Cover
Title Page
Copyright
Dedication
Contributors
Table of Contents
Preface
Section 1: Cyber Threat Intelligence Life Cycle, Requirements, and Tradecraft
Chapter 1: Cyber Threat Intelligence Life Cycle
Technical requirements
Cyber threat intelligence โ a global overview
Characteristics of a threat
Threat intelligence and data security challenges
Importance and benefits of threat intelligence
Planning, objectives, and direction
Intelligence data collection
Intelligence data processing
Analysis and production
Threat intelligence dissemination
Threat intelligence feedback
Summary
Chapter 2: Requirements and Intelligence Team Implementation
Technical requirements
Threat intelligence requirements and prioritization
Prioritizing intelligence requirements
Requirements development
Operational environment definition
Network defense impact description
Current cyber threats โ evaluation
Developing a course of action
Intelligence preparation for intelligence requirements
Intelligence team layout and prerequisites
Intelligence team implementation
Intelligence team structuring
Intelligence team application areas
Summary
Chapter 3: Cyber Threat Intelligence Frameworks
Technical requirements
Intelligence frameworks โ overview
Why cyber threat frameworks?
Cyber threat framework architecture and operating model
Lockheed Martin's Cyber Kill Chain framework
Use case โ Lockheed Martin's Cyber Kill Chain model mapping
Integrating the Cyber Kill Chain model into an intelligence project
Benefits of the Cyber Kill Chain framework
MITRE's ATT&CK knowledge-based framework
How it works
Use case โ ATT&CK model mapping
Integrating the MITRE ATT&CK framework
Benefits of the ATT&CK framework
Diamond model of intrusion analysis framework
How it works
Use case โ Diamond model of intrusion analysis
Integrating the Diamond model into intelligence projects
Benefits of the Diamond model
Summary
Chapter 4: Cyber Threat Intelligence Tradecraft and Standards
Technical requirements
The baseline of intelligence analytic tradecraft
Note 1 โ Addressing CTI consumers' interests
Note 2 โ Access and credibility
Note 3 โ Articulation of assumptions
Note 4 โ Outlook
Note 5 โ Facts and sourcing
Note 6 โ Analytic expertise
Note 7 โ Effective summary
Note 8 โ Implementation analysis
Note 9 โ Conclusions
Note 10 โ Tradecraft and counterintelligence
Understanding and adapting ICD 203 to CTI
Understanding the STIX standard
Using STIX for cyber threat analysis
Specifying threat indicator patterns using STIX
Using the STIX standard for threat response management
Threat intelligence information sharing
Understanding the STIX v2 standard
Understanding the TAXII standard
How TAXII standard works
AFI14-133 tradecraft standard for CTI
Analytic skills and tradecraft
Additional topics covered in AFI14-133
Summary
Chapter 5: Goal Setting, Procedures for CTI Strategy, and Practical Use Cases
Technical requirements
The threat intelligence strategy map and goal setting
Objective 1 โ Facilitate and support real-time security operations
Objective 2 โ Facilitate an effective response to cyber threats
Objective 3 โ Facilitate and support the proactive tracking of cyber threats
Objective 4 โ Facilitate and support the updating and implementation of security governance
TIPs โ an overview
Commercial TIPs
Open-source TIPs
Case study 1 โ CTI for Level 1 organizations
Objective
Strategy
Example
Case study 2 โ CTI for Level 2 organizations
Objective
Strategy
Example
Case study 3 โ CTI for Level 3 organizations
Objective
Strategy
Example
Installing the MISP platform (optional)
Summary
Section 2: Cyber Threat Analytical Modeling and Defensive Mechanisms
Chapter 6: Cyber Threat Modeling and Adversary Analysis
Technical requirements
The strategic threat modeling process
Identifying and decomposing assets
Adversaries and threat analysis
Attack surfaces and threat vectors
Adversary analysis use case โ Twisted Spider
Identifying countermeasures
System re-evaluation
Threat modeling methodologies
Threat modeling with STRIDE
Threat modeling with NIST
Threat modeling use case
Equifax data breach summary
Threat modeling for ABCompany
Advanced threat modeling with SIEM
User behavior logic
Benefits of UBA
UBA selection guide โ how it works
Adversary analysis techniques
Adversary attack preparation
Attack preparation countermeasures
Adversary attack execution
Attack execution mitigation procedures
Summary
Chapter 7: Threat Intelligence Data Sources
Technical requirements
Defining the right sources for threat intelligence
Internal threat intelligence sources
External threat intelligence sources
Organization intelligence profile
Threat feed evaluation
Threat data quality assessment
Open Source Intelligence Feeds (OSINT)
Benefits of open source intelligence
Open source intelligence portals
OSINT platform data insights (OSINT framework)
OSINT limitations and drawbacks
Malware data for threat intelligence
Benefits of malware data collection
Malware components
Malware data core parameters
Other non-open source intelligence sources
Benefits of paid intelligence
Paid threat intelligence challenges
Some paid intelligence portals
Intelligence data structuring and storing
CTI data structuring
CTI data storing requirements
Intelligence data storing strategies
Summary
Chapter 8: Effective Defense Tactics and Data Protection
Technical requirements
Enforcing the CIA triad โ overview
Enforcing and maintaining confidentiality
Enforcing and maintaining integrity
Enforcing and maintaining availability
Challenges and pitfalls of threat defense mechanisms
Data security top challenges
Threat defense mechanisms' pitfalls
Data monitoring and active analytics
Benefits of system monitoring
High-level architecture
Characteristics of a reliable monitoring system
Vulnerability assessment and data risk analysis
Vulnerability assessment methodology
Vulnerability assessment process
Vulnerability assessment tools
Vulnerability and data risk assessment
Encryption, tokenization, masking and quarantining
Encryption as a defense mechanism
Tokenization as a defense mechanism
Masking and quarantining
Endpoint management
Reliable endpoint management requirements
Mobile endpoint management
Endpoint data breach use case โ point of sale
Summary
Chapter 9: AI Applications in Cyber Threat Analytics
Technical requirements
AI and CTI
Cyber threat hunting
How adversaries can leverage AI
AI's position in the CTI program and security stack
AI integration โ the IBM QRadar Advisor approach
QRadar simplified architecture
Deploying QRadar
What's in it for you or your organization?
Summary
Chapter 10: Threat Modeling and Analysis โ Practical Use Cases
Technical requirements
Understanding the analysis process
Intrusion analysis case โ how to proceed
Indicator gathering and contextualization
Pivoting through available sources
Classifying the intelligence according to CTI frameworks
Memory and disk analysis
Malware data gathering
Malware analysis and reverse engineering
Analyzing the exfiltrated data and building adversary persona
Analyzing the malicious files
Gathering early indicators โ Reconnaissance
The Cyber Kill Chain and Diamond model
MISP for automated threat analysis and storing
MISP feed management
MISP event analysis
Summary
Section 3: Integrating Cyber Threat Intelligence Strategy to Business processes
Chapter 11: Usable Security: Threat Intelligence as Part of the Process
Technical requirements
Threat modeling guidelines for secured operations
Usable security guidelines
Software application security guidelines
Data privacy in modern business
Importance of usable privacy in modern society
Threat intelligence and data privacy
Social engineering and mental models
Social engineering and threat intelligence
Mental models for usability
Intelligence-based DevSecOps high-level architecture
Summary
Chapter 12: SIEM Solutions and Intelligence-Driven SOCs
Technical requirements
Integrating threat intelligence into SIEM tools โ Reactive and proactive defense through SIEM tools
System architecture and components of a SIEM tool
SIEM for security โ OTX and OSSIM use case
Making SOCs intelligent โ Intelligence-driven SOCs
Security operations key challenges
Intelligence into security operations
Threat intelligence and IR
IR key challenges
Integrating intelligence in IR
Integrating threat intelligence into SIEM systems
Summary
Chapter 13: Threat Intelligence Metrics, Indicators of Compromise, and the Pyramid of Pain
Technical requirements
Understanding threat intelligence metrics
Threat intelligence metrics requirements
Threat intelligence metrics baseline
IOCs, the CTI warhead
The importance of IOCs
Categories of IOCs
Recognizing IOCs
PoP, the adversary padlock
PoP indicators
Understanding the PoP
Understanding the seven Ds of the kill chain action
Understanding IOAs
Summary
Chapter 14: Threat Intelligence Reporting and Dissemination
Technical requirements
Understanding threat intelligence reporting
Types of threat intelligence reports
Making intelligence reports valuable
An example of a threat intelligence report template
Threat intelligence report writing tools
Building and understanding adversaries' campaigns
Naming adversary campaigns
Advanced persistent threats (APTs) โ a quick overview
Tracking threat actors and groups
Retiring threat intelligence and adversary campaigns
Disseminating threat intelligence
Challenges to intelligence dissemination
Strategic, tactical, and operational intelligence sharing
Threat intelligence sharing architectures
YARA rules and threat intelligence sharing formats
Some information sharing and collaboration platforms
The threat intelligence feedback loop
Understanding the benefits of CTI feedback loop
Methods for collecting threat intelligence feedback
The threat intelligence feedback cycle โ use case
Summary
Chapter 15: Threat Intelligence Sharing and Cyber Activity Attribution โ Practical Use Cases
Technical requirements
Creating and sharing IOCs
Use case one โ developing IOCs using YARA
Use case two โ sharing intelligence using Anomali STAXX
Use case three โ sharing intelligence through a platform
Understanding and performing threat attribution
Use case four โ building activity groups from threat analysis
Use case five โ associating analysis with activity groups
Use case six โ an ACH and attributing activities to nation-state groups
Summary
Index
About Packt
Other Books You May Enjoy