Chapter I Introduction To Cyber Intelligence

• Definition
• The Need for Cyber Intelligence: the menace of targeted attacks
• The monitor-and-respond strategy
• Why the strategy is failing
• Cyber Threat Intelligence Defined
• Key Characteristics: adversary based, risk focused, process oriented, tailored for diverse consumers
• The Benefits of Cyber Threat Intelligence
Definition: cyber intelligence
• Cyber intelligence, also known as cyber threat intelligence (CTI), is the process
of collecting, analyzing, and disseminating data about cyber threats to help
organizations prevent and respond to cyberattacks.
• Purpose
• To help organizations anticipate, prevent, and respond to cyberattacks by
understanding the behavior of threat actors, their tactics, and the
vulnerabilities they exploit
• Data sources
• Includes open source intelligence, social media intelligence, human
intelligence, technical intelligence, device log files, and more
• Benefits
• Helps organizations make informed decisions about how to defend against the
most damaging attacks
• Role in an organization
• A crucial component of an organization's overall security architecture
The Need for Cyber Intelligence
• Cyber intelligence is important because it helps organizations prevent or
mitigate cyber attacks, which can be costly.
• Cyber intelligence can help organizations:
• Reduce recovery costs
• By preventing or mitigating attacks, organizations can spend fewer resources
recovering from them
• Improve preparedness
• Cyber intelligence can help organizations improve their cyber incident plans by
providing real-time analysis and insights into attack patterns and techniques.
• Identify threats
• Cyber intelligence can help organizations identify threats they are exposed to,
their motives, and how they operate.
• Prepare for threats
• Cyber intelligence can help organizations prepare for cyber threats by
providing information about them.
The monitor-and-respond strategy
• The monitor-and-respond strategy in cyber intelligence involves continuously monitoring a
computer network or system to identify and respond to cyber threats. This strategy can help
organizations minimize damage and reduce downtime by allowing them to respond to
incidents faster.
• Here are some key aspects of the monitor-and-respond strategy:
• Cyber threat monitoring
• This process involves analyzing data from various sources, such as network devices, web
applications, and user accounts. It also includes checking for known vulnerabilities in
software or hardware.
• Cyber threat intelligence
• This involves collecting, processing, and disseminating data to create actionable
intelligence. Cyber threat intelligence can be categorized as strategic, tactical, or
operational. Each type has its own purpose and uses, but when used together, they can
provide a comprehensive overview of threats.
• Threat detection and response
• This is a critical function that helps organizations find and address cyber threats before they
cause harm.
• Tools
• Tools like intrusion detection systems, firewalls, and antivirus software can be used to detect
and respond to security threats in real-time.
Why the strategy is failing
• A cybersecurity strategy can fail for a number of reasons, including:
• Insufficient investment
• Companies may not invest enough in the latest technology and expertise to stay ahead of
hackers.
• Lack of awareness
• Low security awareness among users can lead to compromised systems and networks and the
disclosure of sensitive data.
• Lack of education
• A lack of IT and communications (IT&C) security education can contribute to cybersecurity failures.
• Weak security controls
• Weak security controls and practices, such as unpatched software, can allow attackers to gain
access to sensitive information.
• Insider threats
• Individuals within an organization may intentionally or unintentionally compromise security. This
could be through malicious actions or carelessness, such as using weak passwords or falling for
phishing scams.
• A cybersecurity strategy is a plan that involves selecting and implementing best practices to
protect a business from internal and external threats. It helps organizations to better understand
their current environment and profile, and to identify inadequacies and vulnerabilities.
Cyber Threat Intelligence Defined
• Cyber threat intelligence (CTI) is a collection of information that helps
organizations understand and defend against current and future cyber
threats. CTI is a crucial component of security architecture that uses data
from threat history to block and remediate malicious attacks.
• CTI involves the following steps:
• Data collection: Gathering raw data from various sources, such as internal
logs, open-source intelligence (OSINT), and threat feeds
• Data processing: Filtering, correlating, and analyzing the raw data to create
actionable intelligence
• Data dissemination: Sharing the intelligence
• Some examples of threat intelligence include attacker identifiers, common
indicators of compromise (IoCs) such as malicious IP addresses, and TTPs.
Cyber Threat Intelligence Defined
• Threat intelligence can be divided into three categories: strategic, tactical, and operational.
• Strategic Threat Intelligence
• Strategic threat intelligence provides an overview of the organization’s
threat landscape.
• It is less technical and is mainly for executive-level security leaders, who use the
findings in the reports to drive high-level organizational strategy.
• Ideally, strategic threat intelligence provides insights like vulnerabilities and
risks associated with the organization’s threat landscape with preventive
actions, threat actors, their goals, and the severity of the potential attacks.
• Tactical intelligence:
• Tactical threat intelligence consists of more specific details on threat actors
TTP and is mainly for the security team to understand the attack vectors.
• Intelligence gives them insights on how to build a defense strategy to
mitigate those attacks.
• The report includes the vulnerabilities in the security systems that attackers
could take advantage of and how to identify such attacks.
• The findings are used to strengthen the existing security controls and defense
mechanisms and help to remove the vulnerabilities in the network.
• Operational intelligence:
• Operational threat intelligence focuses on knowledge about the attacks.
• It gives detailed insights on factors like nature, motive, timing, and how an
attack is carried out.
• Typically, the information is gathered from hacker chat rooms or their online
discussions through infiltration, which makes it difficult to obtain.
• Challenges in gathering operational Intelligence:
• Threat actors usually communicate over encrypted or private chat rooms, and
access to these channels is not easy.
• It is not easy to manually gather relevant intelligence from the huge volume of data in chat
rooms or other communication channels.
• Threat groups may use confusing and ambiguous language so that outsiders
cannot understand their conversation.
Key Characteristics
• Cyber threat intelligence (CTI) has several key characteristics, including:
• Timely: CTI should be available in time to be translated into action.
• Relevant: CTI should be applicable to the target environment.
• Accurate: CTI should be accurate and have a low number of false positives.
• Specific: Detailed and specific CTI can help defenders choose appropriate
countermeasures.
• Actionable: CTI should identify the concrete actions defenders need to take, and
the data they need, to respond to the threat.
• CTI can take many forms, including written reports, observations of IP
addresses, domains, file hashes, and other artifacts. Data can be presented
in charts and graphs to help analysts gather information more efficiently and
reduce the risk of overlooking critical information.
Key Characteristics
Adversary Intelligence
• Adversary intelligence is information about cyber attackers and their capabilities.
• It can help security professionals identify and stop cyber attacks.
What is adversary intelligence used for?
• It can be used to: Detect and respond to threats faster, Confuse and misdirect attackers,
Map adversary behavior and objectives, and Gather data on multiple threat types.
• Identifying threats: Adversary intelligence can help identify threats, such as the methods an
attacker uses to launch an attack
• Stopping attacks: Adversary intelligence can help stop attacks by providing information on
how to identify and respond to them
• Protecting assets: Adversary intelligence can help protect digital assets from cyber attacks
• Adversary-focused threat intelligence can include IoCs (indicators of compromise),
malicious IP addresses, and TTPs.
• Such intelligence can be fed, as detection and blocking rules, into tools such as SIEMs (Security
Information and Event Management), EDR (Endpoint Detection and Response), and
XDR (Extended Detection and Response).
Adversary Intelligence
• Indicators of compromise (IoCs) are technical signs that malicious actors have gained unauthorized access to a
system.
• Some examples of IoCs include:
• Unusual network traffic: An increase in outbound traffic from a specific server, or traffic from an unknown IP
address
• Privileged account irregularities: Unexpected use of admin accounts, or changes to access settings
• Geographical anomalies: An increase in traffic from a region that doesn't normally generate a lot of traffic
• Increase in database reads: A large volume of database reads, especially for sensitive files, could indicate an
intruder
• High authentication failures: Repeated failed login attempts, or a successful login after multiple failed attempts
• Registry and system changes: Suspicious changes to settings, the Windows Registry, or files
• Unusual DNS requests: Anomalous query traffic to DNS servers, such as unusually high volumes or
random-looking names
• Malicious file hashes: Hash values of known malware samples, used to identify infections and breach attempts
• Tactics, techniques, and procedures (TTPs): Observed attacker behaviour, for example malware deployment,
cryptojacking, and exfiltration of confidential data
• Network artifacts: Examples include user accounts, logs, and misconfigurations
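The IoC heuristics in the list above can be turned into simple detection logic. The following Python is an added example, not code from the chapter: it runs two of the indicators (a successful login after repeated failures, and unusual DNS queries) over constructed log lines. The log formats, the thresholds, and the entropy heuristic for random-looking domain labels are assumptions; in practice the input would be SIEM or EDR data rather than inline strings.

```python
"""Added example: simple IoC detection over constructed log lines.

Example code, not from the chapter. The log formats and thresholds are
assumptions; a real deployment would read SIEM/EDR output instead.
"""
import math
import re
from collections import defaultdict

# Constructed sample auth log (syslog-like; not captured from a real host).
AUTH_LOG = """\
2024-03-01T08:00:01 sshd[101]: Failed password for admin from 203.0.113.5 port 51000
2024-03-01T08:00:03 sshd[101]: Failed password for admin from 203.0.113.5 port 51001
2024-03-01T08:00:05 sshd[101]: Failed password for admin from 203.0.113.5 port 51002
2024-03-01T08:00:07 sshd[101]: Failed password for admin from 203.0.113.5 port 51003
2024-03-01T08:00:09 sshd[101]: Failed password for admin from 203.0.113.5 port 51004
2024-03-01T08:00:11 sshd[101]: Accepted password for admin from 203.0.113.5 port 51005
2024-03-01T08:05:00 sshd[102]: Failed password for alice from 198.51.100.7 port 40000
2024-03-01T08:05:30 sshd[102]: Accepted password for alice from 198.51.100.7 port 40001
"""

# Constructed sample DNS query log: "<client> <queried name>" per line.
DNS_LOG = """\
10.0.0.12 www.example.com
10.0.0.12 mail.example.com
10.0.0.44 a7f3k9q2z8x1v6b4n0m5c3.example.net
10.0.0.44 q8w2e7r1t5y9u3i0o4p6a1.example.net
10.0.0.12 cdn.example.org
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def detect_brute_force_success(log_text, fail_threshold=4):
    """Flag (ip, user) pairs that logged in successfully right after at least
    fail_threshold consecutive failures. Returns (ip, user, failures) tuples."""
    streak = defaultdict(int)   # consecutive failures per (ip, user)
    hits = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            streak[key] += 1
        else:
            if streak[key] >= fail_threshold:
                hits.append((m["ip"], m["user"], streak[key]))
            streak[key] = 0     # a success resets the streak
    return hits


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_unusual_dns(log_text, min_label_len=20, min_entropy=3.5):
    """Flag queries whose leftmost label is long and high-entropy, a common
    heuristic for DGA domains or DNS tunnelling. Returns (client, name) tuples.
    Thresholds are assumptions and would be tuned per environment."""
    hits = []
    for line in log_text.splitlines():
        client, name = line.split()
        label = name.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits.append((client, name))
    return hits


if __name__ == "__main__":
    print(detect_brute_force_success(AUTH_LOG))
    print(detect_unusual_dns(DNS_LOG))
```

Both detectors are deliberately stateless beyond a single pass so they can be dropped into a batch job or a streaming consumer; the interesting design point is that the brute-force rule fires only on the success event, which is the moment that turns "high authentication failures" from noise into an actual compromise indicator.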
Risk focused
• Risk-based cybersecurity is a strategy that helps organizations identify security gaps
and fill them in.
• Here are some ways that risk-based cybersecurity and CTI can help organizations:
• Identify gaps
• A risk-based approach can help organizations identify gaps in their security strategy.
• Prevent attacks
• CTI can help organizations prevent or mitigate attacks by providing knowledge about who is
attacking, why, and how to spot signs of a compromise.
• Analyze threat data
• CTI analyzes threat data to reveal patterns and predict the behavior of cyber attackers.
• Share and manage intelligence
• Standards like STIX (Structured Threat Information Expression), a language and serialization
format for describing threats, and TAXII (Trusted Automated Exchange of Intelligence Information),
an HTTPS-based protocol for exchanging STIX content, help organizations share, correlate, and manage
cyber threat intelligence.
• Some common cyber threats include: Ransomware, Phishing, Data leakage, Hacking,
and Insider threat
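The "data dissemination" step of the CTI process and the STIX/TAXII bullet above come together when intelligence is packaged as STIX objects that consumers match against their own telemetry. The following Python is an added example, not code from the chapter or from the OASIS STIX/TAXII projects: it hand-builds a STIX 2.1 bundle with two indicators using only the standard library, serializes it as a TAXII collection would serve it, and matches the indicator patterns against constructed events. The indicator names, the documentation-range IP and example domains, the event field naming, and the pattern parser (equality comparisons joined by OR only) are all assumptions; real tooling would use the stix2 library and a TAXII 2.1 server.

```python
"""Added example: STIX 2.1 indicators built by hand and matched against events.

Example code, not from the chapter. Uses only the standard library; real
deployments would use the `stix2` library and exchange bundles via TAXII 2.1.
All values below are constructed (documentation IP range, example domains).
"""
import json
import re
import uuid

STIX_VERSION = "2.1"


def make_indicator(pattern, name, valid_from="2024-03-01T00:00:00.000Z"):
    """Return a STIX 2.1 Indicator SDO as a dict with its required fields."""
    return {
        "type": "indicator",
        "spec_version": STIX_VERSION,
        "id": f"indicator--{uuid.uuid4()}",
        "created": valid_from,
        "modified": valid_from,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": valid_from,
    }


def make_bundle(objects):
    """Wrap SDOs in a STIX 2.1 Bundle, the unit a TAXII collection serves."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def build_sample_bundle():
    """Constructed producer-side bundle: one C2 IP, two phishing domains."""
    return make_bundle([
        make_indicator("[ipv4-addr:value = '203.0.113.5']", "C2 server"),
        make_indicator(
            "[domain-name:value = 'bad.example.net' OR "
            "domain-name:value = 'evil.example.org']",
            "Phishing domains",
        ),
    ])


def to_json(bundle):
    """Dissemination: the JSON text a TAXII server would return."""
    return json.dumps(bundle, indent=2)


def from_json(text):
    """Consumer side: parse a received bundle."""
    return json.loads(text)


# One comparison expression: object-type:property = 'value'.
# Assumption: only equality comparisons joined by OR are supported.
_CMP_RE = re.compile(r"([A-Za-z][\w-]*):([\w.]+)\s*=\s*'([^']*)'")


def pattern_terms(pattern):
    """Extract (object_type, property, value) triples from a simple pattern."""
    return _CMP_RE.findall(pattern)


def match_events(bundle, events):
    """Return (indicator name, event) pairs for every event whose field
    '<object_type>:<property>' equals one of the indicator's values."""
    hits = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        terms = pattern_terms(obj["pattern"])
        for ev in events:
            if any(ev.get(f"{t}:{p}") == v for t, p, v in terms):
                hits.append((obj["name"], ev))
    return hits


# Constructed consumer-side events (e.g. flow and DNS records from a SIEM).
EVENTS = [
    {"src": "10.0.0.12", "ipv4-addr:value": "203.0.113.5"},
    {"src": "10.0.0.44", "domain-name:value": "bad.example.net"},
    {"src": "10.0.0.12", "domain-name:value": "www.example.com"},
]

if __name__ == "__main__":
    received = from_json(to_json(build_sample_bundle()))
    for name, ev in match_events(received, EVENTS):
        print(f"{name}: {ev}")
```

The round trip through to_json/from_json is the point of the standard: the producer never needs to know which SIEM the consumer runs, and the consumer only needs a pattern evaluator. The toy parser here handles a single comparison operator; the full STIX patterning grammar (AND, FOLLOWEDBY, time windows, hash properties) is considerably larger, which is why production code delegates it to a library.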
Process oriented
• From spying, to law enforcement, to competitive analysis, all successful
intelligence programs follow the same basic process (Figure 1).
The Benefits of Cyber Threat Intelligence
• Cyber threat intelligence (CTI) can provide a number of benefits to organizations,
including:
• Incident response
• CTI can help incident response teams make informed decisions and contain threats,
reducing downtime and damage.
• Cost savings
• CTI can help prevent cybercrimes and reduce the impact of future incidents, saving
money on recovery and remediation.
• Risk assessment
• CTI can help companies understand the threat landscape and assess the risks
associated with specific threats.
The Benefits of Cyber Threat Intelligence
• Security team efficiency
• CTI can help security teams achieve and maintain network security.
• Sharing of threat intelligence data
• Sharing threat intelligence data can help multiple organizations fortify their defenses
simultaneously.
• Threat detection
• CTI can help block IP addresses and domains that have been observed in malicious
activity.
• Enhanced security posture
• CTI can help organizations identify vulnerabilities and implement countermeasures.
• CTI can also help executive managers understand what threats are relevant to their
organization so they can make data-based budget recommendations.
