Mastering Cyber Intelligence by Jean Nestor M. Dahj is the best cyber threat intel book I’ve read so far. It’s comprehensive and detailed, explaining theory and providing practical instructions and tools. It covers all steps of the CTI cycle.
My notes follow.
This page contains one or more affiliate links. As an Amazon Associate, I earn from qualifying purchases.
Requirements and Intelligence Team Implementation
Intelligence requirements questions
- Have attacks been attempted?
- How did attacks happen?
- How did organization detect or prevent attack?
- What useful information did organization extract from threat or attack?
- Has organization been hacked before?
- How did hack happen?
- What information was targeted?
- Who was main threat actor? Was attack automated or manually executed?
- What vulnerabilities are currently being exploited globally and in industry?
- Have there been breaches on a global scale? Industry-specific? How recently and to what extent?
- What vulnerabilities and breaches can organization defend against or detect?
- What prospective threats and vulnerabilities are currently under research?
- What indicators are available in organization’s security system?
- Can those indicators prevent existing common threats or past breaches?
- Is there need for more indicators to strengthen current security?
- Was organization’s security protocol effective at detecting or preventing past attacks?
- Was protocol accurately followed to mitigate attack or respond to past incidents?
- Were there security measures that were not followed during incident?
Prioritizing intelligence requirements
- Short-term: identify threat actors targeting org; evaluate their intent, capability, opportunity; select indicators to monitor; implement action plan
- Mid-term: continuously monitor TTP changes of threat actor(s) to avoid security surprises
- Long-term: identify potential future threats; identify internal threats; identify threats against related industries
Intelligence requirement types
- Prioritized Intelligence Requirements (PIRs): high priority of threat actor(s) targeting org
- Specific Intelligence Requirements (SIRs): continuously monitoring TTP changes of particular threat actor(s)
CTI analyst requirements
- Know all intelligence types (strategic, operational, tactical).
- Be familiar with most industry-leading intelligence tools, platforms, methodologies.
- Have data acquisition and collection capabilities.
- Be able to analyze internal and external data and produce useful intelligence to help organization make business decisions; have analytical skills.
- Be able to convey intelligence through transparent and professional reports; have writing skills.
- Be able to inform organization of any threats; have research and independent work skills.
CTI team skills
- Theoretical: resources, tech, data sources
- Hands-on: solve intel use cases, perform data analysis, collect data
- Reporting: technical writing, non-technical writing
- Strategic: High-level, non-technical. Works with executives. Has global understanding of threats, adversaries, impact on defenses. Understands cost of data breach.
- Operational: Focused on understanding, replicating, analyzing adversaries, threats, attacks. Isolate threats and attacks, detail courses of actions, orchestrate operations. Includes threat hunting, vulnerability and risk assessment, IR, pen testing.
- Tactical: Examine TTPs and IOCs of selected threats and adversaries. Includes malware analysis, indicator enrichment. Works with SOC, SIEM, IDS/IPS, endpoints, firewalls, etc.
Cyber Threat Intelligence Frameworks
- Preparation: adversary recons, plans attack, develops capabilities.
- Engagement: adversary exploits vulnerabilities, gains full or partial control of target.
- Presence: adversary gains full control, hides tracks, likely establishes persistence.
- Consequence/effect: deny access, steal info, access data, modify info, shut down system, etc.
Goal Setting, Procedures for CTI Strategy, and Practical Use Cases
- Paid threat intelligence (PTI): commercial TIPs; provide more IOCs, earlier threat detection, better analytics than open and shared (IBX X-Force Exchange, FireEye iSIGHT, CrowdStrike Falcon-X, Recorded Future, Anomali ThreatStream, AlienVault USM)
- Open threat intelligence (OTI or OSINT): open-source TIPs (MISP, OpenCTI)
- Shared threat intelligence (STI) (closed TI): TIPs that include crowdsourced TI (MISP, OpenCTI)
A study by Xander Bouwman, et al. showed almost no overlap between commercial and open-source or shared TIPs.
Cyber Threat Modeling and Adversary Analysis
Vector-surface matrix: maps attack surfaces on Y axis, threat vectors on X axis, and marks intersections to understand attack surface.
Attack tree: hierarchical diagrams showing potential paths that lead to asset attack.
Threat modeling methodologies: STRIDE, DREAD, PASTA, TRIKE, VAST, OCTAVE, CVSS (NIST).
Threat Intelligence Data Sources
Threat feed evaluation
- Data feed’s source (external IoCs, counterintel, HUMINT, etc.)
- Data period (short, medium, long-term)
- Source authentication (authenticity, transparency)
- Percentage of unique data
- Potential ROI
Threat data quality assessment
- Coverage (true positives, false negatives, true negatives, false positives)
- Ease of automation
- Dark web (and/or sites that report on it, such as https://www.darkreading.com, https://www.bleepingcomputer.com, https://thehackernews.com)
- Search engines ( https://www.shodan.io, https://www.zoomeye.org, https://search.censys.io, https://hunter.io, https://www.greynoise.io, https://wigle.net, https://pipl.com)
- Social media
- Malware portals ( https://www.virustotal.com/gui/, https://virusshare.com, https://any.run, https://www.intezer.com)
Benefits of paid TI
- Data period (timeliness)
- Processing and integration
- Alignment with org’s requirements
- Information protection (doesn’t publicly reveal TI)
- Extra services
- Wide coverage
- Customer support
Paid TI: AT&T AlienVault, FireEye CTI, CrowdStrike Intelligence Exchange, RecordedFuture, HackSurfer, Symantec DeepSight, ThreatConnect, IBM X-Force, SecureWorks, Vipre, Kaspersky TI, Microsoft Graph Security, Cisco openVuln API, WildFire, Anomali, PhishLabs, DeCYFIR, Flashpoint Collab. See https://www.gartner.com/reviews/market/security-threat-intelligence-services
Effective Defense Tactics and Data Protection
Enforce Strict Transport Security (STS) on all relevant applications to prevent TLS downgrade attacks.
AI Applications in Cyber Threat Analytics
AI-powered SIEMs: IBM QRadar, Securonix, Splunk, AlienVault USM
Threat Modeling and Analysis — Practical Use Cases
CTI analysis tools
Threat Intelligence Metrics, Indicators of Compromise, and the Pyramid of Pain
- Network-based: IP addresses, domain names and application protocols, URLs
- Host-based: file names and hashes, process names and IDs, mutex, registry keys
- Email-based: email headers, email content
- Behavioral: remote command execution, suspicious activities from uncommon sources, multiple requests or attempts, DDoS and other availability-affecting attacks, abnormal outbound traffic
Key indicators of attack/breach
- Unusual outbound network traffic
- Multiple login failures
- Increase in data volume
- Multiple requests on a specific asset
- Geographical anomalies
- Unusual user account activity
- Unusual HTML response size
- Unusual DNS requests
- Mismatched port-application traffic
- Suspicious registry or system file changes
- Unexpected system patching
Course of Action (CoA) matrix: table that shows the defensive capabilities available at each phase of the Cyber Kill Chain. On the y-axis, you put the Cyber Kill Chain steps (the adversary’s actions). On the x-axis, you put the defensive actions: Discover, Detect, Deny, Disrupt, Degrade, Deceive, and Destroy. In each cell within the matrix, you put the defensive capabilities relevant to the intersecting kill chain step and defensive action.
Intelligence gain/loss (IGL): determine gain or loss of a CoA, to decide whether to take an active CoA against a specific adversary, given intel about them. For example, denying access to adversary may cause loss of intel you could’ve gathered during intrusion.
IoAs vs. IoCs
- IoAs focus on proactive security by detecting adversary’s intent.
- IoCs represent pieces of evidence of an attack or breach; IoAs relate to steps and actions that adversary must take to compromise system.
- IoAs are real-time indicators at tactics and techniques level of TTPs.
- IoCs focus on procedures used by adversaries; IoAs focus on adversary’s behavior.
Threat Intelligence Reporting and Dissemination
TI report types
- Threat landscape reports: global threat awareness; comprehensive understanding, insight, alerts regarding cyber threats affecting org, industry, users in a specific period.
- Threat analysis reports: provide details of threat analyses; comprehensive analysis of threats, attacks, breaches.
Threat landscape report
- Business risk evaluation
- Cyber threats affecting industry
- Threat actors and their profiles
- Security priorities
Threat analysis report
- Threat actor
- Attack history and location
- Threat actor’s intent
- Target and victim profile
- Attack impact and business risks
- TTPs used by threat actors
- Similarities in TTPs with other attacks
- Details of indicators and events
- Countermeasures and mitigation steps
- Probability of recurrence
TI report template
- Report Details: analyst full names, designation, company name, reporting date.
- Client Details: company or individual full names, industry, organization type, location.
- Test Details: start and end dates of test, duration, test type, number of people who performed test, assets analyzed.
- Executive summary: summary of threats and business impact.
- TLP designation
- Analysis Methodology: details of analytic processes used; steps taken during each phase of CTI cycle.
- Threat Details: technical details of each threat/intrusion.
- IoCs: details of all IoCs and IoAs identified.
- Recommended Actions: steps to mitigate each threat identified; explanation of how current security controls do or don’t mitigate.
Campaign building and tracking
- Past intelligence analysis
- External intelligence analysis
- Past indicators and data
- Future intrusion attributes (predict threat actors and TTPs based on past TTPs)
Strategic, tactical, operational intel sharing
- Strategic: provide insight on security landscape and contribution of CTI to global security posture; highlight benefits from CTI program and justify ROI.
- Operational: provide technical details (IoCs, attacks, campaigns); can share in form of APIs, YARA rules, STIX, TAXII, OpenIOC, CSV.
- Tactical: provide detailed TTPs and mitigation steps; can share in reports or feeds.
Commercial TIPs: IBM X-Force Exchange, McAfee Threat Intelligence Exchange, ThreatConnect, ThreatExchange, YaraShare.
Threat Intelligence Sharing and Cyber Activity Attribution — Practical Use Cases
- High: strong evidence, no contradicting facts
- Moderate: enough evidence, with some room for debate
- Low: little evidence, valid statements and hypotheses to challenge assessment
Use ACH only where there is no or less technical evidence to support a threat intelligence analysis or scenario.
- Formulate hypotheses
- Identify evidence to support hypotheses
- Classify evidence as intent, opportunity, or capability
- Perform diagnostics for evidence provided
- Set credibility and relevance of each piece of evidence
- View and evaluate generated inconsistency score
This article’s author, Chad Warner, is seeking a cybersecurity job, preferably in cyber threat intelligence (CTI) or OSINT. Please contact him if you know of any openings.