Operationalizing Threat Intelligence: A guide to developing and operationalizing cyber threat intelligence programs

Authors: Kyle Wilhoit, Joseph Opacki
Publisher: Packt Publishing
Year: 2022
Language: English
Pages: 460
Category: Library


✦ Synopsis


Learn cyber threat intelligence fundamentals to implement and operationalize an organizational intelligence program

Key Features

  • Develop and implement a threat intelligence program from scratch
  • Discover techniques to perform cyber threat intelligence collection and analysis using open-source tools
  • Leverage a combination of theory and practice that will help you prepare a solid foundation for operationalizing threat intelligence programs

Book Description

We're living in an era where cyber threat intelligence is becoming more important. Cyber threat intelligence routinely informs tactical and strategic decision-making throughout organizational operations. However, finding the right resources on the fundamentals of operationalizing a threat intelligence function can be challenging, and that's where this book helps.

In Operationalizing Threat Intelligence, you'll explore cyber threat intelligence in five fundamental areas: defining threat intelligence, developing threat intelligence, collecting threat intelligence, enrichment and analysis, and finally production of threat intelligence. You'll start by finding out what threat intelligence is and where it can be applied. Next, you'll discover techniques for performing cyber threat intelligence collection and analysis using open source tools. The book also examines commonly used frameworks and policies as well as fundamental operational security concepts. Later, you'll focus on enriching and analyzing threat intelligence through pivoting and threat hunting. Finally, you'll examine detailed mechanisms for the production of intelligence.

By the end of this book, you'll be equipped with the right tools and understand what it takes to operationalize your own threat intelligence function, from collection to production.

What you will learn

  • Discover types of threat actors and their common tactics and techniques
  • Understand the core tenets of cyber threat intelligence
  • Discover cyber threat intelligence policies, procedures, and frameworks
  • Explore the fundamentals relating to collecting cyber threat intelligence
  • Understand fundamentals about threat intelligence enrichment and analysis
  • Understand what threat hunting and pivoting are, along with examples
  • Focus on putting threat intelligence into production
  • Explore techniques for performing threat analysis, pivoting, and hunting

Who this book is for

This book is for cybersecurity professionals, security analysts, security enthusiasts, and anyone who is just getting started and looking to explore threat intelligence in more detail. Those working in different security roles will also be able to explore threat intelligence with the help of this security book.

Table of Contents

  1. Why You Need a Threat Intelligence Program
  2. Threat Actors, Campaigns, and Tooling
  3. Guidelines and Policies
  4. Threat Intelligence Frameworks, Standards, Models, and Platforms
  5. Operational Security (OPSEC)
  6. Technical Threat Intelligence – Collection
  7. Technical Threat Analysis – Enrichment
  8. Technical Threat Analysis – Threat Hunting and Pivoting
  9. Technical Threat Analysis – Similarity Analysis
  10. Preparation and Dissemination
  11. Fusion into Other Enterprise Operations
  12. Overview of Datasets and Their Practical Application
  13. Conclusion

✦ Detailed Table of Contents


Cover
Title Page
Copyright and Credits
Dedication
Contributors
Table of Contents
Preface
Section 1: What Is Threat Intelligence?
Chapter 1: Why You Need a Threat Intelligence Program
What is CTI, and why is it important?
Data, information, and intelligence
Tactical, strategic, operational, and technical threat intelligence
Tactical CTI
Strategic CTI
Operational CTI
Technical CTI
Subject matter expertise
The uses and benefits of CTI
How to get CTI
What is good CTI?
The five traits of good CTI
Admiralty ratings
Source ratings
Data credibility ratings
Putting it together
Intelligence cycles
The threat intelligence life cycle
F3EAD life cycle
Threat intelligence maturity, detection, and hunting models
TIMM
The threat HMM
The detection maturity model
What to do with threat intelligence
Summary
Chapter 2: Threat Actors, Campaigns, and Tooling
Actor motivations
Bragging rights or for fun
Financial or for profit
Revenge
Ideological beliefs
Intelligence gathering and intellectual property theft
Terrorism
Warfare
Threat actors
Nation state attackers
Cybercriminals
Hacktivists
Terrorist groups
Thrill seekers
Insider threats
Threat campaigns
Vulnerabilities and malware
Vulnerabilities and exploits
Malware
Malware, campaigns, and actor naming
The act of naming
Actor, activity, and group naming
Malware naming
Campaign naming
Aliases
Tooling
System administrator tools
Open source tools
Hacking tools
Threat actor attribution
Summary
Chapter 3: Guidelines and Policies
The needs and benefits of guidelines, procedures, standards, and policies
Guidelines
Procedures
Standards
Policies
SIRs
PIRs
GIRs
Defining intelligence requirements
Evaluating the intelligence requirement
The prioritization of intelligence requirements
FCRs
Reevaluation
IERs
DIRs
Developing intelligence requirements
Attack surface versus threat actor focused
A GIR example
Summary
Chapter 4: Threat Intelligence Frameworks, Standards, Models, and Platforms
The importance of adopting frameworks and standards
Threat modeling methods and frameworks
Threat intelligence pyramid of pain
Cyber Kill Chain
Diamond model
MITRE ATT&CK
Threat intelligence and data sharing frameworks
Traffic light protocol
Structured Threat Information eXpression
Trusted Automated eXchange of Indicator Information (TAXII)
Storage platforms
OpenCTI
Malware Information Sharing Platform (MISP)
Summary
Section 2: How to Collect Threat Intelligence
Chapter 5: Operational Security (OPSEC)
What is OPSEC?
The OPSEC process
Types of OPSEC
Identity OPSEC
Personal protection
Online persona creation
Technical OPSEC types and concepts
Infrastructure and network
Hardware
Software and operating system
Actor engagement
Source protection
OPSEC monitoring
Personnel training and metrics
Summary
Chapter 6: Technical Threat Intelligence – Collection
The collection management process
The role of the collection manager
Prioritized collection requirements
The collection operations life cycle
Surveying your collection needs
Intelligence collection metrics
Prioritized intelligence requirements
Requests for information
Planning and administration
People
Process
Tools and technology
The collection operation
Collection types
Data types
Raw data
Analyzed data
Production data
The artifact and observable repositories
Intelligence collection metrics
Quantitative metrics
Qualitative metrics
Summary
Chapter 7: Technical Threat Analysis – Enrichment
The need and motivation for enrichment and analysis
Infrastructure-based IOCs
Domain Name System (DNS)
WHOIS
Passive DNS
File-based IOCs
File artifacts
Static tool analysis
Dynamic malware analysis
Setting up the environment
Dynamic malware analysis tools
Defeating system monitoring
Cuckoo sandbox
Online sandbox solutions
Reverse engineering
Summary
Chapter 8: Technical Threat Analysis – Threat Hunting and Pivoting
The motivation for hunting and pivoting
Hunting methods
Verdict determination
Threat expression
Translating IOCs to TTPs
Hunting and identification signatures
Pivot methods
Malicious infrastructure pivots
Malicious file pivots
Pivot and hunting tools and services
Maltego
AlienVault OTX
urlscan.io
Hybrid Analysis
VirusTotal graphing/hunting
RiskIQ PassiveTotal
Summary
Chapter 9: Technical Threat Analysis – Similarity Analysis
The motivations behind similarity analysis
What is similarity grouping?
Graph theory with similarity groups
Direction
Graphical structures
Similarity analysis tools
YARA
Graphing with STIX
Hashing and fingerprinting tools
Import hashing
Fuzzy and other hashing methods to enable similarity analysis
Useful fingerprinting tools
Summary
Section 3: What to Do with Threat Intelligence
Chapter 10: Preparation and Dissemination
Data interpretation and alignment
Data versus information versus intelligence
Critical thinking and reasoning in cyber threat intelligence
Cognitive biases
Foundations of analytic judgments
Motives and intentions
Analytic confidence
Metadata tagging in threat intelligence
Thoughts before dissemination
Summary
Chapter 11: Fusion into Other Enterprise Operations
SOC
IR
The IR life cycle
F3EAD
Red and blue teams
The red team
The blue team
Threat intelligence
Information security
Other departments to consider
Products and services
Marketing and public relations
Sales
Legal and organizational risks
Executive leadership
Summary
Chapter 12: Overview of Datasets and Their Practical Application
Planning and direction
Collection
Analysis
Infrastructure discovery
Production
Cyber Threat Intelligence Report – Ozark International Bank
Dissemination and feedback
Summary
Chapter 13: Conclusion
What Is Cyber Threat Intelligence?
How to Collect Cyber Threat Intelligence
What to Do with Cyber Threat Intelligence
Summary
Index
About Packt
Other Books You May Enjoy
