The Threat Intelligence Handbook

Scribed by Christopher Ahlberg


Year: 2019
Tongue: English
Leaves: 140
Edition: 2
Category: Library


Table of Contents


The Threat Intelligence Handbook
Contributors
Table of Contents
Foreword to the Second Edition
Introduction
Moving Toward a Security Intelligence Program
Chapters at a Glance
Helpful Icons
Section 1: What Is Threat Intelligence?
Chapter 1: What Is Threat Intelligence?
What Have You Heard About Threat Intelligence?
Why Is Threat Intelligence Important?
Who Can Benefit From Threat Intelligence?
Data and Information Are Not Intelligence
Two Types of Threat Intelligence
Operational Threat Intelligence
Strategic Threat Intelligence
The Role of Threat Data Feeds
The Role of Private Channels and the Dark Web
Chapter 2: The Threat Intelligence Lifecycle
The Six Phases of the Threat Intelligence Lifecycle
Direction
Collection
Processing
Analysis
Dissemination
Feedback
Tools and People
Section 2: Applications of Threat Intelligence
Chapter 3: Threat Intelligence for Security Operations
Responsibilities of the SOC Team
The Overwhelming Volume of Alerts
Context Is King
Triage requires lots of context
Use case: Correlating and enriching alerts
Improving the “Time to No”
Beyond Triage
Chapter 4: Threat Intelligence for Incident Response
Continuing Challenges
A skills gap
Too many alerts, too little time
Time to response is rising
A piecemeal approach
The Reactivity Problem
Minimizing Reactivity in Incident Response
Identification of probable threats
Prioritization
Strengthening Incident Response With Threat Intelligence
Threat Intelligence in Action
Use case: Prepare processes in advance
Use case: Scope and contain incidents
Use case: Remediate data exposure and stolen assets
Abuse case: Half measures are worse than nothing
Essential Characteristics of Threat Intelligence for Incident Response
Comprehensive
Relevant
Contextualized
Integrated
Chapter 5: Threat Intelligence for Vulnerability Management
The Vulnerability Problem by the Numbers
Zero day does not mean top priority
Time is of the essence
Assess Risk Based on Exploitability
Severity ratings can be misleading
The Genesis of Threat Intelligence: Vulnerability Databases
Exploitability versus exploitation
Next week versus now
Threat Intelligence and Real Risk
Internal vulnerability scanning
Risk milestones for vulnerabilities
Understanding the adversary
Sources of Intelligence
Use Case: Cross-Referencing Intelligence
Bridging the Risk Gaps Between Security, Operations, and Business Leadership
Chapter 6: Threat Intelligence for Security Leaders
Risk Management
Internal data is not enough
Sharpening the focus
Mitigation: People, Processes, and Tools
Early warnings
Investment
Communication
Supporting Security Leaders
The Security Skills Gap
Intelligence to Manage Better
Chapter 7: Threat Intelligence for Risk Analysis
The FAIR Risk Model
Measurements and transparency are key
Threat Intelligence and Threat Probabilities
Threat Intelligence and the Cost of Attacks
Chapter 8: Threat Intelligence for Fraud Prevention
Stand and Deliver!
Know Your Enemy
Criminal Communities and the Dark Web
Gated communities
A strength — and a weakness
Connecting the Dots for Fraud Prevention
Use case: Payment fraud
Use case: Compromised data
Use case: Typosquatting and fraudulent domains
Chapter 9: Threat Intelligence for Reducing Third-Party Risk
Third-Party Risk Looms Large
Traditional Risk Assessments Fall Short
Three Things to Look for in Threat Intelligence
Automation and machine learning
Real-time updates to risk scores
Transparent risk assessments
Responding to High Third-Party Risk Scores
Chapter 10: Threat Intelligence for Digital Risk Protection
Being Online Is Being at Risk
Types of Digital Risk
Uncovering Evidence of Breaches on the Web
Uncovering Evidence of Brand Impersonation and Abuse
Critical Qualities for Threat Intelligence Solutions
Section 3: Your Threat Intelligence Program
Chapter 11: Analytical Frameworks for Threat Intelligence
The Lockheed Martin Cyber Kill Chain®
Limitations of the Cyber Kill Chain
The Diamond Model
Flexibility
Challenges with the Diamond Model
The MITRE ATT&CK™ Framework
Categories of attacker behavior
Chapter 12: Your Threat Intelligence Journey
Don’t Start With Threat Feeds
Clarify Your Threat Intelligence Needs and Goals
Answer these questions
Identify teams that can benefit most from threat intelligence
Key Success Factors
Generating quick wins with monitoring
Automating as much as possible
Integrating threat intelligence with processes and infrastructure
Getting expert help to nurture internal experts
Start Simple and Scale Up
Chapter 13: Developing the Core Threat Intelligence Team
Dedicated, but Not Necessarily Separate
A dedicated team is best
Its location depends on your organization
Core Competencies
Collecting and Enriching Threat Data
The human edge
Additional sources
Combining sources
The role of intelligent machines
Engaging With Threat Intelligence Communities
Conclusion: Moving Toward a Security Intelligence Program
Key Takeaways From the Book
Appendix


SIMILAR VOLUMES


The Threat Intelligence Handbook
Chris Pace (ed.) | Library | 2018 | CyberEdge Group | English

"A practical guide for security teams to unlocking the power of Intelligence" --Recorded Future, Inc. Foreword by Christopher Ahlberg. "104-page book describing how IT security teams can leverage best-of-breed threat intelligence to mitigate today’s advanced threats" --CyberEdge Group, LLC

Handbook of Warning Intelligence: Assess
Cynthia Grabo | Library | 2010 | English

Handbook of Warning Intelligence: Assessing the Threat to National Security was written during the Cold War and classified for 40 years, this manual is now available to scholars and practitioners interested in both history and intelligence. Cynthia Grabo, author of the abridged version, Anticipating

Cyber Threat Intelligence
Martin Lee | Library | 2023 | Wiley | English

CYBER THREAT INTELLIGENCE “Martin takes a thorough and focused approach to the processes that rule threat intelligence, but he doesn’t just cover gathering, processing and distributing intelligence. He explains why you should care who is trying to hack you, and what you can do a

Cyber Threat Intelligence
Ali Dehghantanha, Mauro Conti, Tooska Dargahi | Library | 2018 | Springer International Publishing | English

This book provides readers with up-to-date research of emerging cyber threats and defensive mechanisms, which are timely and essential. It covers cyber threat intelligence concepts against a range of threat actors and threat tools (i.e. ransomware) in cutting-edge technologies, i.e., Internet
