What this book covers
Chapter 1, Cyber Threat Intelligence Life Cycle, discusses the steps involved in implementing a CTI program: planning, objectives, and direction; data collection; data processing; analysis and production; dissemination; and feedback. It provides a high-level overview of each step, with examples to help you understand what needs to be done. The chapter highlights the benefits of threat intelligence and its role in defending against modern, sophisticated attacks such as APTs. It equips you with the knowledge required to plan and set the direction for your program.
Chapter 2, Requirements and Intelligence Team Implementation, discusses threat intelligence requirement generation and task prioritization. It shows you how to generate sound intelligence requirements for your program using advanced methods drawn from military intelligence and warfare. As part of the planning phase of the CTI life cycle, the chapter discusses the team layout and how to acquire the right skill set to kick off your program. Finally, you learn how CTI relates to the other units of the security stack.
Chapter 3, Cyber Threat Intelligence Frameworks, introduces the different frameworks that you, as a CTI analyst, can use for your threat intelligence program. It highlights their benefits and discusses the three most popular threat intelligence frameworks: the Cyber Kill Chain, MITRE ATT&CK, and the Diamond Model of Intrusion Analysis. Using examples, the chapter also shows how each framework applies to threat and intrusion analysis.
Chapter 4, Cyber Threat Intelligence Tradecraft and Standards, discusses the analytic tradecraft and standards that analysts can apply to CTI programs. It highlights the benefits of using common languages and processes in threat intelligence. The chapter teaches you how to apply already established analytic tradecraft and standards to your CTI program to increase its chance of success. The analytic tradecraft and standards discussed in this chapter include the United States Central Intelligence Agency's (CIA) compendium of analytic tradecraft notes, Intelligence Community Directive (ICD) 203, Air Force Instruction (AFI) 14-133, and their applications to CTI. The chapter also gives a practical description of two important collaborative standards: Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII).
Chapter 5, Goal Setting, Procedures for CTI Strategy, and Practical Use Cases, demonstrates how to integrate CTI into an organization's security profile from a practical standpoint. It introduces threat intelligence platforms (TIPs), an essential tool for CTI, and provides guidelines for selecting the right TIP. You learn about open source and paid intelligence platforms and which one would benefit you. The chapter uses practical case studies to show you how level 1, level 2, and level 3 organizations (those new to CTI, those with specific CTI knowledge, and those with an existing CTI program) can effectively embrace CTI and set goals. As an analyst or a member of the CTI team, you can use the methods described in this chapter to kick-start a CTI program in your organization.
Chapter 6, Cyber Threat Modeling and Adversary Analysis, discusses the strategic modeling of threats and the analysis of adversary behavior. It gives you the theoretical and practical knowledge required to perform manual and automated threat modeling. You learn the different threat modeling methodologies with examples, user behavior analytics (UBA), and adversary analysis techniques. At the end of the chapter, you will be able to perform threat modeling for your organization.
Chapter 7, Threat Intelligence Data Sources, discusses the different threat intelligence sources and where to find the data. To conduct CTI, you need data, and most of the time a lot of it. The chapter covers the three data source types: open source (OSINT or OTI), shared (STI), and paid (PTI) threat intelligence sources. It equips you with the knowledge to select suitable data sources for your program based on the CTI requirements, the organization's budget, and its operational strategy. You learn about data source selection and evaluation, as well as malware data sources, parsing, and analysis for CTI. You also learn the benefits of shared and paid threat feeds. Finally, you learn how to structure and store intelligence data.
Chapter 8, Effective Defense Tactics and Data Protection, discusses how to build a robust defense system to prevent and contain cyber-attacks. It details the best practices for achieving reliable data protection. In the chapter, you learn about enforcing Confidentiality, Integrity, and Availability (CIA) by evaluating the loopholes in current cyber threat defense infrastructures and applying the appropriate defense tactics; data monitoring and active analytics in CTI; vulnerability assessment and risk management in modern system protection; using encryption, tokenization, masking, and other obfuscation methods to make the adversary's job difficult; and finally, endpoint management.
Chapter 9, AI Applications in Cyber Threat Analytics, discusses how Artificial Intelligence (AI) can help threat intelligence programs move from reactive to proactive and stay ahead of adversaries. This chapter teaches you about AI-fueled CTI and how it makes a difference in security. You learn what cyber threat hunting is, how to perform it, and how to integrate it into your security operations to anticipate attacks and ensure an effective defense. You understand the benefits of combining threat hunting and threat intelligence for reliable protection. You also learn about AI's impact on adversaries' attacks and on the enhancement of their procedures. Finally, you acquire the knowledge and skills to position AI in CTI and in your organization's security stack to maximize its value. We use IBM QRadar as an example of how AI can enhance security functions and tools.
Chapter 10, Threat Modeling and Analysis – Practical Use Cases, is a hands-on, practical chapter that teaches you how to use CTI to perform intrusion analysis manually and automatically. It shows you how CTI analysts go from a received or discovered indicator of compromise (IOC) to understanding the extent of the intrusion. In this chapter, you learn how to gather and contextualize IOCs. You also learn to pivot through data sources and use intelligence frameworks for analysis. You gain the skills to perform basic memory and disk analysis to extract pieces of evidence for solving cybercrimes. You acquire the skills to gather malware data, perform basic malware analysis for your case, fill in the Cyber Kill Chain matrix, and extract adversaries' tactics, techniques, and procedures (TTPs). Finally, you learn to use the open-source Malware Information Sharing Platform (MISP) for analysis and intelligence data storage.
Chapter 11, Usable Security: Threat Intelligence as Part of the Process, discusses how threat intelligence can be applied to business operations and to the security of system (software and hardware) development. This chapter equips you, as an analyst, with the knowledge required to assess, advise, and assist in incorporating CTI into the products and services that your organization develops, starting from the conception phase. You learn how to use threat analysis output in authentication applications, use threat modeling to enforce sound policies in system development and business operations, apply mental models to improve threat defense, and finally, implement secure system architectures that take cyber threats into account.
Chapter 12, SIEM Solutions and Intelligence-Driven SOCs, discusses the importance of CTI in SIEM tools and SOCs. It explains the process of integrating intelligence into a SIEM solution. The chapter demonstrates how SIEM tools ingest and correlate data from multiple feeds and sources to provide automated intelligence. This chapter shows you how to automate and unify SOC operations for reactive and proactive defense. You learn how to optimize a SOC team's performance using threat intelligence. You also learn how to integrate threat analytics models into Incident Response (IR) to minimize the Mean-Time-To-Respond (MTTR). You gain the practical knowledge to use open source SIEMs and intelligence sharing platforms such as the AlienVault Open Threat Exchange (OTX) and Open-Source Security Information and Event Management (OSSIM) as a starting point. You learn about intelligence-led penetration testing and incident response. Finally, you learn how to make your organization's SOC intelligent.
Chapter 13, Threat Intelligence Metrics, Indicators of Compromise, and the Pyramid of Pain, discusses security metrics for evaluating intelligence and program effectiveness. It also shows you how to evaluate your CTI team based on the output of its intelligence programs. The chapter then explains IOCs, the pyramid of pain, and their respective importance in a CTI analyst's profile. In this chapter, you learn about CTI metrics and how they can be used to define the program's success criteria. You learn the importance of IOCs, their categories, and how to recognize them in a system. You gain effective knowledge of the pyramid of pain and its application to CTI. You also learn how to apply the seven Ds (courses of action) of the Kill Chain in a threat analysis use case. Finally, you learn about indicators of attack (IOAs) and how they differ from or relate to IOCs.
Chapter 14, Threat Intelligence Reporting and Dissemination, discusses threat intelligence reporting and sharing. It shows you how to write effective documentation for strategic, operational, and tactical teams. It also shows you how to extract threat intelligence report elements such as adversary campaigns and malware families. In this chapter, you learn how to write threat intelligence reports, build adversary groups and campaigns, share intelligence using best practices, and finally, collect threat intelligence feedback.
Chapter 15, Threat Intelligence Sharing and Cyber Activity Attribution – Practical Use Cases, is a hands-on chapter that focuses on threat intelligence sharing and demonstrates how to attribute cyber activities to campaigns, threat groups, or threat actors. It provides you with the skills necessary to develop and share IOCs for internal security enhancement and external dissemination. In this chapter, you learn how to develop IOCs using YARA rules and use them to detect and stop attacks. You also learn how to set up a STIX/TAXII platform for intelligence dissemination, using Anomali STAXX as an example. You learn how to use a threat intelligence sharing platform for intelligence dissemination. You gain the practical skills to build activity groups from threat analyses and associate analyses with each group (activity tracking). Finally, you learn how to conduct an Analysis of Competing Hypotheses (ACH) to attribute cyber activities to state-sponsored groups and actors.