Table of Contents ... 5
About the Author ... 11
Acknowledgments ... 12
Introduction ... 13

Chapter 1: The Cybersecurity Wild West ... 21
    Identifying the Wheat from the Chaff ... 21
    What Kinds of Vendors Are There? ... 24
    Where Do You Even Begin? Always Start with Intelligence Requirements ... 26
    What Sectors Is Your Business Operating In? ... 27
    What Systems and Services Do You Use and Want to Monitor for Threats? ... 28
    What Are the Threats You're Worried About As a Business? ... 29
    What Other Security Vendors Do You Use? ... 30
    What Is Your Business Planning to Do in the Next X Years? ... 31
    Further Considerations for IRs ... 32
    What Do You Get for Your Money? ... 33
    Key Takeaways ... 35

Chapter 2: Cyber Threat Intelligence – What Does It Even Mean? ... 37
    The Intelligence Cycle ... 39
    1. Planning and Direction ... 39
    2. Collection ... 40
    3. Processing and Exploitation ... 41
    4. Analysis ... 41
    5. Dissemination ... 42
    6. Feedback ... 43
    The Diamond Model ... 44
    Diamond Model – Adversary ... 45
    Diamond Model – Victim ... 46
    Diamond Model – Infrastructure ... 47
    Diamond Model – Capabilities/TTPs ... 49
    How Do We Apply Intelligence to Existing Security? The Cyber Kill-Chain and MITRE ATT&CK Framework ... 50
    Human Behavior Doesn't Change ... 51
    The IOC Is Dead. Long Live the IOC ... 52
    Security Products Are Evolving – So Should You ... 53
    The Cyber Kill-Chain ... 54
    Key Takeaways ... 56

Chapter 3: Structured Intelligence – What Does It Even Mean? ... 57
    OpenIOC ... 58
    MITRE ATT&CK ... 59
    Using MITRE ATT&CK ... 60
    STIX – Why It's Important ... 64
    Aligning STIX with ATT&CK – Where the Magic Happens ... 67
    Threat Actor ... 70
    Campaign ... 71
    Attack Pattern ... 71
    Malware ... 73
    Vulnerability ... 74
    Course of Action ... 75
    Victim ... 75
    Report ... 76
    Indicators ... 77
    The Remaining STIX 2.1 Objects ... 78
    Grouping ... 79
    Identity ... 79
    Infrastructure ... 79
    Location ... 79
    Malware Analysis ... 79
    Note ... 80
    Observed Data ... 80
    Opinion ... 80
    Tool ... 80
    Relationship ... 81
    Sighting ... 81
    What About the Kill-Chain? ... 81
    Key Takeaways ... 83

Chapter 4: Determining What Your Business Needs ... 85
    Who Are Your Customers? ... 87
    Intelligence Reporting ... 90
    Tactical Intelligence ... 90
    Operational Intelligence ... 91
    Strategic Intelligence ... 92
    Other Types of Intelligence Reporting ... 93
    Awareness Reporting ... 93
    Executive/VIP Profile Reporting ... 94
    Spot/Flash Reporting ... 94
    Summary Reporting ... 95
    Intelligence Report Structure ... 96
    Key Points ... 96
    Summary ... 97
    Details ... 97
    Recommendations ... 97
    Appendices ... 97
    I Have Requirements! I Have Report Templates! Now What? ... 98
    Business Needs ... 98
    Automation – Can This Help? ... 99
    What If the Business Doesn't Know What It Wants? ... 101
    Key Takeaways ... 102

Chapter 5: How Do I Implement This? (Regardless of Budget) ... 104
    Threat Feeds ... 105
    News Reports/Blogs ... 106
    Social Media ... 107
    Data Breach Notifications ... 109
    Patch and Vulnerability Notifications ... 110
    Geopolitical Affairs ... 111
    Industry Events ... 113
    Personal Contacts ... 114
    Sharing Groups ... 115
    Requirements, Check. Basic Collection Sources, Check. Now, What? ... 116
    Prioritizing Areas for Funding ... 118
    Intelligence Analysts – How to Use Them ... 119
    Different Analysts for Different Things? ... 120
    Key Takeaways ... 122

Chapter 6: Things to Consider When Implementing CTI ... 123
    Your Organization's Footprint ... 124
    Big Game or Small Fry? ... 124
    Territories ... 126
    Digital Footprint ... 127
    The Risks Associated to Your Organization ... 129
    Risks Outside Your Control ... 131
    The Gaps Left Behind by Funding/Vendor/IT Black Holes ... 133
    Funding Gaps ... 133
    Vendor Gaps ... 135
    IT Black Holes ... 137
    The Human Factor ... 138
    What Is an Analyst? ... 139
    Curiosity ... 139
    Critical Thinking ... 140
    Self-Awareness ... 141
    Analysis ... 142
    Data Validation ... 142
    Inductive/Deductive Reasoning ... 142
    5WH – Who, What, Where, When, Why, and How ... 143
    Structured Analytical Techniques ... 143
    Cyber Specific ... 143
    Computer Literacy ... 144
    Information Security Fundamentals ... 144
    External Influences ... 145
    Key Takeaways ... 146

Chapter 7: The Importance of OSINT ... 148
    What Is OSINT? ... 148
    Different Types of OSINT Data Platforms ... 149
    Threat Feeds ... 149
    Research Platforms ... 151
    Social Media ... 152
    Messenger Platforms ... 153
    Platforms Are Good, But How Do I Research Data Using OSINT? ... 154
    OSINT – Technologies ... 154
    OSINT – Threat Actors ... 155
    OSINT – Data ... 156
    What Does an OSINT Investigator Need? ... 160
    Sockpuppets – What? ... 161
    A New Old Phone ... 163
    A New Face ... 163
    Password Manager ... 164
    Maintaining Accounts ... 164
    So If I'm Undercover, Should I Contact People for Information? ... 166
    Combining OSINT with Other Sources ... 167
    Key Takeaways ... 168

Chapter 8: I Already Pay for Vendor X – Should I Bother with CTI? ... 170
    Establishing What Your Existing Vendor(s) Do Well ... 170
    The Humble Conversation ... 171
    Establishing What Your Vendors Don't Do Well (or at All) ... 173
    How Can You Improve the Existing Processes? ... 174
    What Sort of Things Should You Adopt In-House? ... 176
    What About Open Source Solutions? ... 177
    CTI Starting Block – What to Prioritize? ... 179
    The Benefits of Finding a Good Vendor ... 181
    Key Takeaways ... 184

Chapter 9: Summary ... 185
    The Main Themes Discussed in This Book ... 186
    How You Can Follow Up with Me ... 190

Chapter 10: Useful Resources ... 192
    Online Resources ... 194
    Domains ... 195
    IP Addresses ... 199
    File Hashes and Documents ... 202
    Web Technologies ... 203
    Email Addresses and Data Breaches ... 204
    Usernames ... 206
    Cryptocurrency ... 208
    Paste Sites ... 209
    Social Media ... 211
    Facebook ... 211
    Twitter ... 212
    Instagram ... 214
    Other Social Media and Messenger Apps ... 214

Index ... 217