Electronic Library of the Financial University


Detailed information

Dahj, Jean Nestor M. Mastering cyber intelligence: gain comprehensive knowledge and skills to conduct threat intelligence for effective system defense / Jean Nestor M. Dahj. — 1 online resource (528 p.) : color illustrations. — AFI14-133 tradecraft standard for CTI. — <URL:http://elib.fa.ru/ebsco/3228046.pdf>.

Record created: 23.04.2022

Subjects: Business enterprises — Security measures.; Data protection.; Cyber intelligence (Computer security); Risk management.; Entreprises — Sécurité — Mesures.; Protection de l'information (Informatique); Surveillance des menaces informatiques.; Gestion du risque.

Collections: EBSCO


Abstract

Develop the analytical skills to effectively safeguard your organization by enhancing defense mechanisms, and become a proficient threat intelligence analyst to help strategic teams make informed decisions.

Key Features
  • Build the analytics skills and practices you need for analyzing, detecting, and preventing cyber threats
  • Learn how to perform intrusion analysis using the cyber threat intelligence (CTI) process
  • Integrate threat intelligence into your current security infrastructure for enhanced protection

Book Description
The sophistication of cyber threats, such as ransomware, advanced phishing campaigns, zero-day vulnerability attacks, and advanced persistent threats (APTs), is pushing organizations and individuals to change strategies for reliable system protection. Cyber threat intelligence converts threat information into evidence-based intelligence that uncovers adversaries' intents, motives, and capabilities for effective defense against all kinds of threats. This book thoroughly covers the concepts and practices required to develop and drive threat intelligence programs, detailing the tasks involved in each step of the CTI lifecycle. You'll be able to plan a threat intelligence program by understanding and collecting the requirements, setting up the team, and exploring the intelligence frameworks. You'll also learn how and from where to collect intelligence data for your program, considering your organization's level. With the help of practical examples, this book will help you get to grips with threat data processing and analysis. Finally, you'll be well versed in writing tactical, technical, and strategic intelligence reports and sharing them with the community. By the end of this book, you'll have acquired the knowledge and skills required to drive threat intelligence operations from the planning to the dissemination phase, protect your organization, and help in critical defense decisions.

What you will learn
  • Understand the CTI lifecycle, which forms the foundation of the study
  • Form a CTI team and position it in the security stack
  • Explore CTI frameworks, platforms, and their use in the program
  • Integrate CTI in small, medium, and large enterprises
  • Discover intelligence data sources and feeds
  • Perform threat modelling and adversary and threat analysis
  • Find out what Indicators of Compromise (IoCs) are and apply the pyramid of pain in threat detection
  • Get to grips with writing intelligence reports and sharing intelligence

Who this book is for
This book is for security professionals, researchers, and individuals who want to gain profound knowledge of cyber threat intelligence and discover techniques to prevent varying types of cyber threats. Basic knowledge of cybersecurity and network fundamentals is required to get the most out of this book.

Access rights for the stored object

Access location                          User group        Actions
Financial University local network       All               Read, Print, Download
Internet                                 Readers           Read, Print
Internet                                 Anonymous users   (none)

Table of contents

  • Cover
  • Title Page
  • Copyright
  • Dedication
  • Contributors
  • Table of Contents
  • Preface
  • Section 1: Cyber Threat Intelligence Life Cycle, Requirements, and Tradecraft
  • Chapter 1: Cyber Threat Intelligence Life Cycle
    • Technical requirements
    • Cyber threat intelligence – a global overview
      • Characteristics of a threat
      • Threat intelligence and data security challenges
      • Importance and benefits of threat intelligence
      • Planning, objectives, and direction
    • Intelligence data collection
    • Intelligence data processing
    • Analysis and production
    • Threat intelligence dissemination
    • Threat intelligence feedback
    • Summary
  • Chapter 2: Requirements and Intelligence Team Implementation
    • Technical requirements
    • Threat intelligence requirements and prioritization
      • Prioritizing intelligence requirements
    • Requirements development
      • Operational environment definition
      • Network defense impact description
      • Current cyber threats – evaluation
      • Developing a course of action
      • Intelligence preparation for intelligence requirements
    • Intelligence team layout and prerequisites
    • Intelligence team implementation
      • Intelligence team structuring
      • Intelligence team application areas
    • Summary
  • Chapter 3: Cyber Threat Intelligence Frameworks
    • Technical requirements
    • Intelligence frameworks – overview
      • Why cyber threat frameworks?
      • Cyber threat framework architecture and operating model
    • Lockheed Martin's Cyber Kill Chain framework
      • Use case – Lockheed Martin's Cyber Kill Chain model mapping
      • Integrating the Cyber Kill Chain model into an intelligence project
      • Benefits of the Cyber Kill Chain framework
    • MITRE's ATT&CK knowledge-based framework
      • How it works
      • Use case – ATT&CK model mapping
      • Integrating the MITRE ATT&CK framework
      • Benefits of the ATT&CK framework
    • Diamond model of intrusion analysis framework
      • How it works
      • Use case – Diamond model of intrusion analysis
      • Integrating the Diamond model into intelligence projects
      • Benefits of the Diamond model
    • Summary
  • Chapter 4: Cyber Threat Intelligence Tradecraft and Standards
    • Technical requirements
    • The baseline of intelligence analytic tradecraft
      • Note 1 – Addressing CTI consumers' interests
      • Note 2 – Access and credibility
      • Note 3 – Articulation of assumptions
      • Note 4 – Outlook
      • Note 5 – Facts and sourcing
      • Note 6 – Analytic expertise
      • Note 7 – Effective summary
      • Note 8 – Implementation analysis
      • Note 9 – Conclusions
      • Note 10 – Tradecraft and counterintelligence
    • Understanding and adapting ICD 203 to CTI
    • Understanding the STIX standard
      • Using STIX for cyber threat analysis
      • Specifying threat indicator patterns using STIX
      • Using the STIX standard for threat response management
      • Threat intelligence information sharing
      • Understanding the STIX v2 standard
    • Understanding the TAXII standard
      • How TAXII standard works
    • AFI14-133 tradecraft standard for CTI
      • Analytic skills and tradecraft
      • Additional topics covered in AFI14-133
    • Summary
  • Chapter 5: Goal Setting, Procedures for CTI Strategy, and Practical Use Cases
    • Technical requirements
    • The threat intelligence strategy map and goal setting
      • Objective 1 – Facilitate and support real-time security operations
      • Objective 2 – Facilitate an effective response to cyber threats
      • Objective 3 – Facilitate and support the proactive tracking of cyber threats
      • Objective 4 – Facilitate and support the updating and implementation of security governance
    • TIPs – an overview
      • Commercial TIPs
      • Open-source TIPs
    • Case study 1 – CTI for Level 1 organizations
      • Objective
      • Strategy
      • Example
    • Case study 2 – CTI for Level 2 organizations
      • Objective
      • Strategy
      • Example
    • Case study 3 – CTI for Level 3 organizations
      • Objective
      • Strategy
      • Example
    • Installing the MISP platform (optional)
    • Summary
  • Section 2: Cyber Threat Analytical Modeling and Defensive Mechanisms
  • Chapter 6: Cyber Threat Modeling and Adversary Analysis
    • Technical requirements
    • The strategic threat modeling process
      • Identifying and decomposing assets
      • Adversaries and threat analysis
      • Attack surfaces and threat vectors
      • Adversary analysis use case – Twisted Spider
      • Identifying countermeasures
      • System re-evaluation
    • Threat modeling methodologies
      • Threat modeling with STRIDE
      • Threat modeling with NIST
    • Threat modeling use case
      • Equifax data breach summary
      • Threat modeling for ABCompany
      • Advanced threat modeling with SIEM
    • User behavior logic
      • Benefits of UBA
      • UBA selection guide – how it works
    • Adversary analysis techniques
      • Adversary attack preparation
      • Attack preparation countermeasures
      • Adversary attack execution
      • Attack execution mitigation procedures
    • Summary
  • Chapter 7: Threat Intelligence Data Sources
    • Technical requirements
    • Defining the right sources for threat intelligence
      • Internal threat intelligence sources
      • External threat intelligence sources
      • Organization intelligence profile
      • Threat feed evaluation
      • Threat data quality assessment
    • Open Source Intelligence Feeds (OSINT)
      • Benefits of open source intelligence
      • Open source intelligence portals
      • OSINT platform data insights (OSINT framework)
      • OSINT limitations and drawbacks
    • Malware data for threat intelligence
      • Benefits of malware data collection
      • Malware components
      • Malware data core parameters
    • Other non-open source intelligence sources
      • Benefits of paid intelligence
      • Paid threat intelligence challenges
      • Some paid intelligence portals
    • Intelligence data structuring and storing
      • CTI data structuring
      • CTI data storing requirements
      • Intelligence data storing strategies
    • Summary
  • Chapter 8: Effective Defense Tactics and Data Protection
    • Technical requirements
    • Enforcing the CIA triad – overview
      • Enforcing and maintaining confidentiality
      • Enforcing and maintaining integrity
      • Enforcing and maintaining availability
    • Challenges and pitfalls of threat defense mechanisms
      • Data security top challenges
      • Threat defense mechanisms' pitfalls
    • Data monitoring and active analytics
      • Benefits of system monitoring
      • High-level architecture
      • Characteristics of a reliable monitoring system
    • Vulnerability assessment and data risk analysis
      • Vulnerability assessment methodology
      • Vulnerability assessment process
      • Vulnerability assessment tools
      • Vulnerability and data risk assessment
    • Encryption, tokenization, masking and quarantining
      • Encryption as a defense mechanism
      • Tokenization as a defense mechanism
      • Masking and quarantining
    • Endpoint management
      • Reliable endpoint management requirements
      • Mobile endpoint management
      • Endpoint data breach use case – point of sale
    • Summary
  • Chapter 9: AI Applications in Cyber Threat Analytics
    • Technical requirements
    • AI and CTI
      • Cyber threat hunting
      • How adversaries can leverage AI
    • AI's position in the CTI program and security stack
    • AI integration – the IBM QRadar Advisor approach
      • QRadar simplified architecture
      • Deploying QRadar
      • What's in it for you or your organization?
    • Summary
  • Chapter 10: Threat Modeling and Analysis – Practical Use Cases
    • Technical requirements
    • Understanding the analysis process
    • Intrusion analysis case – how to proceed
      • Indicator gathering and contextualization
      • Pivoting through available sources
      • Classifying the intelligence according to CTI frameworks
      • Memory and disk analysis
      • Malware data gathering
      • Malware analysis and reverse engineering
      • Analyzing the exfiltrated data and building adversary persona
      • Analyzing the malicious files
      • Gathering early indicators – Reconnaissance
      • The Cyber Kill Chain and Diamond model
    • MISP for automated threat analysis and storing
      • MISP feed management
      • MISP event analysis
    • Summary
  • Section 3: Integrating Cyber Threat Intelligence Strategy to Business processes
  • Chapter 11: Usable Security: Threat Intelligence as Part of the Process
    • Technical requirements
    • Threat modeling guidelines for secured operations
      • Usable security guidelines
      • Software application security guidelines
    • Data privacy in modern business
      • Importance of usable privacy in modern society
      • Threat intelligence and data privacy
    • Social engineering and mental models
      • Social engineering and threat intelligence
      • Mental models for usability
    • Intelligence-based DevSecOps high-level architecture
    • Summary
  • Chapter 12: SIEM Solutions and Intelligence-Driven SOCs
    • Technical requirements
    • Integrating threat intelligence into SIEM tools – Reactive and proactive defense through SIEM tools
      • System architecture and components of a SIEM tool
      • SIEM for security – OTX and OSSIM use case
    • Making SOCs intelligent – Intelligence-driven SOCs
      • Security operations key challenges
      • Intelligence into security operations
    • Threat intelligence and IR
      • IR key challenges
      • Integrating intelligence in IR
    • Integrating threat intelligence into SIEM systems
    • Summary
  • Chapter 13: Threat Intelligence Metrics, Indicators of Compromise, and the Pyramid of Pain
    • Technical requirements
    • Understanding threat intelligence metrics
      • Threat intelligence metrics requirements
      • Threat intelligence metrics baseline
    • IOCs, the CTI warhead
      • The importance of IOCs
      • Categories of IOCs
      • Recognizing IOCs
    • PoP, the adversary padlock
      • PoP indicators
      • Understanding the PoP
      • Understanding the seven Ds of the kill chain action
    • Understanding IOAs
    • Summary
  • Chapter 14: Threat Intelligence Reporting and Dissemination
    • Technical requirements
    • Understanding threat intelligence reporting
      • Types of threat intelligence reports
      • Making intelligence reports valuable
      • An example of a threat intelligence report template
      • Threat intelligence report writing tools
    • Building and understanding adversaries' campaigns
      • Naming adversary campaigns
      • Advanced persistent threats (APTs) – a quick overview
      • Tracking threat actors and groups
      • Retiring threat intelligence and adversary campaigns
    • Disseminating threat intelligence
      • Challenges to intelligence dissemination
      • Strategic, tactical, and operational intelligence sharing
      • Threat intelligence sharing architectures
      • YARA rules and threat intelligence sharing formats
      • Some information sharing and collaboration platforms
    • The threat intelligence feedback loop
      • Understanding the benefits of CTI feedback loop
      • Methods for collecting threat intelligence feedback
      • The threat intelligence feedback cycle – use case
    • Summary
  • Chapter 15: Threat Intelligence Sharing and Cyber Activity Attribution – Practical Use Cases
    • Technical requirements
    • Creating and sharing IOCs
      • Use case one – developing IOCs using YARA
      • Use case two – sharing intelligence using Anomali STAXX
      • Use case three – sharing intelligence through a platform
    • Understanding and performing threat attribution
      • Use case four – building activity groups from threat analysis
      • Use case five – associating analysis with activity groups
      • Use case six – an ACH and attributing activities to nation-state groups
    • Summary
  • Index
  • About Packt
  • Other Books You May Enjoy
