“Practical Cyber Threat Intelligence” Notes

Practical Cyber Threat Intelligence: Gather, Process, and Analyze Threat Actor Motives, Targets, and Attacks with Cyber Intelligence Practices by Dr. Erdal Ozkaya

Basics of Threat Analysis and Modeling

Questions to answer when threat modeling

  • What system is the model for?
  • What can go wrong?
  • What are the potential solutions?
  • After an attack (or a later review): were the solutions effective, i.e. did we do a good job?

Threat modeling methodologies

  • STRIDE (most mature)
  • DREAD
  • PASTA
  • Trike
  • VAST
  • Attack Tree
  • Common Vulnerability Scoring System (CVSS)
  • T-MAP
  • OCTAVE
  • Quantitative Threat Modeling Method
  • LINDDUN (privacy-focused)
  • Persona non Grata (PnG)
  • hTMM (Hybrid Threat Modeling Method)
  • Security Cards
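A worked illustration of the first three threat-modeling questions above, using STRIDE (the most mature method in the list). The Python below is an added example, not code from the book or from these notes: it models a small constructed system as data-flow-diagram elements, applies the standard STRIDE-per-element chart (which categories apply to external entities, processes, data flows and data stores) to enumerate what can go wrong, and subtracts the mitigations the team claims to have. The sample system, its element names and the mitigation set are assumptions.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (DFD).

Added example; not code from the book or from these notes. The modelled
system (a user, a web application, a session store and an audit log) is
constructed for illustration. The element-type to STRIDE mapping is the
standard STRIDE-per-element chart; everything else here is an assumption.
"""
from collections import Counter
from dataclasses import dataclass

# STRIDE-per-element chart: which threat categories apply to each DFD element type.
# A data store is subject to Repudiation only when it acts as a log.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}

STRIDE_NAMES = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str             # one of the STRIDE_PER_ELEMENT keys
    is_log: bool = False  # only meaningful for data stores


@dataclass(frozen=True)
class Threat:
    element: str
    category: str


def enumerate_threats(elements):
    """Answer 'what can go wrong?' mechanically: one Threat per applicable letter."""
    threats = []
    for el in elements:
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            if el.kind == "data_store" and letter == "R" and not el.is_log:
                continue  # a plain store cannot be repudiated; only a log can
            threats.append(Threat(el.name, STRIDE_NAMES[letter]))
    return threats


def unmitigated(threats, mitigations):
    """Answer 'what are the solutions?' by subtracting the (element, category)
    pairs the team has already addressed; whatever is left is the backlog."""
    return [t for t in threats if (t.element, t.category) not in mitigations]


def summary(threats):
    """Threat count per element, useful for the 'did we do a good job?' review."""
    return dict(Counter(t.element for t in threats))


# Constructed sample DFD (an assumption, not a real system).
SAMPLE_SYSTEM = [
    Element("User", "external_entity"),
    Element("Web app", "process"),
    Element("Session DB", "data_store"),
    Element("Audit log", "data_store", is_log=True),
    Element("User -> Web app", "data_flow"),
    Element("Web app -> Session DB", "data_flow"),
]

# Mitigations the (hypothetical) team claims to have in place.
SAMPLE_MITIGATIONS = {
    ("User", "Spoofing"),                   # MFA on login
    ("User -> Web app", "Tampering"),       # TLS
    ("User -> Web app", "Information disclosure"),
    ("Web app", "Elevation of privilege"),  # server-side authorization checks
}

if __name__ == "__main__":
    all_threats = enumerate_threats(SAMPLE_SYSTEM)
    print(len(all_threats), "threats enumerated:", summary(all_threats))
    for t in unmitigated(all_threats, SAMPLE_MITIGATIONS):
        print(f"  TODO  {t.element:24} {t.category}")
```

The chart is deliberately coarse: it guarantees you ask every STRIDE question of every element, which is the point of the method, but each generated line still needs an analyst to decide whether the threat is real for that system before it becomes a work item.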

Formulate a Threat Intelligence Model

CTI categories

  • Technical: Info about a specific IoC. Usually consumed by SOC analysts, IR team. Short-term use.
  • Tactical: Info about attacker TTPs. Usually consumed by SOC analysts, IT service managers, NOC employees, administrators, architects, SecOps managers. Long-term use.
  • Operational: Details of malicious activities, recommended courses of action, warnings of emerging attacks trends. Specific to org. Usually consumed by blue team. Short-term use.
  • Strategic: High-level info about risk of attack, threat landscape, attack trends, business impact. Usually consumed by executives, managers, and security leadership. Long-term use.

Adversary Data Collection Sources & Methods

Primary Indicators of Security Compromise

IoC disadvantages

  • They change often, so you need to be constantly checking for new ones.
  • Alerts need to be checked for false positives, often manually.
  • Detecting IoCs is reactive: an indicator only exists because a compromise has already happened somewhere.
  • Checking for IoCs will only detect known indicators, not unknown ones.

IoCs vs TTPs

  • IoCs are artifacts of a specific compromise (hashes, IPs, domains) that you detect by exact match; TTPs describe how the adversary behaves.
  • IoCs are reactive; TTPs are proactive.
  • IoCs are specific to a single attack or sample; TTPs cover an entire attack family based on its behavior patterns.
  • IoCs can trigger many false positives; TTPs trigger fewer.
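To make the IoC/TTP contrast concrete, here is an added example (not code from the book or from these notes) that runs an indicator list and a behaviour rule over the same constructed process-creation events. The hashes, hostnames and IP addresses are made up (TEST-NET ranges, dummy hex digests); the behaviour rule looks for an Office application spawning PowerShell with an encoded command line, and the point is that a recompiled sample on a new C2 evades the indicator list but not the rule.

```python
"""IoC matching versus a TTP (behavioural) rule over the same process-creation events.

Added example, not from the book or the notes. The events, hashes and IP
addresses are constructed (TEST-NET ranges, made-up hex digests) purely to
show why an indicator list misses a re-hashed sample on a new C2 while a
behaviour rule still fires.
"""
import re

# Constructed process-creation events, as a SIEM might normalise them.
EVENTS = [
    {"id": 1, "host": "wks-01", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default",
     "sha256": "1f" * 32, "dst_ip": "198.51.100.20"},
    # Known sample: hash and C2 are both on the indicator list.
    {"id": 2, "host": "wks-02", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "sha256": "a1" * 32, "dst_ip": "203.0.113.10"},
    # Same tradecraft a week later: recompiled loader (new hash), new C2 (new IP).
    {"id": 3, "host": "wks-03", "parent": "EXCEL.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3",
     "sha256": "b2" * 32, "dst_ip": "198.51.100.77"},
    # Admin running a maintenance script: PowerShell, but no Office parent, no encoding.
    {"id": 4, "host": "srv-01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\ops\\backup.ps1",
     "sha256": "c3" * 32, "dst_ip": "10.0.0.5"},
]

# Indicator list as it stood when event 2 was analysed (constructed).
IOC_SHA256 = {"a1" * 32}
IOC_IPS = {"203.0.113.10"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# PowerShell accepts abbreviated switches, so match -e / -ec / -enc / -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+\S+")


def ioc_matches(events, hashes=IOC_SHA256, ips=IOC_IPS):
    """Atomic indicator matching: exact equality on file hash or destination IP."""
    return [e["id"] for e in events
            if e["sha256"] in hashes or e["dst_ip"] in ips]


def ttp_matches(events):
    """Behaviour rule: an Office application spawning PowerShell with an encoded
    command line (the classic macro-to-PowerShell chain). Indicator-agnostic."""
    hits = []
    for e in events:
        office_parent = e["parent"].lower() in OFFICE_APPS
        is_powershell = e["image"].lower() in {"powershell.exe", "pwsh.exe"}
        encoded = ENCODED_FLAG.search(e["cmdline"]) is not None
        if office_parent and is_powershell and encoded:
            hits.append(e["id"])
    return hits


def missed_by_iocs(events):
    """Events the behaviour rule flags that the indicator list knows nothing about."""
    return sorted(set(ttp_matches(events)) - set(ioc_matches(events)))


if __name__ == "__main__":
    print("IoC hits  :", ioc_matches(EVENTS))    # [2]
    print("TTP hits  :", ttp_matches(EVENTS))    # [2, 3]
    print("IoC misses:", missed_by_iocs(EVENTS))  # [3]
```

Note what the rule does not do: it never looks at the hash or the IP, so the attacker has to change how they operate (drop the Office parent, stop encoding) rather than just rebuild the payload or move hosting. That is the "TTPs cover the attack family" property from the list above, and it is also why the rule needs the parent/child relationship, not just "powershell.exe ran", or event 4 would be a false positive.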

Conduct Threat Assessments in Depth

Build Reliable & Robust Threat Intelligence System

CART: qualities of good CTI

  • Complete (sufficient detail to enable proper response)
  • Accurate
  • Relevant (address threats relevant to org; be delivered in consumable format)
  • Timely (delivered in time to act on)

Planning and Direction key considerations

  • How will CTI improve operational efficiency?
  • Which types of assets, processes, personnel are at risk?
  • What other systems and applications could benefit?

Collection and Processing key considerations

  • Where are current internal and external blind spots?
  • What technical and automated collection techniques can you use?
  • How well can you infiltrate cybercriminal forums and dark web closed sources?

Analysis key considerations

  • Which types of assets, processes, and personnel are at risk?
  • How will CTI improve operational efficiency?
  • What other systems and applications could benefit?

Production key considerations

  • What are most important findings of analysis? What’s best way to illustrate them?
  • With what degree of confidence is analysis reliable, relevant, and accurate?
  • Are there clear and concrete recommendations or next steps based on analysis?

Dissemination key considerations

  • Which stakeholders benefit from finished intel reporting?
  • What is best way to present intel? At what delivery frequency?
  • How valuable is the finished intel? How actionable is it? Does it enable org to make informed security decisions?
  • How can you improve going forward, in terms of finished intel and org’s intelligence cycle?

Learn Statistical Approaches for Threat Intelligence

Data preparation best practices

  • Understand data consumers and questions they’ll ask.
  • Know data source, how it was generated.
  • Save raw data. If you can, save processed data too.
  • Ensure data transforms are reproducible.
  • Future-proof data pipeline by versioning data, code that performs analysis, transformations.
  • Ensure consistency of data across all data sets.
  • Apply data governance and compliance early and throughout process.
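The following Python turns the list above into a concrete pattern; it is an added example, not code from the book or from these notes. It takes a constructed raw indicator feed (reserved .test domain, TEST-NET address, made-up feed names), keeps the raw input and its hash, applies a deterministic, versioned normalisation (refanging, case-folding, whitespace stripping, de-duplication with source merging), and emits provenance alongside the processed output. Feed names, field names and the transform version string are assumptions.

```python
"""Reproducible, provenance-tracked normalisation of a raw indicator feed.

Added example, not from the book or the notes. The raw feed below is
constructed (reserved .test domain, TEST-NET address) and the feed names,
field names and transform version are assumptions. It shows the practices
listed above in code: keep the raw data and hash it, make the transform a
pure function, version it, and record provenance with every output.
"""
import hashlib
import json

TRANSFORM_VERSION = "1.0.0"  # bump whenever normalize() changes behaviour

# Constructed raw feed records exactly as received (defanged, mixed case, whitespace).
RAW_FEED = [
    {"indicator": "Evil-Domain[.]test", "type": "domain", "source": "feed-a"},
    {"indicator": "evil-domain.test", "type": "domain", "source": "feed-b"},
    {"indicator": "hxxp://Evil-Domain[.]test/payload", "type": "url", "source": "feed-a"},
    {"indicator": " 203.0.113.10 ", "type": "ipv4", "source": "feed-b"},
    {"indicator": "203.0.113.10", "type": "ipv4", "source": "feed-a"},
]


def canonical_json(obj):
    """Stable serialisation so hashes do not depend on key order or whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def sha256_of(obj):
    return hashlib.sha256(canonical_json(obj).encode("utf-8")).hexdigest()


def refang(value):
    """Undo common defanging so the same indicator compares equal across feeds."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def normalize(record):
    """Pure function of its input: no clocks, no randomness, no network calls."""
    value = refang(record["indicator"].strip())
    kind = record["type"].lower()
    if kind == "domain":
        value = value.lower().rstrip(".")
    elif kind == "url":
        scheme, _, rest = value.partition("://")
        host, slash, path = rest.partition("/")
        value = f"{scheme.lower()}://{host.lower()}{slash}{path}"  # path case is significant
    return {"type": kind, "indicator": value, "source": record["source"]}


def process(raw_records):
    """Return (processed_records, provenance). Output is sorted and de-duplicated
    on (type, indicator) with the contributing sources merged, so the same raw
    records always yield byte-identical processed data."""
    merged = {}
    for rec in map(normalize, raw_records):
        key = (rec["type"], rec["indicator"])
        merged.setdefault(key, set()).add(rec["source"])
    processed = [
        {"type": t, "indicator": i, "sources": sorted(srcs)}
        for (t, i), srcs in sorted(merged.items())
    ]
    provenance = {
        "transform_version": TRANSFORM_VERSION,
        "raw_sha256": sha256_of(raw_records),      # ties output back to the saved raw input
        "processed_sha256": sha256_of(processed),
        "records_in": len(raw_records),
        "records_out": len(processed),
        "sources": sorted({r["source"] for r in raw_records}),
    }
    return processed, provenance


if __name__ == "__main__":
    processed, provenance = process(RAW_FEED)
    print(canonical_json(processed))
    print(canonical_json(provenance))
```

Two design points worth noticing. The wall-clock time of the run is deliberately kept out of the provenance record so that re-running the same transform version over the same raw input produces an identical provenance hash; put the timestamp in a separate run log if you need it. And the raw hash changes when the feed order changes while the processed hash does not, which is exactly the evidence you want when a consumer asks why two deliveries of "the same" feed look different.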

Chad Warner