You're reading from Mastering Cyber Intelligence Gain comprehensive knowledge and skills to conduct threat intelligence for effective system defense

Product type Paperback

Published in Apr 2022

Publisher Packt

ISBN-13 9781800209404

Length 528 pages

Edition 1st Edition

Concepts

Cybersecurity

Author (1):

Jean Nestor M. Dahj

View More author details

Table of Contents (20) Chapters

Preface

1. Section 1: Cyber Threat Intelligence Life Cycle, Requirements, and Tradecraft

2. Chapter 1: Cyber Threat Intelligence Life Cycle FREE CHAPTER

3. Chapter 2: Requirements and Intelligence Team Implementation

4. Chapter 3: Cyber Threat Intelligence Frameworks

5. Chapter 4: Cyber Threat Intelligence Tradecraft and Standards

6. Chapter 5: Goal Setting, Procedures for CTI Strategy, and Practical Use Cases

7. Section 2: Cyber Threat Analytical Modeling and Defensive Mechanisms

8. Chapter 6: Cyber Threat Modeling and Adversary Analysis

9. Chapter 7: Threat Intelligence Data Sources

10. Chapter 8: Effective Defense Tactics and Data Protection

11. Chapter 9: AI Applications in Cyber Threat Analytics

12. Chapter 10: Threat Modeling and Analysis – Practical Use Cases

13. Section 3: Integrating Cyber Threat Intelligence Strategy to Business processes

14. Chapter 11: Usable Security: Threat Intelligence as Part of the Process

15. Chapter 12: SIEM Solutions and Intelligence-Driven SOCs

16. Chapter 13: Threat Intelligence Metrics, Indicators of Compromise, and the Pyramid of Pain

17. Chapter 14: Threat Intelligence Reporting and Dissemination

18. Chapter 15: Threat Intelligence Sharing and Cyber Activity Attribution – Practical Use Cases

19. Other Books You May Enjoy

Threat intelligence dissemination

A successful intelligence project should not be kept to yourself – it should be shared with others. Threat intelligence is performed to secure others. Hence, the CTI team or the analyst needs to distribute the intelligence product to the consumers. An organization only initiates actions if the result has reached the relevant personnel.

The dissemination step must be tracked to ensure continuity between intelligence cycles in a project. This sharing must be done in a transparent way using ticketing systems, for example. Let's assume that an intelligence request has been logged in the system. A ticket should be created, reviewed, updated, answered, and shared with the relevant parties. However, the CTI team must know how to share the output with different audiences by considering their backgrounds. Therefore, understanding the consumers of the product is capital. The consumers are the ones that define the dissemination process. What differentiates the consumers is parameters such as the intelligence background, the intelligence needs, the team in question, and how the results will be presented.

At the operational level, the intelligence output can be presented technically (we will detail why in the next chapter). The target audience in this group includes cybersecurity analysts, malware analysts, SOC analysts, and others. At the strategic level, the intelligence output should be less technical and focus on business-level indicators. At the tactical level, the outcome must clearly show the tactics and techniques of adversaries. The format's technicality must be profound at this level as it includes professionals such as incident response engineers, network defense engineers, and others. It is essential to know the consumer or the target audience and tailor the output accordingly. Intelligence dissemination must match the requirements and objectives that were set in the planning and direction phase.

The dissemination phase overlooks the reporting phase because the intelligence result is distributed and shared in the form of reports, blogs, news, and so on. The CTI team or analyst must write valuable reports that convey an honest message with the appropriate metrics and indicators to support the output (or the conclusion that was made). Reporting and intelligence documentation will be covered in Chapter 14, Threat Intelligence Reporting and Dissemination. However, it is essential to outline the findings clearly and concisely. Interesting topics must always be covered first to give the audience the desire to continue reading. Should there be actions to take, they should be highlighted at the beginning of the report. The CTI analyst must also be able to assess the entire process and the presented result. They must always be confident enough to defend everything included in the intelligence report using evidence and by quoting the different sources that were used. We will provide a template for documentation and reporting in Chapter 14, Threat Intelligence Reporting and Dissemination.