Mastering Cyber Intelligence: Gain comprehensive knowledge and skills to conduct threat intelligence for effective system defense
Ebook, 916 pages, 8 hours


About this ebook

The sophistication of cyber threats, such as ransomware, advanced phishing campaigns, zero-day vulnerability attacks, and advanced persistent threats (APTs), is pushing organizations and individuals to change strategies for reliable system protection. Cyber Threat Intelligence converts threat information into evidence-based intelligence that uncovers adversaries' intents, motives, and capabilities for effective defense against all kinds of threats.
This book thoroughly covers the concepts and practices required to develop and drive threat intelligence programs, detailing the tasks involved in each step of the CTI lifecycle. You'll be able to plan a threat intelligence program by understanding and collecting the requirements, setting up the team, and exploring the intelligence frameworks. You'll also learn how and from where to collect intelligence data for your program, considering your organization level. With the help of practical examples, this book will help you get to grips with threat data processing and analysis. And finally, you'll be well-versed with writing tactical, technical, and strategic intelligence reports and sharing them with the community.
By the end of this book, you'll have acquired the knowledge and skills required to drive threat intelligence operations from planning to dissemination phases, protect your organization, and help in critical defense decisions.

Language: English
Release date: Apr 29, 2022
ISBN: 9781800208285


    Book preview

    Mastering Cyber Intelligence - Jean Nestor M. Dahj


    BIRMINGHAM—MUMBAI

    Mastering Cyber Intelligence

    Copyright © 2022 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author(s), nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    Group Product Manager: Vijin Boricha

    Publishing Product Manager: Shrilekha Malpani

    Senior Editor: Arun Nadar

    Content Development Editor: Yasir Ali Khan

    Technical Editor: Rajat Sharma

    Copy Editor: Safis Editing

    Project Coordinator: Ajesh Devavaram

    Proofreader: Safis Editing

    Indexer: Hemangini Bari

    Production Designer: Joshua Misquitta

    Marketing Coordinator: Hemangi Lotlikar

    First published: April 2022

    Production reference: 1010422

    Published by Packt Publishing Ltd.

    Livery Place

    35 Livery Street

    Birmingham

    B3 2PB, UK.

    ISBN 978-1-80020-940-4

    www.packt.com

    To my father, Muwawa Salam Tjoppen, and my mother, Isamanga Olwey Therese, for their sacrifices and values instilled in me. In loving memory of my youngest brother, Muwawa Legi Yao Bob. To my family for their support. To God for the gift of life, which allows me to keep working hard, hoping, and dreaming.

    – Jean Nestor M. Dahj

    Contributors

    About the author

    Jean Nestor M. Dahj is an experienced data scientist, cybersecurity researcher and analyst, and telecom professional with wide technical and scientific abilities. His skills have led him to work in the areas of data science, network probing, penetration testing and hacking, threat intelligence, and network analytics. He has built a wide range of skill sets through experience, training, and consultancy, including skills in cryptography, computer forensics, malware design and analysis, and data product development.

    Jean Nestor holds a master's degree (M-Tech) in electrical engineering from the University of South Africa. He is currently pursuing a Ph.D. in the same field at the University of Johannesburg, South Africa. His work history includes the likes of Huawei Technologies, Commprove Technologies, Siftcon Forensic Services, Metro Teleworks, and Nanofritech Consulting & Research Lab – an organization he co-founded. He is currently a full stack data scientist at Rain Networks, part of a dynamic team providing and developing various data solutions.

    He currently lives in Pretoria, South Africa, and is originally from Kikwit, a small city in the Democratic Republic of Congo.

    Special thanks to everyone who has supported me through the journey of writing this amazing book.

    About the reviewer

    Max van Kralingen is a cyber threat intelligence consultant with particular expertise in threat actor profiling, cyber fusion centers, OSINT investigations, MITRE's ATT&CK framework, social engineering, and breach and attack simulation. He holds a BA in political science, an MA in security and intelligence studies, and a PGDip in advanced security and digital forensics.

    I would like to thank my wonderful parents. My mother, for giving me a love of investigations, conversation, philosophy, psychology, and Lord of The Rings. My father, who gave me a love of history, politics, and Dire Straits. Finally, to the two most influential teachers in my life, who saw in me a spark of what I would become. John Carnegie, for the stories, code, and Star Trek. Julian Richards, for the art and science of intelligence analysis.

    Table of Contents

    Preface

    Section 1: Cyber Threat Intelligence Life Cycle, Requirements, and Tradecraft

    Chapter 1: Cyber Threat Intelligence Life Cycle

    Technical requirements

    Cyber threat intelligence – a global overview

    Characteristics of a threat

    Threat intelligence and data security challenges

    Importance and benefits of threat intelligence

    Planning, objectives, and direction

    Intelligence data collection

    Intelligence data processing

    Analysis and production

    Threat intelligence dissemination

    Threat intelligence feedback

    Summary

    Chapter 2: Requirements and Intelligence Team Implementation

    Technical requirements

    Threat intelligence requirements and prioritization

    Prioritizing intelligence requirements

    Requirements development

    Operational environment definition

    Network defense impact description

    Current cyber threats – evaluation

    Developing a course of action

    Intelligence preparation for intelligence requirements

    Intelligence team layout and prerequisites

    Intelligence team implementation

    Intelligence team structuring

    Intelligence team application areas

    Summary

    Chapter 3: Cyber Threat Intelligence Frameworks

    Technical requirements

    Intelligence frameworks – overview

    Why cyber threat frameworks?

    Cyber threat framework architecture and operating model

    Lockheed Martin's Cyber Kill Chain framework

    Use case – Lockheed Martin's Cyber Kill Chain model mapping

    Integrating the Cyber Kill Chain model into an intelligence project

    Benefits of the Cyber Kill Chain framework

    MITRE's ATT&CK knowledge-based framework

    How it works

    Use case – ATT&CK model mapping

    Integrating the MITRE ATT&CK framework

    Benefits of the ATT&CK framework

    Diamond model of intrusion analysis framework

    How it works

    Use case – Diamond model of intrusion analysis

    Integrating the Diamond model into intelligence projects

    Benefits of the Diamond model

    Summary

    Chapter 4: Cyber Threat Intelligence Tradecraft and Standards

    Technical requirements

    The baseline of intelligence analytic tradecraft

    Note 1 – Addressing CTI consumers' interests

    Note 2 – Access and credibility

    Note 3 – Articulation of assumptions

    Note 4 – Outlook

    Note 5 – Facts and sourcing

    Note 6 – Analytic expertise

    Note 7 – Effective summary

    Note 8 – Implementation analysis

    Note 9 – Conclusions

    Note 10 – Tradecraft and counterintelligence

    Understanding and adapting ICD 203 to CTI

    Understanding the STIX standard

    Using STIX for cyber threat analysis

    Specifying threat indicator patterns using STIX

    Using the STIX standard for threat response management

    Threat intelligence information sharing

    Understanding the STIX v2 standard

    Understanding the TAXII standard

    How TAXII standard works

    AFI14-133 tradecraft standard for CTI

    Analytic skills and tradecraft

    Additional topics covered in AFI14-133

    Summary

    Chapter 5: Goal Setting, Procedures for CTI Strategy, and Practical Use Cases

    Technical requirements

    The threat intelligence strategy map and goal setting

    Objective 1 – Facilitate and support real-time security operations

    Objective 2 – Facilitate an effective response to cyber threats

    Objective 3 – Facilitate and support the proactive tracking of cyber threats

    Objective 4 – Facilitate and support the updating and implementation of security governance

    TIPs – an overview

    Commercial TIPs

    Open-source TIPs

    Case study 1 – CTI for Level 1 organizations

    Objective

    Strategy

    Example

    Case study 2 – CTI for Level 2 organizations

    Objective

    Strategy

    Example

    Case study 3 – CTI for Level 3 organizations

    Objective

    Strategy

    Example

    Installing the MISP platform (optional)

    Summary

    Section 2: Cyber Threat Analytical Modeling and Defensive Mechanisms

    Chapter 6: Cyber Threat Modeling and Adversary Analysis

    Technical requirements

    The strategic threat modeling process

    Identifying and decomposing assets

    Adversaries and threat analysis

    Attack surfaces and threat vectors

    Adversary analysis use case – Twisted Spider

    Identifying countermeasures

    System re-evaluation

    Threat modeling methodologies

    Threat modeling with STRIDE

    Threat modeling with NIST

    Threat modeling use case

    Equifax data breach summary

    Threat modeling for ABCompany

    Advanced threat modeling with SIEM

    User behavior logic

    Benefits of UBA

    UBA selection guide – how it works

    Adversary analysis techniques

    Adversary attack preparation

    Attack preparation countermeasures

    Adversary attack execution

    Attack execution mitigation procedures

    Summary

    Chapter 7: Threat Intelligence Data Sources

    Technical requirements

    Defining the right sources for threat intelligence

    Internal threat intelligence sources

    External threat intelligence sources

    Organization intelligence profile

    Threat feed evaluation

    Threat data quality assessment

    Open Source Intelligence Feeds (OSINT)

    Benefits of open source intelligence

    Open source intelligence portals

    OSINT platform data insights (OSINT framework)

    OSINT limitations and drawbacks

    Malware data for threat intelligence

    Benefits of malware data collection

    Malware components

    Malware data core parameters

    Other non-open source intelligence sources

    Benefits of paid intelligence

    Paid threat intelligence challenges

    Some paid intelligence portals

    Intelligence data structuring and storing

    CTI data structuring

    CTI data storing requirements

    Intelligence data storing strategies

    Summary

    Chapter 8: Effective Defense Tactics and Data Protection

    Technical requirements

    Enforcing the CIA triad – overview

    Enforcing and maintaining confidentiality

    Enforcing and maintaining integrity

    Enforcing and maintaining availability

    Challenges and pitfalls of threat defense mechanisms

    Data security top challenges

    Threat defense mechanisms' pitfalls

    Data monitoring and active analytics

    Benefits of system monitoring

    High-level architecture

    Characteristics of a reliable monitoring system

    Vulnerability assessment and data risk analysis

    Vulnerability assessment methodology

    Vulnerability assessment process

    Vulnerability assessment tools

    Vulnerability and data risk assessment

    Encryption, tokenization, masking and quarantining

    Encryption as a defense mechanism

    Tokenization as a defense mechanism

    Masking and quarantining

    Endpoint management

    Reliable endpoint management requirements

    Mobile endpoint management

    Endpoint data breach use case – point of sale

    Summary

    Chapter 9: AI Applications in Cyber Threat Analytics

    Technical requirements

    AI and CTI

    Cyber threat hunting

    How adversaries can leverage AI

    AI's position in the CTI program and security stack

    AI integration – the IBM QRadar Advisor approach

    QRadar simplified architecture

    Deploying QRadar

    What's in it for you or your organization?

    Summary

    Chapter 10: Threat Modeling and Analysis – Practical Use Cases

    Technical requirements

    Understanding the analysis process

    Intrusion analysis case – how to proceed

    Indicator gathering and contextualization

    Pivoting through available sources

    Classifying the intelligence according to CTI frameworks

    Memory and disk analysis

    Malware data gathering

    Malware analysis and reverse engineering

    Analyzing the exfiltrated data and building adversary persona

    Analyzing the malicious files

    Gathering early indicators – Reconnaissance

    The Cyber Kill Chain and Diamond model

    MISP for automated threat analysis and storing

    MISP feed management

    MISP event analysis

    Summary

    Section 3: Integrating Cyber Threat Intelligence Strategy to Business processes

    Chapter 11: Usable Security: Threat Intelligence as Part of the Process

    Technical requirements

    Threat modeling guidelines for secured operations

    Usable security guidelines

    Software application security guidelines

    Data privacy in modern business

    Importance of usable privacy in modern society

    Threat intelligence and data privacy

    Social engineering and mental models

    Social engineering and threat intelligence

    Mental models for usability

    Intelligence-based DevSecOps high-level architecture

    Summary

    Chapter 12: SIEM Solutions and Intelligence-Driven SOCs

    Technical requirements

    Integrating threat intelligence into SIEM tools – Reactive and proactive defense through SIEM tools

    System architecture and components of a SIEM tool

    SIEM for security – OTX and OSSIM use case

    Making SOCs intelligent – Intelligence-driven SOCs

    Security operations key challenges

    Intelligence into security operations

    Threat intelligence and IR

    IR key challenges

    Integrating intelligence in IR

    Integrating threat intelligence into SIEM systems

    Summary

    Chapter 13: Threat Intelligence Metrics, Indicators of Compromise, and the Pyramid of Pain

    Technical requirements

    Understanding threat intelligence metrics

    Threat intelligence metrics requirements

    Threat intelligence metrics baseline

    IOCs, the CTI warhead

    The importance of IOCs

    Categories of IOCs

    Recognizing IOCs

    PoP, the adversary padlock

    PoP indicators

    Understanding the PoP

    Understanding the seven Ds of the kill chain action

    Understanding IOAs

    Summary

    Chapter 14: Threat Intelligence Reporting and Dissemination

    Technical requirements

    Understanding threat intelligence reporting

    Types of threat intelligence reports

    Making intelligence reports valuable

    An example of a threat intelligence report template

    Threat intelligence report writing tools

    Building and understanding adversaries' campaigns

    Naming adversary campaigns

    Advanced persistent threats (APTs) – a quick overview

    Tracking threat actors and groups

    Retiring threat intelligence and adversary campaigns

    Disseminating threat intelligence

    Challenges to intelligence dissemination

    Strategic, tactical, and operational intelligence sharing

    Threat intelligence sharing architectures

    YARA rules and threat intelligence sharing formats

    Some information sharing and collaboration platforms

    The threat intelligence feedback loop

    Understanding the benefits of CTI feedback loop

    Methods for collecting threat intelligence feedback

    The threat intelligence feedback cycle – use case

    Summary

    Chapter 15: Threat Intelligence Sharing and Cyber Activity Attribution – Practical Use Cases

    Technical requirements

    Creating and sharing IOCs

    Use case one – developing IOCs using YARA

    Use case two – sharing intelligence using Anomali STAXX

    Use case three – sharing intelligence through a platform

    Understanding and performing threat attribution

    Use case four – building activity groups from threat analysis

    Use case five – associating analysis with activity groups

    Use case six – an ACH and attributing activities to nation-state groups

    Summary

    Other Books You May Enjoy

    Preface

    The increase in security breaches and attacks in the last two decades indicates that traditional security defense methods are falling short. The sophistication of attacks – such as Advanced Persistent Threats (APTs) – leaves organizations with more worries despite heavy investment in security tools, which often work in silos. The lack of analytics skills, the struggle to incorporate security into processes, and the gap in structured security analytics are the main concerns in the fight against increasingly sophisticated cyber threats.

    Cyber Threat Intelligence (CTI) is a collaborative security program that uses advanced analysis of data collected from several sources (internal and external) to discover, detect, deny, disrupt, degrade, deceive, or destroy adversaries' activities. Because it is actionable and encourages information sharing between community members, individuals, and other organizations, it is becoming the de facto method of fighting APTs. However, many organizations are still struggling to embrace and integrate CTI into their existing security solutions and extract value from it.

    This book, Mastering Cyber Intelligence, provides the knowledge required to dive into the CTI world. It equips you with the theoretical and practical skills to conduct a threat intelligence program from planning to dissemination and feedback processing. It details strategies you can use to integrate CTI into an organization's security stack from the ground up, allowing you to effectively deal with cyber threats.

    Through step-by-step explanations and examples, you learn how to position CTI in the organization's strategy, plan and set objectives for your CTI program, collect the appropriate data for your program, process and format the collected data, perform threat modeling and conduct threat analysis, and share intelligence output internally (with the strategic, tactical, and operational security teams) and externally (with the community). By the end of the book, you will master CTI and be confident in helping organizations implement it to protect revenue, assets, and sensitive information (and data).

    Who this book is for

    This book is for organizations that (1) have basic security monitoring and intend to adopt cyber threat intelligence from scratch but do not know where to start, (2) have a good security infrastructure and intend to integrate threat intelligence into the security stack for an optimal security posture, or (3) have a good threat intelligence program and intend to enhance TTP prioritization, defense techniques, and threat tracking.

    It is also useful for security professionals who want to learn and master cyber threat intelligence and help organizations develop CTI strategies, who possess theoretical knowledge and want to add practical CTI skills, or who want to advance their career by preparing for professional CTI certifications such as the SANS FOR578 CTI and the EC-Council CTIA – this book is the perfect start, as it covers most of the topics in those courses' curricula.

    What this book covers

    Chapter 1, Cyber Threat Intelligence Life Cycle, discusses the steps involved in implementing a CTI program, which include planning, objectives, and direction; data collection; data processing; analysis and production; dissemination; and feedback. It provides a high-level overview of each step with some examples to help you understand what needs to be done. The chapter highlights the benefits of threat intelligence and its role in the defense against modern, sophisticated attacks such as APTs. It equips you with the knowledge required to plan and set directions for your program.

    Chapter 2, Requirements and Intelligence Team Implementation, discusses threat intelligence requirement generation and task prioritization. It shows you how to generate sound intelligence requirements for your program by using advanced methods drawn from military intelligence and warfare. As part of the planning phase of the CTI life cycle, the chapter discusses the team layout and how to acquire the right skill set to kick off your program. Finally, you learn how CTI relates to the other units of the security stack.

    Chapter 3, Cyber Threat Intelligence Frameworks, introduces the different frameworks that you, as a CTI analyst, can use for your threat intelligence program. It highlights their benefits and discusses the three most popular threat intelligence frameworks – the Cyber Kill Chain, MITRE ATT&CK, and the Diamond Model of intrusion analysis frameworks. Using examples, the chapter also shows how each framework applies to threat and intrusion analyses.

    Chapter 4, Cyber Threat Intelligence Tradecraft and Standards, discusses analytic tradecraft and standards that analysts can apply to CTI programs. It highlights the benefits of using common languages and processes in threat intelligence. The chapter teaches you how to apply already established analytic tradecraft and standards to your CTI program to increase its chance of success. The analytic tradecraft and standards discussed in this chapter include the United States Central Intelligence Agency's (CIA) compendium of analytic tradecraft notes, the Intelligence Community Directive (ICD) 203, the Air Force Instruction (AFI) 14-133, and their applications to CTI. Two important collaborative standards are described with practical examples in the chapter: the Structured Threat Information eXpression (STIX) and the Trusted Automated eXchange of Indicator Information (TAXII).

    Chapter 5, Goal Setting, Procedures for CTI Strategy, and Practical Use Cases, demonstrates how to integrate CTI into an organization's security profile from a practical standpoint. It introduces threat intelligence platforms (TIPs) (an essential tool for CTI) and provides guidelines for selecting the right TIP. You learn about open source and paid intelligence platforms, and which one would benefit you. The chapter uses practical case studies to show you how level 1, level 2, and level 3 organizations (those new to CTI, those with specific CTI knowledge, and those with a CTI program) can effectively embrace CTI and set goals. As an analyst or part of the CTI team, you can use the methods described in this chapter to kick-start a CTI program in your organization.

    Chapter 6, Cyber Threat Modeling and Adversary Analysis, discusses strategic modeling of threats and analysis of adversary behavior. It gives you the theoretical and practical knowledge required to perform manual and automated threat modeling. You learn the different threat modeling methodologies with examples, user behavior logic (UBA), and adversary analysis techniques. At the end of the chapter, you will be able to perform threat modeling for your organization.

    Chapter 7, Threat Intelligence Data Sources, discusses the different threat intelligence sources and where to find the data. To conduct CTI, you need data, and most of the time a lot of it. The chapter covers the three data source types: open source (OSINT or OTI), shared (STI), and paid (PTI) threat intelligence sources. It equips you with the knowledge to select suitable data sources for your program based on the CTI requirements, the organization's budget, and its operational strategy. You learn about data source selection and evaluation, malware data sources, parsing, and analysis for CTI. You also learn the benefits of shared and paid threat feeds. Finally, you learn about intelligence data structuring and storing.

    Chapter 8, Effective Defense Tactics and Data Protection, discusses how to build a robust defense system to prevent and contain cyber-attacks. It details the best practices for achieving reliable data protection. In the chapter, you learn about enforcing the Confidentiality, Integrity, and Availability (CIA) triad by evaluating the loopholes in current cyber threat defense infrastructures and applying the appropriate defense tactics; data monitoring and active analytics in CTI; vulnerability assessment and risk management in modern system protection; using encryption, tokenization, masking, and other obfuscation methods to make adversaries' work more difficult; and finally, endpoint management.

    Chapter 9, AI Applications in Cyber Threat Analytics, discusses how Artificial Intelligence (AI) can help the transition from reactive to proactive threat intelligence programs to stay ahead of adversaries. This chapter teaches you about AI-fueled CTI and how it makes a difference in security. You learn what cyber threat hunting is, how to perform it, and how to integrate it into your security operations to anticipate attacks and ensure effective defense. You understand the benefits of combining threat hunting and threat intelligence for reliable protection. You learn about AI's impact on adversaries' attacks and the enhancement of their procedures. Finally, you acquire the knowledge and skills to position AI in CTI and in your organization's security stack to maximize its value. We use IBM QRadar as an example of how AI can enhance security functions and tools.

    Chapter 10, Threat Modeling and Analysis – Practical Use Cases, is a hands-on, practical chapter that teaches you how to use CTI to perform intrusion analysis manually and automatically. It shows you how CTI analysts go from a received or discovered indicator of compromise (IOC) to understanding the extent of the intrusion. In this chapter, you learn how to gather and contextualize IOCs. You also learn to pivot through data sources and use intelligence frameworks for analysis. You gain the skills to perform basic memory and disk analysis to extract the evidence needed to solve cybercrimes. You acquire the skills to gather malware data, perform basic malware analysis for your case, fill in the Cyber Kill Chain matrix, and extract adversaries' tactics, techniques, and procedures (TTPs). Finally, you learn to use the open-source Malware Information Sharing Platform (MISP) for analysis and intelligence data storage.

    Chapter 11, Usable Security: Threat Intelligence as Part of the Process, discusses how threat intelligence can be applied to business operations and to the security of system (software and hardware) development. This chapter equips you, as an analyst, with the knowledge required to assess, advise, and assist in incorporating CTI into the products and services your organization develops, starting from the conception phase. You learn how to use threat analysis output in authentication applications, use threat modeling to enforce sound policies in system development and business operations, apply mental models to improve threat defense, and finally, implement secure system architectures that take cyber threats into account.

    Chapter 12, SIEM Solutions and Intelligence-Driven SOCs, discusses the importance of CTI in SIEM tools and SOCs. It explains the process of integrating intelligence into a SIEM solution. The chapter demonstrates how SIEM tools ingest and correlate data from multiple feeds and sources to provide automated intelligence. This chapter shows you how to automate and unify SOC operations for reactive and proactive defense. You learn how to optimize a SOC team's performance using threat intelligence. You also learn how to integrate threat analytics models into Incident Response (IR) to minimize the Mean Time To Respond (MTTR). You gain the practical knowledge to use open source SIEMs and intelligence sharing platforms such as the AlienVault Open Threat Exchange (OTX) and Open Source Security Information and Event Management (OSSIM) as a starting point. You learn about intelligence-led penetration testing and incident response. Finally, you learn how to make your organization's SOC intelligent.

    Chapter 13, Threat Intelligence Metrics, Indicators of Compromise, and the Pyramid of Pain, discusses security metrics for intelligence evaluation and program effectiveness. It also shows you how to evaluate your CTI team based on intelligence programs' output. The chapter then explains IOCs, the pyramid of pain, and their respective importance in a CTI analyst profile. In this chapter, you learn about CTI metrics and how they can be used to define the program success criteria. You learn the importance of IOCs, their categories, and how you recognize them in a system. You gain effective knowledge on the pyramid of pain and its application to CTI. You also learn how to apply the seven Ds (courses of action) of the Kill Chain in a threat analysis use case. Finally, you learn about the indicators of attack (IOAs) and how they differ from or relate to IOCs.

    Chapter 14, Threat Intelligence Reporting and Dissemination, discusses threat intelligence reporting and sharing. It shows you how to write effective documentation for the strategic, operational, and tactical teams. It also shows you how to extract threat intelligence report elements such as adversary campaigns and malware families. In this chapter, you learn how to write threat intelligence reports, build adversary groups and campaigns, share intelligence using best practices, and finally, collect threat intelligence feedback.

    Chapter 15, Threat Intelligence Sharing and Cyber Activity Attribution – Practical Use Cases, is a hands-on chapter that focuses on threat intelligence sharing and demonstrates how to attribute cyber activities to campaigns, threat groups, or threat actors. It provides you with the skills necessary to develop and share IOCs for internal security enhancement and external dissemination. In this chapter, you learn how to develop IOCs using YARA rules and use them to detect and stop attacks. You also learn how to set up a STIX/TAXII platform for intelligence dissemination using Anomali STAXX as an example. You learn how to use a threat intelligence sharing platform for intelligence dissemination. You gain the practical skills to build activity groups from threat analyses and associate analyses to each group (activity tracking). Finally, you learn how to conduct an Analysis of Competing Hypotheses (ACH) to attribute cyber activities to state-sponsored groups and actors.

    To get the most out of this book

    You need a basic knowledge of cybersecurity and networking to get the most out of this book. For the practical exercises, you need the SANS SIFT workstation installed as a virtual machine, or its tools installed on any UNIX-based operating system, such as Ubuntu or Kali Linux. The SIFT workstation comes with the tools necessary for security analysis. You also need the MISP virtual machine and the Anomali STAXX platform to complete the practical exercises in Chapter 15, Threat Intelligence Sharing and Cyber Activity Attribution – Practical Use Cases.

    All the commands are executed directly on the guest platforms mentioned here or the host environment terminal. We have used a Windows 10 host environment.

    Note that the book also explains the steps required to get you ready for practical exercises.

    Download the color images

    We also provide a PDF file with color images of the screenshots and diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781800209404_ColorImages.pdf.

    Conventions used

    There are a number of text conventions used throughout this book.

    Code in text: Indicates code words in the text, indicators of compromise, port numbers, folder names, filenames, file extensions, and pathnames. Here is an example: We pivot through the proxy logs, searching for /sys/files/ patterns in all web transactions, not only in the communication with the 125.19.103.198 IP address.

    A block of code is set as follows:

    {
        "title": "CTI TAXII server",
        "description": "This TAXII server contains a listing of ATT&CK domain collections expressed as STIX, including PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK Mobile.",
        "contact": "[email protected]",
        "default": "https://cti-taxii.mitre.org/stix/",
        "api_roots": [
            "https://cti-taxii.mitre.org/stix/"
        ]
    }

    When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

    raw_data.scan.port:554

    raw_data.ja3.fingerprint:795bc7ce13f60d61e9ac03611dd36d90

    Any command-line input or output is written as follows:

    $ mkdir css

    $ cd css

    Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: Select System info from the Administration panel.

    Tips or important notes

    Appear like this.

    Get in touch

    Feedback from our readers is always welcome.

    General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

    Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

    Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

    If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

    Share your thoughts

    Once you've read Mastering Cyber Intelligence, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

    Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.

    Section 1: Cyber Threat Intelligence Life Cycle, Requirements, and Tradecraft

    This section introduces the concept of Cyber Threat Intelligence (CTI) and breaks down its life cycle, explaining the main building blocks of the threat intelligence life cycle and strategy. It also discusses intelligence requirements and their importance to a CTI program's success. The section then covers the standards and tradecraft that analysts can apply to CTI programs. Finally, it concludes with practical use cases to help organizations and individuals adopt CTI. Upon completion of this section, you should have mastered the CTI life cycle, with a global idea of what is required at each stage of the cycle; understand how to generate requirements and build an effective team for your CTI program; understand and use threat intelligence frameworks for threat and intrusion analyses; be familiar with the different standards and tradecraft adopted by the cybersecurity community, the military, and intelligence agencies to conduct intelligence, and be able to apply them to your CTI program; be able to start a CTI program in an organization, whether it is new to CTI or already has experience in the matter; and finally, be able to select the appropriate threat intelligence platform for your program.

    This section contains the following chapters:

    Chapter 1, Cyber Threat Intelligence Life Cycle

    Chapter 2, Requirements and Intelligent Team Implementation

    Chapter 3, Cyber Threat Intelligence Frameworks

    Chapter 4, Cyber Threat Intelligence Tradecraft and Standards

    Chapter 5, Goal Setting, Procedures for CTI Strategy, and Practical Use Cases

    Chapter 1: Cyber Threat Intelligence Life Cycle

    This chapter will explain the steps of the threat intelligence life cycle. We will provide a high-level description of each step while looking at some practical examples to help you understand what each step entails. By the end of the chapter, you will be able to explain each stage of the intelligence life cycle and join the practical with the theoretical. This chapter forms the baseline of this book, and various intelligence strategies and processes will be built on top of this knowledge.

    By the end of this chapter, you should be able to do the following:

    Clearly explain what cyber threat intelligence is, why organizations must integrate it into the business and the security team, and who benefits from it, and be able to define its scope.

    Understand the challenges related to threat intelligence and cybersecurity in general.

    Know and understand the required components to effectively plan and set directions for a threat intelligence project.

    Know and understand the data required to build an intelligence project and how to acquire it globally.

    Understand intelligence data processing, why it is essential to a CTI project, and why the processing step needs to be automated.

    Understand the analysis step, its application, and its impact on the entire CTI project. In this step, you will also learn about intelligence analysis bias and different techniques that can be used to avoid a biased intelligence analysis.

    Explain the cycle's dissemination step and how to share an intelligence product with the relevant stakeholders. You should also understand the importance of the audience when consuming the product.

    Understand and explain the feedback phase of the cycle and state why it is critical in the project.

    In this chapter, we are going to cover the following main topics:

    Cyber threat intelligence – a global overview

    Planning, objectives, and direction

    Intelligence data collection

    Intelligence data processing

    Intelligence analysis and production

    Threat intelligence dissemination

    Threat intelligence feedback

    Technical requirements

    For this chapter, no special technical requirements have been highlighted. Most of the use cases will make use of web applications if necessary.

    Cyber threat intelligence – a global overview

    Many businesses and organizations aim for maximum digital presence in order to augment and optimize their visibility (effectively reaching the desired customers) and to benefit as much as possible from the current age of digitalization. As a result, they are regularly exposed to cyber threats and attacks, to a degree that depends on the underlying attack surface – the organization's size, architecture, applications, operating systems, and more.

    Threat intelligence allows businesses to collect and process information in such a way as to mitigate cyberattacks. Businesses and organizations have to protect themselves against threats, especially human threats. Cyber threat intelligence (CTI), as approached in this book, consists of intelligent information collection and processing that helps organizations develop a proactive security infrastructure for effective decision making. When engaging in a CTI project, the main threats to consider are humans, referred to as adversaries or threat actors. Therefore, it is essential to understand and master the methodologies that adversaries use to conduct cyberattacks, commonly described as their tactics, techniques, and procedures (TTPs), in order to uncover intrusions. By doing so, organizations address cyber threats at the source rather than at the surface. CTI works on evidence, and that evidence is the foundation of the knowledge required to build an effective cyber threat response unit for any organization.

    Many organizations regard threat intelligence as a product that allows them to implement protective cyber fences. While this is true, note that threat intelligence hides an effective process behind the scenes that leads to the finished package. As the intelligence team implements mechanisms to protect against existing and potential threats, adversaries change their tactics and techniques. It becomes crucial for the intelligence team to implement measures that allow new threats to be collected and analyzed. Hence, the process becomes a cycle that is continually revisited to ensure that organizations are not only reactive but proactive as well. The term threat intelligence life cycle is used to define the process required to implement an efficient cyber threat intelligence project in an organization. The following diagram shows this process:

    Figure 1.1 – Threat intelligence life cycle

    Threat intelligence is an ongoing process because adversaries update their methods, and so should organizations. The CTI product's feedback is used to enrich and generate new requirements for the next intelligence cycle.

    Characteristics of a threat

    Understanding what a threat is helps organizations avoid focusing on security alerts and cyber events that may not be a problem for the system. For example, a company running Linux servers discovers a .exe trojan in the system through the incident management tool. Although dangerous by nature, this trojan cannot compromise the company's infrastructure because it cannot run on it. Therefore, it is not a threat. As a security intelligence analyst, it is vital to notify the system manager about the file's low priority level and its inability to infect the network. Secondly, government agencies are among the largest adopters and owners of cyber projects. Governments have the tools and the knowledge necessary to attack each other. However, to avoid a cyberwar and the ruin of their friendship, the Canadian and American governments have no intention of attacking each other. Thus, they are not a threat to each other. If one party announces the design of a spying tool, that does not mean that it wants to use it against the other. Although there is the capability to spy, there might be no intent to do so. Therefore, one party is not always a threat to another. Lastly, one can have the capability and the intent but still need the opportunity to compromise a system.

    Therefore, we can summarize a threat as anything or anyone with the capability, the intent, and the opportunity to attack and compromise a system, independent of the resource level. When the intelligence team performs threat analysis, any alert that does not meet all three conditions is not considered a threat: if any of the three elements is missing, the adversary behind the alert is unlikely to be a threat.
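    The three-condition test above (capability, intent, opportunity) can be turned into a small triage routine that tells the analyst not only whether an alert counts as a threat, but which element is missing, which is exactly what the text recommends reporting to the system owner. The following is an added illustration written for this edition, not code from the book; the `Environment` and `Alert` data model, the field names, and all sample alerts (including the Linux-servers-versus-.exe-trojan case from the text) are constructed assumptions.

```python
"""Alert triage against the three threat conditions: capability, intent and
opportunity.  Added illustration; the data model and samples are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Environment:
    """What the organization runs and exposes (constructed fields)."""
    platforms: frozenset          # OS families present, e.g. {"linux"}
    sector: str                   # industry the organization belongs to
    exposed_services: frozenset   # services reachable by an outsider


@dataclass(frozen=True)
class Alert:
    """One alert as a detection tool might emit it (constructed fields)."""
    name: str
    target_platforms: frozenset   # platforms the payload can actually run on
    actor_targets: frozenset      # sectors the attributed actor is known to hit
    required_services: frozenset  # entry paths the intrusion depends on


def assess(alert: Alert, env: Environment) -> dict:
    """Evaluate the three conditions and return the verdict plus the gaps.

    capability  : the payload can run on something the organization operates
    intent      : the actor is known to target this organization's sector
    opportunity : at least one entry path the attack needs is exposed
    A threat requires all three; the 'missing' list names what is absent so
    the analyst can justify a low priority to the system owner.
    """
    conditions = {
        "capability": bool(alert.target_platforms & env.platforms),
        "intent": env.sector in alert.actor_targets,
        "opportunity": bool(alert.required_services & env.exposed_services),
    }
    return {
        "alert": alert.name,
        "is_threat": all(conditions.values()),
        "missing": [name for name, held in conditions.items() if not held],
    }


def triage(alerts, env: Environment) -> list:
    """Assess every alert and put confirmed threats first."""
    results = [assess(a, env) for a in alerts]
    return sorted(results, key=lambda r: (not r["is_threat"], r["alert"]))


# Constructed sample environment: Linux-only fleet in the finance sector.
ENV = Environment(
    platforms=frozenset({"linux"}),
    sector="finance",
    exposed_services=frozenset({"ssh", "https", "email"}),
)

# Constructed sample alerts.  The first mirrors the text's example: a Windows
# .exe trojan found on Linux servers lacks the capability to do harm there.
WINDOWS_TROJAN = Alert("exe-trojan-on-linux-host",
                       target_platforms=frozenset({"windows"}),
                       actor_targets=frozenset({"finance"}),
                       required_services=frozenset({"email"}))
LINUX_BACKDOOR = Alert("linux-ssh-backdoor",
                       target_platforms=frozenset({"linux"}),
                       actor_targets=frozenset({"finance", "energy"}),
                       required_services=frozenset({"ssh"}))
MISMATCHED_MINER = Alert("linux-cryptominer-rdp",
                         target_platforms=frozenset({"linux"}),
                         actor_targets=frozenset({"healthcare"}),
                         required_services=frozenset({"rdp"}))
SAMPLE_ALERTS = [WINDOWS_TROJAN, LINUX_BACKDOOR, MISMATCHED_MINER]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_ALERTS, ENV):
        status = "THREAT" if verdict["is_threat"] else "not a threat"
        print(f'{verdict["alert"]:28} {status:13} missing={verdict["missing"]}')
```

    Only the constructed `linux-ssh-backdoor` alert satisfies all three conditions; the .exe trojan is reported with capability missing, and the cryptominer with both intent and opportunity missing. In practice the capability and opportunity inputs come from the asset inventory and exposure data, and intent from actor profiling, which later chapters of the book cover.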

    Threat intelligence and data security challenges

    Organizations face a lot of challenges when it comes to data protection and cybersecurity in general. Those challenges are located in all the functional levels of the organization. There are several challenges, but the most common ones include the following:

    The threat landscape: In most cases, cyberattacks are orchestrated by professionals and teams that have the necessary resources and training at their disposal. This includes state-sponsored attacks. Beyond state actors, private groups with access to specific tools and training have developed sophisticated ways to conduct destructive cyberattacks. The landscape of threats is growing and changing as adversaries rely on new exploits and advanced social engineering techniques. McAfee Labs reported an average of 588 threats per minute (a 40% increase) in the third quarter of 2020, while Q3 to Q4 2020 saw more than a 100% increase in vulnerabilities and more than a 43% increase in malware.

    Targeted attacks such as ransomware were the main concern for organizations in 2020, with more than a 40% increase by the end of the year (https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-apr-2021.pdf). Approximately 17,447 vulnerabilities (CVEs) were recorded in 2020, with more than 4,000 high-severity ones (https://www.darkreading.com/threat-intelligence/us-cert-reports-17447-vulnerabilities-recorded-in-2020/d/d-id/1339741). Thus, the threat landscape is a critical factor for organizations that have most of their resources, assets, services, and products on the internet, and understanding it facilitates the risk mitigation process. Personal information is one of the most targeted assets on the internet – Personally Identifiable Information (PII), payment card data, and HIPAA-regulated health data, to name a few.

    Security alerts and data growth: Organizations are acquiring different security platforms and technologies to address security concerns and challenges – sandboxes, firewalls, incident response, threat hunting, fraud detection, intrusion detection, network scanners, and more. According to an IBM study, an average IT company possesses 85 general security tools from at least 25 vendors. In most cases, those tools are not integrated across all teams, and each has different security requirements. Each tool generates security alerts of different levels, and in most cases, security professionals rely on manual processes or external automation tools (with limited functionality) to aggregate, clean, correlate, analyze, and interpret the data. The more tools an organization has, the more data is collected, and the more exhausted and overwhelmed the security analysts become when they have to mine the voluminous data. There is then a high chance of not using the data effectively and thereby missing critical alerts. A high volume of alerts and data is difficult, if not impossible, for a human to handle correctly. This is known as visibility loss.

    Operational complexity: The core business components may involve several organizational departments that interact with different applications to reach their goals. The embrace of big data and the adoption of cloud technologies have facilitated the management of IT infrastructures. However, they have also opened the door to more attack points, which is why cloud security is becoming a hot topic. Many third-party tools, resources, and suppliers (which have vulnerabilities of their own) are used to address the security problem. Third-party tools are largely opaque to the organization where they are installed because most of the processing that happens in the backend is not exposed to the consumer. Therefore, they increase operational complexity, especially regarding ownership of each security aspect (such as incident management, intrusion detection, traffic filtering, and inspection). Policies and procedures must be set if organizations wish to have useful data security solutions, and organizations must find ways to regulate internally the authority granted to third-party and other external tools.

    New privacy regulations: New requirements are frequently put in place to address data security and privacy concerns worldwide. Regulations are used to enforce the law. However, as the number of regulations increases across industries – medical, financial, transportation, retail, and so on – their overlap becomes a challenge, as organizations must comply with all applicable policies. Should an organization fail to comply with regulations, penalties can be imposed regardless of whether a breach has occurred. This is why it is important to have security solutions that are regulation-compliant.

    Moreover, different regions and agencies have different security policies that need to be followed. A typical example is the European Union's General Data Protection Regulation (GDPR), which protects EU citizens' privacy and personal information. The GDPR applies to the EU space, which means that any organization (independent of its origin, EU or not) operating or rendering services in the EU region needs to comply with it. Tradecraft and standards will be explained in Chapter 4, Cyber Threat Intelligence Tradecraft and Standards. Another example is the South African Protection of Personal Information (POPI) Act, which protects South African citizens' privacy and governs how their personal information is handled. Complying with such policies can be challenging, and organizations need to ensure compliance with every regulation that applies to them.

    Cybersecurity skills gap: As organizations grow, manual processes become a challenge, and the shortage of skilled staff becomes apparent. According to the ISC2 2019 report (https://bit.ly/2Lvw7tr), approximately 65% of organizations have a shortage of cybersecurity professionals. Although the gap has been narrowing over the years, the demand for cybersecurity professionals remains high, and that is a big concern. The job concerns of cybersecurity professionals, as reported by ISC2, are shown in the following diagram:

    Figure 1.2 – ISC2 job concerns among cybersecurity professionals

    Organizations spend more time dealing with security threats than training or equipping the team with the necessary knowledge. Adversaries keep attacking and breaking through conventional security systems daily. This is why there is a great demand worldwide for cybersecurity professionals who are conversant with industry standards and methods, and who are dependable, adaptable, and, most importantly, resilient. Organizations need to invest in empowering and training individuals in the field of cybersecurity and threat intelligence.

    Importance and benefits of threat intelligence

    Cyber threat intelligence (CTI) addresses the aforementioned challenges by collecting and processing data from multiple data sources and providing actionable, evidence-based results that support business decisions. Using a single platform (for correlation, aggregation, normalization, analysis, and distribution) or a centralized environment, CTI analyzes data and uncovers the essential patterns of threats – any activity with the capability, the intent, and the opportunity to compromise a system.

    CTI consolidates an organization's existing tools and platforms, integrates different data sources, and