purpose | Examples |
| --- | --- | --- |
| Reconnaissance | Gather information about the target and the attack surface. | Harvesting emails, OSINT (LinkedIn, social media), network scanning. |
| Weaponisation | Craft the malicious payload tailored to the target or objective. | Building a backdoored installer, malicious Office document with macro. |
| Delivery | Deliver the payload to the victim environment. | Phishing email, malicious weblink, infected USB. |
| Exploitation | Exploit a vulnerability or weakness to execute code on the target. | Exploits like EternalBlue, Zerologon; malicious macro execution. |
| Installation | Establish foothold and persistence on the compromised system. | Install backdoors, deploy credential-dumping tools, create scheduled tasks/services. |
| Command & Control (C2) | Maintain remote access, issue commands, and stage additional tools. | C2 frameworks and tooling (Empire, Cobalt Strike), HTTP/DNS beacons. |
| Actions on Objectives | Carry out the attacker’s end goal: data theft, disruption, or financial gain. | Data exfiltration, ransomware encryption, defacement, espionage. |
Question 7 — What was the source email address?
Answer: vipivillain@badbank.com
Reference: Practical exercise
Question 8 — What was the name of the file downloaded?
Answer: flbpfuh.exe

Question 9 — After building the threat profile, what message do you receive?
Answer: THM{NOW_I_CAN_CTI}
Reference: Lab completion confirmation flag.

Appreciate you taking the time to read through!
If this helped you understand the TryHackMe CTI room a little better, feel free to share it with others or tag DFIRHive.
Every share helps us bring more practical content to the DFIR community.
