𝔖 Scriptorium

Cyber Threat Intelligence

✍ Scribed by Martin Lee


Publisher: Wiley
Year: 2023
Language: English
Pages: 307
Category: Library


✦ Table of Contents
Cover
Title Page
Copyright Page
Contents
Preface
About the Author
Abbreviations
Endorsements for Martin Lee’s Book
Chapter 1 Introduction
1.1 Definitions
1.1.1 Intelligence
1.1.2 Cyber Threat
1.1.3 Cyber Threat Intelligence
1.2 History of Threat Intelligence
1.2.1 Antiquity
1.2.2 Ancient Rome
1.2.3 Medieval and Renaissance Age
1.2.4 Industrial Age
1.2.5 World War I
1.2.6 World War II
1.2.7 Post War Intelligence
1.2.8 Cyber Threat Intelligence
1.2.9 Emergence of Private Sector Intelligence Sharing
1.3 Utility of Threat Intelligence
1.3.1 Developing Cyber Threat Intelligence
Summary
References
Chapter 2 Threat Environment
2.1 Threat
2.1.1 Threat Classification
2.2 Risk and Vulnerability
2.2.1 Human Vulnerabilities
2.2.1.1 Example – Business Email Compromise
2.2.2 Configuration Vulnerabilities
2.2.2.1 Example – Misconfiguration of Cloud Storage
2.2.3 Software Vulnerabilities
2.2.3.1 Example – Log4j Vulnerabilities
2.3 Threat Actors
2.3.1 Example – Operation Payback
2.3.2 Example – Stuxnet
2.3.3 Tracking Threat Actors
2.4 TTPs – Tactics, Techniques, and Procedures
2.5 Victimology
2.5.1 Diamond Model
2.6 Threat Landscape
2.6.1 Example – Ransomware
2.7 Attack Vectors, Vulnerabilities, and Exploits
2.7.1 Email Attack Vectors
2.7.2 Web-Based Attacks
2.7.3 Network Service Attacks
2.7.4 Supply Chain Attacks
2.8 The Kill Chain
2.9 Untargeted versus Targeted Attacks
2.10 Persistence
2.11 Thinking Like a Threat Actor
Summary
References
Chapter 3 Applying Intelligence
3.1 Planning Intelligence Gathering
3.1.1 The Intelligence Programme
3.1.2 Principles of Intelligence
3.1.3 Intelligence Metrics
3.2 The Intelligence Cycle
3.2.1 Planning, Requirements, and Direction
3.2.2 Collection
3.2.3 Analysis and Processing
3.2.4 Production
3.2.5 Dissemination
3.2.6 Review
3.3 Situational Awareness
3.3.1 Example – 2013 Target Breach
3.4 Goal Oriented Security and Threat Modelling
3.5 Strategic, Operational, and Tactical Intelligence
3.5.1 Strategic Intelligence
3.5.1.1 Example – Lazarus Group
3.5.2 Operational Intelligence
3.5.2.1 Example – SamSam
3.5.3 Tactical Intelligence
3.5.3.1 Example – WannaCry
3.5.4 Sources of Intelligence Reports
3.5.4.1 Example – Shamoon
3.6 Incident Preparedness and Response
3.6.1 Preparation and Practice
Summary
References
Chapter 4 Collecting Intelligence
4.1 Hierarchy of Evidence
4.1.1 Example – Smoking Tobacco Risk
4.2 Understanding Intelligence
4.2.1 Expressing Credibility
4.2.2 Expressing Confidence
4.2.3 Understanding Errors
4.2.3.1 Example – the WannaCry Email
4.2.3.2 Example – the Olympic Destroyer False Flags
4.3 Third Party Intelligence Reports
4.3.1 Tactical and Operational Reports
4.3.1.1 Example – Heartbleed
4.3.2 Strategic Threat Reports
4.4 Internal Incident Reports
4.5 Root Cause Analysis
4.6 Active Intelligence Gathering
4.6.1 Example – the Nightingale Floor
4.6.2 Example – the Macron Leaks
Summary
References
Chapter 5 Generating Intelligence
5.1 The Intelligence Cycle in Practice
5.1.1 See it, Sense it, Share it, Use it
5.1.2 F3EAD Cycle
5.1.3 D3A Process
5.1.4 Applying the Intelligence Cycle
5.1.4.1 Planning and Requirements
5.1.4.2 Collection, Analysis, and Processing
5.1.4.3 Production and Dissemination
5.1.4.4 Feedback and Improvement
5.1.4.5 The Intelligence Cycle in Reverse
5.2 Sources of Data
5.3 Searching Data
5.4 Threat Hunting
5.4.1 Models of Threat Hunting
5.4.2 Analysing Data
5.4.3 Entity Behaviour Analytics
5.5 Transforming Data into Intelligence
5.5.1 Structured Geospatial Analytical Method
5.5.2 Analysis of Competing Hypotheses
5.5.3 Poor Practices
5.6 Sharing Intelligence
5.6.1 Machine Readable Intelligence
5.7 Measuring the Effectiveness of Generated Intelligence
Summary
References
Chapter 6 Attribution
6.1 Holding Perpetrators to Account
6.1.1 Punishment
6.1.2 Legal Frameworks
6.1.3 Cyber Crime Legislation
6.1.4 International Law
6.1.5 Crime and Punishment
6.2 Standards of Proof
6.2.1 Forensic Evidence
6.3 Mechanisms of Attribution
6.3.1 Attack Attributes
6.3.1.1 Attacker TTPs
6.3.1.2 Example – HAFNIUM
6.3.1.3 Attacker Infrastructure
6.3.1.4 Victimology
6.3.1.5 Malicious Code
6.3.2 Asserting Attribution
6.4 Anti-Attribution Techniques
6.4.1 Infrastructure
6.4.2 Malicious Tools
6.4.3 False Attribution
6.4.4 Chains of Attribution
6.5 Third Party Attribution
6.6 Using Attribution
Summary
References
Chapter 7 Professionalism
7.1 Notions of Professionalism
7.1.1 Professional Ethics
7.2 Developing a New Profession
7.2.1 Professional Education
7.2.2 Professional Behaviour and Ethics
7.2.2.1 Professionalism in Medicine
7.2.2.2 Professionalism in Accountancy
7.2.2.3 Professionalism in Engineering
7.2.3 Certifications and Codes of Ethics
7.3 Behaving Ethically
7.3.1 The Five Philosophical Approaches
7.3.2 The Josephson Model
7.3.3 PMI Ethical Decision Making Framework
7.4 Legal and Ethical Environment
7.4.1 Planning
7.4.1.1 Responsible Vulnerability Disclosure
7.4.1.2 Vulnerability Hoarding
7.4.2 Collection, Analysis, and Processing
7.4.2.1 PRISM Programme
7.4.2.2 Open and Closed Doors
7.4.3 Dissemination
7.4.3.1 Doxxing
7.5 Managing the Unexpected
7.6 Continuous Improvement
Summary
References
Chapter 8 Future Threats and Conclusion
8.1 Emerging Technologies
8.1.1 Smart Buildings
8.1.1.1 Software Errors
8.1.1.2 Example – Maroochy Shire Incident
8.1.2 Health Care
8.1.2.1 Example – Conti Attack Against Irish Health Sector
8.1.3 Transport Systems
8.2 Emerging Attacks
8.2.1 Threat Actor Evolutions
8.2.1.1 Criminal Threat Actors
8.2.1.2 Nation State Threat Actors
8.2.1.3 Other Threat Actors
8.3 Emerging Workforce
8.3.1 Job Roles and Skills
8.3.2 Diversity in Hiring
8.3.3 Growing the Profession
8.4 Conclusion
References
Chapter 9 Case Studies
9.1 Target Compromise 2013
9.1.1 Background
9.1.2 The Attack
9.2 WannaCry 2017
9.2.1 Background
9.2.1.1 Guardians of Peace
9.2.1.2 The Shadow Brokers
9.2.1.3 Threat Landscape – Worms and Ransomware
9.2.2 The Attack
9.2.2.1 Prelude
9.2.2.2 Malware
9.3 NotPetya 2017
9.3.1 Background
9.3.2 The Attack
9.3.2.1 Distribution
9.3.2.2 Payload
9.3.2.3 Spread and Consequences
9.4 VPNFilter 2018
9.4.1 Background
9.4.2 The Attack
9.5 SUNBURST and SUNSPOT 2020
9.5.1 Background
9.5.2 The Attack
9.6 Macron Leaks 2017
9.6.1 Background
9.6.2 The Attack
References
Index
EULA


SIMILAR VOLUMES


Cyber Threat Intelligence
Author: Martin Lee · Category: Library · Year: 2023 · Publisher: Wiley · Language: English

CYBER THREAT INTELLIGENCE. “Martin takes a thorough and focused approach to the processes that rule threat intelligence, but he doesn’t just cover gathering, processing and distributing intelligence. He explains why you should care who is trying to hack you, and what you can do a

Cyber Threat Intelligence
Authors: Ali Dehghantanha, Mauro Conti, Tooska Dargahi · Category: Library · Year: 2018 · Publisher: Springer International Publishing · Language: English

This book provides readers with up-to-date research of emerging cyber threats and defensive mechanisms, which are timely and essential. It covers cyber threat intelligence concepts against a range of threat actors and threat tools (i.e. ransomware) in cutting-edge technologies, i.e., Internet

Cyber Threat Intelligence
Author: Martin Lee · Category: Library · Year: 2023 · Publisher: Wiley · Language: English

Effective introduction to cyber threat intelligence, supplemented with detailed case studies and after action reports of intelligence on real attacks. Cyber Threat Intelligence introduces the history, terminology, and techniques to be applied within cyber security, offering an overview