
Skill Guide

Threat intelligence fusion and identity graph analysis

The systematic process of correlating disparate cyber threat data with entity relationship mapping to proactively identify threat actors, infrastructure, and attack patterns.

This skill enables security teams to move from reactive alert handling to proactive threat hunting, significantly reducing mean time to detect (MTTD) and respond (MTTR). It directly impacts business outcomes by lowering breach costs and protecting digital assets through predictive intelligence.

How to Learn Threat intelligence fusion and identity graph analysis

1. Master the fundamentals of the Cyber Threat Intelligence (CTI) lifecycle and frameworks like MITRE ATT&CK.
2. Understand the core identity types: IP addresses, domains, email addresses, usernames, and device fingerprints.
3. Study basic graph theory concepts (nodes, edges, properties) and relational database schemas.

1. Practice with real-world datasets: ingest and normalize threat feeds (e.g., from AlienVault OTX, abuse.ch) into a SIEM or SOAR platform.
2. Implement basic identity graph construction by linking indicators (IoCs) to observed threat actor profiles using tools like Neo4j or TigerGraph.
3. Common mistake: failing to validate and enrich data before fusion, which produces false-positive graphs. Focus on data hygiene and confidence scoring.

1. Architect enterprise-grade fusion platforms that integrate internal telemetry (EDR, NDR) with external intel and dark web monitoring.
2. Develop automated graph analytics algorithms (e.g., community detection, centrality analysis) to identify hidden threat clusters.
3. Align intelligence output with business risk frameworks (e.g., FAIR) to prioritize investigation based on financial impact, not just severity scores.

Practice Projects

Beginner Project

Build a Basic IOC-to-Actor Correlation Graph

Scenario

You have a list of malicious IPs from a public feed and a set of email addresses involved in phishing campaigns reported by the SOC.

How to Execute
1. Extract unique IoCs (IPs, emails) from the sample data.
2. Use a free graph database (e.g., Neo4j Community Edition) to create nodes for each IoC and entity (e.g., 'PhishingCampaign_A').
3. Manually create edges based on observed co-occurrence in log files.
4. Query the graph to find which IPs are linked to multiple campaigns.
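The following is an added example, not code from the original guide: an in-memory version of the beginner project in Python (standard library only, no Neo4j required) that parses constructed sample log lines, applies the data-hygiene check the guide warns about (dropping non-routable addresses and malformed sender strings so they cannot become false-positive hub nodes), builds the IoC-to-campaign graph, and runs the "which IPs are linked to multiple campaigns" query. The log format, campaign names and addresses are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not real data): each line records the campaign the
# SOC attributed it to, the source IP and the sender address observed.
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z campaign=PhishingCampaign_A src=203.0.113.10 from=billing@invoice-update.example",
    "2024-03-01T10:05:42Z campaign=PhishingCampaign_A src=198.51.100.7 from=billing@invoice-update.example",
    "2024-03-02T08:17:03Z campaign=PhishingCampaign_B src=203.0.113.10 from=hr-portal@benefits-login.example",
    "2024-03-02T09:30:55Z campaign=PhishingCampaign_B src=10.0.0.5 from=hr-portal@benefits-login.example",
    "2024-03-03T11:45:20Z campaign=PhishingCampaign_C src=203.0.113.10 from=not-an-email",
    "2024-03-03T12:00:00Z campaign=PhishingCampaign_C src=192.0.2.77 from=it-desk@secure-reset.example",
]

LINE_RE = re.compile(r"campaign=(\S+)\s+src=(\S+)\s+from=(\S+)")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Ranges that must never become graph nodes: RFC 1918, loopback, link-local, multicast.
# (ipaddress.is_global would also reject the RFC 5737 documentation ranges used by the
# constructed sample, so the unroutable ranges are listed explicitly instead.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
)]


def valid_public_ip(value):
    """Data hygiene: a private or malformed address linked to every campaign would
    otherwise look like the most important node in the graph."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def build_graph(lines):
    """Bipartite graph: IoC node -> set of campaign nodes it co-occurred with.
    Node keys are (kind, value) so an IP and an email can never collide."""
    edges = defaultdict(set)
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            continue  # unparseable line: skip rather than guess
        campaign, ip, email = match.groups()
        if valid_public_ip(ip):
            edges[("ip", ip)].add(campaign)
        if EMAIL_RE.match(email):
            edges[("email", email.lower())].add(campaign)
    return edges


def iocs_in_multiple_campaigns(graph, kind="ip", min_campaigns=2):
    """The project's query: IoCs of one kind that bridge two or more campaigns."""
    return sorted(
        (value, sorted(campaigns))
        for (k, value), campaigns in graph.items()
        if k == kind and len(campaigns) >= min_campaigns
    )


if __name__ == "__main__":
    graph = build_graph(SAMPLE_LOGS)
    for ip, campaigns in iocs_in_multiple_campaigns(graph):
        print(f"{ip} is linked to {len(campaigns)} campaigns: {', '.join(campaigns)}")
```

In a real pipeline the same node and edge sets would be written to the graph database; the point of the validation step is that it happens before insertion, because a 10.0.0.0/8 address or a malformed sender string that reaches the graph is linked to everything and distorts every later query.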

Intermediate Project

Automated Fusion Pipeline for Phishing Infrastructure

Scenario

Build a semi-automated pipeline that ingests new phishing domain reports and enriches them with historical WHOIS, certificate transparency logs, and passive DNS data.

How to Execute
1. Set up a scripting environment (Python) to pull data from APIs (e.g., SecurityTrails, VirusTotal).
2. Normalize the data into a unified schema (e.g., STIX 2).
3. Load it into a graph database, creating automatic edges between domains that share registrant emails, name servers, or SSL certificate hashes.
4. Write a query to flag domains that belong to a larger, previously identified infrastructure cluster.
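Steps 3 and 4 of this project, as an added Python example that is not part of the original guide: the records below stand in for what the enrichment step would have normalized from the WHOIS, certificate transparency and passive DNS sources (all domains, addresses and certificate hashes are constructed), pivot edges are created between domains that share a registrant email, name server or certificate hash, connected components are computed with union-find, and any domain that lands in the same component as a previously identified cluster member is flagged together with the pivot that links it. The `NOISY_VALUES` and `MAX_FANOUT` filters are this example's assumptions: a redacted registrant field or a name server shared by thousands of unrelated domains carries no attribution signal, and using it as an edge is the fastest way to build the false-positive cluster the guide warns about.

```python
from collections import defaultdict
from itertools import combinations

# Constructed, already-normalized enrichment records (not real WHOIS/CT/pDNS data).
ENRICHED = {
    "secure-login-update.example": {
        "registrant_email": "ops@throwaway.example",
        "name_servers": {"ns1.bulkdns.example", "ns2.bulkdns.example"},
        "cert_sha256": "cert-AAA"},
    "account-verify-now.example": {
        "registrant_email": "ops@throwaway.example",
        "name_servers": {"ns1.bulkdns.example"},
        "cert_sha256": "cert-BBB"},
    "mailbox-quota-alert.example": {
        "registrant_email": "REDACTED FOR PRIVACY",
        "name_servers": {"ns1.bulkdns.example"},
        "cert_sha256": "cert-BBB"},
    "corp-news.example": {
        "registrant_email": "REDACTED FOR PRIVACY",
        "name_servers": {"ns1.bulkdns.example"},
        "cert_sha256": "cert-CCC"},
    "payroll-review.example": {
        "registrant_email": "admin@otherreg.example",
        "name_servers": {"ns1.bigdns.example"},
        "cert_sha256": "cert-DDD"},
}

# Pivot hygiene (assumptions of this example): values with no attribution signal, and
# any value shared by more domains than MAX_FANOUT, never become edges.
NOISY_VALUES = {"REDACTED FOR PRIVACY", ""}
MAX_FANOUT = 3


def pivot_edges(records):
    """Return (domain_a, domain_b, reason) for each pair sharing a usable pivot value."""
    index = defaultdict(set)  # (attribute, value) -> domains carrying it
    for domain, rec in records.items():
        index[("registrant_email", rec["registrant_email"])].add(domain)
        index[("cert_sha256", rec["cert_sha256"])].add(domain)
        for ns in rec["name_servers"]:
            index[("name_server", ns)].add(domain)
    edges = []
    for (attr, value), domains in index.items():
        if value in NOISY_VALUES or len(domains) > MAX_FANOUT:
            continue  # shared by too many domains to mean anything
        for a, b in combinations(sorted(domains), 2):
            edges.append((a, b, f"{attr}={value}"))
    return edges


def clusters(domains, edges):
    """Connected components via union-find; each component is one candidate
    infrastructure cluster."""
    parent = {d: d for d in domains}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b, _ in edges:
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for d in domains:
        groups[find(d)].add(d)
    return [frozenset(g) for g in groups.values()]


def flag_new_domains(records, known_cluster):
    """Step 4: domains that fall into a component containing a previously identified
    cluster member, each with the pivot edges that pulled it in (for analyst review)."""
    edges = pivot_edges(records)
    flagged = {}
    for group in clusters(records, edges):
        if group & known_cluster:
            for d in group - known_cluster:
                flagged[d] = [e for e in edges if d in (e[0], e[1])]
    return flagged


if __name__ == "__main__":
    for domain, reasons in flag_new_domains(ENRICHED, {"secure-login-update.example"}).items():
        print(domain, "joins known cluster via", [r for _, _, r in reasons])
```

With the sample data, `ns1.bulkdns.example` is shared by four domains and is therefore ignored; without that filter `corp-news.example` would be pulled into the phishing cluster on the strength of a name server alone. Keeping the reason string on every edge is what lets an analyst confirm or reject the link in the graph database later, which is the confidence-scoring step the guide calls for.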

Advanced Case Study/Exercise

Disrupting a Ransomware-as-a-Service (RaaS) Affiliate Network

Scenario

Intelligence indicates a new ransomware strain is spreading. Your fusion graph from previous incidents shows links to a specific initial access broker (IAB) forum, cryptocurrency wallets, and VPN exit nodes.

How to Execute
1. Cross-reference new victim data (file hashes, ransom notes) with existing graph clusters to identify the affiliate.
2. Apply temporal analysis to the graph to map the attack lifecycle stages.
3. Use centrality measures to identify the most critical nodes (e.g., a payment processor or C2 domain) for strategic takedown recommendations.
4. Prepare a high-confidence report for leadership and law enforcement detailing the network's structure, key players, and potential pressure points.
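Steps 1 to 3 of the exercise, as an added Python example that is not part of the original guide. The edge list is a constructed stand-in for the "fusion graph from previous incidents"; every node name (victims, hash, C2 domain, wallets, payment processor, VPN exit, forum handle) is a placeholder. The block cross-references a newly observed hash with the graph by walking outward to the nearest known actor handle, orders the edges by first-seen date to recover the order in which the infrastructure appeared, and ranks nodes by betweenness centrality (Brandes' algorithm, implemented here for an unweighted, undirected graph) to find the choke points a report to leadership or law enforcement would highlight.

```python
from collections import defaultdict, deque

# Constructed fusion-graph edges from "previous incidents" (not real indicators):
# (node_a, node_b, relation, first_seen).
EDGES = [
    ("victim-A", "hash-X", "dropped", "2024-05-03"),
    ("victim-B", "hash-X", "dropped", "2024-05-06"),
    ("hash-X", "c2.example", "beacons_to", "2024-05-03"),
    ("c2.example", "wallet-A", "ransom_note_lists", "2024-05-04"),
    ("wallet-A", "payproc.example", "cashes_out_via", "2024-05-10"),
    ("wallet-B", "payproc.example", "cashes_out_via", "2024-04-20"),
    ("c2.example", "vpn-exit-1", "administered_from", "2024-04-28"),
    ("vpn-exit-1", "iab-forum-handle", "posts_as", "2024-04-15"),
]


def adjacency(edges):
    """Undirected adjacency sets; relation and date stay on EDGES for the timeline."""
    adj = defaultdict(set)
    for a, b, _, _ in edges:
        adj[a].add(b)
        adj[b].add(a)
    return dict(adj)


def degree_centrality(adj):
    return {node: len(neigh) for node, neigh in adj.items()}


def betweenness_centrality(adj):
    """Brandes' algorithm: for each node, how many shortest paths between other node
    pairs run through it. High values mark choke points (a C2 domain, a payment
    processor) whose removal fragments the network."""
    bc = dict.fromkeys(adj, 0.0)
    for s in adj:
        stack, pred = [], {v: [] for v in adj}
        sigma, dist = dict.fromkeys(adj, 0), dict.fromkeys(adj, -1)
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:                      # BFS that counts shortest paths
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        while stack:                      # accumulate dependencies in reverse BFS order
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: value / 2 for v, value in bc.items()}  # each unordered pair counted twice


def nearest_known_node(adj, start, candidates):
    """Step 1: BFS from a new indicator to the closest node in `candidates`
    (e.g. known actor handles); returns (node, hops) or None if unreachable."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, hops = queue.popleft()
        if node in candidates and node != start:
            return node, hops
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None


def timeline(edges):
    """Step 2: edges ordered by first_seen, i.e. the order in which the affiliate's
    infrastructure surfaced (forum presence, cash-out, VPN, C2, then victims)."""
    return sorted((t, a, rel, b) for a, b, rel, t in edges)


if __name__ == "__main__":
    adj = adjacency(EDGES)
    print("new hash attributes to:", nearest_known_node(adj, "hash-X", {"iab-forum-handle"}))
    ranked = sorted(betweenness_centrality(adj).items(), key=lambda kv: -kv[1])
    print("pressure points by betweenness:", ranked[:3])
    for t, a, rel, b in timeline(EDGES):
        print(t, a, rel, b)
```

On this sample the C2 domain has the highest betweenness (21.0) because it is the only node joining the victim side, the cash-out side and the operator side; the payment processor scores lower here because it connects only one additional wallet, which is exactly the kind of finding a report should state with the numbers attached rather than as a hunch.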

Tools & Frameworks

Software & Platforms

Neo4j, TigerGraph, Maltego, OpenCTI, TheHive/Cortex

Neo4j and TigerGraph are native graph databases for storing and querying identity graphs. Maltego provides visual link analysis for investigations. OpenCTI is an open-source platform for structured threat intelligence management. TheHive/Cortex is for case management and automated enrichment.

Standards & Frameworks

MITRE ATT&CK, STIX/TAXII, Diamond Model of Intrusion Analysis, Traffic Light Protocol (TLP)

MITRE ATT&CK provides a common language for adversary tactics. STIX/TAXII enables standardized intel sharing. The Diamond Model helps structure the relationship between adversary, capability, infrastructure, and victim. TLP governs the appropriate sharing and handling of sensitive intelligence.

Interview Questions

Answer Strategy

The interviewer is testing for methodological rigor and an understanding of data enrichment. Use the Diamond Model as a framework. Start by enriching the IPs (geolocation, AS info, passive DNS). Then, correlate the target usernames against known data breach dumps to find reused emails. Link the IPs to any associated domains via passive DNS, and check those domains against certificate transparency logs for shared registrant info. The sample answer should outline these enrichment steps to create edges between the initial entities and reveal a unified actor profile.

Answer Strategy

This tests strategic prioritization under pressure. The candidate should demonstrate using the graph to assess exposure. Key steps:
1. Query the graph to find all internal assets (nodes) that depend on the vulnerable library (edge).
2. Cross-reference those assets with their business criticality (another node property) and their exposure level (internet-facing vs. internal).
3. Overlay real-time attack data from intel feeds onto the graph to see if any of your specific asset IPs or domains are being targeted.
The answer should conclude with a risk-scored patching order that goes beyond a simple CVSS score.
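The three steps of this answer strategy, as an added Python example that is not part of the original guide. The asset inventory, dependency edges, library names and targeted-address feed are all constructed; the scoring weights (exposure doubles the score, an actively targeted address adds a flat bonus) are this example's own assumption, chosen only to show how an intel overlay can reorder a CVSS-only list.

```python
# Constructed asset nodes with their properties; names, addresses and library
# versions are placeholders, not real inventory.
ASSETS = {
    "web-portal":  {"criticality": 5, "exposure": "internet", "ip": "203.0.113.20"},
    "hr-app":      {"criticality": 4, "exposure": "internal", "ip": "10.1.2.3"},
    "build-agent": {"criticality": 2, "exposure": "internal", "ip": "10.1.9.9"},
    "partner-api": {"criticality": 3, "exposure": "internet", "ip": "203.0.113.21"},
    "wiki":        {"criticality": 1, "exposure": "internet", "ip": "203.0.113.22"},
}
# depends_on edges: (asset node) -> (library node)
DEPENDS_ON = [
    ("web-portal", "libfoo-1.2"), ("hr-app", "libfoo-1.2"), ("build-agent", "libfoo-1.2"),
    ("partner-api", "libfoo-1.2"), ("wiki", "libbar-3.0"),
]
# Constructed intel-feed overlay: addresses the feed reports as being targeted.
TARGETED_IPS = {"203.0.113.21", "198.51.100.99"}

# Illustrative weights (an assumption of this example, not the guide's).
EXPOSURE_WEIGHT = {"internet": 2, "internal": 1}
TARGETED_BONUS = 5


def affected_assets(depends_on, library):
    """Step 1: follow depends_on edges back from the vulnerable library node."""
    return {asset for asset, lib in depends_on if lib == library}


def risk_score(props, targeted_ips):
    """Steps 2 and 3: criticality x exposure weight, plus a bonus when the intel
    overlay shows this asset's address being targeted right now."""
    score = props["criticality"] * EXPOSURE_WEIGHT[props["exposure"]]
    if props["ip"] in targeted_ips:
        score += TARGETED_BONUS
    return score


def patching_order(assets, depends_on, library, targeted_ips):
    """Risk-ranked (asset, score) list, highest first; ties broken by name so the
    order is stable from run to run."""
    affected = affected_assets(depends_on, library)
    scored = [(a, risk_score(assets[a], targeted_ips)) for a in sorted(affected)]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for asset, score in patching_order(ASSETS, DEPENDS_ON, "libfoo-1.2", TARGETED_IPS):
        print(f"{asset:12} risk={score}")
```

With the sample data the partner API, which is less critical than the web portal, moves to the top of the list because the feed shows its address being targeted; that reordering is the point of the overlay step, and the same CVSS score would have put the two assets in the opposite order.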
