“Learn to Build a Threat Intelligence Program in 1 Day” Notes

Chad Warner
3 min read · Dec 23, 2021


Learn to Build a Threat Intelligence Program in 1 Day by Kenneth Ho is a decent, short guide to forming a cyber threat intelligence program in an organization. It covers several CTI concepts, but isn’t comprehensive. Unfortunately, it’s riddled with grammatical and spelling errors, which distracts from the content.

My notes follow.

This page contains one or more affiliate links. As an Amazon Associate, I earn from qualifying purchases.

Threat Intelligence Overview

CTI program creation

  1. Planning: define threats, goals, requirements, team
  2. Intelligence Collection: collect info on threats
  3. Intelligence Analysis: analyze the collected intel to ensure it meets the org’s requirements
  4. Collaboration and Feedback: provide intel to org, and adjust CTI program as needed

Phase 1 — Planning

Assess organization’s security posture

  • What data is most important to the biz?
  • Where is the documentation for the IR process?
  • Are current security controls working?
  • What’s the most important thing missing from a security standpoint? Why?

Threat intelligence gap analysis

  • Identify IT systems that are critical to biz ops (e.g., biz applications, public-facing servers, infrastructure, operational control systems).
  • Identify internal assets of value.
  • Identify threat actors, TTPs, campaigns targeting your industry.
  • Evaluate effectiveness of current security systems.
  • Assess employees’ ability to monitor, detect, mitigate, prevent, and remediate targeted attacks from likely adversaries.
  • Identify the supporting operations and teams in the threat-collaboration environment.
  • Define ideal states and identify gaps.

Identifying organization’s intelligence needs and requirements

  • What are your TI (threat intel) goals?
  • What assets does your org need to safeguard?
  • What threat actors and/or exploits are you watching for?
  • What security concerns keep executive leaders up at night?

Areas of threat intel

  • Malware analysis & reverse engineering
  • Open source and deep web monitoring
  • Intelligence dissemination
  • Vendor management

CTI core functions

  • Extract IoCs
  • Research TI news
  • Fuse internal and external TI into adversary TTPs to provide context
  • Participate in intel-sharing groups
  • Support threat analysis and IR (e.g., digital forensics)
  • Use analytics to detect attack patterns
  • Populate the threat knowledge portal
  • Hunt threats on monitored networks
  • Run honeypots to lure, contain, and observe threats in a contained environment

Phase 2 — Intelligence Collection

CTI vendor evaluation criteria

  • Supplies threat indicators, extensive context, and malware analysis
  • Integrates various data types
  • Offers customizable alerts, tags, and reports
  • Supplies near-real-time updates
  • Supports prioritization based on threats
  • Integrates with the SIEM (for detection) and with preventive controls (for blocking)
  • Allows real-time reaction to data

CTI source evaluation criteria

  • Does the source cite its own sources?
  • Who are the authors? What is their authority?
  • Who is responsible for the data? Is the source funded by another entity?
  • Does the source and/or its funding entity have ulterior motives?
  • How recently was the data published and updated?
  • What is the source’s quality?

Phase 4 — Collaboration and Feedback

Threat intel alert report template

  1. Traffic Light Protocol (TLP) marking: sets how widely the alert may be shared
  2. Intel type: category
  3. Summary: 1–3 sentences describing the impact to the org, usually drawn from secondary research
  4. Analysis: technical details
  5. Recommendation: recommended action (block indicators, no action required, etc.)
  6. Source: intel source
  7. Feedback: lets the consumer rate the alert and comment on it
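The two items in these notes that lend themselves to code are the "Extract IoCs" core function from Phase 1 and this alert template. The example below is added here and is not from Ho's book or from these notes: it refangs a constructed vendor advisory, extracts and validates indicators, then packages them into an alert that follows the seven fields above, checking the TLP label, the summary length, and that a "block indicators" recommendation actually comes with indicators. TLP labels follow FIRST's TLP 2.0; the advisory text, the addresses, the hashes, and every function and field name are assumptions made for illustration.

```python
"""Added example (not from Ho's book or these notes): extract IoCs from a
defanged advisory and package them in the seven-field alert template.
The advisory text, names, addresses and hashes are all constructed."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# TLP 2.0 labels (FIRST), most to least restrictive.
TLP_LEVELS = ("TLP:RED", "TLP:AMBER+STRICT", "TLP:AMBER", "TLP:GREEN", "TLP:CLEAR")
# Common defanging conventions, undone before extraction.
_DEFANG = [(re.compile(r"hxxp", re.I), "http"), (re.compile(r"\[@\]"), "@"),
           (re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.I), "."), (re.compile(r"\[:\]"), ":")]
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_URL = re.compile(r"\bhttps?://[^\s\"'<>()\[\]]+", re.I)
_EMAIL = re.compile(r"\b[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# A bare domain may not follow "/", so URL path parts like gate.php are skipped.
_DOMAIN = re.compile(r"(?<![\w/.-])(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
_HASH = {"sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
         "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
         "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I)}

def refang(text: str) -> str:
    """Turn hxxp://c2[.]example back into a real URL so the regexes match."""
    for pattern, repl in _DEFANG:
        text = pattern.sub(repl, text)
    return text

def _valid_ipv4(candidate: str) -> bool:
    """The regex accepts 10.0.0.256; the ipaddress module rejects it."""
    try:
        ipaddress.IPv4Address(candidate)
        return True
    except ValueError:
        return False

def extract_iocs(text: str) -> dict[str, list[str]]:
    """Return deduplicated, validated indicators keyed by type."""
    text = refang(text)
    urls = [u.rstrip(".,;") for u in _URL.findall(text)]
    domains = {d.lower() for d in _DOMAIN.findall(text)}
    domains.update(h for h in (urlsplit(u).hostname for u in urls) if h)
    iocs = {"ipv4": sorted({ip for ip in _IPV4.findall(text) if _valid_ipv4(ip)}),
            "url": sorted(set(urls)), "domain": sorted(domains),
            "email": sorted({e.lower() for e in _EMAIL.findall(text)})}
    for name, pattern in _HASH.items():
        iocs[name] = sorted({h.lower() for h in pattern.findall(text)})
    return iocs

@dataclass
class AlertReport:
    """One alert in the template's order; indicators back the recommendation."""
    tlp: str
    intel_type: str
    summary: str
    analysis: str
    recommendation: str
    source: str
    indicators: dict[str, list[str]] = field(default_factory=dict)
    feedback: list[dict] = field(default_factory=list)

    def validate(self) -> list[str]:
        """Template violations; an empty list means the alert can go out."""
        problems = []
        if self.tlp not in TLP_LEVELS:
            problems.append(f"unknown TLP label {self.tlp!r}")
        sentences = [s for s in re.split(r"(?<=[.!?])\s+", self.summary.strip()) if s]
        if not 1 <= len(sentences) <= 3:
            problems.append("summary must be 1-3 sentences")
        if self.recommendation == "block indicators" and not any(self.indicators.values()):
            problems.append("'block indicators' recommended but no indicators supplied")
        return problems

    def add_feedback(self, rating: int, comment: str = "") -> None:
        if not 1 <= rating <= 5:
            raise ValueError("rating must be between 1 and 5")
        self.feedback.append({"rating": rating, "comment": comment})

    def render(self) -> str:
        lines = [self.tlp, f"Intel type: {self.intel_type}", f"Summary: {self.summary}",
                 f"Analysis: {self.analysis}", f"Recommendation: {self.recommendation}"]
        lines += [f"  {kind}: {', '.join(v)}" for kind, v in self.indicators.items() if v]
        lines += [f"Source: {self.source}", f"Feedback: {len(self.feedback)} rating(s)"]
        return "\n".join(lines)

def build_alert(advisory: str, source: str, tlp: str, intel_type: str, summary: str) -> AlertReport:
    """Extract IoCs from an advisory and derive the recommendation from them."""
    iocs = extract_iocs(advisory)
    blockable = iocs["ipv4"] + iocs["url"] + iocs["domain"]
    recommendation = "block indicators" if blockable else "no action required"
    analysis = f"{sum(len(v) for v in iocs.values())} indicators extracted from {source}"
    return AlertReport(tlp, intel_type, summary, analysis, recommendation, source, iocs)

SAMPLE_SHA256 = "3fa1c6b2e7d0f9a8b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2"
SAMPLE_ADVISORY = f"""Constructed advisory, not a real campaign: phishing mail from
billing[@]invoice-portal[.]example delivers a macro document that beacons to
hxxp://update-cdn[.]example[.]net/gate.php and to 203[.]0[.]113[.]45 on port 443.
Dropper SHA-256: {SAMPLE_SHA256} Payload MD5: 9e107d9d372bb6826bd81d3542a419d6.
The vendor write-up also mentions 10.0.0.256, which is not a valid address."""
```

Calling `build_alert(SAMPLE_ADVISORY, "vendor feed", "TLP:AMBER", "phishing", "Finance staff are being lured.")` yields an alert whose `validate()` returns no problems and whose recommendation is "block indicators", with seven indicators listed under the analysis. Two checks are deliberate: the 10.0.0.256 typo in the sample passes the regex but is dropped by the `ipaddress` validation, and `gate.php` is not mistaken for a domain because bare-domain matches are not taken after a path separator, while the URL's real hostname is still recovered through `urlsplit`.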

Written by Chad Warner

Web Strategist at OptimWise. Cybersecurity & privacy enthusiast. Bookworm. Fan of Tolkien & LEGO.