Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletter Hub
Free Learning
Arrow right icon
timer SALE ENDS IN
0 Days
:
00 Hours
:
00 Minutes
:
00 Seconds
Arrow up icon
GO TO TOP
Mastering Cyber Intelligence

You're reading from   Mastering Cyber Intelligence Gain comprehensive knowledge and skills to conduct threat intelligence for effective system defense

Arrow left icon
Product type Paperback
Published in Apr 2022
Publisher Packt
ISBN-13 9781800209404
Length 528 pages
Edition 1st Edition
Arrow right icon
Author (1):
Arrow left icon
Jean Nestor M. Dahj Jean Nestor M. Dahj
Author Profile Icon Jean Nestor M. Dahj
Jean Nestor M. Dahj
Arrow right icon
View More author details
Toc

Table of Contents (20) Chapters Close

Preface 1. Section 1: Cyber Threat Intelligence Life Cycle, Requirements, and Tradecraft
2. Chapter 1: Cyber Threat Intelligence Life Cycle FREE CHAPTER 3. Chapter 2: Requirements and Intelligence Team Implementation 4. Chapter 3: Cyber Threat Intelligence Frameworks 5. Chapter 4: Cyber Threat Intelligence Tradecraft and Standards 6. Chapter 5: Goal Setting, Procedures for CTI Strategy, and Practical Use Cases 7. Section 2: Cyber Threat Analytical Modeling and Defensive Mechanisms
8. Chapter 6: Cyber Threat Modeling and Adversary Analysis 9. Chapter 7: Threat Intelligence Data Sources 10. Chapter 8: Effective Defense Tactics and Data Protection 11. Chapter 9: AI Applications in Cyber Threat Analytics 12. Chapter 10: Threat Modeling and Analysis – Practical Use Cases 13. Section 3: Integrating Cyber Threat Intelligence Strategy to Business processes
14. Chapter 11: Usable Security: Threat Intelligence as Part of the Process 15. Chapter 12: SIEM Solutions and Intelligence-Driven SOCs 16. Chapter 13: Threat Intelligence Metrics, Indicators of Compromise, and the Pyramid of Pain 17. Chapter 14: Threat Intelligence Reporting and Dissemination 18. Chapter 15: Threat Intelligence Sharing and Cyber Activity Attribution – Practical Use Cases 19. Other Books You May Enjoy

Intelligence data collection

There is no intelligence without data. After carefully planning and directing the intelligence team, the next step is to access the data. Data is collected to fulfill the requirements that have been assembled in the planning phase. It is recommended to collect data from different sources to have a rich arsenal of information and an effective intelligence product. Intelligence data sources can be divided into internal and external sources (detailed in Chapter 7, Threat Intelligence Data Sources):

  • Internal sources: Internal sources constitute, or should constitute, the foundation of the data. It is essential to have an idea of the internal information first before looking at external sources. This data source includes network element logs and records of past incident responses. The most common internal data source collection could consist of intrusion analysis data by using the Lockheed Martin Kill Chain, such as internal malware analysis data (one of the most valuable data sources of threat intelligence), domain information, and TLS/SSL certificates.
  • External sources: External sources are mandatory data collection points as they bring new visibility to threats. Those sources include external malware analysis and online sandbox tools, technical blogs and magazines, the dark web, and other resourceful sources such as open source and counterintelligence data. Malware zoos are also an essential part of external sources. By using and accessing an online sandbox system or using a malware analysis tool, intelligence analysts can collect useful information about adversaries' signatures to enrich the intelligence database.

As we will see in Chapter 7, Threat Intelligence Data Sources, collected data is placed into lists of indicators of compromise (IOC). Those indicators include, but are not limited to, domain information, IP addresses, SSL/TLS certificate information, file hashes, network scanning information, vulnerability assessment information, malware analysis results, packet inspection information, social media news (in raw format), email addresses, email senders, email links, and attachments. The more data that's collected, the richer the intelligence's repository and the more effective the intelligence product.

Suppose an attacker sends an email to a person in the organization who downloads and opens an attachment. A trojan is installed on the system and creates a communication link with an adversary. The relevant data needs to be available to detect and react to such an incident. For example, the threat intelligence analyst can use the network, domain, and certain protocol information to detect and prevent the trojan from infecting the system.

Therefore, collecting the right data is critical. We can directly create a link to the first step. If the intelligence framework's choice was poorly conducted, it would take time and a lot of effort to react to such a threat (adversary). Therefore, when selecting a framework, a CTI analyst should project the amount of data sources they intend to integrate into the system. They must also choose a platform that can accommodate big data.

You have been reading a chapter from
Mastering Cyber Intelligence
Published in: Apr 2022
Publisher: Packt
ISBN-13: 9781800209404
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image