“The Intelligence Handbook” Notes

Chad Warner
4 min read · May 13, 2022


The Intelligence Handbook: A Roadmap for Building an Intelligence-Led Security Program, Fourth Edition by Recorded Future is an excellent, comprehensive overview of security intelligence (with a focus on cyber threat intelligence) from Recorded Future, a leader in that space. It’s accessible, able to be understood by very technical and less-technical readers.

You can download the ebook for free (some info required).

My notes follow.


Introduction

The terms “threat intelligence” and “security intelligence” are usually associated with info about threats to traditional IT systems. The terms “intelligence for security teams” or simply “intelligence” are broader, including third-party risk, brand protection, geopolitical risk, fraud intelligence, identity intelligence, etc., in addition to threat intel.

What Is Security Intelligence?

Data, information, intelligence

  • Data: Discrete facts and stats gathered for analysis (e.g., IP addresses, URLs, hashes).
  • Information: Multiple data points combined to answer specific questions (e.g., answer to question, “How many times has my organization been mentioned on social media this month?”).
  • Intelligence: Result of analyzing data and info to uncover patterns and provide context for decision-making. It must point toward specific decisions or actions, and be tailored for easy use by the specific person, group, or system that will use it to decide or act.

Characteristics of successful security intel processes

  1. Collaborative process and framework (sharing across departments)
  2. 360-degree visibility (scanning wide variety and quantity of sources)
  3. Extensive automation and integration (reduce manual effort; integrate with various security solutions)
  4. Alignment with organization and security use cases (collect and process only info that’s relevant to organization’s priorities; make intel easy to use)

Types and Sources

Operational (or technical) intel

  • Knowledge about active attacks, events, campaigns
  • Used by defenders
  • Usually sourced from machines

Strategic intel

  • Broad overview of organization’s entire threat landscape
  • Business-oriented content for decision-making executives
  • Presented through reports or briefings
  • Must be created by humans
  • Sources: trends and research reports from security companies, policy documents from governments or NGOs, news, published articles, SMEs

The Intelligence Life Cycle

Intelligence Life Cycle

  1. Direction: set goals for intel program
  2. Collection: gather info to address most important intel requirements
  3. Processing: transform collected info into usable format
  4. Analysis: turn info into intel to inform decisions
  5. Dissemination: get finished intel output to places it’s needed
  6. Feedback: understand requirements and priorities of consumers of intel, adjust your process accordingly

Reports to non-technical leaders

  • Be concise (1-page memo or a few slides)
  • Avoid confusing terms and tech jargon
  • Articulate issues in business terms
  • Recommend course of action

SecOps Intelligence Part 1 — Triage

Organizations can only investigate 48% of security alerts they receive, and of those investigated, only 26% are legitimate.

Vulnerability Intelligence

Most zero days are just variations on a theme, exploiting old vulnerabilities in slightly different ways. So rather than focusing on zero days, identify and patch vulnerabilities in software your organization uses.

If a vulnerability isn’t exploited within 2 weeks to 3 months of being announced, it’s unlikely ever to be exploited. So patching such old vulnerabilities is not a priority.

Your goal should not be to patch the most vulnerabilities, or even the most zero-day threats, but rather to identify and address the vulnerabilities most likely to be exploited against your organization.

The value of vulnerability databases is limited by their focus on technical exploitability rather than active exploitation, and by the fact that they’re updated too slowly to warn against rapidly-spreading threats.

By cross-referencing info from multiple sources, you can focus on vulnerabilities that present the greatest actual risk, rather than racing to patch everything.
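As an added illustration of the cross-referencing idea (my own example, not code from the book or from Recorded Future), the script below scores a constructed list of vulnerabilities by combining a severity score, whether the affected software is in the organization’s inventory, whether an intel source reports active exploitation or underground chatter, and the age of the advisory. The CVE identifiers, dates and weights are all made up for the example; the weights in particular are an assumption meant to show the ranking logic, not a recommended formula.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vuln:
    """One vulnerability enriched with internal and external context (constructed data)."""
    cve: str                  # placeholder identifier, not a real CVE
    cvss: float               # base severity as published
    published: date           # advisory date
    in_inventory: bool        # does the org actually run the affected software?
    actively_exploited: bool  # an intel feed reports in-the-wild exploitation
    exploit_chatter: bool     # discussed or offered on underground forums (DWINT)


def priority_score(v: Vuln, today: date) -> float:
    """Higher score = patch sooner. Weights are assumptions for illustration."""
    if not v.in_inventory:
        return 0.0  # not in our environment: no patching priority at all
    score = v.cvss
    if v.actively_exploited:
        score += 10.0  # exploitation evidence dominates raw severity
    if v.exploit_chatter:
        score += 4.0
    age_days = (today - v.published).days
    # Old advisory with no sign of exploitation: de-prioritise rather than drop.
    if age_days > 90 and not (v.actively_exploited or v.exploit_chatter):
        score *= 0.5
    return score


def prioritize(vulns: list[Vuln], today: date) -> list[str]:
    """Return CVE ids of relevant vulnerabilities, most urgent first."""
    relevant = [v for v in vulns if v.in_inventory]
    relevant.sort(key=lambda v: priority_score(v, today), reverse=True)
    return [v.cve for v in relevant]


# Constructed sample: the post's date as "today", four hypothetical findings.
TODAY = date(2022, 5, 13)
SAMPLE = [
    Vuln("CVE-EXAMPLE-A", 9.8, date(2021, 10, 25), True, False, False),  # critical but old and quiet
    Vuln("CVE-EXAMPLE-B", 7.5, date(2022, 5, 3), True, True, False),     # exploited in the wild
    Vuln("CVE-EXAMPLE-C", 10.0, date(2022, 5, 1), False, True, True),    # not in our inventory
    Vuln("CVE-EXAMPLE-D", 6.5, date(2022, 4, 13), True, False, True),    # underground chatter
]

if __name__ == "__main__":
    for cve in prioritize(SAMPLE, TODAY):
        print(cve)
```

The ordering that falls out (B, then D, then A, with C excluded) is the point of the chapter: the highest CVSS score is neither the first thing patched nor, when the software isn’t present, patched at all.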

Threat Intelligence Part 1 — Knowing Attackers

Dark web communities

  • Low-tier underground forums
  • Higher-tier dark web forums
  • Dark web markets
  • Many actors post in both low-tier and higher-tier forums, but markets are largely disconnected from forums

Third-Party Intelligence

55% of organizations have had a breach originating with a 3rd party. 29% believe their partners would notify them of compromise.

3rd-party risks to monitor

  • Ransomware
  • Data breaches
  • Malicious network activity
  • Exposed credentials
  • Plotting on dark web

Analytical Frameworks for Security Intelligence

Cyber Kill Chain

  • Describes 7 stages of attack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives (exfiltration).
  • Doesn’t account for many modern attacks (e.g., phishing skips exploitation phase).

Diamond Model

  • Used to track attack groups over time, not progress of individual attacks.
  • The diamond for an attacker isn’t static; it evolves as attacker adjusts TTPs and changes infrastructure and targets.
  • Tracks adversary (attacker), capability, infrastructure (used by attacker), victim. Can also track phase, result, direction, methodology, resources.
  • Diamonds require a lot of maintenance, as aspects can change rapidly.

MITRE frameworks

  • Trusted Automated eXchange of Intelligence Information (TAXII): transport protocol that enables organizations to share intel and use API commands to extract intel.
  • Structured Threat Information eXpression (STIX): standard format for presenting intel.
  • Cyber Observable eXpression (CybOX): method for tracking observables from cybersecurity incidents.
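To show what a STIX “standard format for presenting intel” looks like in practice, here is an added example (mine, not from the book) that reads a small constructed STIX 2.1 bundle, pulls the simple equality comparisons out of each indicator’s pattern, and checks them against a handful of constructed observables. The indicator ids, IP addresses (from the documentation range) and domain are made up; the parser only handles patterns of the form `[type:property = 'value']`, optionally joined by OR, which is an assumption that keeps the example short rather than a full STIX pattern grammar.

```python
import json
import re

# Constructed STIX 2.1 bundle with two live indicators and one revoked one.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-0000000000ff",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000001",
            "created": "2022-05-01T00:00:00.000Z", "modified": "2022-05-01T00:00:00.000Z",
            "name": "Example C2 address", "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.5']",
            "valid_from": "2022-05-01T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2022-05-02T00:00:00.000Z", "modified": "2022-05-02T00:00:00.000Z",
            "name": "Example phishing domains", "pattern_type": "stix",
            "pattern": "[domain-name:value = 'c2.example' OR domain-name:value = 'login.example']",
            "valid_from": "2022-05-02T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2022-04-01T00:00:00.000Z", "modified": "2022-05-03T00:00:00.000Z",
            "name": "Withdrawn indicator", "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.9']",
            "valid_from": "2022-04-01T00:00:00Z", "revoked": True,
        },
    ],
})

# Matches one "type:property = 'value'" comparison inside a STIX pattern.
_COMPARISON = re.compile(r"(?P<type>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<value>[^']*)'")


def load_indicators(bundle_json: str) -> list[tuple[str, str, str, str]]:
    """Return (observable type, property, value, indicator id) for each usable comparison."""
    bundle = json.loads(bundle_json)
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("revoked"):
            continue  # a revoked indicator must not generate matches
        if obj.get("pattern_type", "stix") != "stix":
            continue  # only STIX patterns are understood here
        for m in _COMPARISON.finditer(obj["pattern"]):
            found.append((m["type"], m["prop"], m["value"], obj["id"]))
    return found


def match_observables(indicators, observables: list[dict]) -> list[tuple[str, str]]:
    """Return (indicator id, matched value) for every observable that hits an indicator."""
    hits = []
    for obs in observables:
        for obs_type, prop, value, ind_id in indicators:
            if obs.get("type") == obs_type and str(obs.get(prop)) == value:
                hits.append((ind_id, value))
    return hits


# Constructed observables, e.g. pulled from proxy or DNS logs.
OBSERVED = [
    {"type": "ipv4-addr", "value": "203.0.113.5"},
    {"type": "domain-name", "value": "login.example"},
    {"type": "ipv4-addr", "value": "198.51.100.9"},   # only the revoked indicator knows this one
    {"type": "domain-name", "value": "intranet.example"},
]

if __name__ == "__main__":
    for ind_id, value in match_observables(load_indicators(STIX_BUNDLE), OBSERVED):
        print(f"{value} matched {ind_id}")
```

The `revoked` check is the part worth copying: a feed consumed over TAXII keeps delivering withdrawn objects, and matching on them produces false positives that look authoritative.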

MITRE ATT&CK

  • Tracks adversary behavior over time.
  • Describes indicators and tactics associated with specific adversaries.
  • 14 tactic categories: reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, impact.

Intelligence Data Sources and Types: A Framework

DWINT: dark web intelligence

Rules

  • YARA rules describe unique strings and byte patterns in files, so security products can identify, classify, and block malware.
  • Sigma rules are threat signatures for SIEMs, to identify log events associated with attacks.
  • Snort rules help IDS/IPS systems identify malicious network activity (scans, probes, etc.).
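As an added example of the Sigma idea (my own code, not the book’s and not the Sigma project’s tooling), the script below evaluates a Sigma-style rule against a few constructed Windows process-creation events. It implements the subset of Sigma semantics needed for the example: a selection map where every field must match, list values meaning “any of”, the `contains`/`startswith`/`endswith` modifiers with Sigma’s default case-insensitive matching, and a condition of the form `selection and not filter`. The rule, the events, the encoded string (which decodes to the harmless text “ABC”) and the allowlisted parent process name are all constructed.

```python
# Sigma-style rule as a Python dict (same shape as the YAML a SIEM would load).
RULE = {
    "title": "Encoded PowerShell command line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-encodedcommand"],
        },
        # Hypothetical allowlist: an internal deployment tool that legitimately uses -enc.
        "filter": {"ParentImage|endswith": "\\approved_deploy.exe"},
        "condition": "selection and not filter",
    },
}

# Constructed sample events (field names follow Sigma's process_creation schema).
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -EncodedCommand QQBCAEMA",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc QQBCAEMA",
     "ParentImage": r"C:\Tools\approved_deploy.exe"},
]


def _match_field(event: dict, key: str, expected) -> bool:
    """Match one 'Field|modifier' entry; list values are OR-ed, strings compare case-insensitively."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in (expected if isinstance(expected, list) else [expected]):
        value = str(value).lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def _match_selection(event: dict, selection: dict) -> bool:
    """All fields of a selection must match (AND)."""
    return all(_match_field(event, k, v) for k, v in selection.items())


def evaluate(rule: dict, event: dict) -> bool:
    """Evaluate conditions of the form 'A', 'A and B', 'A and not B'."""
    detection = rule["detection"]
    result, negate = None, False
    for token in detection["condition"].split():
        if token == "and":
            continue
        if token == "not":
            negate = True
            continue
        value = _match_selection(event, detection[token])
        if negate:
            value, negate = not value, False
        result = value if result is None else (result and value)
    return bool(result)


def run_rule(rule: dict, events: list[dict]) -> list[int]:
    """Return the indexes of events the rule fires on."""
    return [i for i, e in enumerate(events) if evaluate(rule, e)]


if __name__ == "__main__":
    for i in run_rule(RULE, EVENTS):
        print(f"{RULE['title']}: event {i} -> {EVENTS[i]['CommandLine']}")
```

Only the first event fires: the second has no encoded command, and the third matches the selection but is suppressed by the filter, which is how Sigma rules keep known-good automation from drowning the SIEM in alerts.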

Your Intelligence Journey

Intelligence report contents

  • Probable threat actor(s)
  • TTPs
  • Likely targets in org
  • Whether threat represents real danger to org
  • Likelihood that existing security controls can mitigate threat
  • Recommended actions

Developing Your Core Security Intelligence Team

Intel team skills

  • Correlating external data with internal telemetry
  • Reverse-engineering malware and reconstructing attacks (forensics)
  • Providing threat situational awareness and recommendations for security controls
  • Proactively hunting internal threats
  • Data engineering and signature detection for YARA, Sigma, etc.
  • Educating employees and customers about cyber threats
  • Engaging with wider intel community
  • Identifying and managing info sources
