Phase 5: Threat Intelligence & IOC Enrichment

This phase focuses on enriching raw indicators of compromise (IOCs)—such as IPs, URLs, domains, file hashes, and email addresses—with contextual threat intelligence. The goal is to determine whether the artifacts found in a phishing message are:

• Known in existing threat databases

• Associated with specific TTPs (Tactics, Techniques, and Procedures)

• Part of a larger campaign or threat actor group

By performing this enrichment, you turn technical evidence into insight that can support broader detection, prevention, and attribution efforts.

What is IOC Enrichment?

It’s the process of answering questions like:

• Has this IP or domain been used in other phishing or malware attacks?

• What malware family is associated with this file hash?

• Is this domain linked to a known threat actor or group?

• Are there similar phishing campaigns being reported by other organizations?

The following is a high-level guide on how to enrich IOCs.

1. Identify and Categorize Collected IOCs

   • Organize and aggregate the artifacts/IOCs collected from the previous phases.

   • This should include IP addresses, domain names, URLs, email addresses, file hashes, file extensions/types, and file names.

2. Identify and Categorize Collected IOCs

   • Use free and commercial threat intelligence platforms to investigate known associations and risk scores.

3. Correlate Indicators Across Data Sources

1. • Perform cross-source correlation to identify patterns:

     • Does this IP show up across multiple samples on VirusTotal?

     • Does the domain resolve to an IP that’s on spam blocklists?

     • Are similar emails listed in PhishTank or other open-source reporting tools?

     • Is this hash tied to known malware families like Emotet, AgentTesla, or Remcos?

   • For example, VirusTotal links the file with  SHA256 d4fa...a1f7 to a known AgentTesla variant; the payload is associated with credential-stealing malware.

4. Attribute to Known Campaigns or Threat Actors (Optional)

1. • If multiple enriched IOCs match known threat actors, infrastructure or techniques:

     • Use MITRE ATT&CK to map TTPs

     • Check threat actor profiles (e.g., TA505, APT28) if attribution is relevant

     • Reference campaign names (e.g., “IceID”, “BazarLoader”, “Ducktail”) in your report

   • Attribution is not always necessary for action, but it is valuable for strategic insights.

5. Assess Confidence and Risk Level

1. • After enrichment, assign a confidence score to each IOC:

     • High - IOC is clearly linked to malicious activity

     • Medium -  Suspicious but not widely reported; needs monitoring

     • Low -  No known associations or inconclusive context

   • This will assist the security team in prioritizing blocking, alerting, and monitoring.

6. Use Enriched IOCs for Threat Hunting and Detection

1. • Once IOCs are enriched, security teams can use them to:

     • Create SIEM detection rules

     • Add blocklists to proxies, firewalls, and email gateways

     • Launch threat hunts to identify past or current compromises

     • Update playbooks with observed TTPs

   • For example, Splunk can be searched:

| search index=email_logs url="phishingpage[.]com"

| stats count by user, timestamp

7. Document IOC Metadata in the Report

5. • Always include in the report:

     • IOC type and value

     • Enrichment results (risk scores, linked malware, etc.)

     • Source(s) used for verification

     • Confidence level

     • Recommended action (block, monitor, allow)

TIP: Avoid the following:

• Don’t block an IP or domain without checking for false positives

• Don’t rely solely on one platform for enrichment

• Don’t assume “clean” results mean “safe” — attackers constantly rotate infrastructure