Operationalizing Threat Intelligence

Operationalizing Threat Intelligence: A guide to developing and operationalizing cyber threat intelligence programs

Chapter 1: Why You Need a Threat Intelligence Program

Today, almost every organization has a digital footprint, and this alone makes any organization a target of opportunity for threat actors who have malicious intent.

So, something happened, right? Ransomware? Supply chain attack? Ransomware because of a supply chain attack? Something worse? Often, individuals and organizations experience a revelation during times of concern or crisis that causes them to explore other options. Through the process of discovery, if you have come across the term threat intelligence and want to know more about how it can assist in maturing your security posture or protecting your organization, great! We're glad you made it here because we're here to help.

Threat intelligence, a mystery to many, is a science to some. The how, where, when, and why of technical threat intelligence collection and enrichment is a complex topic, with many facets to explore. The objective of this chapter is to introduce core concepts related to technical threat intelligence, including the motivation, models, and methods by which threat intelligence can be collected and enriched.

Specifically, in this chapter, we are going to cover the following topics:

  • What is Cyber Threat Intelligence (CTI), and why is it important?
  • Tactical, strategic, operational, and technical CTI
  • The uses and benefits of CTI
  • How to get CTI
  • What is good CTI?
  • Intelligence life cycles
  • Threat intelligence maturity, detection, and hunting models
  • What to do with threat intelligence

What is CTI, and why is it important?

The concept of CTI is as old as war. Understanding a threat actor's intentions, capabilities, objectives, resources, and thought process leads to a better-informed defender. The end result of intelligence could be as simple as updating a firewall block policy with a feed of known malware Command & Control (C2) infrastructure, or it could be a dossier on threat actors targeting your organization's industry vertical. Ultimately, a better-informed defender can make actionable changes to an organization's risk profile by better directing all lines of business within the organization.

Ask any IT security professional what CTI is, and you'll likely get different definitions. The definition of threat intelligence almost always varies from organization to organization. This is often due to the differing motivations within each organization for having a threat intelligence program. We're not going to wax poetic about the differing threat intelligence definitions, so instead, we'll focus on the definition as it relates to this book.

If we were to distill down what CTI is, simply put, it is data and information that is collected, processed, and analyzed in order to determine a threat actor's motives, intents, and capabilities, all with the objective of focusing on an event or trends to better inform and create an advantage for defenders. Many organizations face challenges regarding CTI functions, such as a flood of alerts generated from an automated API feed. A properly executed CTI collection and enrichment program can help with those challenges.

Data, information, and intelligence

When talking about CTI, it's important to understand the distinct differences between data, information, and intelligence so that you can store, analyze, and determine patterns more efficiently. As an example, a URL is a piece of data that contains a domain; the registrant data for that domain is information; and the registrant being commonly associated with infrastructure of the Threat Actor Group (TAG) APT29 would be considered intelligence.

Important Note

This is the first time we've used the acronym of TAG. To clarify our vernacular, a threat actor is a person or entity responsible for malicious cyber activity. A group of threat actors working in unison is called a TAG and, often, is identified directly through naming conventions such as APT29, which was referenced earlier. We'll be covering more on TAG naming conventions in Chapter 2, Threat Actors, Campaigns, and Tooling.

Data is a piece of information, such as an IP address, malware hash, or domain name. Information is vetted data, but often lacks the context that is needed for strategic action, such as an IP address with no malicious/benign categorization or contextualization. And finally, intelligence is adding a layer of analysis and context to that information and data and, therefore, making the intelligence actionable, such as a feed of malware hashes associated with cybercrime actors operating out of Europe.

To help in adding context, examples of each can be found in Table 1.1:

Table 1.1 – Table demonstrating data, information, and intelligence


The process of converting data into threat intelligence includes a combination of collection, processing, analyzing, and production, which will be explored later in the chapter.

Understanding the importance of threat intelligence and the differentiation of data, information, and intelligence is paramount to a structurally sound CTI program. Now that we've looked at those important aspects, we're going to dive into understanding the difference between the different types of intelligence: tactical, strategic, operational, and technical.

Tactical, strategic, operational, and technical threat intelligence

When thinking about CTI, it's easy to assume that it is one discipline. On the surface, an analyst collects data from several sources, analyzes that data, and synthesizes intelligence, which, ultimately, helps the organization take action. However, closer inspection reveals there are really four distinct types of CTI.

Tactical CTI

Tactical CTI is the data and information related to the Tactics, Techniques, and Procedures (TTPs) used by threat actors to achieve their objective. Ultimately, tactical CTI is intended to inform defenders, threat detection and response engineers, incident responders, and other technical teams throughout the organization in order to motivate an action of some sort. Unlike strategic CTI, tactical CTI is almost exclusively used by technical resources. Usually, tactical CTI is consumed directly by those responsible for defending an organization.

The most common deliverables include targeted reports, threat feeds, and API feeds of malicious observables. Many of the reports that are generated focus on the technical details pertaining to a malware family, threat group, or campaign of activity. Some examples of what might be included in tactical CTI reports include the following:

  • Targeted industries
  • The infection vector of the threat actor
  • The infrastructure used by the attacker
  • Tools and techniques employed by the threat actor

To produce tactical CTI, a combination of open source and vendor-provided intelligence and data is most often used. To create tactical threat intelligence, the producer should employ an active collection and enrichment process. Some examples of sources of tactical CTI include the following:

  • Malware analysis details
  • Honeypot log analysis
  • Internal telemetry data
  • Scan data (such as Shodan.io)

Next comes strategic CTI.

Strategic CTI

Strategic CTI is often non-technical threat landscape information that is related to risk-based intelligence and, typically, includes relevant industry vertical intelligence. Strategic CTI is most often used by senior decision-makers throughout organizations.

The most common deliverables include reports or briefings. It's common for the data sources for strategic CTI to be open source and include a wide variety of sources. Take a look at the following:

  • Local and national media
  • Government policy documents
  • Industry reporting
  • Content produced by industry organizations
  • Social media activity

Let's move on to operational CTI.

Operational CTI

In an ideal world, CTI would enable preventative action to be taken before a threat actor compromises an organization. Operational CTI is intelligence unearthed about possible incoming attacks on an organization. Operational intelligence is typically technical and strategic in nature and includes information pertaining to the intent, capabilities, and timing of impending attacks. This provides insight into the sophistication of the threat actor or group, helping dictate an organization's next steps. Operational CTI helps defenders block activity before it even takes place, and for that same reason it is, most often, some of the hardest intelligence to generate.

The most common deliverable for operational CTI is spot reports with technical indicators and context extracted from other strategic intelligence. There are many sources that can generate this type of CTI, including the following:

  • Intercepting the chat logs of threat actor coordination
  • Social media
  • Chat rooms and instant messaging rooms (such as Discord or Telegram)
  • Underground forums and marketplaces
  • Public and private forums and message boards

Next, let's take a look at technical CTI.

Technical CTI

Technical CTI is exactly what it sounds like: technical indicators related to the tools, malware, infrastructure, and more that an actor uses to conduct their activities. Technical CTI differs from tactical CTI because technical CTI most commonly focuses on Indicators Of Compromise (IOCs), whereas tactical CTI relies on analyzing TTPs.

For example, say tactical threat intelligence indicates that the financially motivated criminal group FIN7 has attacked the banking industry in the United States and Europe. Technical threat intelligence would provide the specific hashes, infrastructure, and other details pertaining to the specific attack.

Ultimately, technical CTI is intended to inform defenders, threat detection and response engineers, incident responders, and other technical teams throughout the organization. The most common deliverables include the following:

  • Feeds or reports including malicious hashes, infrastructure, and other file attributes
  • Changes to a system infected with specific malware; for example, registry modifications
  • Confirmed C2 infrastructure
  • Email subject lines
  • Filenames or file hashes

Technical threat intelligence can be sourced from a litany of locations. For example, consider the following:

  • Information security industry blogs and white papers
  • Malware analysis
  • Industry trust groups
  • Threat feeds

To wrap up, in the following table, let's examine the distinct differences when comparing and contrasting each intelligence type, their respective audiences, and length of intelligence value:

Table 1.2 – A table comparing intelligence types


Within each of the CTI types, there is often a conversation about Subject Matter Expertise (SME) and relative team function. In the following section, we're going to explore the concept of SME within each CTI type.

Subject matter expertise

The concept of SME is a common conversation among threat intelligence circles. When setting up a threat intelligence program, it's important to consider the possible positives and negatives associated with dividing relative team functions among three broad SME focus areas: vulnerability and exploitation, cyber (criminal and nation-state), and brand:

Table 1.3 – Intelligence SME types


While CTI functions employing subject matter experts don't fit every team structure, it's an important consideration to take into account when constructing a team focused on CTI. In the following section, we're going to dive into the importance of CTI and its relative uses and benefits to an enterprise.

The uses and benefits of CTI

I think it can wholeheartedly be stated anywhere within this industry that CTI is important to everyone, as it provides contextual information that allows for strategic decision-making. This context allows it to be used by almost any level of analyst or researcher throughout any organization. Its use is not limited to some elite subset of intelligence analysts who claim to know every move of a TAG. Key judgments can be formed from contextual intelligence at any level of employment, from a Security Operations Center (SOC) analyst implementing a firewall policy change after receiving intelligence that a URL is serving a web shell known to be associated with several TAGs, to a C-level executive making informed strategic decisions to improve the security posture of their organization.

However, for threat intelligence to be useful, several key factors need to exist. First, it needs to be timely, in the sense that the information is delivered to a key decision-maker before a key event so that a judgment can be formed around its context. Second, the intelligence must be actionable; that is, the intelligence provided should allow that key judgment to be realized and allow the individual or organization to make a decision based on its delivery. By actionable, we're referring to the ability to take any action based on the intelligence itself. Third, intelligence should be relevant. Finally, intelligence must be delivered in a format that has the lowest barrier to entry for consumption by an organization. This means that any individual or organization that wishes to benefit the most from the existence of CTI must incorporate it into their processes and procedures or even develop security automations around it.

The context of the threat provided by the intelligence is where its value truly lies, as it assists any individual or organization with prioritization, which is one of the most important benefits of threat intelligence. No matter what security role you play in an organization, your role will benefit from the context that threat intelligence provides, as this will allow you to prioritize your key decision-making around the data your organization is consuming.

For example, let's consider this paradigm. Organizations that are only now beginning to look at implementing some form of threat intelligence program into their security organization often start by identifying free data feeds or online services that contain some form of security information, usually in the form of a threat data indicator or IOC. While this is a great start in the collection of data and information that could be used to create threat intelligence, without the context surrounding this information and the appropriate indoctrination by people, processes, and technologies, this approach usually leads to just more information and the encumberment of your human workforce.

With all of this extra information, the burden is just added to your analyst to decide what to review and prioritize and what to ignore. This approach can lead to operational misses, such as incidents that could have been prevented if the appropriate prioritization were placed on the information you were receiving from your threat data feed. CTI can assist in providing context around this information that you receive and give you key insights into the TAG's TTPs. This will assist in informing your decision-making and help you prioritize your actions based on the contextual intelligence provided.
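
The data, information, and intelligence tiers described earlier in the chapter, and the timely, actionable, and relevant factors behind the prioritization argument above, can be made concrete in a short Python sketch. This is an added example, not code from the book; the feed entries, the TAG-EXAMPLE labels, the banking profile, the 30-day freshness window, and the control mapping are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumptions for this example: the organization's industry, the freshness
# window that counts as "timely", and the controls able to act on each kind.
ORG_INDUSTRY = "banking"
FRESHNESS = timedelta(days=30)
ENFORCEABLE_KINDS = {"ip": "firewall block", "domain": "DNS sinkhole",
                     "sha256": "EDR hash block"}


@dataclass
class Record:
    observable: str                              # raw value from the feed
    kind: str                                    # "ip", "domain", "sha256", "url"
    vetted: dict = field(default_factory=dict)   # verified facts, e.g. registrant
    actor: Optional[str] = None                  # analysis: associated TAG
    targets: frozenset = frozenset()             # analysis: targeted industries
    last_seen: Optional[datetime] = None


def tier(rec: Record) -> str:
    """Classify a record as data, information, or intelligence."""
    if rec.actor or rec.targets:
        return "intelligence"    # analysis and context are attached
    if rec.vetted:
        return "information"     # vetted, but lacks context for action
    return "data"                # bare observable


def assess(rec: Record, now: datetime) -> dict:
    """Evaluate the timely / actionable / relevant factors for one record."""
    timely = rec.last_seen is not None and now - rec.last_seen <= FRESHNESS
    actionable = rec.kind in ENFORCEABLE_KINDS
    relevant = ORG_INDUSTRY in rec.targets
    return {"timely": timely, "actionable": actionable, "relevant": relevant}


def triage(records, now):
    """Split a feed into a prioritized queue and an enrichment backlog."""
    queue, backlog = [], []
    for rec in records:
        if tier(rec) != "intelligence":
            backlog.append(rec)  # no context yet, so it cannot be prioritized
            continue
        factors = assess(rec, now)
        score = sum(factors.values())
        action = ENFORCEABLE_KINDS.get(rec.kind, "analyst review")
        queue.append((score, rec.observable, action, factors))
    # Highest score first; ties broken by observable for a stable order.
    queue.sort(key=lambda row: (-row[0], row[1]))
    return queue, backlog


# Constructed sample feed (documentation-range addresses, example domains).
NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)
FEED = [
    Record("192.0.2.10", "ip"),
    Record("bad.example.net", "domain",
           vetted={"registrant": "constructed-registrant"}),
    Record("198.51.100.7", "ip", actor="TAG-EXAMPLE-1",
           targets=frozenset({"banking"}), last_seen=NOW - timedelta(days=2)),
    Record("203.0.113.44", "ip", actor="TAG-EXAMPLE-2",
           targets=frozenset({"healthcare"}),
           last_seen=NOW - timedelta(days=200)),
    Record("http://files.example.org/a", "url", actor="TAG-EXAMPLE-1",
           targets=frozenset({"banking"}), last_seen=NOW - timedelta(days=90)),
]

if __name__ == "__main__":
    queue, backlog = triage(FEED, NOW)
    for score, observable, action, factors in queue:
        met = ", ".join(name for name, ok in factors.items() if ok) or "none"
        print(f"{score}/3  {observable:28} {action:15} ({met})")
    for rec in backlog:
        print(f"needs enrichment: {rec.observable} [{tier(rec)}]")
```

Only records that carry analytic context can be ranked at all; the bare IP and the registrant-only domain land in the enrichment backlog, which is the analyst burden the paragraph above describes.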

Now that you're aware of the uses and benefits of CTI, let's explore how to get CTI.


Key benefits

  • Develop and implement a threat intelligence program from scratch
  • Discover techniques to perform cyber threat intelligence, collection, and analysis using open-source tools
  • Leverage a combination of theory and practice that will help you prepare a solid foundation for operationalizing threat intelligence programs

Description

We’re living in an era where cyber threat intelligence is becoming more important. Cyber threat intelligence routinely informs tactical and strategic decision-making throughout organizational operations. However, finding the right resources on the fundamentals of operationalizing a threat intelligence function can be challenging, and that’s where this book helps. In Operationalizing Threat Intelligence, you’ll explore cyber threat intelligence in five fundamental areas: defining threat intelligence, developing threat intelligence, collecting threat intelligence, enrichment and analysis, and finally production of threat intelligence. You’ll start by finding out what threat intelligence is and where it can be applied. Next, you’ll discover techniques for performing cyber threat intelligence collection and analysis using open source tools. The book also examines commonly used frameworks and policies as well as fundamental operational security concepts. Later, you’ll focus on enriching and analyzing threat intelligence through pivoting and threat hunting. Finally, you’ll examine detailed mechanisms for the production of intelligence. By the end of this book, you’ll be equipped with the right tools and understand what it takes to operationalize your own threat intelligence function, from collection to production.

Who is this book for?

This book is for cybersecurity professionals, security analysts, security enthusiasts, and anyone who is just getting started and looking to explore threat intelligence in more detail. Those working in different security roles will also be able to explore threat intelligence with the help of this security book.

What you will learn

  • Discover types of threat actors and their common tactics and techniques
  • Understand the core tenets of cyber threat intelligence
  • Discover cyber threat intelligence policies, procedures, and frameworks
  • Explore the fundamentals relating to collecting cyber threat intelligence
  • Understand fundamentals about threat intelligence enrichment and analysis
  • Understand what threat hunting and pivoting are, along with examples
  • Focus on putting threat intelligence into production
  • Explore techniques for performing threat analysis, pivoting, and hunting

Product Details

Publication date: Jun 17, 2022
Length: 460 pages
Edition: 1st
Language: English
ISBN-13: 9781801818667

Table of Contents

17 Chapters
Section 1: What Is Threat Intelligence?
Chapter 1: Why You Need a Threat Intelligence Program
Chapter 2: Threat Actors, Campaigns, and Tooling
Chapter 3: Guidelines and Policies
Chapter 4: Threat Intelligence Frameworks, Standards, Models, and Platforms
Section 2: How to Collect Threat Intelligence
Chapter 5: Operational Security (OPSEC)
Chapter 6: Technical Threat Intelligence – Collection
Chapter 7: Technical Threat Analysis – Enrichment
Chapter 8: Technical Threat Analysis – Threat Hunting and Pivoting
Chapter 9: Technical Threat Analysis – Similarity Analysis
Section 3: What to Do with Threat Intelligence
Chapter 10: Preparation and Dissemination
Chapter 11: Fusion into Other Enterprise Operations
Chapter 12: Overview of Datasets and Their Practical Application
Chapter 13: Conclusion
Other Books You May Enjoy

Customer reviews

Rating distribution
4.6 (14 Ratings)
5 star 78.6%
4 star 14.3%
3 star 0%
2 star 7.1%
1 star 0%




Amazon User, Jun 25, 2022 (5 stars)
This book is the closest you're going to get to a step-by-step guide on how to establish a full-fledged cyber threat intelligence apparatus in a methodical, scalable, cost-effective, and impactful way. It thoroughly explores both strategic and tactical elements of cyber threat intelligence work and demystifies the "aura" around it that has been pervasively parroted by industry marketing for nearly a decade. No matter what position you hold at your organization (individual contributor, manager, or executive), if you're interested in Cyber Threat Intelligence, this book is for you.
Amazon Verified review

Michael, Sep 18, 2022 (5 stars)
Evolving an intel program from ideation to operationalization can be difficult; and this book is an excellent resource to help make the journey easier for practitioners and planners alike. It captures the foundational concepts necessary to jumpstart or enhance an intelligence program using stakeholder requirements as a baseline - an absolute MUST for any successful intelligence program. The authors are effective translating concept into practice using practical examples of tools and methodologies that can be used and tweaked in any environment. A welcome addition to any CTI library. Well done Joe and Kyle!
Amazon Verified review

J, Sep 06, 2022 (5 stars)
This plainly worded but comprehensive book is a fantastic guide to building structure in operations that work with digital threats and abuse mitigation.
Amazon Verified review

Amazon Customer, Jun 18, 2022 (5 stars)
The book can be rather dry and in my opinion should be used more as a supplementary reference guide when self-studying for cyber threat intelligence concepts as opposed to reading it cover-to-cover. What I like about the book is that it allowed me to get my brain juices flowing and as such gave me ideas and tools that I could apply in my day-to-day as a relatively novice CTI analyst. Overall, I highly recommend this book. It can be a great entry point into threat intelligence for cybersecurity professionals.
Amazon Verified review

Eddie W., Jun 27, 2022 (5 stars)
This is a good deep dive into cyber threat intelligence including how to establish a program. The overview of the fundamentals of CTI along with some of the counter Intel measures can give a good start to designing a good cyber threat program. With a few tweaks and personalization and perhaps a little more of the tactical level advice. The book will be able to help the practitioners themselves align with a good strategy.
Amazon Verified review