Mastering Cyber Intelligence: Gain comprehensive knowledge and skills to conduct threat intelligence for effective system defense
About this ebook
The sophistication of cyber threats, such as ransomware, advanced phishing campaigns, zero-day vulnerability attacks, and advanced persistent threats (APTs), is pushing organizations and individuals to change strategies for reliable system protection. Cyber Threat Intelligence converts threat information into evidence-based intelligence that uncovers adversaries' intents, motives, and capabilities for effective defense against all kinds of threats.
This book thoroughly covers the concepts and practices required to develop and drive threat intelligence programs, detailing the tasks involved in each step of the CTI lifecycle. You'll be able to plan a threat intelligence program by understanding and collecting the requirements, setting up the team, and exploring the intelligence frameworks. You'll also learn how and from where to collect intelligence data for your program, considering your organization level. With the help of practical examples, this book will help you get to grips with threat data processing and analysis. And finally, you'll be well-versed with writing tactical, technical, and strategic intelligence reports and sharing them with the community.
By the end of this book, you'll have acquired the knowledge and skills required to drive threat intelligence operations from planning to dissemination phases, protect your organization, and help in critical defense decisions.
Book preview
Mastering Cyber Intelligence - Jean Nestor M. Dahj
BIRMINGHAM—MUMBAI
Mastering Cyber Intelligence
Copyright © 2022 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author(s), nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Vijin Boricha
Publishing Product Manager: Shrilekha Malpani
Senior Editor: Arun Nadar
Content Development Editor: Yasir Ali Khan
Technical Editor: Rajat Sharma
Copy Editor: Safis Editing
Project Coordinator: Ajesh Devavaram
Proofreader: Safis Editing
Indexer: Hemangini Bari
Production Designer: Joshua Misquitta
Marketing Coordinator: Hemangi Lotlikar
First published: April 2022
Production reference: 1010422
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-80020-940-4
www.packt.com
To my father, Muwawa Salam Tjoppen, and my mother, Isamanga Olwey Therese, for their sacrifices and values instilled in me. In loving memory of my youngest brother, Muwawa Legi Yao Bob. To my family for their support. To God for the gift of life, which allows me to keep working hard, hoping, and dreaming.
– Jean Nestor M. Dahj
Contributors
About the author
Jean Nestor M. Dahj is an experienced data scientist, cybersecurity researcher and analyst, and telecom professional with wide technical and scientific abilities. His skills have led him to work in the areas of data science, network probing, penetration testing and hacking, threat intelligence, and network analytics. He has built a wide range of skill sets through experience, training, and consultancy, including skills in cryptography, computer forensics, malware design and analysis, and data product development.
Jean Nestor holds a master's degree (M-Tech) in electrical engineering from the University of South Africa. He is currently pursuing a Ph.D. in the same field at the University of Johannesburg, South Africa. His work history includes the likes of Huawei Technologies, Commprove Technologies, Siftcon Forensic Services, Metro Teleworks, and Nanofritech Consulting & Research Lab – an organization he co-founded. He is currently a full stack data scientist at Rain Networks, part of a dynamic team providing and developing various data solutions.
He currently lives in Pretoria, South Africa, and is originally from Kikwit, a small city in the Democratic Republic of Congo.
Special thanks to everyone who has supported me through the journey of writing this amazing book.
About the reviewer
Max van Kralingen is a cyber threat intelligence consultant with particular expertise in threat actor profiling, cyber fusion centers, OSINT investigations, MITRE's ATT&CK framework, social engineering, and breach and attack simulation. He holds a BA in political science, an MA in security and intelligence studies, and a PGDip in advanced security and digital forensics.
I would like to thank my wonderful parents. My mother, for giving me a love of investigations, conversation, philosophy, psychology, and Lord of The Rings. My father, who gave me a love of history, politics, and Dire Straits. Finally, to the two most influential teachers in my life, who saw in me a spark of what I would become. John Carnegie, for the stories, code, and Star Trek. Julian Richards, for the art and science of intelligence analysis.
Table of Contents
Preface
Section 1: Cyber Threat Intelligence Life Cycle, Requirements, and Tradecraft
Chapter 1: Cyber Threat Intelligence Life Cycle
Technical requirements
Cyber threat intelligence – a global overview
Characteristics of a threat
Threat intelligence and data security challenges
Importance and benefits of threat intelligence
Planning, objectives, and direction
Intelligence data collection
Intelligence data processing
Analysis and production
Threat intelligence dissemination
Threat intelligence feedback
Summary
Chapter 2: Requirements and Intelligence Team Implementation
Technical requirements
Threat intelligence requirements and prioritization
Prioritizing intelligence requirements
Requirements development
Operational environment definition
Network defense impact description
Current cyber threats – evaluation
Developing a course of action
Intelligence preparation for intelligence requirements
Intelligence team layout and prerequisites
Intelligence team implementation
Intelligence team structuring
Intelligence team application areas
Summary
Chapter 3: Cyber Threat Intelligence Frameworks
Technical requirements
Intelligence frameworks – overview
Why cyber threat frameworks?
Cyber threat framework architecture and operating model
Lockheed Martin's Cyber Kill Chain framework
Use case – Lockheed Martin's Cyber Kill Chain model mapping
Integrating the Cyber Kill Chain model into an intelligence project
Benefits of the Cyber Kill Chain framework
MITRE's ATT&CK knowledge-based framework
How it works
Use case – ATT&CK model mapping
Integrating the MITRE ATT&CK framework
Benefits of the ATT&CK framework
Diamond model of intrusion analysis framework
How it works
Use case – Diamond model of intrusion analysis
Integrating the Diamond model into intelligence projects
Benefits of the Diamond model
Summary
Chapter 4: Cyber Threat Intelligence Tradecraft and Standards
Technical requirements
The baseline of intelligence analytic tradecraft
Note 1 – Addressing CTI consumers' interests
Note 2 – Access and credibility
Note 3 – Articulation of assumptions
Note 4 – Outlook
Note 5 – Facts and sourcing
Note 6 – Analytic expertise
Note 7 – Effective summary
Note 8 – Implementation analysis
Note 9 – Conclusions
Note 10 – Tradecraft and counterintelligence
Understanding and adapting ICD 203 to CTI
Understanding the STIX standard
Using STIX for cyber threat analysis
Specifying threat indicator patterns using STIX
Using the STIX standard for threat response management
Threat intelligence information sharing
Understanding the STIX v2 standard
Understanding the TAXII standard
How TAXII standard works
AFI14-133 tradecraft standard for CTI
Analytic skills and tradecraft
Additional topics covered in AFI14-133
Summary
Chapter 5: Goal Setting, Procedures for CTI Strategy, and Practical Use Cases
Technical requirements
The threat intelligence strategy map and goal setting
Objective 1 – Facilitate and support real-time security operations
Objective 2 – Facilitate an effective response to cyber threats
Objective 3 – Facilitate and support the proactive tracking of cyber threats
Objective 4 – Facilitate and support the updating and implementation of security governance
TIPs – an overview
Commercial TIPs
Open-source TIPs
Case study 1 – CTI for Level 1 organizations
Objective
Strategy
Example
Case study 2 – CTI for Level 2 organizations
Objective
Strategy
Example
Case study 3 – CTI for Level 3 organizations
Objective
Strategy
Example
Installing the MISP platform (optional)
Summary
Section 2: Cyber Threat Analytical Modeling and Defensive Mechanisms
Chapter 6: Cyber Threat Modeling and Adversary Analysis
Technical requirements
The strategic threat modeling process
Identifying and decomposing assets
Adversaries and threat analysis
Attack surfaces and threat vectors
Adversary analysis use case – Twisted Spider
Identifying countermeasures
System re-evaluation
Threat modeling methodologies
Threat modeling with STRIDE
Threat modeling with NIST
Threat modeling use case
Equifax data breach summary
Threat modeling for ABCompany
Advanced threat modeling with SIEM
User behavior logic
Benefits of UBA
UBA selection guide – how it works
Adversary analysis techniques
Adversary attack preparation
Attack preparation countermeasures
Adversary attack execution
Attack execution mitigation procedures
Summary
Chapter 7: Threat Intelligence Data Sources
Technical requirements
Defining the right sources for threat intelligence
Internal threat intelligence sources
External threat intelligence sources
Organization intelligence profile
Threat feed evaluation
Threat data quality assessment
Open Source Intelligence Feeds (OSINT)
Benefits of open source intelligence
Open source intelligence portals
OSINT platform data insights (OSINT framework)
OSINT limitations and drawbacks
Malware data for threat intelligence
Benefits of malware data collection
Malware components
Malware data core parameters
Other non-open source intelligence sources
Benefits of paid intelligence
Paid threat intelligence challenges
Some paid intelligence portals
Intelligence data structuring and storing
CTI data structuring
CTI data storing requirements
Intelligence data storing strategies
Summary
Chapter 8: Effective Defense Tactics and Data Protection
Technical requirements
Enforcing the CIA triad – overview
Enforcing and maintaining confidentiality
Enforcing and maintaining integrity
Enforcing and maintaining availability
Challenges and pitfalls of threat defense mechanisms
Data security top challenges
Threat defense mechanisms' pitfalls
Data monitoring and active analytics
Benefits of system monitoring
High-level architecture
Characteristics of a reliable monitoring system
Vulnerability assessment and data risk analysis
Vulnerability assessment methodology
Vulnerability assessment process
Vulnerability assessment tools
Vulnerability and data risk assessment
Encryption, tokenization, masking, and quarantining
Encryption as a defense mechanism
Tokenization as a defense mechanism
Masking and quarantining
Endpoint management
Reliable endpoint management requirements
Mobile endpoint management
Endpoint data breach use case – point of sale
Summary
Chapter 9: AI Applications in Cyber Threat Analytics
Technical requirements
AI and CTI
Cyber threat hunting
How adversaries can leverage AI
AI's position in the CTI program and security stack
AI integration – the IBM QRadar Advisor approach
QRadar simplified architecture
Deploying QRadar
What's in it for you or your organization?
Summary
Chapter 10: Threat Modeling and Analysis – Practical Use Cases
Technical requirements
Understanding the analysis process
Intrusion analysis case – how to proceed
Indicator gathering and contextualization
Pivoting through available sources
Classifying the intelligence according to CTI frameworks
Memory and disk analysis
Malware data gathering
Malware analysis and reverse engineering
Analyzing the exfiltrated data and building adversary persona
Analyzing the malicious files
Gathering early indicators – Reconnaissance
The Cyber Kill Chain and Diamond model
MISP for automated threat analysis and storing
MISP feed management
MISP event analysis
Summary
Section 3: Integrating Cyber Threat Intelligence Strategy into Business Processes
Chapter 11: Usable Security: Threat Intelligence as Part of the Process
Technical requirements
Threat modeling guidelines for secured operations
Usable security guidelines
Software application security guidelines
Data privacy in modern business
Importance of usable privacy in modern society
Threat intelligence and data privacy
Social engineering and mental models
Social engineering and threat intelligence
Mental models for usability
Intelligence-based DevSecOps high-level architecture
Summary
Chapter 12: SIEM Solutions and Intelligence-Driven SOCs
Technical requirements
Integrating threat intelligence into SIEM tools – Reactive and proactive defense through SIEM tools
System architecture and components of a SIEM tool
SIEM for security – OTX and OSSIM use case
Making SOCs intelligent – Intelligence-driven SOCs
Security operations key challenges
Intelligence into security operations
Threat intelligence and IR
IR key challenges
Integrating intelligence in IR
Integrating threat intelligence into SIEM systems
Summary
Chapter 13: Threat Intelligence Metrics, Indicators of Compromise, and the Pyramid of Pain
Technical requirements
Understanding threat intelligence metrics
Threat intelligence metrics requirements
Threat intelligence metrics baseline
IOCs, the CTI warhead
The importance of IOCs
Categories of IOCs
Recognizing IOCs
PoP, the adversary padlock
PoP indicators
Understanding the PoP
Understanding the seven Ds of the kill chain action
Understanding IOAs
Summary
Chapter 14: Threat Intelligence Reporting and Dissemination
Technical requirements
Understanding threat intelligence reporting
Types of threat intelligence reports
Making intelligence reports valuable
An example of a threat intelligence report template
Threat intelligence report writing tools
Building and understanding adversaries' campaigns
Naming adversary campaigns
Advanced persistent threats (APTs) – a quick overview
Tracking threat actors and groups
Retiring threat intelligence and adversary campaigns
Disseminating threat intelligence
Challenges to intelligence dissemination
Strategic, tactical, and operational intelligence sharing
Threat intelligence sharing architectures
YARA rules and threat intelligence sharing formats
Some information sharing and collaboration platforms
The threat intelligence feedback loop
Understanding the benefits of the CTI feedback loop
Methods for collecting threat intelligence feedback
The threat intelligence feedback cycle – use case
Summary
Chapter 15: Threat Intelligence Sharing and Cyber Activity Attribution – Practical Use Cases
Technical requirements
Creating and sharing IOCs
Use case one – developing IOCs using YARA
Use case two – sharing intelligence using Anomali STAXX
Use case three – sharing intelligence through a platform
Understanding and performing threat attribution
Use case four – building activity groups from threat analysis
Use case five – associating analysis with activity groups
Use case six – an ACH and attributing activities to nation-state groups
Summary
Other Books You May Enjoy
Preface
The increase in security breaches and attacks over the last two decades indicates that traditional security defense methods are falling short. The sophistication of attacks, such as Advanced Persistent Threats (APTs), leaves organizations with growing concerns despite heavy investment in security tools, which often work in silos. The lack of analytics skills, the struggle to incorporate security into processes, and the gap in structured security analytics are the main concerns in the fight against ever more capable cyber threats.
Cyber Threat Intelligence (CTI) is a collaborative security program that uses advanced analysis of data collected from several sources (internal and external) to discover, detect, deny, disrupt, degrade, deceive, or destroy adversaries' activities. Because it is actionable and encourages information sharing between community members, individuals, and so on, it is becoming the de facto method to fight against APTs. However, many organizations are still struggling to embrace and integrate CTI in their existing security solutions and extract value from it.
This book, Mastering Cyber Intelligence, provides the knowledge required to dive into the CTI world. It equips you with the theoretical and practical skills to conduct a threat intelligence program from planning to dissemination and feedback processing. It details strategies you can use to integrate CTI into an organization's security stack from the ground up, allowing you to effectively deal with cyber threats.
Through step-by-step explanations and examples, you learn how to position CTI in the organization's strategy, plan and set objectives for your CTI program, collect the appropriate data for the program, process and format the collected data, perform threat modeling and conduct threat analysis, and share intelligence output internally (with the strategic, tactical, and operational security teams) and externally (with the community). By the end of the book, you will have mastered CTI and be confident in helping organizations implement it to protect revenue, assets, and sensitive information and data.
Who this book is for
This book is for organizations that have basic security monitoring and intend to adopt cyber threat intelligence from scratch but do not know where to start; that have a good security infrastructure and intend to integrate threat intelligence into the security stack for an optimal security posture; or that already have a threat intelligence program and intend to enhance TTP prioritization, defense techniques, and threat tracking.
It is also useful for security professionals who want to learn and master cyber threat intelligence and help organizations develop CTI strategies, who possess theoretical knowledge and want to add practical CTI skills, or who want to advance their career by preparing for professional CTI certifications such as SANS FOR578 CTI and the EC-Council CTIA. This book is the perfect start, as it covers most of the topics in those courses' curricula.
What this book covers
Chapter 1, Cyber Threat Intelligence Life Cycle, discusses the steps involved in implementing a CTI program: planning, objectives, and direction; data collection; data processing; analysis and production; dissemination; and feedback. It provides a high-level overview of each step with examples to help you understand what needs to be done. The chapter highlights the benefits of threat intelligence and its role in the defense against modern, sophisticated attacks such as APTs. It equips you with the knowledge required to plan and set directions for your program.
Chapter 2, Requirements and Intelligence Team Implementation, discusses threat intelligence requirement generation and task prioritization. It shows you how to generate sound intelligence requirements for your program using advanced methods drawn from the military and warfare. As part of the planning phase of the CTI life cycle, the chapter discusses the team layout and how to acquire the right skill set to kick off your program. Finally, the chapter explains how CTI relates to the other units of the security stack.
Chapter 3, Cyber Threat Intelligence Frameworks, introduces the different frameworks that you, as a CTI analyst, can use for your threat intelligence program. It highlights their benefits and discusses the three most popular threat intelligence frameworks – the Cyber Kill Chain, MITRE ATT&CK, and the Diamond Model of intrusion analysis frameworks. Using examples, the chapter also shows how each framework applies to threat and intrusion analyses.
Chapter 4, Cyber Threat Intelligence Tradecraft and Standards, discusses analytic tradecraft and standards that analysts can apply to CTI programs. It highlights the benefits of using common languages and processes in threat intelligence. The chapter teaches you how to apply already established analytic tradecraft and standards to your CTI program to increase its chance of success. Some of the analytics tradecraft and standards discussed in this chapter include the United States Central Intelligence Agency's (CIA) compendium of analytic tradecraft notes, the Intelligence Community Directive (ICD) 203, the Air Force Instruction (AFI) 14-133, and their applications to CTI. Two important collaborative standards are practically described in the chapter, the Structured Threat Information eXpression (STIX) and the Trusted Automated eXchange of Indicator Information (TAXII).
Chapter 5, Goal Setting, Procedures for CTI Strategy, and Practical Use Cases, demonstrates how to integrate CTI into an organization's security profile from a practical standpoint. It introduces threat intelligence platforms (TIPs) (an essential tool for CTI) and provides guidelines for selecting the right TIP. You learn about open source and paid intelligence platforms, and which one would benefit you. The chapter uses practical case studies to show you how level 1, level 2, and level 3 organizations (those new to CTI, those with specific CTI knowledge, and those with a CTI program) can effectively embrace CTI and set goals. As an analyst or part of the CTI team, you can use the methods described in this chapter to kick-start a CTI program in your organization.
Chapter 6, Cyber Threat Modeling and Adversary Analysis, discusses strategic modeling of threats and analytics of the adversary's behavior. It gives you the theoretical and practical knowledge required to perform manual and automated threat modeling. You learn the different threat modeling methodologies with examples, user behavior logic (UBA), and adversary analysis techniques. At the end of the chapter, you will be able to perform threat modeling for your organization.
Chapter 7, Threat Intelligence Data Sources, discusses the different threat intelligence sources and where to find the data. To conduct CTI, you need data, and usually a lot of it. The chapter covers the three data source types: open source (OSINT or OTI), shared (STI), and paid (PTI) threat intelligence sources. It equips you with the knowledge to select suitable data sources for your program based on the CTI requirements, the organization's budget, and its operational strategy. You learn about data source selection and evaluation, and about malware data sources, parsing, and analysis for CTI. You also learn the benefits of shared and paid threat feeds. Finally, you learn how to structure and store intelligence data.
Chapter 8, Effective Defense Tactics and Data Protection, discusses how to build a robust defense system to prevent and contain cyber-attacks. It details the best practices for achieving reliable data protection. In the chapter, you learn about enforcing the Confidentiality, Integrity, and Availability (CIA) triad by evaluating the loopholes in current cyber threat defense infrastructures and applying the appropriate defense tactics; data monitoring and active analytics in CTI; vulnerability assessment and risk management in modern system protection; using encryption, tokenization, masking, and other obfuscation methods to make adversaries' work harder; and finally, endpoint management.
Chapter 9, AI Applications in Cyber Threat Analytics, discusses how Artificial Intelligence (AI) can help the transition from reactive to proactive threat intelligence programs so that you stay ahead of adversaries. This chapter teaches you AI-fueled CTI and how it makes a difference in security. You learn what cyber threat hunting is, how to perform it, and how to integrate it into your security operations to anticipate attacks and ensure effective defense. You understand the benefits of combining threat hunting and threat intelligence for reliable protection. You learn how AI enhances adversaries' attacks and procedures. Finally, you acquire the knowledge and skills to position AI in CTI and in your organization's security stack to maximize its value. We use IBM QRadar as an example of how AI can enhance security functions and tools.
Chapter 10, Threat Modeling and Analysis - Practical Use Cases, is a hands-on, practical chapter that teaches you how to use CTI to perform intrusion analysis manually and automatically. It shows you how CTI analysts go from a received or discovered indicator of compromise (IOC) to understanding the extent of the intrusion. In this chapter, you learn how to gather and contextualize IOCs. You also learn to pivot through data sources and use intelligence frameworks for analysis. You gain the skills to perform basic memory and disk analysis to extract pieces of evidence to solve cybercrimes. You acquire the skills to gather malware data, perform basic malware analysis for your case, fill the Cyber Kill Chain matrix, and extract adversaries' tactics, techniques, and procedures (TTPs). Finally, you learn to use the open-source Malware Information Sharing Platform (MISP) for analysis and intelligence data storage.
Chapter 11, Usable Security: Threat Intelligence as Part of the Process, discusses how threat intelligence can be applied to business operations and to the security of system (software and hardware) development. This chapter equips you, as an analyst, with the knowledge required to assess, advise, and assist in incorporating CTI into the products and services your organization develops, starting from the conception phase. You learn how to use threat analysis output in authentication applications, use threat modeling to enforce sound policies in system development and business operations, apply mental models to improve threat defense, and finally, implement secured system architectures that account for cyber threats.
Chapter 12, SIEM Solutions and Intelligence-Driven SOCs, discusses the importance of CTI in SIEM tools and SOCs. It explains the process of integrating intelligence into a SIEM solution. The chapter demonstrates how SIEM tools ingest and correlate data from multiple feeds and sources to provide automated intelligence. This chapter shows you how to automate and unify SOC operations for reactive and proactive defense. You learn how to optimize a SOC team's performance using threat intelligence. You also learn how to integrate threat analytics models into Incident Response (IR) to minimize the Mean Time To Respond (MTTR). You gain the practical knowledge to use open source SIEMs and intelligence sharing platforms such as the AlienVault Open Threat Exchange (OTX) and Open-Source Security Information and Event Management (OSSIM) as a starting point. You learn intelligence-led penetration testing and incident response. Finally, you learn how to make your organization's SOC intelligent.
Chapter 13, Threat Intelligence Metrics, Indicators of Compromise, and the Pyramid of Pain, discusses security metrics for intelligence evaluation and program effectiveness. It also shows you how to evaluate your CTI team based on intelligence programs' output. The chapter then explains IOCs, the pyramid of pain, and their respective importance in a CTI analyst profile. In this chapter, you learn about CTI metrics and how they can be used to define the program success criteria. You learn the importance of IOCs, their categories, and how you recognize them in a system. You gain effective knowledge on the pyramid of pain and its application to CTI. You also learn how to apply the seven Ds (courses of action) of the Kill Chain in a threat analysis use case. Finally, you learn about the indicators of attack (IOAs) and how they differ from or relate to IOCs.
Chapter 14, Threat Intelligence Reporting and Dissemination, discusses threat intelligence reporting and sharing. It shows you how to write effective documentation for the strategic, operational, and tactical teams. It also shows you how to extract threat intelligence report elements such as adversary campaigns and malware families. In this chapter, you learn how to write threat intelligence reports, build adversary groups and campaigns, share intelligence using best practices, and finally, collect threat intelligence feedback.
Chapter 15, Threat Intelligence Sharing and Cyber Activity Attribution – Practical Use Cases, is a hands-on chapter that focuses on threat intelligence sharing and demonstrates how to attribute cyber activities to campaigns, threat groups, or threat actors. It provides you with the skills necessary to develop and share IOCs for internal security enhancement and external dissemination. In this chapter, you learn how to develop IOCs using YARA rules and use them to detect and stop attacks. You also learn how to set up a STIX/TAXII platform for intelligence dissemination using Anomali STAXX as an example. You learn how to use a threat intelligence sharing platform for intelligence dissemination. You gain the practical skills to build activity groups from threat analyses and associate analyses with each group (activity tracking). Finally, you learn how to conduct an Analysis of Competing Hypotheses (ACH) to attribute cyber activities to state-sponsored groups and actors.
To get the most out of this book
You need a basic knowledge of cybersecurity and networking to get the most out of this book. For practical exercises, you need the SANS SIFT workstation installed as a virtual machine or in any UNIX-based operating system, such as Ubuntu or Kali Linux. SIFT workstation comes with the necessary tools for security analysis. You need the MISP virtual machine and the Anomali STAXX platform to do the practicals in Chapter 15, Threat Intelligence Sharing and Cyber Activity Attribution - Practical Use Cases.
All the commands are executed directly on the guest platforms mentioned here or the host environment terminal. We have used a Windows 10 host environment.
Note that the book also explains the steps required to get you ready for practical exercises.
Download the color images
We also provide a PDF file with color images of the screenshots and diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781800209404_ColorImages.pdf.
Conventions used
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in the text, indicators of compromise, port numbers, folder names, filenames, file extensions, and pathnames. Here is an example: We pivot through the proxy logs, searching for /sys/files/ patterns in all web transactions, not in the 125.19.103.198 IP communication.
A block of code is set as follows:
{
  "title": "CTI TAXII server",
  "description": "This TAXII server contains a listing of ATT&CK domain collections expressed as STIX, including PRE-ATT&CK, ATT&CK for Enterprise, and ATT&CK Mobile.",
  "contact": "[email protected]",
  "default": "https://cti-taxii.mitre.org/stix/",
  "api_roots": [
    "https://cti-taxii.mitre.org/stix/"
  ]
}
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
raw_data.scan.port:554
raw_data.ja3.fingerprint:795bc7ce13f60d61e9ac03611dd36d90
Any command-line input or output is written as follows:
$ mkdir css
$ cd css
Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: Select System info from the Administration panel.
Tips or important notes
Appear like this.
Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Share your thoughts
Once you've read Mastering Cyber Intelligence, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.
Section 1: Cyber Threat Intelligence Life Cycle, Requirements, and Tradecraft
This section introduces the concept of Cyber Threat Intelligence (CTI) and breaks down its life cycle, explaining the main building blocks of the threat intelligence life cycle and strategy. It also discusses intelligence requirements and their importance in a CTI program's success. The section then covers standards and tradecraft that analysts can apply to CTI programs. Finally, it concludes with practical use cases to help organizations and individuals adopt CTI. Upon completion of this section, you should have mastered the CTI life cycle, with a global idea of what is required at each stage of the cycle; understand how to generate requirements and build an effective team for your CTI program; understand and use threat intelligence frameworks for threat and intrusion analyses; be familiar with the different standards and tradecraft adopted by the cybersecurity community, military, and intelligence agencies to conduct intelligence, and apply them to your CTI program; be able to start a CTI program in an organization, whether it is new to CTI or has experience in the matter; and finally, select the appropriate threat intelligence platform for your program.
This section contains the following chapters:
Chapter 1, Cyber Threat Intelligence Life Cycle
Chapter 2, Requirements and Intelligent Team Implementation
Chapter 3, Cyber Threat Intelligence Frameworks
Chapter 4, Cyber Threat Intelligence Tradecraft and Standards
Chapter 5, Goal Setting, Procedures for CTI Strategy, and Practical Use Cases
Chapter 1: Cyber Threat Intelligence Life Cycle
This chapter will explain the steps of the threat intelligence life cycle. We will provide a high-level description of each step while looking at some practical examples to help you understand what each step entails. By the end of the chapter, you will be able to explain each stage of the intelligence life cycle and join the practical with the theoretical. This chapter forms the baseline of this book, and various intelligence strategies and processes will be built on top of this knowledge.
By the end of this chapter, you should be able to do the following:
Clearly explain what cyber threat intelligence is, why organizations must integrate it into the business and security team, who benefits from it, and be able to define its scope.
Understand the challenges related to threat intelligence and cybersecurity in general.
Know and understand the required components to effectively plan and set directions for a threat intelligence project.
Know and understand the data required to build an intelligence project and how to acquire it globally.
Understand intelligence data processing, why it is essential in integrating a CTI project, and justify the need for automating the processing step.
Understand the analysis step, its application, and its impact on the entire CTI project. In this step, you will also learn about intelligence analysis bias and different techniques that can be used to avoid a biased intelligence analysis.
Explain the cycle's dissemination step and how to share an intelligence product with the relevant stakeholders. You should also understand the importance of the audience when consuming the product.
Understand and explain the feedback phase of the cycle and state why it is critical in the project.
In this chapter, we are going to cover the following main topics:
Cyber threat intelligence – a global overview
Planning, objectives, and direction
Intelligence data collection
Intelligence data processing
Intelligence analysis and production
Threat intelligence dissemination
Threat intelligence feedback
Technical requirements
For this chapter, no special technical requirements have been highlighted. Most of the use cases will make use of web applications if necessary.
Cyber threat intelligence – a global overview
Many businesses and organizations aim for maximum digital presence to augment and optimize visibility (effectively reaching the desired customers) and to benefit from the current age of digitalization. As a result, they are regularly exposed to cyber threats and attacks based on the underlying attack surface – the organization's size, architecture, applications, operating systems, and more.
Threat intelligence allows businesses to collect and process information in such a way as to mitigate cyberattacks. Hence, businesses and organizations have to protect themselves against threats, especially human threats. Cyber threat intelligence (CTI), as approached in this book, consists of intelligent information collection and processing to help organizations develop a proactive security infrastructure for effective decision making. When engaging in a CTI project, the main threats to consider are humans, referred to as adversaries or threat actors. Therefore, it is essential to understand and master the tactics, techniques, and procedures (TTPs) that adversaries use to conduct cyberattacks, and to use that understanding to uncover intrusions. By doing so, organizations address cyber threats at the source rather than at the surface. CTI works on evidence, and that evidence is the foundation of the knowledge required to build an effective cyber threat response unit for any organization.
Many organizations regard threat intelligence as a product that allows them to implement protective cyber fences. While this is true, note that threat intelligence hides an effective process behind the scenes to get to the finished package. As the intelligence team implements mechanisms to protect against existing and potential threats, adversaries change tactics and techniques. It becomes crucial for the intelligence team to implement measures that allow new threats to be analyzed and collected. Hence, the process becomes a cycle that is continually looked at to ensure that the organizations are not only reactive but proactive as well. The term threat intelligence life cycle is used to define the process required to implement an efficient cyber threat intelligence project in an organization. The following diagram shows this process:
Figure 1.1 – Threat intelligence life cycle
Threat intelligence is an ongoing process because adversaries update their methods, and so should organizations. The CTI product's feedback is used to enrich and generate new requirements for the next intelligence cycle.
Characteristics of a threat
Understanding what a threat is helps organizations avoid focusing on security alerts and cyber events that may not be a problem for the system. For example, a company running Linux servers discovers a .exe trojan in the system through the incident management tool. Although dangerous by nature, this trojan cannot compromise the company's infrastructure. Therefore, it is not a threat. As a security intelligence analyst, it is vital to notify the system manager about the file's low priority level and its inability to infect the network. Secondly, government agencies are among the highest adopters and owners of cyber projects. Governments have the tools and the knowledge necessary to attack each other. However, to avoid a cyberwar and damage to their relations, the Canadian and American governments have no intention of attacking each other. Thus, they are not a threat to each other. If one party announces a spying tool's design, that does not mean that it wants to use it against the other. Although there is the capability of spying, there might be no intent to do so. Therefore, one is not always a threat to another. Lastly, you can have the capability and the intent, but still need the opportunity to compromise a system.
Therefore, we can summarize a threat as everything or everyone with the capability, the intent, and the opportunity to attack and compromise a system, independent of the resource level. When the intelligence team performs threat analysis, any alert that does not meet these three conditions is not considered a threat. If any of these three elements is missing, the adversary is unlikely to be considered a threat.
Threat intelligence and data security challenges
Organizations face a lot of challenges when it comes to data protection and cybersecurity in general. Those challenges are located in all the functional levels of the organization. There are several challenges, but the most common ones include the following:
The threat landscape: In most cases, cyberattacks are orchestrated by professionals and teams that have the necessary resources and training at their disposal. This includes state-sponsored attacks. Moreover, with access to specific tools and training, private groups have developed sophisticated ways to conduct destructive cyberattacks. The landscape of threats is growing and changing as adversaries rely on new exploits and advanced social engineering techniques. McAfee Labs reported an average of 588 threats per minute (a 40% increase) in the third quarter of 2020, while Q3 to Q4 2020 saw more than a 100% increase in vulnerabilities and more than a 43% increase in malware.
Targeted attacks such as ransomware were the main concern for organizations in 2020, with more than a 40% increase by the end of the year (https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-apr-2021.pdf). Approximately 17,447 vulnerabilities (CVEs) were recorded in 2020, with more than 4,000 high-severity ones (https://www.darkreading.com/threat-intelligence/us-cert-reports-17447-vulnerabilities-recorded-in-2020/d/d-id/1339741). Thus, the threat landscape poses a serious risk for organizations that have most of their resources, assets, services, and products on the internet, and understanding the threat landscape facilitates the risk mitigation process. Personal information is one of the most targeted components on the internet – Personally Identifiable Information (PII), payment card data, and HIPAA data, to name a few.
Security alerts and data growth: Organizations are acquiring different security platforms and technologies to address security concerns and challenges – sandboxes, firewalls, incident response, threat hunting, fraud detection, intrusion detection, network scanners, and more. According to an IBM study, an average IT company possesses 85 general security tools from at least 25 vendors. In most cases, those tools are not integrated across all teams, and they have different security requirements. Each tool generates security alerts of different levels, and in most cases, security professionals rely on manual processes or external automation tools (with limited functionality) to aggregate, clean, correlate, analyze, and interpret the data. The more tools an organization has, the more data is collected, and the more exhausted and overwhelmed the security analysts become when having to mine the voluminous data. There is then a high chance of not using data effectively, thereby missing critical alerts. A high volume of alerts and data is difficult, if not impossible, for a human to handle correctly. This is known as visibility loss.
Operational complexity: The core business components may involve several organizational departments that interact with different applications to reach their goals. The embrace of big data and the adoption of cloud technologies have facilitated the management of IT infrastructures. However, they have also opened doors to more attack points, which is why cloud security is becoming a hot topic. Many third-party tools, resources, and suppliers (which also have their own vulnerabilities) are used to address the security problem. Third-party tools are not fully transparent to the organization where they are installed because most of the processes happening in the backend are not exposed to the consumers. Therefore, they increase operational complexity, especially regarding ownership of each security aspect (such as incident management, intrusion detection, traffic filtering, and inspection). Policies and procedures must be set if organizations wish to have useful data security solutions. Organizations must find ways to regulate the authority of third-party and other external tools internally.
New privacy regulations: New requirements are frequently put in place to address data security and privacy concerns worldwide. Regulations are used to enforce the law. However, as the number of regulations increases for different industries – medical, financial, transportation, retail, and so on – their overlap becomes a challenge, as organizations must comply with all applicable policies. Should an organization fail to comply with regulations, penalties could be imposed independently of a breach's presence or absence. This is why it's important to have security solutions that are regulation-compliant.
Moreover, different regions and agencies have different security policies that need to be followed. A typical example is the European Union's General Data Protection Regulation (GDPR), which is used to protect EU citizens' privacy and personal information. The GDPR applies to the EU space, which means any organization (independent of its origin, EU or not EU) operating or rendering services in the EU region needs to comply with the GDPR. Tradecraft and standards will be explained in Chapter 4, Cyber Threat Intelligence Tradecraft and Standards. Another example is the South African Protection of Personal Information (POPI) Act, which protects South African citizens' privacy and governs how their personal information is handled. Complying with such policies can be challenging, and organizations need to ensure compliance with all regulations that apply to them.
Cybersecurity skills gap: As organizations grow, manual processes become a challenge, and the shortage of skilled staff becomes apparent. According to the ISC2 2019 report (https://bit.ly/2Lvw7tr), approximately 65% of organizations have a shortage of cybersecurity professionals. Although the gap is being reduced over the years, the demand for cybersecurity professionals remains high, and that is a big concern. The job concerns relating to cybersecurity professionals, as reported by ISC2, are shown in the following diagram:
Figure 1.2 – ISC2 job concerns among cybersecurity professionals
Organizations spend more time dealing with security threats than training or equipping the team with the necessary knowledge. Adversaries keep on attacking and breaking through conventional security systems daily. This is why there is a great demand worldwide for cybersecurity professionals who follow industry standards and methods and who are dependable, adaptable, and, most importantly, resilient. Organizations need to invest in empowering and training individuals in the field of cybersecurity and threat intelligence.
Importance and benefits of threat intelligence
Cyber threat intelligence (CTI) addresses the aforementioned challenges by collecting and processing data from multiple data sources and providing actionable, evidence-based results that support business decisions. Using a single platform (for correlation, aggregation, normalization, analysis, and distribution) or a centralized environment, CTI analyzes data and uncovers the essential patterns of threats – any piece of data that has the capability, the intent, and the opportunity to compromise a system.
CTI consolidates an organization's existing tools and platforms, integrates different data sources, and