| Section | Page |
| --- | --- |
| Cover | 1 |
| Title Page | 5 |
| Copyright Page | 6 |
| Contents | 7 |
| Preface | 13 |
| About the Author | 15 |
| Abbreviations | 17 |
| Endorsements for Martin Lee's Book | 21 |
| Chapter 1 Introduction | 23 |
| 1.1 Definitions | 23 |
| 1.1.1 Intelligence | 24 |
| 1.1.2 Cyber Threat | 25 |
| 1.1.3 Cyber Threat Intelligence | 26 |
| 1.2 History of Threat Intelligence | 27 |
| 1.2.1 Antiquity | 27 |
| 1.2.2 Ancient Rome | 29 |
| 1.2.3 Medieval and Renaissance Age | 30 |
| 1.2.4 Industrial Age | 32 |
| 1.2.5 World War I | 33 |
| 1.2.6 World War II | 35 |
| 1.2.7 Post War Intelligence | 36 |
| 1.2.8 Cyber Threat Intelligence | 37 |
| 1.2.9 Emergence of Private Sector Intelligence Sharing | 41 |
| 1.3 Utility of Threat Intelligence | 43 |
| 1.3.1 Developing Cyber Threat Intelligence | 45 |
| Summary | 46 |
| References | 46 |
| Chapter 2 Threat Environment | 53 |
| 2.1 Threat | 53 |
| 2.1.1 Threat Classification | 55 |
| 2.2 Risk and Vulnerability | 57 |
| 2.2.1 Human Vulnerabilities | 60 |
| 2.2.1.1 Example – Business Email Compromise | 61 |
| 2.2.2 Configuration Vulnerabilities | 61 |
| 2.2.2.1 Example – Misconfiguration of Cloud Storage | 62 |
| 2.2.3 Software Vulnerabilities | 63 |
| 2.2.3.1 Example – Log4j Vulnerabilities | 65 |
| 2.3 Threat Actors | 65 |
| 2.3.1 Example – Operation Payback | 68 |
| 2.3.2 Example – Stuxnet | 69 |
| 2.3.3 Tracking Threat Actors | 69 |
| 2.4 TTPs – Tactics, Techniques, and Procedures | 71 |
| 2.5 Victimology | 75 |
| 2.5.1 Diamond Model | 77 |
| 2.6 Threat Landscape | 78 |
| 2.6.1 Example – Ransomware | 79 |
| 2.7 Attack Vectors, Vulnerabilities, and Exploits | 80 |
| 2.7.1 Email Attack Vectors | 81 |
| 2.7.2 Web-Based Attacks | 82 |
| 2.7.3 Network Service Attacks | 83 |
| 2.7.4 Supply Chain Attacks | 83 |
| 2.8 The Kill Chain | 84 |
| 2.9 Untargeted versus Targeted Attacks | 86 |
| 2.10 Persistence | 87 |
| 2.11 Thinking Like a Threat Actor | 88 |
| Summary | 88 |
| References | 89 |
| Chapter 3 Applying Intelligence | 97 |
| 3.1 Planning Intelligence Gathering | 97 |
| 3.1.1 The Intelligence Programme | 99 |
| 3.1.2 Principles of Intelligence | 100 |
| 3.1.3 Intelligence Metrics | 103 |
| 3.2 The Intelligence Cycle | 104 |
| 3.2.1 Planning, Requirements, and Direction | 105 |
| 3.2.2 Collection | 106 |
| 3.2.3 Analysis and Processing | 106 |
| 3.2.4 Production | 107 |
| 3.2.5 Dissemination | 107 |
| 3.2.6 Review | 107 |
| 3.3 Situational Awareness | 108 |
| 3.3.1 Example – 2013 Target Breach | 110 |
| 3.4 Goal Oriented Security and Threat Modelling | 111 |
| 3.5 Strategic, Operational, and Tactical Intelligence | 113 |
| 3.5.1 Strategic Intelligence | 113 |
| 3.5.1.1 Example – Lazarus Group | 114 |
| 3.5.2 Operational Intelligence | 115 |
| 3.5.2.1 Example – SamSam | 115 |
| 3.5.3 Tactical Intelligence | 116 |
| 3.5.3.1 Example – WannaCry | 116 |
| 3.5.4 Sources of Intelligence Reports | 116 |
| 3.5.4.1 Example – Shamoon | 117 |
| 3.6 Incident Preparedness and Response | 118 |
| 3.6.1 Preparation and Practice | 121 |
| Summary | 122 |
| References | 122 |
| Chapter 4 Collecting Intelligence | 127 |
| 4.1 Hierarchy of Evidence | 127 |
| 4.1.1 Example – Smoking Tobacco Risk | 129 |
| 4.2 Understanding Intelligence | 130 |
| 4.2.1 Expressing Credibility | 131 |
| 4.2.2 Expressing Confidence | 132 |
| 4.2.3 Understanding Errors | 136 |
| 4.2.3.1 Example – the WannaCry Email | 136 |
| 4.2.3.2 Example – the Olympic Destroyer False Flags | 136 |
| 4.3 Third Party Intelligence Reports | 137 |
| 4.3.1 Tactical and Operational Reports | 138 |
| 4.3.1.1 Example – Heartbleed | 139 |
| 4.3.2 Strategic Threat Reports | 140 |
| 4.4 Internal Incident Reports | 140 |
| 4.5 Root Cause Analysis | 141 |
| 4.6 Active Intelligence Gathering | 142 |
| 4.6.1 Example – the Nightingale Floor | 144 |
| 4.6.2 Example – the Macron Leaks | 144 |
| Summary | 145 |
| References | 145 |
| Chapter 5 Generating Intelligence | 149 |
| 5.1 The Intelligence Cycle in Practice | 150 |
| 5.1.1 See it, Sense it, Share it, Use it | 150 |
| 5.1.2 F3EAD Cycle | 151 |
| 5.1.3 D3A Process | 153 |
| 5.1.4 Applying the Intelligence Cycle | 154 |
| 5.1.4.1 Planning and Requirements | 154 |
| 5.1.4.2 Collection, Analysis, and Processing | 155 |
| 5.1.4.3 Production and Dissemination | 156 |
| 5.1.4.4 Feedback and Improvement | 157 |
| 5.1.4.5 The Intelligence Cycle in Reverse | 157 |
| 5.2 Sources of Data | 158 |
| 5.3 Searching Data | 159 |
| 5.4 Threat Hunting | 160 |
| 5.4.1 Models of Threat Hunting | 161 |
| 5.4.2 Analysing Data | 162 |
| 5.4.3 Entity Behaviour Analytics | 165 |
| 5.5 Transforming Data into Intelligence | 166 |
| 5.5.1 Structured Geospatial Analytical Method | 166 |
| 5.5.2 Analysis of Competing Hypotheses | 168 |
| 5.5.3 Poor Practices | 168 |
| 5.6 Sharing Intelligence | 169 |
| 5.6.1 Machine Readable Intelligence | 172 |
| 5.7 Measuring the Effectiveness of Generated Intelligence | 173 |
| Summary | 174 |
| References | 174 |
| Chapter 6 Attribution | 177 |
| 6.1 Holding Perpetrators to Account | 177 |
| 6.1.1 Punishment | 178 |
| 6.1.2 Legal Frameworks | 178 |
| 6.1.3 Cyber Crime Legislation | 179 |
| 6.1.4 International Law | 180 |
| 6.1.5 Crime and Punishment | 180 |
| 6.2 Standards of Proof | 180 |
| 6.2.1 Forensic Evidence | 181 |
| 6.3 Mechanisms of Attribution | 182 |
| 6.3.1 Attack Attributes | 183 |
| 6.3.1.1 Attacker TTPs | 183 |
| 6.3.1.2 Example – HAFNIUM | 184 |
| 6.3.1.3 Attacker Infrastructure | 184 |
| 6.3.1.4 Victimology | 185 |
| 6.3.1.5 Malicious Code | 185 |
| 6.3.2 Asserting Attribution | 187 |
| 6.4 Anti-Attribution Techniques | 188 |
| 6.4.1 Infrastructure | 188 |
| 6.4.2 Malicious Tools | 188 |
| 6.4.3 False Attribution | 189 |
| 6.4.4 Chains of Attribution | 189 |
| 6.5 Third Party Attribution | 189 |
| 6.6 Using Attribution | 190 |
| Summary | 192 |
| References | 193 |
| Chapter 7 Professionalism | 197 |
| 7.1 Notions of Professionalism | 198 |
| 7.1.1 Professional Ethics | 199 |
| 7.2 Developing a New Profession | 200 |
| 7.2.1 Professional Education | 200 |
| 7.2.2 Professional Behaviour and Ethics | 201 |
| 7.2.2.1 Professionalism in Medicine | 201 |
| 7.2.2.2 Professionalism in Accountancy | 203 |
| 7.2.2.3 Professionalism in Engineering | 205 |
| 7.2.3 Certifications and Codes of Ethics | 208 |
| 7.3 Behaving Ethically | 210 |
| 7.3.1 The Five Philosophical Approaches | 210 |
| 7.3.2 The Josephson Model | 211 |
| 7.3.3 PMI Ethical Decision Making Framework | 212 |
| 7.4 Legal and Ethical Environment | 213 |
| 7.4.1 Planning | 214 |
| 7.4.1.1 Responsible Vulnerability Disclosure | 215 |
| 7.4.1.2 Vulnerability Hoarding | 216 |
| 7.4.2 Collection, Analysis, and Processing | 216 |
| 7.4.2.1 PRISM Programme | 217 |
| 7.4.2.2 Open and Closed Doors | 218 |
| 7.4.3 Dissemination | 218 |
| 7.4.3.1 Doxxing | 219 |
| 7.5 Managing the Unexpected | 220 |
| 7.6 Continuous Improvement | 221 |
| Summary | 221 |
| References | 222 |
| Chapter 8 Future Threats and Conclusion | 229 |
| 8.1 Emerging Technologies | 229 |
| 8.1.1 Smart Buildings | 230 |
| 8.1.1.1 Software Errors | 231 |
| 8.1.1.2 Example – Maroochy Shire Incident | 232 |
| 8.1.2 Health Care | 233 |
| 8.1.2.1 Example – Conti Attack Against Irish Health Sector | 234 |
| 8.1.3 Transport Systems | 235 |
| 8.2 Emerging Attacks | 236 |
| 8.2.1 Threat Actor Evolutions | 236 |
| 8.2.1.1 Criminal Threat Actors | 236 |
| 8.2.1.2 Nation State Threat Actors | 238 |
| 8.2.1.3 Other Threat Actors | 242 |
| 8.3 Emerging Workforce | 243 |
| 8.3.1 Job Roles and Skills | 243 |
| 8.3.2 Diversity in Hiring | 247 |
| 8.3.3 Growing the Profession | 249 |
| 8.4 Conclusion | 250 |
| References | 251 |
| Chapter 9 Case Studies | 259 |
| 9.1 Target Compromise 2013 | 260 |
| 9.1.1 Background | 260 |
| 9.1.2 The Attack | 263 |
| 9.2 WannaCry 2017 | 265 |
| 9.2.1 Background | 266 |
| 9.2.1.1 Guardians of Peace | 266 |
| 9.2.1.2 The Shadow Brokers | 267 |
| 9.2.1.3 Threat Landscape – Worms and Ransomware | 269 |
| 9.2.2 The Attack | 269 |
| 9.2.2.1 Prelude | 269 |
| 9.2.2.2 Malware | 271 |
| 9.3 NotPetya 2017 | 273 |
| 9.3.1 Background | 273 |
| 9.3.2 The Attack | 274 |
| 9.3.2.1 Distribution | 275 |
| 9.3.2.2 Payload | 275 |
| 9.3.2.3 Spread and Consequences | 276 |
| 9.4 VPNFilter 2018 | 277 |
| 9.4.1 Background | 277 |
| 9.4.2 The Attack | 278 |
| 9.5 SUNBURST and SUNSPOT 2020 | 279 |
| 9.5.1 Background | 280 |
| 9.5.2 The Attack | 281 |
| 9.6 Macron Leaks 2017 | 282 |
| 9.6.1 Background | 282 |
| 9.6.2 The Attack | 283 |
| References | 284 |
| Index | 299 |
| EULA | 307 |