“Cyber Threat Intelligence: The No-Nonsense Guide for CISOs and Security Managers” Notes
Cyber Threat Intelligence: The No-Nonsense Guide for CISOs and Security Managers by Aaron Roberts is a very informative guide to cyber threat intelligence (CTI), useful to those looking to become CTI analysts and those who work with them. It’s about CTI core concepts and methodologies rather than a step-by-step guide to performing CTI tasks. It tells how to take intel requirements and turn them into something tangible for business, and explains the ATT&CK framework and structured intelligence. It shows how to make intel actionable. It describes how to get more value from existing security systems and what features to consider in adding to your security. It has plenty of specific advice and tool recommendations.
My notes follow.
This page contains one or more affiliate links. As an Amazon Associate, I earn from qualifying purchases.
The Cybersecurity Wild West
Free, open-source Threat Intelligence Platforms (TIPs): Malware Information Sharing Platform (MISP), OpenCTI.
A lot of CTI is figuring out which things are threats or relevant and what to do about it. Most of the time, CTI is providing IOCs and TTPs to the threat hunting team and the SOC. Sometimes it involves reporting on trends or new attack types. Sometimes everything is “on fire” after a hack.
Cyber Threat Intelligence — What Does It Even Mean?
The Intelligence Cycle
- Planning and Direction
- Processing and Exploitation
It’s better to focus on TTPs than IOCs because it’s harder for attackers to change TTPs, and chasing IOCs is whack-a-mole. IOCs are still useful because they’re quantifiable, and execs love numbers.
Industry has moved away from the Kill Chain; ATT&CK is becoming the standard.
Structured Intelligence — What Does It Even Mean?
OpenIOC has been superseded by ATT&CK because industry has moved away from pure IOC detection and mitigation.
STIX observables show where else that same atomic piece of info exists within data. You can use this to identify what malware you may be investigating.
You can path-walk from an incident to a known cluster of TTPs, then lead this back to other incidents and possibly all the way to the threat actor.
You can use actor attribution to understand real-world risks based on their previous campaigns, malware use, and TTPs. This helps to plan mitigations and brief SOC or IR team.
MITRE Shield provides proactive defense techniques.
Tactical reports are a collection of IOCs that should be monitored or blocked. Operational reports are a write-up of a specific threat or campaign and include info useful to security operations and analysts. Strategic reports take a broader, more holistic view of a particular threat or technique for senior management.
Enriching indicators and observables in STIX allows finding contextual info to align to ATT&CK, which you can structure into your research to identify TTPs instead of just blocking IOCs.
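To make the path-walk and enrichment ideas above concrete, here is an added example that is not code from the book or from any STIX library. It hand-writes a few STIX 2.1-shaped objects as plain dictionaries: an indicator from a constructed incident, a malware object, two attack-pattern objects carrying real ATT&CK technique IDs (T1566.001, T1204.002), two constructed intrusion sets, and the relationship objects that link them. `ttp_cluster` walks from the incident artefact to the techniques the malware uses, and `candidate_actors` then checks which intrusion sets are known to use that whole cluster. Object IDs, names and the hash placeholder are all constructed.

```python
from collections import defaultdict, deque

# Constructed STIX 2.1-shaped objects for this illustration (not real intel).
# Object IDs are shortened placeholders rather than real UUIDs; the hash is a labelled
# placeholder. T1566.001 and T1204.002 are real ATT&CK technique IDs.
STIX_OBJECTS = [
    {"type": "indicator", "id": "indicator--0001", "name": "dropper hash from constructed incident IR-42",
     "pattern_type": "stix", "pattern": "[file:hashes.'SHA-256' = 'PLACEHOLDER_SHA256']"},
    {"type": "malware", "id": "malware--0002", "name": "ExampleDropper", "is_family": True},
    {"type": "attack-pattern", "id": "attack-pattern--0003", "name": "Phishing: Spearphishing Attachment",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--0004", "name": "User Execution: Malicious File",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1204.002"}]},
    {"type": "intrusion-set", "id": "intrusion-set--0005", "name": "Constructed Actor A"},
    {"type": "intrusion-set", "id": "intrusion-set--0006", "name": "Constructed Actor B"},
    # Relationship objects: indicator -indicates-> malware, malware -uses-> technique,
    # intrusion-set -uses-> technique.
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "indicates",
     "source_ref": "indicator--0001", "target_ref": "malware--0002"},
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",
     "source_ref": "malware--0002", "target_ref": "attack-pattern--0003"},
    {"type": "relationship", "id": "relationship--r3", "relationship_type": "uses",
     "source_ref": "malware--0002", "target_ref": "attack-pattern--0004"},
    {"type": "relationship", "id": "relationship--r4", "relationship_type": "uses",
     "source_ref": "intrusion-set--0005", "target_ref": "attack-pattern--0003"},
    {"type": "relationship", "id": "relationship--r5", "relationship_type": "uses",
     "source_ref": "intrusion-set--0005", "target_ref": "attack-pattern--0004"},
    {"type": "relationship", "id": "relationship--r6", "relationship_type": "uses",
     "source_ref": "intrusion-set--0006", "target_ref": "attack-pattern--0003"},
]


def index(objects):
    """Objects by id plus an undirected adjacency list, so a pivot can follow a
    relationship against its direction (e.g. from a technique back to whoever uses it)."""
    by_id = {o["id"]: o for o in objects}
    adj = defaultdict(list)
    for o in objects:
        if o["type"] == "relationship":
            adj[o["source_ref"]].append(o["target_ref"])
            adj[o["target_ref"]].append(o["source_ref"])
    return by_id, adj


def attack_id(obj):
    """The ATT&CK external ID on an attack-pattern, or None if it carries none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def ttp_cluster(objects, start_id):
    """Walk outward from an incident artefact (indicator, malware, ...) and collect the
    ATT&CK techniques reached before touching any actor object."""
    by_id, adj = index(objects)
    seen, queue, techniques = {start_id}, deque([start_id]), set()
    while queue:
        node = queue.popleft()
        obj = by_id[node]
        if obj["type"] == "attack-pattern":
            techniques.add(attack_id(obj))
            continue  # stop here: pivoting through the technique is candidate_actors' job
        if obj["type"] in ("intrusion-set", "threat-actor") and node != start_id:
            continue  # attribution is a separate step, not part of the TTP cluster
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(t for t in techniques if t)


def candidate_actors(objects, technique_ids):
    """Intrusion sets whose known techniques cover the whole cluster: the strongest
    attribution candidates, which still need analyst judgement before a briefing."""
    by_id, adj = index(objects)
    wanted = set(technique_ids)
    names = []
    for o in objects:
        if o["type"] != "intrusion-set":
            continue
        used = {attack_id(by_id[n]) for n in adj[o["id"]] if by_id[n]["type"] == "attack-pattern"}
        if wanted and wanted <= used:
            names.append(o["name"])
    return sorted(names)


if __name__ == "__main__":
    cluster = ttp_cluster(STIX_OBJECTS, "indicator--0001")
    print("TTP cluster:", cluster)
    print("Candidate actors:", candidate_actors(STIX_OBJECTS, cluster))
```

Note the asymmetry in the two steps: the walk to the TTP cluster deliberately stops at each attack-pattern, because following a widely used technique outward would pull in every actor that has ever used it. Requiring a candidate to cover the whole cluster is what turns a single shared technique into a meaningful pivot; with only T1566.001 both constructed actors match, with both techniques only Actor A does.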
Determining What Your Business Needs
Data types required by different customers
- SOC: reporting, IOCs, TTPs, Courses of Action (CoA)
- Threat hunting: IOCs, TTPs, Yara rules, detection signatures
- CISO: Reporting
- Threat and vulnerability management: reporting, CVEs, CoAs
- Executives: reporting
- Broader security team: reporting
- Fraud: reporting, indicators
- Product owners: reporting, CVEs, CoAs
- Wider staff: awareness reporting
Recommended: Intel471’s free General Intelligence Requirements (GIR) handbook.
Tactical intelligence
- Focused on strengths and vulnerabilities of the organization’s network defense and adversary TTPs.
- About short-term, daily moments. Content can be highly technical, often involves sharing IOCs.
- Reporting often contains details about malware, what it does, and indicators and TTPs to look for.
Operational intelligence
- Next step up from tactical intelligence.
- Reports are usually long-form and include detailed breakdowns of particular threats (specific malware, campaigns, threat actors, incidents, etc.); more detailed than tactical reports.
- Goal of report is to give a more detailed and rounded view of a specific threat to enable the organization to respond appropriately and swiftly.
Strategic intelligence
- Designed to take a broader, more holistic view of the overall landscape and trends and provide contextualized intelligence. Usually aimed at more senior leaders.
- Reports can cover a wide variety of topics, but usually broad threats (phishing, ransomware), industry sectors (finance, telecommunications, etc.), geopolitical events. Point is to provide an overview of the subject, why it matters to the organization, and high-level potential impact.
Awareness reporting: report to broad audience a current or emerging threat for which you don’t have enough info to provide a tactical or operational report.
Executive/VIP Profile Reporting: research executive leadership to help them be more secure online.
Spot or flash reporting: providing quick heads-up information on an emerging threat, usually sent to executives and SOC.
Most popular open source free TIPs
- Malware Information Sharing Platform (MISP)
- ThreatConnect Open
- Anomali STAXX
How Do I Implement This? (Regardless of Budget)
Threat analysis tools
- Hybrid Analysis
- Joe Sandbox
Reasons for CTI
- Requests for information (RFIs): about particular malware, threat, actor, etc.
- Incident response (IR): study IOCs or TTPs to give team intel to understand and remediate immediate risk
- Proactive research: info on business priorities
Things to Consider When Implementing CTI
Most people in CTI call themselves analysts.
Traits of good intel analysts
- Critical Thinking
- Self-Awareness: awareness of your conscious and unconscious biases
- Data Validation: consider source reliability, info accuracy
- Inductive/Deductive Reasoning
- 5WH (Who, What, Where, When, Why, How)
- Structured Analytical Techniques: pattern analysis (emerging trends, common characteristics, etc.), network/link analysis (visualization of common data points such as people, infrastructure, IOCs, etc.), analysis of competing hypotheses (ACH), red teaming
- Information Security Fundamentals: at minimum, comfort with core cybersecurity concepts; malware analysis and threat hunting skills are hugely beneficial
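The "Data Validation" trait above (source reliability, information accuracy) is what decides which IOCs end up in a tactical report as block versus monitor. Here is an added example, not code from the book, that grades a constructed feed with the Admiralty (NATO) system, a letter for source reliability and a digit for information credibility, refangs the common `hxxp` / `[.]` conventions so the same indicator from two sources collapses to one entry, and keeps the strongest action any source justified. The block/monitor/discard thresholds are an assumed policy for the illustration; the feed values are constructed from TEST-NET addresses, the reserved `.test` TLD and a made-up hex string.

```python
import re

# Admiralty (NATO) grading: a letter for source reliability and a digit for information
# credibility. 'F' and '6' both mean "cannot be judged".
RELIABILITY = "ABCDEF"   # A completely reliable ... E unreliable, F cannot be judged
CREDIBILITY = "123456"   # 1 confirmed ... 5 improbable, 6 cannot be judged
ACTION_RANK = {"block": 2, "monitor": 1, "discard": 0}

# Constructed sample feed (not real indicators). Addresses are TEST-NET ranges, the TLD is
# the reserved .test, and the hash is a made-up hex string.
SAMPLE_FEED = [
    {"value": "hxxp://malicious-example[.]test/payload.exe", "source": "vendor feed", "grade": "B2"},
    {"value": "malicious-example[.]test", "source": "IR ticket IR-42", "grade": "A1"},
    {"value": "203.0.113.7", "source": "forum post", "grade": "C3"},
    {"value": "203[.]0[.]113[.]7", "source": "vendor feed", "grade": "B1"},  # same IP, defanged
    {"value": "suspicious-example[.]test", "source": "peer sharing group", "grade": "C2"},
    {"value": "198.51.100.23", "source": "anonymous paste", "grade": "E5"},
    {"value": "198.51.100.99", "source": "unknown", "grade": "F6"},
    {"value": "0123456789abcdef0123456789abcdef", "source": "sandbox run", "grade": "A2"},
]


def action_for(grade):
    """Map a grade such as 'B2' to block / monitor / discard. The thresholds are an
    assumed example policy for this illustration, not one the book prescribes."""
    if len(grade) != 2 or grade[0].upper() not in RELIABILITY or grade[1] not in CREDIBILITY:
        raise ValueError(f"not an Admiralty grade: {grade!r}")
    r, c = grade[0].upper(), grade[1]
    if r == "E" or c == "5" or (r == "F" and c == "6"):
        return "discard"     # unreliable source, improbable claim, or nothing known either way
    if r in "AB" and c in "12":
        return "block"       # reliable source and confirmed or probable information
    return "monitor"         # everything in between: alert on it, do not block on it


def refang(value):
    """Undo the common defanging conventions so duplicates collapse to one key."""
    v = re.sub(r"^hxxp(s?)://", r"http\1://", value.strip(), flags=re.IGNORECASE)
    for fanged, clean in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        v = v.replace(fanged, clean)
    return v


def ioc_type(value):
    """Coarse indicator typing; 'unknown' is kept rather than guessed."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return "sha256"
    if re.fullmatch(r"[0-9a-fA-F]{40}", value):
        return "sha1"
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "md5"
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", value):
        return "ipv4"
    if re.match(r"https?://", value, re.IGNORECASE):
        return "url"
    if re.fullmatch(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", value):
        return "domain"
    return "unknown"


def triage(feed):
    """Deduplicate the feed on (type, refanged value) and keep the strongest action any
    source justified for it. Returns {'block': [...], 'monitor': [...], 'discard': [...]}."""
    best = {}
    for rec in feed:
        value = refang(rec["value"])
        key = f"{ioc_type(value)}:{value}"
        action = action_for(rec["grade"])
        if key not in best or ACTION_RANK[action] > ACTION_RANK[best[key]]:
            best[key] = action
    out = {"block": [], "monitor": [], "discard": []}
    for key, action in best.items():
        out[action].append(key)
    return {action: sorted(keys) for action, keys in out.items()}


if __name__ == "__main__":
    for action, keys in triage(SAMPLE_FEED).items():
        print(f"{action}: {keys}")
```

The refanging step matters more than it looks: the forum-sourced `203.0.113.7` alone would only be monitored, but once the vendor's `203[.]0[.]113[.]7` is normalized to the same key the higher grade wins and the address moves to the block list, which is the behaviour you want when the same indicator arrives from sources of different reliability.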
Roles from which to move into CTI: IR, SOC, vulnerability analyst, pen tester.
The Importance of OSINT
Free threat feeds are a useful starting point, but probably aren’t enough to provide the best protection.
OSINT platforms (all with free or community versions)
- Hybrid Analysis
- Joe Sandbox
Maltego: one of the most popular link analysis tools; has community edition for researchers.
TweetDeck and Slack webhooks can create a semicoherent feed.
OSINT books: Open Source Intelligence Techniques by Bazzell, Open Source Intelligence Methods and Tools by Hassan and Hijazi.
Analyze adversary infrastructure & tech with VirusTotal, BuiltWith.
You can discover the tech an org is using by finding forum posts where employees discuss tech, and checking employees’ LinkedIn profiles to see what tech they’re proficient in.
OSINT research environment
- Dedicated hardware or VM
- Burner device if accessing dark web, underground forums
- VPN or 4G/5G connection
Volunteer OSINT opportunities: Locate International, Trace Labs.
Sockpuppet creation & use
- Create the account from a phone so it looks more legitimate; don’t use a VM, VPN, or Tor.
- Use uniquely generated/edited profile pictures.
- Use account as a normal person would (browse, like, comment, search, etc.).
I Already Pay for Vendor X — Should I Bother with CTI?
Commercial TIPs: EclecticIQ, Anomali, ThreatConnect.
FireEye ThreatPursuit is a CTI & threat hunting VM.
FireEye Mandiant Advantage is a freemium CTI source.
Author’s top takeaway: adopt a formalized intel requirements process to ensure you’re providing info business needs.
CTI next steps
- Identify where to get value from existing tools, and find vendors to meet additional needs.
- Ensure org adopts standardization; use ATT&CK mappings in reports and provide mitigation and prevention advice.
- Consider using STIX/TAXII when sharing threat data to promote standardization.
- Use OSINT as much as possible, in addition to commercial and closed sources.
Concepts CTI analysts must understand
- Intelligence cycle
- Intelligence requirements
- Intelligence writing
- Ways of classifying intelligence (confidentiality, source evaluation, etc.)
- Structured analytical techniques (analysis of competing hypotheses, cone of plausibility, contrarian/imaginative techniques, etc.)
- Conscious/unconscious bias
- CTI-specific concepts (diamond model, ATT&CK, STIX/TAXII)
- Collection and analysis specifics (infrastructure pivoting, link analysis, OSINT tooling)
- Yara rules, other basic hunting methods (adversary use of DNS, domain registrations, metadata)
- Using different infrastructure (virtual machines, cloud service providers, third-party tools, etc.)
Free resources
- otx.alienvault.com: Community-driven threat information, available as a feed
- threatcrowd.org: search engine for threat data; has a Maltego Transform
- threatintelligenceplatform.com: TIP providing threat information on a given threat (domain/IP/hash etc.)
- exchange.xforce.ibmcloud.com: threat intel reporting, IOC feed, sharing platform
- threatminer.org: search engine for threat data; has a Maltego Transform
- hybrid-analysis.com: malware analysis service
- whatsmyname.app: searches ~285 resources for a matching username
- boardreader.com: aggregates data from several social sites and forums
- social-searcher.com: social media search engine