Cyber Threat Intelligence

CYBER THREAT INTELLIGENCE

“Martin takes a thorough and focused approach to the processes that rule threat intelligence, but he doesn’t just cover gathering, processing and distributing intelligence. He explains why you should care who is trying to hack you, and what you can do about it when you know.”—SIMON EDWARDS, Security Testing Expert, CEO SE Labs Ltd., Chair AMTSO EFFECTIVE INTRODUCTION TO CYBER THREAT INTELLIGENCE, SUPPLEMENTED WITH DETAILED CASE STUDIES AND AFTER ACTION REPORTS OF INTELLIGENCE ON REAL ATTACKSCyber Threat Intelligence introduces the history, terminology, and techniques to be applied within cyber security, offering an overview of the current state of cyberattacks and stimulating readers to consider their own issues from a threat intelligence point of view. The author takes a systematic, system-agnostic, and holistic view to generating, collecting, and applying threat intelligence. The text covers the threat environment, malicious attacks, collecting, generating, and applying intelligence and attribution, as well as legal and ethical considerations. It ensures readers know what to look out for when considering a potential cyber attack and imparts how to prevent attacks early on, explaining how threat actors can exploit a system’s vulnerabilities. It also includes analysis of large scale attacks such as WannaCry, NotPetya, Solar Winds, VPNFilter, and the Target breach, looking at the real intelligence that was available before and after the attack. Topics covered in Cyber Threat Intelligence include:

* The constant change of the threat environment as capabilities, intent, opportunities, and defenses change and evolve
* Different business models of threat actors, and how these dictate the choice of victims and the nature of their attacks
* Planning and executing a threat intelligence programme to improve an organistation’s cyber security posture
* Techniques for attributing attacks and holding perpetrators to account for their actions

Cyber Threat Intelligence describes the intelligence techniques and models used in cyber threat intelligence. It provides a survey of ideas, views and concepts, rather than offering a hands-on practical guide. It is intended for anyone who wishes to learn more about the domain, particularly if they wish to develop a career in intelligence, and as a reference for those already working in the area. MARTIN LEE is Technical Lead of Security Research within Talos, Cisco’s threat intelligence and research organization. Martin started his career researching the genetics of human viruses, but soon switched paths to follow a career in IT. With over 20 years of experience within the cyber security industry, he is CISSP certified, a Chartered Engineer, and holds degrees from the Universities of Bristol, Cambridge, Paris-Sud and Oxford. Preface

About the Author

Abbreviations

1. Introduction

Definitions

History of Threat Intelligence

Utility of Threat Intelligence

Summary

2. Threat Environment

Threat

Risk and Vulnerability

Threat Actors

TTPs - Tactics, Techniques and Procedures

Victimology

Threat Landscape

Attack Vectors, Vulnerabilities and Exploits

Untargeted vs Targeted Attacks

Persistence

Thinking Like a Threat Actor

Summary

3. Applying Intelligence

Planning Intelligence Gathering

The Intelligence Cycle

Situational Awarenesss

Goal Oriented Security and Threat Modelling

Strategic, Operational and Tactical Intelligence

Incident Preparedness and Response

Summary

4. Collecting Intelligence

Hierarchy of Evidence

Understanding Intelligence

Third Party Intelligence Reports

Internal Incident Reports

Active Intelligence Gathering

Summary

5. Generating Intelligence

The Intelligence Cycle in Practice

Applying the Intelligence Cycle

Sources of Data

Searching Data

Threat Hunting

Transforming Data into Intelligence

Sharing Intelligence

Measuring the Effectiveness of Generated Intelligence

Summary

6. Attribution

Holding Perpetrators to Account

Standards of Proof

Mechanisms of Attribution

Anti-Attribution Techniques

Third Party Attribution

Using Attribution

Summary

7. Professionalism

Notions of Professionalism

Developing a New Profession

Behaving Ethically

Legal and Ethical Environment

Managing the Unexpected

Continuous Improvement

Summary

8. Future Threats and Conclusions

Emerging Technologies

Emerging Attacks

Emerging Workforce

Conclusion

9. Case Studies

Target Compromise 2013

WannaCry 2017

NotPetya 2017

VPNFilter 2018

SUNBURST and SUNSPOT 2020

Macron Leaks 2017

Index