Practical Cyber Intelligence: How action-based intelligence can be an effective response to incidents

Your one-stop solution to implement a Cyber Defense Intelligence program into your organisation.

Key Features
• Intelligence processes and procedures for response mechanisms
• Master F3EAD to drive processes based on intelligence
• Threat modeling and intelligent frameworks
• Case studies and how to go about building intelligent teams

Book Description
Cyber intelligence is the missing link between your cyber defense operation teams, threat intelligence, and IT operations to provide your organization with a full spectrum of defensive capabilities. This book kicks off with the need for cyber intelligence and why it is required in terms of a defensive framework. Moving forward, the book provides a practical explanation of the F3EAD protocol with the help of examples. Furthermore, we learn how to go about threat models and intelligence products/frameworks and apply them to real-life scenarios. By the end of this book, you will be able to boot up an intelligence program in your organization based on the operational and tactical/strategic spheres of cyber defense intelligence.

What you will learn
• Learn about the Observe-Orient-Decide-Act (OODA) loop and its applicability to security
• Understand the tactical view of active defense concepts and their application in today's threat landscape
• Get acquainted with an operational view of the F3EAD process to drive decision making within an organization
• Create a framework and Capability Maturity Model that integrates inputs and outputs from key functions in an information security organization
• Understand the idea of communicating with the Potential for Exploitability based on cyber intelligence

Who This Book Is For
This book targets incident managers, malware analysts, reverse engineers, digital forensics specialists, and intelligence analysts; experience in, or knowledge of, security operations, incident response or investigations is desirable so you can make the most of the subjects presented.

Table of Contents
1. The Need for Cyber Intelligence
2. Intelligence Development
3. Integrating Cyber Intel, Security, and Operations
4. Using Cyber Intelligence to Enable Active Defense
5. F3EAD For You and For Me
6. Integrating Threat Intelligence and Operations
7. Creating the Collaboration Capability
8. The Security Stack
9. Driving Cyber Intel
10. Baselines and Anomalies
11. Putting Out the Fires
12. Vulnerability Management
13. Risky Business
14. Assigning Metrics
15. Putting It All Together

324 pages, Kindle Edition

Published March 29, 2018

Community Reviews

5 stars: 3 (18%)
4 stars: 4 (25%)
3 stars: 6 (37%)
2 stars: 2 (12%)
1 star: 1 (6%)
Displaying 1 - 2 of 2 reviews
Chad
1,267 reviews, 1,042 followers
January 12, 2022
A decent set of instructions on integrating cyber threat intelligence (CTI) with an organization's IT operations and IT security operations. Much of the book is structured around a CTI capability maturity model, emphasizing that CTI must provide actionable intel for the organization to be worthwhile, and IT teams must communicate with each other to properly defend the organization. Unfortunately, much of the book reads like a dry, informational textbook; it would benefit from more examples showing how the concepts would play out in real life.

Here's a summary from the end of the book:
1. You and the adversary each have a decision-making cycle (OODA loop). Make your OODA loop smaller and faster by establishing priority intelligence requirements (PIRs). Be one step ahead of adversaries.
2. Use what you know (threat intel) to disrupt the adversary's decision-making cycle by understanding their Cyber Kill Chain. Create chaos (use active defense) and make attacking not worth their time.
3. Develop intelligence process throughout your organization, develop PIRs, enable communication channels back to key stakeholders using F3EAD.
4. Find weaknesses in your end-to-end processes, decrease potential attack vectors by prioritizing organization projects and using F3EAD (OODA loop and OPSEC).
5. Create a visualization (using custom dashboards) of processes and identified risks for key stakeholders; let people know if they're good, need improvement, or bad.
6. Establish custom reports that take in data from your different teams to provide prioritized, actionable items to fix, based on analysis of risk to organization.

Notes
The Need For Cyber Intelligence
OODA Loop
1. Observe: situational awareness of yourself, environment, adversaries
2. Orient: develop a mental image of the situation; diagnose, recognize, analyze changes in the environment
3. Decide: determine course of action with an acceptable degree of risk; communicate decision to those who need to know
4. Act: act in a timely, tactically sound way

Integrating Cyber Intel, Security, And Operations
OPSEC process
1. Identification of critical information
2. Analysis of threats
3. Analysis of vulnerabilities
4. Assessment of risks
5. Application of appropriate countermeasures

Using Cyber Intelligence To Enable Active Defense
Active Defense principles
• Annoyance
• Attribution
• Attack (illegal without authorization)

Goal of active defense is to block or deceive attacker into believing their attack is succeeding, by deflecting them to where you want them to go, until they decide continuing to attack isn't worth the effort.

F3EAD For You And For Me
F3EAD is a variant of and/or subprocess within the intelligence cycle that takes inputs from tactical-level collection priorities and outputs to the tactical-level analysis step.

Integrating Threat Intelligence And Operations
Threat Intelligence Platforms (TIPs)
• Cisco GOSINT
• Malware Information Sharing Platform (MISP)

The Security Stack
Defining the purpose of CTI integration
• What's the mission of the infosec program?
• What are the core services that are required in a security program that will enable me to understand and improve my security posture?
• What's been defined as the most important to the least important system, application, and data?
• How is risk defined in the organization, so I know what good and bad look like?
• Who needs to talk to who in order to get things done?
• How do I need to share info with those who need to know?

Driving Cyber Intel
Event: abnormal occurrence. Incident: occurrence that has happened or is threatening to happen to an information system's confidentiality, integrity, and/or availability.
Kristia
11 reviews, 2 followers
November 30, 2018
Honestly, I found this book really dry to read. The concepts presented are good, but possibly only useful for very large businesses.