“Practical Cyber Threat Intelligence” Notes

Practical Cyber Threat Intelligence: Gather, Process, and Analyze Threat Actor Motives, Targets, and Attacks with Cyber Intelligence Practices by Dr. Erdal Ozkaya

Basics of Threat Analysis and Modeling

Questions to answer when threat modeling

  • What system is the model for?
  • What can go wrong?
  • What are the potential solutions?
  • After cyberattack, were solutions successful?

Threat modeling methodologies

  • STRIDE (most mature)
  • Trike
  • VAST
  • Attack Tree
  • Common Vulnerability Scoring System (CVSS)
  • T-MAP
  • Quantitative Threat Modeling Method
  • Persona Non-Grata
  • HTMM
  • Security Cards

Formulate a Threat Intelligence Model

CTI categories

  • Technical: Info about a specific IoC. Usually consumed by SOC analysts, IR team. Short-term use.
  • Tactical: Info about attacker TTPs. Usually consumed by SOC analysts, IT service managers, NOC employees, administrators, architects, SecOps managers. Long-term use.
  • Operational: Details of malicious activities, recommended courses of action, warnings of emerging attack trends. Specific to org. Usually consumed by blue team. Short-term use.
  • Strategic: High-level info about risk of attack, threat landscape, attack trends, biz impact. Usually consumed by executives, managers, security devices. Long-term use.

Adversary Data Collection Sources & Methods

Primary Indicators of Security Compromise

IoC disadvantages

  • They change often, so you need to be constantly checking for new ones.
  • Alerts need to be checked for false positives, often manually.
  • Detecting IoCs is reactive, after compromise.
  • Checking for IoCs will only detect known indicators, not unknown ones.

IoCs vs TTPs

  • IoCs describe detections; TTPs describe characteristics/behavior.
  • IoCs are reactive; TTPs are proactive.
  • IoCs are specific to 1 attack; TTPs cover entire attack family based on behavior patterns.
  • IoCs can trigger many false positives; TTPs trigger fewer.
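An added example, not from the book: an IoC feed match beside a behavioural (TTP-style) rule, both run over constructed process-creation events. The process names, hashes and addresses are placeholders chosen for illustration; the point is that rotating the hash or address defeats the indicator match but not the behaviour rule.

```python
"""Added example (not from the book): indicator match vs behavioural rule."""

# Constructed sample events; hashes and addresses are placeholders, not real IoCs.
EVENTS = [
    {"id": 1, "parent": "winword.exe", "image": "powershell.exe",
     "sha256": "aaaa0001", "dst_ip": "203.0.113.10"},   # known sample, known address
    {"id": 2, "parent": "winword.exe", "image": "powershell.exe",
     "sha256": "bbbb0002", "dst_ip": "198.51.100.7"},   # same behaviour, rotated IoCs
    {"id": 3, "parent": "explorer.exe", "image": "powershell.exe",
     "sha256": "cccc0003", "dst_ip": "10.0.0.5"},       # routine admin use
]

# Constructed IoC feed: one file hash and one destination address from a past incident.
IOC_FEED = {"sha256": {"aaaa0001"}, "dst_ip": {"203.0.113.10"}}

# Behavioural rule (assumed process names): an office application spawning a
# scripting interpreter, a pattern that does not depend on any hash or address.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def ioc_matches(event, feed):
    """Return the indicator fields whose values appear in the feed (sorted)."""
    return sorted(f for f, values in feed.items() if event.get(f) in values)


def ttp_matches(event):
    """Return True when the event fits the office-app-spawns-interpreter behaviour."""
    return event["parent"] in OFFICE_APPS and event["image"] in INTERPRETERS


def detect(events, feed):
    """Map each event id to which approach flagged it: matched IoC fields and the TTP verdict."""
    return {e["id"]: {"ioc": ioc_matches(e, feed), "ttp": ttp_matches(e)} for e in events}


if __name__ == "__main__":
    for eid, result in detect(EVENTS, IOC_FEED).items():
        print(eid, result)
```

Event 2 is the IoC-rotation case the notes describe: the feed misses it, the behaviour rule still fires. Event 3 shows why the rule keys on the parent process rather than the interpreter alone, which is where the lower false-positive rate of a TTP rule comes from.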

Conduct Threat Assessments in Depth

Build Reliable & Robust Threat Intelligence System

CART: qualities of good CTI

  • Complete (sufficient detail to enable proper response)
  • Accurate
  • Relevant (address threats relevant to org; be delivered in consumable format)
  • Timely (delivered in time to act on)

Planning and Direction key considerations

  • How will CTI improve operational efficiency?
  • Which types of assets, processes, personnel are at risk?
  • What other systems and applications could benefit?

Collection and Processing key considerations

  • Where are current internal and external blind spots?
  • What technical and automated collection techniques can you use?
  • How well can you infiltrate cybercriminal forums and dark web closed sources?

Analysis key considerations

  • Which types of assets, processes, and personnel are at risk?
  • How will CTI improve operational efficiency?
  • What other systems and applications could benefit?

Production key considerations

  • What are most important findings of analysis? What’s best way to illustrate them?
  • With what degree of confidence is analysis reliable, relevant, and accurate?
  • Are there clear and concrete recommendations or next steps based on analysis?

Dissemination key considerations

  • Which stakeholders benefit from finished intel reporting?
  • What is best way to present intel? At what delivery frequency?
  • How valuable is the finished intel? How actionable is it? Does it enable org to make informed security decisions?
  • How can you improve going forward, in terms of finished intel and org’s intelligence cycle?

Learn Statistical Approaches for Threat Intelligence

Data preparation best practices

  • Understand data consumers and questions they’ll ask.
  • Know data source, how it was generated.
  • Save raw data. If you can, save processed data too.
  • Ensure data transforms are reproducible.
  • Future-proof data pipeline by versioning data, code that performs analysis, transformations.
  • Ensure consistency of data across all data sets.
  • Apply data governance and compliance early and throughout process.

Chad Warner
