“Mastering Cyber Intelligence” Notes

Mastering Cyber Intelligence by Jean Nestor M. Dahj

Requirements and Intelligence Team Implementation

Intelligence requirements questions

  • Have attacks been attempted?
  • How did attacks happen?
  • How did organization detect or prevent attack?
  • What useful information did organization extract from threat or attack?
  • Has organization been hacked before?
  • How did hack happen?
  • What information was targeted?
  • Who was main threat actor? Was attack automated or manually executed?
  • What vulnerabilities are currently being exploited globally and in industry?
  • Have there been breaches on a global scale? Industry-specific? How recently and to what extent?
  • What vulnerabilities and breaches can organization defend against or detect?
  • What prospective threats and vulnerabilities are currently under research?
  • What indicators are available in organization’s security system?
  • Can those indicators prevent existing common threats or past breaches?
  • Is there need for more indicators to strengthen current security?
  • Was organization’s security protocol effective at detecting or preventing past attacks?
  • Was protocol accurately followed to mitigate attack or respond to past incidents?
  • Were there security measures that were not followed during incident?

Prioritizing intelligence requirements

  • Short-term: identify threat actors targeting org; evaluate their intent, capability, opportunity; select indicators to monitor; implement action plan
  • Mid-term: continuously monitor TTP changes of threat actor(s) to avoid security surprises
  • Long-term: identify potential future threats; identify internal threats; identify threats against related industries

Intelligence requirement types

  • Prioritized Intelligence Requirements (PIRs): high priority of threat actor(s) targeting org
  • Specific Intelligence Requirements (SIRs): continuously monitoring TTP changes of particular threat actor(s)

CTI analyst requirements

  • Know all intelligence types (strategic, operational, tactical).
  • Be familiar with most industry-leading intelligence tools, platforms, methodologies.
  • Have data acquisition and collection capabilities.
  • Be able to analyze internal and external data and produce useful intelligence to help organization make business decisions; have analytical skills.
  • Be able to convey intelligence through transparent and professional reports; have writing skills.
  • Be able to inform organization of any threats; have research and independent work skills.

CTI team skills

  • Theoretical: resources, tech, data sources
  • Hands-on: solve intel use cases, perform data analysis, collect data
  • Reporting: technical writing, non-technical writing

Intelligence types

  • Strategic: High-level, non-technical. Works with executives. Has global understanding of threats, adversaries, impact on defenses. Understands cost of data breach.
  • Operational: Focused on understanding, replicating, analyzing adversaries, threats, attacks. Isolate threats and attacks, detail courses of actions, orchestrate operations. Includes threat hunting, vulnerability and risk assessment, IR, pen testing.
  • Tactical: Examine TTPs and IOCs of selected threats and adversaries. Includes malware analysis, indicator enrichment. Works with SOC, SIEM, IDS/IPS, endpoints, firewalls, etc.

Cyber Threat Intelligence Frameworks

Cyber Threat Framework by US government

  1. Preparation: adversary recons, plans attack, develops capabilities.
  2. Engagement: adversary exploits vulnerabilities, gains full or partial control of target.
  3. Presence: adversary gains full control, hides tracks, likely establishes persistence.
  4. Consequence/effect: deny access, steal info, access data, modify info, shut down system, etc.

Goal Setting, Procedures for CTI Strategy, and Practical Use Cases

TIP types

  • Paid threat intelligence (PTI): commercial TIPs; provide more IOCs, earlier threat detection, better analytics than open and shared (IBX X-Force Exchange, FireEye iSIGHT, CrowdStrike Falcon-X, Recorded Future, Anomali ThreatStream, AlienVault USM)
  • Open threat intelligence (OTI or OSINT): open-source TIPs (MISP, OpenCTI)
  • Shared threat intelligence (STI) (closed TI): TIPs that include crowdsourced TI (MISP, OpenCTI)

Cyber Threat Modeling and Adversary Analysis

Threat Intelligence Data Sources

Threat feed evaluation

  • Data feed’s source (external IoCs, counterintel, HUMINT, etc.)
  • Data period (short, medium, long-term)
  • Source authentication (authenticity, transparency)
  • Percentage of unique data
  • Potential ROI

Threat data quality assessment

  • Coverage (true positives, false negatives, true negatives, false positives)
  • Accuracy
  • Latency
  • Ease of automation

OSINT portals

Benefits of paid TI

  • Accuracy
  • Data period (timeliness)
  • Processing and integration
  • Alignment with org’s requirements
  • Information protection (doesn’t publicly reveal TI)
  • Extra services
  • Wide coverage
  • Customer support

Effective Defense Tactics and Data Protection

AI Applications in Cyber Threat Analytics

Threat Modeling and Analysis — Practical Use Cases

CTI analysis tools

Threat Intelligence Metrics, Indicators of Compromise, and the Pyramid of Pain

IoC categories

  • Network-based: IP addresses, domain names and application protocols, URLs
  • Host-based: file names and hashes, process names and IDs, mutex, registry keys
  • Email-based: email headers, email content
  • Behavioral: remote command execution, suspicious activities from uncommon sources, multiple requests or attempts, DDoS and other availability-affecting attacks, abnormal outbound traffic

Key indicators of attack/breach

  • Unusual outbound network traffic
  • Multiple login failures
  • Increase in data volume
  • Multiple requests on a specific asset
  • Geographical anomalies
  • Unusual user account activity
  • Unusual HTML response size
  • Unusual DNS requests
  • Mismatched port-application traffic
  • Suspicious registry or system file changes
  • Unexpected system patching

IoAs vs. IoCs

  • IoAs focus on proactive security by detecting adversary’s intent.
  • IoCs represent pieces of evidence of an attack or breach; IoAs relate to steps and actions that adversary must take to compromise system.
  • IoAs are real-time indicators at tactics and techniques level of TTPs.
  • IoCs focus on procedures used by adversaries; IoAs focus on adversary’s behavior.

Threat Intelligence Reporting and Dissemination

TI report types

  • Threat landscape reports: global threat awareness; comprehensive understanding, insight, alerts regarding cyber threats affecting org, industry, users in a specific period.
  • Threat analysis reports: provide details of threat analyses; comprehensive analysis of threats, attacks, breaches.

Threat landscape report

  • Business risk evaluation
  • Cyber threats affecting industry
  • Threat actors and their profiles
  • Security priorities

Threat analysis report

  • Threat actor
  • Attack history and location
  • Threat actor’s intent
  • Target and victim profile
  • Attack impact and business risks
  • TTPs used by threat actors
  • Similarities in TTPs with other attacks
  • Details of indicators and events
  • Countermeasures and mitigation steps
  • Probability of recurrence

IT report template

  • Report Details: analyst full names, designation, company name, reporting date.
  • Client Details: company or individual full names, industry, organization type, location.
  • Test Details: start and end dates of test, duration, test type, number of people who performed test, assets analyzed.
  • Executive summary: summary of threats and business impact.
  • TLP designation
  • Analysis Methodology: details of analytic processes used; steps taken during each phase of CTI cycle.
  • Threat Details: technical details of each threat/intrusion.
  • IoCs: details of all IoCs and IoAs identified.
  • Recommended Actions: steps to mitigate each threat identified; explanation of how current security controls do or don’t mitigate.

Campaign building and tracking

  • Past intelligence analysis
  • External intelligence analysis
  • Past indicators and data
  • CoA
  • Future intrusion attributes (predict threat actors and TTPs based on past TTPs)

Strategic, tactical, operational intel sharing

  • Strategic: provide insight on security landscape and contribution of CTI to global security posture; highlight benefits from CTI program and justify ROI.
  • Operational: provide technical details (IoCs, attacks, campaigns); can share in form of APIs, YARA rules, STIX, TAXII, OpenIOC, CSV.
  • Tactical: provide detailed TTPs and mitigation steps; can share in reports or feeds.

Open-source TIPs

Threat Intelligence Sharing and Cyber Activity Attribution — Practical Use Cases

Confidence assessment

  • High: strong evidence, no contradicting facts
  • Moderate: enough evidence, with some room for debate
  • Low: little evidence, valid statements and hypotheses to challenge assessment


  1. Formulate hypotheses
  2. Identify evidence to support hypotheses
  3. Classify evidence as intent, opportunity, or capability
  4. Perform diagnostics for evidence provided
  5. Set credibility and relevance of each piece of evidence
  6. View and evaluate generated inconsistency score



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Chad Warner

Chad Warner

Cyber threat intelligence (CTI), cybersecurity, & privacy enthusiast. Seeking a CTI job. Bookworm. Fan of Tolkien & LEGO.