Cyber Threat Intelligence - Aaron Roberts

Cyber Threat Intelligence (eBook)

The No-Nonsense Guide for CISOs and Security Managers
eBook Download: PDF
2021 | 1st edition
XXII, 221 pages
Apress (publisher)
978-1-4842-7220-6 (ISBN)
System requirements
56,99 incl. VAT
  • Download available immediately

Understand the process of setting up a successful cyber threat intelligence (CTI) practice within an established security team. This book shows you how threat information that has been collected, evaluated, and analyzed is a critical component in protecting your organization's resources. Adopting an intelligence-led approach enables your organization to nimbly react to situations as they develop. Security controls and responses can then be applied as soon as they become available, enabling prevention rather than response.

There are a lot of competing approaches and ways of working, but this book cuts through the confusion. Author Aaron Roberts introduces the best practices and methods for using CTI successfully. This book will help not only senior security professionals, but also those looking to break into the industry. You will learn the theories and mindset needed to be successful in CTI.

This book covers the cybersecurity wild west, the merits and limitations of structured intelligence data, and how using structured intelligence data can, and should, be the standard practice for any intelligence team. You will understand your organization's risks based on its industry and the adversaries it is most likely to face, the importance of open-source intelligence (OSINT) to any CTI practice, and the gaps that exist in your existing commercial solutions and where to plug those gaps, and much more.


What You Will Learn

  • Know the wide range of cybersecurity products and the risks and pitfalls aligned with blindly working with a vendor
  • Understand critical intelligence concepts such as the intelligence cycle, setting intelligence requirements, the diamond model, and how to apply intelligence to existing security information
  • Understand structured intelligence (STIX) and why it's important, how to align STIX to ATT&CK, and how structured intelligence helps improve final intelligence reporting
  • Know how to approach CTI, depending on your budget
  • Prioritize areas when it comes to funding and the best approaches to incident response, requests for information, or ad hoc reporting
  • Critically evaluate services received from your existing vendors, including what they do well, what they don't do well (or at all), how you can improve on this, the things you should consider moving in-house rather than outsourcing, and the benefits of finding and maintaining relationships with excellent vendors


Who This Book Is For

Senior security leaders in charge of cybersecurity teams who are considering starting a threat intelligence team, those considering a career change into cyber threat intelligence (CTI) who want a better understanding of the main philosophies and ways of working in the industry, and security professionals who have no prior intelligence experience but technical proficiency in other areas (e.g., programming, security architecture, or engineering)



Aaron Roberts is an intelligence professional specializing in Cyber Threat Intelligence (CTI) and Open-Source Intelligence (OSINT). He is focused on building intelligence-led cyber capabilities in large enterprises and conducting online investigations and research. He has worked within the public and private sectors as well as the British Military. As such, he understands how intelligence can and should be utilized within a range of environments and the fundamental approach that businesses must take to get the maximum value out of their cyber threat intelligence program.

Table of Contents 5
About the Author 11
Acknowledgments 12
Introduction 13
Chapter 1: The Cybersecurity Wild West 21
Identifying the Wheat from the Chaff 21
What Kinds of Vendors Are There? 24
Where Do You Even Begin? Always Start with Intelligence Requirements 26
What Sectors Is Your Business Operating In? 27
What Systems and Services Do You Use and Want to Monitor for Threats? 28
What Are the Threats You’re Worried About As a Business? 29
What Other Security Vendors Do You Use? 30
What Is Your Business Planning to Do in the Next X Years? 31
Further Considerations for IRs 32
What Do You Get for Your Money? 33
Key Takeaways 35
Chapter 2: Cyber Threat Intelligence – What Does It Even Mean? 37
The Intelligence Cycle 39
1. Planning and Direction 39
2. Collection 40
3. Processing and Exploitation 41
4. Analysis 41
5. Dissemination 42
6. Feedback 43
The Diamond Model 44
Diamond Model – Adversary 45
Diamond Model – Victim 46
Diamond Model – Infrastructure 47
Diamond Model – Capabilities/TTPs 49
How Do We Apply Intelligence to Existing Security? The Cyber Kill-Chain and MITRE ATT&CK Framework
Human Behavior Doesn’t Change 51
The IOC Is Dead. Long Live the IOC 52
Security Products Are Evolving – So Should You 53
The Cyber Kill-Chain 54
Key Takeaways 56
Chapter 3: Structured Intelligence – What Does It Even Mean? 57
OpenIOC 58
MITRE ATT&CK
Using MITRE ATT&CK
STIX – Why It’s Important 64
Aligning STIX with ATT&CK – Where the Magic Happens
Threat Actor 70
Campaign 71
Attack Pattern 71
Malware 73
Vulnerability 74
Course of Action 75
Victim 75
Report 76
Indicators 77
The Remaining STIX 2.1 Objects 78
Grouping 79
Identity 79
Infrastructure 79
Location 79
Malware Analysis 79
Note 80
Observed Data 80
Opinion 80
Tool 80
Relationship 81
Sighting 81
What About the Kill-Chain? 81
Key Takeaways 83
Chapter 4: Determining What Your Business Needs 85
Who Are Your Customers? 87
Intelligence Reporting 90
Tactical Intelligence 90
Operational Intelligence 91
Strategic Intelligence 92
Other Types of Intelligence Reporting 93
Awareness Reporting 93
Executive/VIP Profile Reporting 94
Spot/Flash Reporting 94
Summary Reporting 95
Intelligence Report Structure 96
Key Points 96
Summary 97
Details 97
Recommendations 97
Appendices 97
I Have Requirements! I Have Report Templates! Now What? 98
Business Needs 98
Automation – Can This Help? 99
What If the Business Doesn’t Know What It Wants? 101
Key Takeaways 102
Chapter 5: How Do I Implement This? (Regardless of Budget) 104
Threat Feeds 105
News Reports/Blogs 106
Social Media 107
Data Breach Notifications 109
Patch and Vulnerability Notifications 110
Geopolitical Affairs 111
Industry Events 113
Personal Contacts 114
Sharing Groups 115
Requirements, Check. Basic Collection Sources, Check. Now, What? 116
Prioritizing Areas for Funding 118
Intelligence Analysts – How to Use Them 119
Different Analysts for Different Things? 120
Key Takeaways 122
Chapter 6: Things to Consider When Implementing CTI 123
Your Organization’s Footprint 124
Big Game or Small Fry? 124
Territories 126
Digital Footprint 127
The Risks Associated to Your Organization 129
Risks Outside Your Control 131
The Gaps Left Behind by Funding/Vendor/IT Black Holes 133
Funding Gaps 133
Vendor Gaps 135
IT Black Holes 137
The Human Factor 138
What Is an Analyst? 139
Curiosity 139
Critical Thinking 140
Self-Awareness 141
Analysis 142
Data Validation 142
Inductive/Deductive Reasoning 142
5WH – Who, What, Where, When, Why, and How 143
Structured Analytical Techniques 143
Cyber Specific 143
Computer Literacy 144
Information Security Fundamentals 144
External Influences 145
Key Takeaways 146
Chapter 7: The Importance of OSINT 148
What Is OSINT? 148
Different Types of OSINT Data Platforms 149
Threat Feeds 149
Research Platforms 151
Social Media 152
Messenger Platforms 153
Platforms Are Good, But How Do I Research Data Using OSINT? 154
OSINT – Technologies 154
OSINT – Threat Actors 155
OSINT – Data 156
What Does an OSINT Investigator Need? 160
Sockpuppets – What? 161
A New Old Phone 163
A New Face 163
Password Manager 164
Maintaining Accounts 164
So If I’m Undercover, Should I Contact People for Information? 166
Combining OSINT with Other Sources 167
Key Takeaways 168
Chapter 8: I Already Pay for Vendor X – Should I Bother with CTI? 170
Establishing What Your Existing Vendor(s) Do Well 170
The Humble Conversation 171
Establishing What Your Vendors Don’t Do Well (or at All) 173
How Can You Improve the Existing Processes? 174
What Sort of Things Should You Adopt In-House? 176
What About Open Source Solutions? 177
CTI Starting Block – What to Prioritize? 179
The Benefits of Finding a Good Vendor 181
Key Takeaways 184
Chapter 9: Summary 185
The Main Themes Discussed in This Book 186
How You Can Follow Up with Me 190
Chapter 10: Useful Resources 192
Online Resources 194
Domains 195
IP Addresses 199
File Hashes and Documents 202
Web Technologies 203
Email Addresses and Data Breaches 204
Usernames 206
Cryptocurrency 208
Paste Sites 209
Social Media 211
Facebook 211
Twitter 212
Instagram 214
Other Social Media and Messenger Apps 214
Index 217

Publication date (per publisher): 9.8.2021
Additional info: XXII, 207 p. 4 illus.
Language: English
Subject area: Computer Science / Networks / Security / Firewall
Keywords: CTI • Cyber Investigation • cybersecurity • Cyber threat intelligence • indicators of compromise • IOCs • Mitre ATT&CK • open-source intelligence • OSINT • Stix • TAXII • Threat Intelligence Platforms
ISBN-10 1-4842-7220-X / 148427220X
ISBN-13 978-1-4842-7220-6 / 9781484272206
PDF (watermarked)
Size: 2,4 MB

DRM: Digital watermark
This eBook contains a digital watermark and is therefore personalized to you. If the eBook is improperly passed on to third parties, it can be traced back to its source.

File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to specialist books with columns, tables and figures. A PDF can be displayed on almost all devices, but is only of limited use on small displays (smartphone, eReader).

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a PDF viewer for this, e.g. Adobe Reader or Adobe Digital Editions.
eReader: This eBook can be read on (almost) all eBook readers. It is, however, not compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a PDF viewer for this, e.g. the free Adobe Digital Editions app.

Additional feature: Read online
In addition to downloading it, you can also read this eBook online in your web browser.

Buying eBooks from abroad
For tax law reasons we can only sell eBooks within Germany and Switzerland. Regrettably, we cannot fulfil eBook orders from other countries.
