“Cyber Threat Intelligence” by Martin Lee Notes

Chad Warner
4 min readAug 10, 2023

Cyber Threat Intelligence by Martin Lee is an informational cyber threat intelligence primer explaining the fundamentals and providing plenty of examples of cyberattacks and threat intelligence. It doesn’t go very deep into CTI, but that doesn’t seem to be its purpose; it’s intended as an intro to the discipline.

Lee says about the book,

It provides a survey of ideas, views, and concepts, rather than offering a hands‐on practical guide. … The day‐to‐day tools and analyses performed by threat intelligence teams may change frequently, but the theory and frameworks in which these activities take place are well developed. It is these mature, evolved disciplines that this book seeks to describe.

My notes follow.

Cyber Threat Intelligence by Martin Lee

This page contains one or more affiliate links. As an Amazon Associate, I earn from qualifying purchases.

Introduction

COMSEC: Communications Secrecy

Threat Environment

Classification of security threats in information systems by Jouini and Aissa

  • External
    - Human (Malicious or Non-malicious, each having subcategories of Accidental or Intentional)
    - Environmental (Non-malicious, Accidental)
    - Technological (Non-malicious, Accidental)
  • Internal
    - Human (Malicious or Non-malicious, each having subcategories of Accidental or Intentional)
    - Environmental (Non-malicious, Accidental)
    - Technological (Non-malicious, Accidental)

ENISA Threat Taxonomy

  • Physical attack (deliberate/intentional)
  • Unintentional damage / loss of information or IT assets
  • Disaster (natural, environmental)
  • Failures/Malfunction
  • Outages
  • Eavesdropping/Interception/Hijacking
  • Nefarious Activity/Abuse
  • Legal

STRIDE taxonomy

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privilege

Intel Threat Agent Library: agents

  • Hostile: anarchist, civil activist, competitor, corrupt government official, cyber vandal, data miner, employee (disgruntled), government spy, government cyberwarrior, internal spy, irrational individual, legal adversary, mobster, radical activist, sensationalist, terrorist, thief, vendor
  • Non-hostile: employee (reckless), employee (untrained), information partner

Intel Threat Agent Library: agent attributes

  • Intent
  • Access (level of system access)
  • Limits (adherence to laws or or ethics)
  • Resource level
  • Skill level
  • Objective
  • Visibility

Threat actor categories

  • Script kiddie
  • Hacktivist
  • Criminal
  • State-sponsored
  • APT
  • Insider

David Wall’s threat actor classification by behavior

  • Cyber‐trespass or hacking: intruding in spaces owned by others
  • Cyber‐deceptions/thefts: unauthorized acquisition of money or digital property
  • Cyber‐pornography/obscenity
  • Cyber‐violence: using networked systems to inflict psychological harm (e.g., hate speech, cyberstalking)

ATT&CK Model Relationship

  • Threat actor uses software
  • Software implements technique
  • Threat actor uses technique
  • Technique accomplishes tactic
  • Mitigation prevents technique

Cyber Kill Chain weaknesses

  • Not all attacks include all steps
  • Model was developed for targeted APT attacks, and doesn’t fit all attacks
  • Some attacks include multiple instances of kill chain

Applying Intelligence

CROSSCAT principles of intelligence

  • Centralized
  • Responsive
  • Objective
  • Systematic: methodical handling of info
  • Sharing: shared according to markings
  • Continuous review: test assessments against new info; collect info throughout cycle
  • Accessible: designed for audience
  • Timely

2 types of intelligence metrics: team productivity, intelligence utility

Flashpoint intelligence metrics categories

  • Operational: describe speed and efficiency of teams, as intel enables teams to process threats faster, or discover relevant threats with less effort
  • Tactical: describe efficacy of intel (e.g., false negative rate, false positive rate)
  • Strategic: describe how intel program has helped org achieve goals (e.g., reduced risk, saved money by detecting or resolving threats faster)

Focus on metrics that are directly affected by intel team (inputs to team, analysis performed, output, impact of intel on cybersecurity function).

There’s a point where a decision-maker has all the info they’re able to process, and adding more info decreases their ability to make decisions.

Generating Intelligence

Some criticize F3EAD because it has limited scope for decision-making.

D3A (Decide, Detect, Deliver, Assess)

Similar to F3EAD, with more emphasis on planning and decision-making.

  1. Decide: determine various types of possible targets, their priorities, how to detect
  2. Detect: identify priority threats
  3. Deliver: remediate threat
  4. Assess: determine if these were correct targets to remediate, and if operation proceeded smoothly and accurately; integrate feedback into next Decide phase

MoSCoW to describe and rank requirements

  • Must Have: necessary
  • Should Have: important; will add value
  • Could Have: useful, but of little impact
  • Will Not Have: will not be implemented

Intel reports

  • Summary: BLUF (Bottom Line Up Front)
  • Separate facts from analysis
  • Be actionable: provide instructions to implement conclusions
  • Ensure traceability: clearly state date, source, version; cite references
  • Keep it brief: avoid unnecessary detail; use graphs and diagrams as appropriate
  • Provide IoCs in accessible or machine readable format; include separate section of IoCs
  • Indicate distribution: clearly mark audience and constraints, using TLP or other method

Attribution

Attack attributes for attribution

  • Attacker TTPs
  • Attacker infrastructure
  • Victimology (nature of victim, how they were selected by threat actor, final steps of attack)
  • Malicious code

Software use by threat actors

  • Abuse legitimate software
  • Use dual‐use software which can have legitimate or illegitimate use
  • Use malicious software used by multiple threat actors
  • Develop custom malicious software

Professionalism

CTI certifications

  • CREST Practitioner Threat Intelligence Analyst
  • CREST Registered Threat Intelligence Analyst
  • CREST Certified Threat Intelligence Manager
  • EC‐Council Certified Threat Intelligence Analyst
  • GIAC Cyber Threat Intelligence (GCTI)
  • McAfee Institute Certified Cyber Intelligence Investigator (CCII)
  • McAfee Institute Certified Cyber Intelligence Professional (CCIP)

Future Threats and Conclusion

CTI pro traits

  • Systemic thinker: consider big picture
  • Team player
  • Technical and social skills: understand cybersecurity issues from different perspectives, especially those of users
  • Civic duty: sense of responsibility to society, desire to do the right thing
  • Continued learning
  • Communication: able to convey complex information in understandable way

--

--

Chad Warner

Web Strategist at OptimWise. Cybersecurity & privacy enthusiast. Bookworm. Fan of Tolkien & LEGO.