“Practical Cyber Intelligence” Notes

Chad Warner
3 min read · Jan 12, 2022

Practical Cyber Intelligence by Wilson Bautista Jr. is a decent set of instructions on integrating cyber threat intelligence (CTI) with an organization’s IT operations and IT security operations. Much of the book is structured around a CTI capability maturity model, emphasizing that CTI must provide actionable intel for the organization to be worthwhile, and IT teams must communicate with each other to properly defend the organization. Unfortunately, much of the book reads like a dry, informational textbook; it would benefit from more examples showing how the concepts would play out in real life.

Here’s a summary from the end of the book:

  1. You and the adversary each have a decision-making cycle (OODA loop). Make your OODA loop smaller and faster by establishing priority intelligence requirements (PIRs). Be one step ahead of adversaries.
  2. Use what you know (threat intel) to disrupt the adversary’s decision-making cycle by understanding their Cyber Kill Chain. Create chaos (use active defense) and make attacking not worth their time.
  3. Develop an intelligence process throughout your organization, develop PIRs, and enable communication channels back to key stakeholders using F3EAD.
  4. Find weaknesses in your end-to-end processes, and decrease potential attack vectors by prioritizing organizational projects and using F3EAD (OODA loop and OPSEC).
  5. Create a visualization (using custom dashboards) of processes and identified risks for key stakeholders; let people know if they’re good, need improvement, or bad.
  6. Establish custom reports that take in data from your different teams to provide prioritized, actionable items to fix, based on analysis of risk to organization.

My notes follow.

Practical Cyber Intelligence by Wilson Bautista Jr.

This page contains one or more affiliate links. As an Amazon Associate, I earn from qualifying purchases.

The Need For Cyber Intelligence

OODA Loop

  1. Observe: situational awareness of yourself, environment, adversaries
  2. Orient: develop a mental image of the situation; diagnose, recognize, and analyze changes in the environment
  3. Decide: determine course of action with an acceptable degree of risk; communicate decision to those who need to know
  4. Act: act in a timely, tactically sound way

Integrating Cyber Intel, Security, And Operations

OPSEC process

  1. Identification of critical information
  2. Analysis of threats
  3. Analysis of vulnerabilities
  4. Assessment of risks
  5. Application of appropriate countermeasures

Using Cyber Intelligence To Enable Active Defense

Active Defense principles

  • Annoyance
  • Attribution
  • Attack (illegal without authorization)

The goal of active defense is to block the attacker, or to deceive them into believing their attack is succeeding by deflecting them to where you want them to go, until they decide that continuing the attack isn’t worth the effort.

F3EAD For You And For Me

F3EAD is a variant of, and/or a subprocess within, the intelligence cycle: it takes inputs from tactical-level collection priorities and outputs to the tactical-level analysis step.

Integrating Threat Intelligence And Operations

Threat Intelligence Platforms (TIPs)

  • Cisco GOSINT
  • Malware Information Sharing Platform (MISP)

The Security Stack

Defining the purpose of CTI integration

  • What’s the mission of the InfoSec program?
  • What are the core services that are required in a security program that will enable me to understand and improve my security posture?
  • What’s been defined as the most important to the least important system, application, and data?
  • How is risk defined in the organization, so I know what good and bad look like?
  • Who needs to talk to whom in order to get things done?
  • How do I need to share info with those who need to know?

Driving Cyber Intel

Event: abnormal occurrence. Incident: occurrence that has happened or is threatening to happen to an information system’s confidentiality, integrity, and/or availability.

Chad Warner

Web Strategist at OptimWise. Cybersecurity & privacy enthusiast. Bookworm. Fan of Tolkien & LEGO.