Cyber Threat Intelligence

Item no.: 9781119861744
Published: 2023
Publication date: 17.04.2023
Pages: 284
Author: Martin Lee
Weight: 598 g
Dimensions: 235x157x21 mm
Language: English
Description:

Martin Lee is Technical Lead of Security Research within Talos, Cisco's threat intelligence and research organization. Martin started his career researching the genetics of human viruses, but soon switched paths to follow a career in IT. With over 20 years of experience within the cyber security industry, he is CISSP certified, a Chartered Engineer, and holds degrees from the Universities of Bristol, Cambridge, Paris-Sud and Oxford.
CYBER THREAT INTELLIGENCE
 
"Martin takes a thorough and focused approach to the processes that rule threat intelligence, but he doesn't just cover gathering, processing and distributing intelligence. He explains why you should care who is trying to hack you, and what you can do about it when you know."
--Simon Edwards, Security Testing Expert, CEO SE Labs Ltd., Chair AMTSO
 
Effective introduction to cyber threat intelligence, supplemented with detailed case studies and after action reports of intelligence on real attacks
 
Cyber Threat Intelligence introduces the history, terminology, and techniques to be applied within cyber security, offering an overview of the current state of cyberattacks and stimulating readers to consider their own issues from a threat intelligence point of view. The author takes a systematic, system-agnostic, and holistic view to generating, collecting, and applying threat intelligence.
 
The text covers the threat environment, malicious attacks, collecting, generating, and applying intelligence and attribution, as well as legal and ethical considerations. It ensures readers know what to look out for when considering a potential cyber attack and imparts how to prevent attacks early on, explaining how threat actors can exploit a system's vulnerabilities. It also includes analysis of large-scale attacks such as WannaCry, NotPetya, SolarWinds, VPNFilter, and the Target breach, looking at the real intelligence that was available before and after the attack.
 
Topics covered in Cyber Threat Intelligence include:
* The constant change of the threat environment as capabilities, intent, opportunities, and defenses change and evolve
* Different business models of threat actors, and how these dictate the choice of victims and the nature of their attacks
* Planning and executing a threat intelligence programme to improve an organisation's cyber security posture
* Techniques for attributing attacks and holding perpetrators to account for their actions
 
Cyber Threat Intelligence describes the intelligence techniques and models used in cyber threat intelligence. It provides a survey of ideas, views and concepts, rather than offering a hands-on practical guide. It is intended for anyone who wishes to learn more about the domain, particularly if they wish to develop a career in intelligence, and as a reference for those already working in the area.
Preface
About the Author
Abbreviations
Endorsements for Martin Lee's Book
1 Introduction
1.1 Definitions
1.1.1 Intelligence
1.1.2 Cyber Threat
1.1.3 Cyber Threat Intelligence
1.2 History of Threat Intelligence
1.2.1 Antiquity
1.2.2 Ancient Rome
1.2.3 Medieval and Renaissance Age
1.2.4 Industrial Age
1.2.5 World War I
1.2.6 World War II
1.2.7 Post War Intelligence
1.2.8 Cyber Threat Intelligence
1.2.9 Emergence of Private Sector Intelligence Sharing
1.3 Utility of Threat Intelligence
1.3.1 Developing Cyber Threat Intelligence
Summary
References
2 Threat Environment
2.1 Threat
2.1.1 Threat Classification
2.2 Risk and Vulnerability
2.2.1 Human Vulnerabilities
2.2.1.1 Example - Business Email Compromise
2.2.2 Configuration Vulnerabilities
2.2.2.1 Example - Misconfiguration of Cloud Storage
2.2.3 Software Vulnerabilities
2.2.3.1 Example - Log4j Vulnerabilities
2.3 Threat Actors
2.3.1 Example - Operation Payback
2.3.2 Example - Stuxnet
2.3.3 Tracking Threat Actors
2.4 TTPs - Tactics, Techniques, and Procedures
2.5 Victimology
2.5.1 Diamond Model
2.6 Threat Landscape
2.6.1 Example - Ransomware
2.7 Attack Vectors, Vulnerabilities, and Exploits
2.7.1 Email Attack Vectors
2.7.2 Web-Based Attacks
2.7.3 Network Service Attacks
2.7.4 Supply Chain Attacks
2.8 The Kill Chain
2.9 Untargeted versus Targeted Attacks
2.10 Persistence
2.11 Thinking Like a Threat Actor
Summary
References
3 Applying Intelligence
3.1 Planning Intelligence Gathering
3.1.1 The Intelligence Programme
3.1.2 Principles of Intelligence
3.1.3 Intelligence Metrics
3.2 The Intelligence Cycle
3.2.1 Planning, Requirements, and Direction
3.2.2 Collection
3.2.3 Analysis and Processing
3.2.4 Production
3.2.5 Dissemination
3.2.6 Review
3.3 Situational Awareness
3.3.1 Example - 2013 Target Breach
3.4 Goal Oriented Security and Threat Modelling
3.5 Strategic, Operational, and Tactical Intelligence
3.5.1 Strategic Intelligence
3.5.1.1 Example - Lazarus Group
3.5.2 Operational Intelligence
3.5.2.1 Example - SamSam
3.5.3 Tactical Intelligence
3.5.3.1 Example - WannaCry
3.5.4 Sources of Intelligence Reports
3.5.4.1 Example - Shamoon
3.6 Incident Preparedness and Response
3.6.1 Preparation and Practice
Summary
References
4 Collecting Intelligence
4.1 Hierarchy of Evidence
4.1.1 Example - Smoking Tobacco Risk
4.2 Understanding Intelligence
4.2.1 Expressing Credibility
4.2.2 Expressing Confidence
4.2.3 Understanding Errors
4.2.3.1 Example - the WannaCry Email
4.2.3.2 Example - the Olympic Destroyer False Flags
4.3 Third Party Intelligence Reports
4.3.1 Tac
