
Definitive Guide to Cyber Threat Intelligence

Authors and Contributions

  • Jon Friedman and Mark Bouchard, CISSP

  • Foreword by John P. Watters

  • Additional contributions by Jonathan Couch and Matt Hartley

Publisher Information

  • Published by: CyberEdge Group, LLC, Annapolis, MD

  • Copyright: © 2015, CyberEdge Group, LLC

  • ISBN: 978-0-9961827-0-6 (paperback); 978-0-9961827-1-3 (eBook)


About iSIGHT Partners

  • Leading provider of global cyber threat intelligence.

  • Key Offerings:

    • Deep analyses of adversaries and their tactics.

    • Rich threat context for security teams to counter advanced attacks.

    • Narrative reports and detailed threat data delivered through a customer portal and an API.

  • Research Team:

    • Distributed across 16 countries with local expertise.

    • Supported by 20+ technical data collection systems: sensors, honeypots, etc.

  • Customer Base: Includes top U.S. and global brands, government entities, and various industries.


Introduction to Cyber Threat Intelligence

  • Definition: Knowledge about adversaries and their motivations, intentions, and methods, aimed at protecting critical assets.

  • Importance: Major cyber threats now dominate the headlines, so understanding cyber threat intelligence is crucial for IT professionals.

  • Goal of the Guide: Address critical questions regarding cyber threat intelligence and offer structured guidelines for implementing programs.


Chapters Overview

  • Chapter 1: Defining Cyber Threat Intelligence

    • Reasons for necessity, key characteristics, and benefits.

  • Chapter 2: Developing Cyber Threat Intelligence Requirements

    • Importance of asset and adversary prioritization.

  • Chapter 3: Collecting Cyber Threat Information

    • Types of threat indicators and data collection methods.

  • Chapter 4: Analyzing and Disseminating Intelligence

    • Validation, prioritization, and dissemination methods.

  • Chapter 5: Utilizing Cyber Threat Intelligence

    • Applications at tactical, operational, and strategic levels.

  • Chapter 6: Implementing an Intelligence Program

    • Strategic roadmap and best practices for enhancement.

  • Chapter 7: Selecting Cyber Threat Intelligence Partners

    • Criteria and types of partners available.

Helpful Icons

  • TIP: Practical advice for application.

  • DON’T FORGET: Key information highlights.

  • CAUTION: Warnings for potential pitfalls.

  • TECH TALK: Technical content for IT practitioners.

  • ON THE WEB: URLs for additional resources.


Chapter 1: Defining Cyber Threat Intelligence

Importance of Cyber Threat Intelligence

  • The shift from mass attacks to targeted attacks necessitates advanced threat intelligence.

Characterizing Cyber Threat Intelligence

  • Adversary-based: Focuses on specific actors (criminals, state actors).

  • Risk-focused: Prioritizes risks to critical assets.

  • Process-oriented: Structured collection and analysis methods.

  • Tailored to diverse consumers: Information shaped for different audiences, such as SOC analysts and executives.

Benefits

  • Improves situational awareness and prioritization of security efforts across levels.


Chapter 2: Developing Cyber Threat Intelligence Requirements

Essential Asset Prioritization

  • Assets: Includes personal information, intellectual property, and credentials.

  • Risk Assessment: Assessing the impact of potential information loss and determining adversaries targeting these assets.

Types of Adversaries

  • Cybercriminals, cyber espionage agents, and hacktivists, each with distinct targets and methodologies.


Chapter 3: Collecting Cyber Threat Information

Levels of Information Collection

  1. Threat Indicators: Initial signs of compromise (e.g., file hashes, domain reputation).

  2. Threat Data Feeds: Detailed correlation of indicators for patterns and trends.

  3. Strategic Intelligence: Insights on motivations, intents, and methods from underground sources.

Collection Sources

  • Combining internal data with external feeds and reports for a robust intelligence picture.


Chapter 4: Analyzing and Disseminating Cyber Threat Intelligence

Transitioning from Information to Intelligence

  • Key Steps: Validating and prioritizing data, ensuring relevance.

Reporting Formats

  • Customizing intelligence output to meet the needs of different stakeholders.


Chapter 5: Using Cyber Threat Intelligence

Tactical Level Applications

  • Enhances operational techniques across IT operations, incident response, and management communications.

  • Functionality: Helps prioritize actions, improve screening protocols, and assess threats.


Chapter 6: Implementing an Intelligence Program

Development Stages

  1. Develop Strategic Roadmaps: Align intelligence activities with business risks.

  2. Perform Gap Analysis: Identify and mitigate vulnerabilities in defenses.

  3. Create a Knowledge Base: Store and manage intelligence for correlation and historical analysis.
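
Added example, not code from the book: a small Python sketch of the pipeline described in Chapters 3, 4 and 6, where indicators from external feeds are validated and de-duplicated (Chapter 4), stored in a knowledge base (Chapter 6), and correlated against internal telemetry weighted by the asset criticality set in Chapter 2. All feed entries, host names and log lines are constructed for the example.

```python
import re

H = "a" * 64  # constructed SHA-256 value, not a real sample hash

# Constructed feed entries: one malformed hash and one malformed domain are
# included to show validation dropping them; the hash appears twice to show
# de-duplication across sources.
FEED = [
    {"type": "sha256", "value": H, "confidence": 90, "source": "vendor-feed"},
    {"type": "sha256", "value": H, "confidence": 70, "source": "isac-share"},
    {"type": "sha256", "value": "notahash", "confidence": 95, "source": "vendor-feed"},
    {"type": "domain", "value": "bad.example.invalid", "confidence": 80, "source": "vendor-feed"},
    {"type": "domain", "value": "bad domain", "confidence": 80, "source": "vendor-feed"},
]

# Asset criticality from the requirements step (Chapter 2); higher is more critical.
ASSET_CRITICALITY = {"hr-db-01": 5, "payroll-01": 4, "kiosk-07": 1}

# Constructed internal telemetry lines: "<timestamp> <host> <field> <value>".
INTERNAL_LOGS = "\n".join([
    f"2015-03-01T10:00:00Z kiosk-07 sha256 {H}",
    "2015-03-01T10:05:00Z hr-db-01 domain BAD.example.invalid",
    "2015-03-01T10:06:00Z payroll-01 domain benign.example.invalid",
])

VALIDATORS = {
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "domain": re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$"),
}

def build_knowledge_base(feed):
    """Validate, normalize and de-duplicate feed entries into a knowledge base."""
    kb = {}
    for entry in feed:
        value = entry["value"].lower()
        rx = VALIDATORS.get(entry["type"])
        if rx is None or not rx.match(value):
            continue  # malformed indicator: never lands in the knowledge base
        rec = kb.setdefault((entry["type"], value), {"confidence": 0, "sources": set()})
        rec["confidence"] = max(rec["confidence"], entry["confidence"])
        rec["sources"].add(entry["source"])
    return kb

def correlate(kb, logs, criticality):
    """Match telemetry against the knowledge base; score = confidence * asset criticality."""
    hits = []
    for line in logs.splitlines():
        ts, host, field, value = line.split()
        rec = kb.get((field, value.lower()))
        if rec is None:
            continue
        hits.append({"time": ts, "host": host, "indicator": value.lower(),
                     "score": rec["confidence"] * criticality.get(host, 1),
                     "sources": sorted(rec["sources"])})
    return sorted(hits, key=lambda h: h["score"], reverse=True)
```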


Chapter 7: Selecting Cyber Threat Intelligence Partners

Types of Partners

  • Providers of threat indicators, threat data feeds, and comprehensive intelligence.

Selection Criteria

  • Critical factors include global reach, the extent of service, and historical data management.


Glossary of Terms

  • APT: Advanced Persistent Threat - an ongoing malicious threat targeting a specific entity.

  • IOC: Indicator of Compromise - artifacts indicating possible breaches.

  • PII: Personally Identifiable Information - information that identifies individuals.

  • TTPs: Tactics, Techniques, and Procedures used by adversaries for attacks.
