
The Security Intelligence Handbook, Third Edition: How to Disrupt Adversaries and Reduce Risk with Security Intelligence

Security intelligence is the most powerful weapon defenders have against their adversaries.

The latest edition of our popular book paints a clear picture of security intelligence, as well as actionable guidance for disrupting the threat actors targeting your organization right now — and in the future.

The Security Intelligence Handbook is your definitive guide for proactive risk reduction. This edition has been updated to include a new foreword about the unprecedented state of cyber and physical security, a sharpened focus on six critical security functions, an expanded discussion of security intelligence’s applications for specific teams, and a new conclusion that explores the results you may achieve with security intelligence.

Audible Audio

Published January 14, 2021


Community Reviews

5 stars: 13 (27%)
4 stars: 21 (44%)
3 stars: 9 (19%)
2 stars: 4 (8%)
1 star: 0 (0%)
Review by C. (1,246 reviews, 1,022 followers)
May 6, 2022
Excellent, comprehensive overview of security intelligence (with a focus on cyber threat intelligence) from Recorded Future, a leader in that space. It's accessible, able to be understood by very technical and less-technical readers.

You can download the ebook for free (some info required).

Notes
Introduction
Terms "threat intelligence" and "security intelligence" are usually associated with info about threats to traditional IT systems. Terms "intelligence for security teams" or simply "intelligence" are broader, including third-party risk, brand protection, geopolitical risk, fraud intelligence, identity intelligence, etc., in addition to threat intel.

What Is Security Intelligence?
Data, information, intelligence
• Data: Discrete facts and stats gathered for analysis (e.g., IP addresses, URLs, hashes).
• Information: Multiple data points combined to answer specific questions (e.g., answer to question, "How many times has my organization been mentioned on social media this month?").
• Intelligence: Result of analyzing data and info to uncover patterns and provide context for decision-making. It must point toward specific decisions or actions, and be tailored for easy use by a specific person, group, system that will use it to decide or act.

Characteristics of successful security intel processes
1. Collaborative process and framework (sharing across departments)
2. 360-degree visibility (scanning wide variety and quantity of sources)
3. Extensive automation and integration (reduce manual effort; integrate with various security solutions)
4. Alignment with organization and security use cases (collect and process only info that's relevant to organization's priorities; make intel easy to use)

Types and Sources
Operational (or technical) intel
• Knowledge about active attacks, events, campaigns
• Used by defenders
• Usually sourced from machines

Strategic intel
• Broad overview of organization's entire threat landscape
• Business-oriented content for decision-making executives
• Presented through reports or briefings
• Must be created by humans
• Sources: trends and research reports from security companies, policy documents from governments or NGOs, news, published articles, SMEs

The Intelligence Life Cycle
Intelligence Life Cycle
1. Direction: set goals for intel program
2. Collection: gather info to address most important intel requirements
3. Processing: transform collected info into usable format
4. Analysis: turn info into intel to inform decisions
5. Dissemination: get finished intel output to places it's needed
6. Feedback: understand requirements and priorities of consumers of intel, adjust your process accordingly

Reports to non-technical leaders
• Be concise (1-page memo or a few slides)
• Avoid confusing terms and tech jargon
• Articulate issues in business terms
• Recommend course of action

SecOps Intelligence Part 1 – Triage
Organizations can only investigate 48% of security alerts they receive, and of those investigated, only 26% are legitimate.

Vulnerability Intelligence
Most zero days are just variations on a theme, exploiting old vulnerabilities in slightly different ways. So rather than focusing on zero days, identify and patch vulnerabilities in software your organization uses.

If a vulnerability isn't exploited within 2 weeks to 3 months after it's announced, it's unlikely that it will ever be exploited. So it's not a priority to patch old vulnerabilities.

"Your goal should not be to patch the most vulnerabilities, or even the most zero-day threats, but rather to identify and address the vulnerabilities most likely to be exploited against your organization."

The value of vulnerability databases is limited by their focus on technical exploitability rather than active exploitation, and that they're updated too slowly to warn against rapidly-spreading threats.

By cross-referencing info from multiple sources, you can focus on vulnerabilities that present the greatest actual risk, rather than racing to patch everything.

Threat Intelligence Part 1 - Knowing Attackers
Dark web communities
• Low-tier underground forums
• Higher-tier dark web forums
• Dark web markets
• Many actors post in both low-tier and higher-tier forums, but markets are largely disconnected from forums

Third-Party Intelligence
55% of organizations have had a breach originating with a 3rd party. 29% believe their partners would notify them of compromise.

3rd-party risks to monitor
• Ransomware
• Data breaches
• Malicious network activity
• Exposed credentials
• Plotting on dark web

Analytical Frameworks for Security Intelligence
Cyber Kill Chain
• Describes 7 stages of attack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives (exfiltration).
• Doesn't account for many modern attacks (e.g., phishing skips exploitation phase).

Diamond Model
• Used to track attack groups over time, not progress of individual attacks.
• The diamond for an attacker isn't static; it evolves as attacker adjusts TTPs and changes infrastructure and targets.
• Tracks adversary (attacker), capability, infrastructure (used by attacker), victim. Can also track phase, result, direction, methodology, resources.
• Diamonds require a lot of maintenance, as aspects can change rapidly.

MITRE frameworks
• Trusted Automatic Exchange of Intelligence Information (TAXII): transport protocol that enables organizations to share intel and use API commands to extract intel.
• Structured Threat Information eXpression (STIX): standard format for presenting intel.
• Cyber Observable eXpression (CybOX): method for tracking observables from cybersecurity incidents.

MITRE ATT&CK
• Tracks adversary behavior over time.
• Describes indicators and tactics associated with specific adversaries.
• 14 tactic categories: reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, impact.

Intelligence Data Sources and Types: A Framework
DWINT: dark web intelligence

Rules
• YARA rules describe unique strings and byte patterns in files, so security products can identify, classify, and block malware.
• Sigma rules are threat signatures for SIEMs, to identify log events associated with attacks.
• Snort rules help IDS/IPS systems identify malicious network activity (scans, probes, etc.).

Your Intelligence Journey
Intelligence report contents
• Probable threat actor(s)
• TTPs
• Likely targets in org
• Whether threat represents real danger to org
• Likelihood that existing security controls can mitigate threat
• Recommended actions

Developing Your Core Security Intelligence Team
Intel team skills
• Correlating external data with internal telemetry
• Reverse-engineering malware and reconstructing attacks (forensics)
• Providing threat situational awareness and recommendations for security controls
• Proactively hunting internal threats
• Data engineering and signature detection for YARA, Sigma, etc.
• Educating employees and customers about cyber threats
• Engaging with wider intel community
• Identifying and managing info sources
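The Rules notes above describe Sigma rules as threat signatures a SIEM applies to log events. As an added example (written for this page, not code from the book or from Recorded Future), here is a minimal evaluator for a Sigma-style detection, following Sigma's selection/condition structure but expressed as a Python dict so it runs with the standard library only. The rule, the allow-listed parent process name and the process-creation events are all constructed for illustration; the value after -enc is a placeholder, not real encoded content.

```python
"""Minimal Sigma-style rule evaluator over constructed process-creation logs.

Added example for this page; not code from the book or from Recorded Future.
The rule follows Sigma's structure (detection -> named selections -> condition)
but is a Python dict rather than YAML. Rule, allow-listed parent process and
log events are all constructed for illustration.
"""

# Constructed rule. "field|modifier" keys follow Sigma's convention; a dict
# selection ANDs its fields, and a list value ORs its alternatives.
RULE = {
    "title": "Encoded PowerShell command line (illustrative)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {
            # Hypothetical deployment tool that legitimately runs encoded commands.
            "ParentImage|endswith": "\\trusted_deploy_agent.exe",
        },
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed events; the value after -enc is a placeholder, not real content.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"id": 1, "Image": PS, "CommandLine": "powershell.exe -enc QQBBAEEA",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 2, "Image": PS, "CommandLine": "powershell.exe -File backup.ps1",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 3, "Image": PS, "CommandLine": "powershell.exe -EncodedCommand QQBBAEEA",
     "ParentImage": r"C:\Program Files\Deploy\trusted_deploy_agent.exe"},
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo -enc",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def field_matches(event, field_spec, expected):
    """Apply one 'field|modifier' test; comparisons are case-insensitive, as in Sigma."""
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()
    for exp in (expected if isinstance(expected, list) else [expected]):
        exp = str(exp).lower()
        if modifier == "contains" and exp in actual:
            return True
        if modifier == "startswith" and actual.startswith(exp):
            return True
        if modifier == "endswith" and actual.endswith(exp):
            return True
        if modifier == "" and actual == exp:
            return True
    return False


def eval_condition(condition, truth):
    """Evaluate a condition of 'and', 'or', 'not' and parentheses over selection results."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            value = parse_and() or value  # right side parsed first to consume its tokens
        return value

    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            value = parse_not() and value
        return value

    def parse_not():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        return parse_atom()

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = parse_or()
            pos += 1  # consume ')'
            return value
        return truth[tok]

    return parse_or()


def rule_matches(rule, event):
    """True when the event satisfies the rule's condition over its named selections."""
    detection = rule["detection"]
    truth = {name: all(field_matches(event, f, v) for f, v in spec.items())
             for name, spec in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], truth)


def run_rule(rule, events):
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    print(RULE["title"], "->", run_rule(RULE, EVENTS))  # [1]
```

Only event 1 fires: event 2 has no encoded-command switch, event 4 is not PowerShell, and event 3 is suppressed by the filter selection because its parent is the allow-listed deployment agent. That last case is the point of the "and not filter" idiom: the signature describes the attack pattern, and the filter carries the organization's own knowledge of benign exceptions.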
Review by C. (1,246 reviews, 1,022 followers)
June 27, 2022
Excellent, comprehensive overview of cyber threat intelligence (CTI) from Recorded Future, a leader in that space. It's accessible, able to be understood by technical and non-technical readers.

You can download the ebook for free (some personal info required).

Notes
Foreword
Principles of effective security intelligence
1. Focus on disrupting the adversaries most likely to target you, and make their lives as challenging as possible using security intel.
2. Security intel must provide timely, clear, actionable context required to make fast, informed decisions and take effective action. Intel must get everyone in organization on same page.
3. People and machines work better together. Machines are better at processing and categorizing raw data. Humans are better at intuitive, big-picture analysis.
4. Security intel isn't a separate domain of security; it's the context required by every security role.

Introduction
Term "threat intelligence" is usually associated with info about threats to traditional IT systems. Term "security intelligence" is broader, including third-party risk, brand protection, geopolitical risk, etc. in addition to threat intel.

What Is Security Intelligence?
Data, information, intelligence
• "Data" is discrete facts and stats gathered for analysis (e.g., IP addresses, URLs, hashes).
• "Information" is multiple data points combined to answer specific questions (e.g., answer to question, "How many times has my organization been mentioned on social media this month?").
• "Intelligence" is result of analyzing data and info to uncover patterns and provide context for decision-making. It must point toward specific decisions or actions, and be tailored for easy use by a specific person, group, system that will use it to decide or act.

Characteristics of successful security intel processes
1. Collaborative process and framework (sharing across departments)
2. 360-degree visibility (scanning wide variety and quantity of sources)
3. Extensive automation and integration (reduce manual effort; integrate with various security solutions)
4. Alignment with organization and security use cases (collect and process only info that's relevant to organization's priorities; make intel easy to use)

Types and Sources
Operational (technical) intel
• Knowledge about active attacks, events, campaigns
• Used by defenders
• Usually sourced from machines

Strategic intel
• Broad overview of organization's entire threat landscape
• Business-oriented content for decision-making executives
• Presented through reports or briefings
• Must be created by humans
• Sources: policy documents, news, white papers, research reports

The Security Intelligence Lifecycle
Security Intelligence Lifecycle
1. Direction: set goals for security intel program
2. Collection: gather info to address most important intel requirements
3. Processing: transform collected info into usable format
4. Analysis: turn info into intel to inform decisions
5. Dissemination: get finished intel output to places it's needed
6. Feedback: understand requirements and priorities of consumers of intel, adjust your process accordingly

SecOps Intelligence Part 1 – Triage
Organizations can only investigate 48% of security alerts they receive, and of those investigated, only 26% are legitimate.

Vulnerability Intelligence
Most zero days are just variations on a theme, exploiting old vulnerabilities in slightly different ways. So rather than focusing on zero days, identify and patch vulnerabilities in software your organization uses.

If a vulnerability isn't exploited within 2 weeks to 3 months after it's announced, it's unlikely that it will ever be exploited. So it's not a priority to patch old vulnerabilities.

"Your goal should not be to patch the most vulnerabilities, or even the most zero-day threats, but rather to identify and address the vulnerabilities most likely to be exploited against your organization."

The value of vulnerability databases is limited by their focus on technical exploitability rather than active exploitation, and that they're updated too slowly to warn against rapidly-spreading threats.

By cross-referencing info from multiple sources, you can focus on vulnerabilities that present the greatest actual risk, rather than racing to patch everything.

Analytical Frameworks for Security Intelligence
Cyber Kill Chain
• Describes 7 stages of attack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives (exfiltration).
• Doesn't account for many modern attacks (e.g., phishing skips exploitation phase).

Diamond Model
• Used to track attack groups over time, not progress of individual attacks.
• The diamond for an attacker isn't static; it evolves as attacker adjusts TTPs and changes infrastructure and targets.
• Tracks adversary (attacker), capability, infrastructure (used by attacker), victim. Can also track phase, result, direction, methodology, resources.
• Diamonds require a lot of maintenance, as aspects can change rapidly.

MITRE frameworks
• Trusted Automatic Exchange of Intelligence Information (TAXII): transport protocol that enables organizations to share intel and use API commands to extract intel.
• Structured Threat Information eXpression (STIX): standard format for presenting intel.
• Cyber Observable eXpression (CybOX): method for tracking observables from cybersecurity incidents.

MITRE ATT&CK
• Describes indicators and tactics associated with specific adversaries.
• 12 tactic categories: initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, impact.

Developing Your Core Security Intelligence Team
Security intel team skills
• Correlating external data with internal telemetry
• Reverse-engineering malware and reconstructing attacks (forensics)
• Providing threat situational awareness and recommendations for security controls
• Proactively hunting internal threats
• Educating employees and customers about cyber threats
• Engaging with wider security intelligence community
• Identifying and managing information sources
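The Vulnerability Intelligence notes in both reviews above make the same argument: a CVSS-centric database ranks by technical exploitability, whereas cross-referencing exploitation evidence, disclosure age and your own inventory ranks by actual risk. As an added example (written for this page, not code from the book or from Recorded Future), this script scores constructed vulnerability records against constructed exploitation evidence and a constructed asset inventory, and shows how the ranking differs from sorting by CVSS alone. The CVE identifiers are placeholders of the form CVE-0000-000N, and the weights are illustrative choices, not published guidance.

```python
"""Ranking vulnerabilities by likely exploitation, not by CVSS alone.

Added example for this page; not from the book or from Recorded Future.
Every feed below is constructed: the CVE identifiers are placeholders, not
real advisories, and the inventory is invented.
"""
from dataclasses import dataclass
from datetime import date

TODAY = date(2021, 4, 1)  # fixed so the example is deterministic

# Constructed "vulnerability database" view: severity and disclosure date only.
VULN_DB = {
    "CVE-0000-0001": {"cvss": 9.8, "published": date(2021, 1, 2), "product": "webproxy"},
    "CVE-0000-0002": {"cvss": 7.5, "published": date(2021, 3, 10), "product": "mailgw"},
    "CVE-0000-0003": {"cvss": 9.1, "published": date(2020, 6, 1), "product": "legacy-erp"},
    "CVE-0000-0004": {"cvss": 6.5, "published": date(2021, 3, 20), "product": "crm"},
}

# Constructed evidence from other sources (incident reports, exploit tracking, forum chatter).
EXPLOIT_EVIDENCE = {
    "CVE-0000-0002": {"exploited_in_wild": True},
    "CVE-0000-0003": {"exploited_in_wild": False, "poc_public": True},
}

# Constructed asset inventory: product -> number of instances the organization runs.
INVENTORY = {"webproxy": 4, "mailgw": 1, "legacy-erp": 2}


@dataclass
class Prioritised:
    cve: str
    score: float
    reason: str


def score(cve, today=TODAY):
    """Combine severity, exploitation evidence, age and exposure into one priority score.

    The weights are illustrative choices for this example, not published guidance.
    """
    vuln = VULN_DB[cve]
    evidence = EXPLOIT_EVIDENCE.get(cve, {})
    assets = INVENTORY.get(vuln["product"], 0)
    if assets == 0:
        return Prioritised(cve, 0.0, "product not in inventory")

    value = vuln["cvss"] / 10.0
    reasons = []
    age_days = (today - vuln["published"]).days

    if evidence.get("exploited_in_wild"):
        value += 3.0
        reasons.append("exploited in the wild")
    elif evidence.get("poc_public"):
        value += 1.0
        reasons.append("public proof of concept only")

    # The book's heuristic: a flaw not exploited within roughly two weeks to
    # three months of disclosure is unlikely to be exploited later.
    if not evidence.get("exploited_in_wild") and age_days > 90:
        value *= 0.25
        reasons.append(f"{age_days} days old with no in-the-wild exploitation")
    elif age_days < 14:
        value += 0.5
        reasons.append("too new to judge; keep watching")

    value += min(assets, 10) / 10.0 * 0.5
    reasons.append(f"{assets} affected instance(s)")
    return Prioritised(cve, value, "; ".join(reasons))


def rank_all(today=TODAY):
    """Highest priority first."""
    return sorted((score(c, today) for c in VULN_DB), key=lambda p: p.score, reverse=True)


def rank_by_cvss_only():
    """What a severity-only feed would tell you, for comparison."""
    return sorted(VULN_DB, key=lambda c: VULN_DB[c]["cvss"], reverse=True)


if __name__ == "__main__":
    print("CVSS only:", rank_by_cvss_only())
    for p in rank_all():
        print(f"{p.cve}  {p.score:.2f}  {p.reason}")
```

Sorted by CVSS alone the two 9.x entries lead. After cross-referencing, the 7.5 flaw in the mail gateway moves to the top because it is being exploited now, the 9.1 flaw drops because it has sat unexploited for ten months, and the CRM flaw scores zero because the product is not in the inventory at all. Each record carries its reason string so the ranking can be explained to whoever owns the patch window.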
Review by A.P. Hofleitner (author of 1 book, 4 followers)
October 26, 2020
A good introduction to how to build a Threat Intelligence capability with some useful frameworks one could use. Doesn't add much new, but consolidates a lot of things that are already publicly available. Good to have on-hand and probably a must-have if you are trying to build a nascent Threat Intelligence capability at a private sector organization.
Reviewer (17 reviews)
March 19, 2019
This is a great book about Cyber Threat Intelligence and how it can help your organisation to better protect itself. It's not going deep but touches almost every important part of CTI, except for ACH (Analysis of Competing Hypotheses). It also references a lot of Recorded Future blogs and things the product can help with, but that seems kind of normal for a book written by the CEO of the company. It does not annoy the reader or falsify the content though.
