Cyber Threat Intelligence
"Martin takes a thorough and focused approach to the processes that rule threat intelligence, but he doesn't just cover gathering, processing and distributing intelligence. He explains why you should care who is trying to hack you, and what you can do about it when you know."
―Simon Edwards, Security Testing Expert, CEO SE Labs Ltd., Chair AMTSO

Effective introduction to cyber threat intelligence, supplemented with detailed case studies and after action reports of intelligence on real attacks.

Cyber Threat Intelligence introduces the history, terminology, and techniques to be applied within cyber security, offering an overview of the current state of cyberattacks and stimulating readers to consider their own issues from a threat intelligence point of view. The author takes a systematic, system-agnostic, and holistic view to generating, collecting, and applying threat intelligence.

The text covers the threat environment, malicious attacks, collecting, generating, and applying intelligence and attribution, as well as legal and ethical considerations. It ensures readers know what to look out for when considering a potential cyber attack and imparts how to prevent attacks early on, explaining how threat actors can exploit a system's vulnerabilities. It also includes analysis of large scale attacks such as WannaCry, NotPetya, Solar Winds, VPNFilter, and the Target breach, looking at the real intelligence that was available before and after the attack.

Topics covered in Cyber Threat Intelligence

Cyber Threat Intelligence describes the intelligence techniques and models used in cyber threat intelligence. It provides a survey of ideas, views and concepts, rather than offering a hands-on practical guide. It is intended for anyone who wishes to learn more about the domain, particularly if they wish to develop a career in intelligence, and as a reference for those already working in the area.

304 pages, Hardcover

Published April 7, 2023


About the author

Martin Lee

1 book

Community Reviews

• 5 stars: 2 (18%)
• 4 stars: 4 (36%)
• 3 stars: 2 (18%)
• 2 stars: 2 (18%)
• 1 star: 1 (9%)
Review by Chad (1,253 reviews, 1,027 followers), August 14, 2023
Informational cyber threat intelligence primer explaining the fundamentals and providing plenty of examples of cyberattacks and threat intelligence. It doesn't go very deep into CTI, but that doesn't seem to be its purpose; it's intended as an intro to the discipline.

Lee says about the book: "It provides a survey of ideas, views, and concepts, rather than offering a hands‐on practical guide. … The day‐to‐day tools and analyses performed by threat intelligence teams may change frequently, but the theory and frameworks in which these activities take place are well developed. It is these mature, evolved disciplines that this book seeks to describe."
Notes
Introduction
COMSEC: Communications Secrecy

Threat Environment
Classification of security threats in information systems by Jouini and Aissa
• External
— Human (Malicious or Non-malicious, each having subcategories of Accidental or Intentional)
— Environmental (Non-malicious, Accidental)
— Technological (Non-malicious, Accidental)
• Internal
— Human (Malicious or Non-malicious, each having subcategories of Accidental or Intentional)
— Environmental (Non-malicious, Accidental)
— Technological (Non-malicious, Accidental)

ENISA Threat Taxonomy
• Physical attack (deliberate/intentional)
• Unintentional damage / loss of information or IT assets
• Disaster (natural, environmental)
• Failures/Malfunction
• Outages
• Eavesdropping/Interception/Hijacking
• Nefarious Activity/Abuse
• Legal

STRIDE taxonomy
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege

Intel Threat Agent Library: agents
• Hostile: anarchist, civil activist, competitor, corrupt government official, cyber vandal, data miner, employee (disgruntled), government spy, government cyberwarrior, internal spy, irrational individual, legal adversary, mobster, radical activist, sensationalist, terrorist, thief, vendor
• Non-hostile: employee (reckless), employee (untrained), information partner

Intel Threat Agent Library: agent attributes
• Intent
• Access (level of system access)
• Limits (adherence to laws or ethics)
• Resource level
• Skill level
• Objective
• Visibility

Threat actor categories
• Script kiddie
• Hacktivist
• Criminal
• State-sponsored
• APT
• Insider

David Wall's threat actor classification by behavior
• Cyber‐trespass or hacking: intruding in spaces owned by others
• Cyber‐deceptions/thefts: unauthorized acquisition of money or digital property
• Cyber‐pornography/obscenity
• Cyber‐violence: using networked systems to inflict psychological harm (e.g., hate speech, cyberstalking)

ATT&CK Model Relationship
• Threat actor uses software
• Software implements technique
• Threat actor uses technique
• Technique accomplishes tactic
• Mitigation prevents technique

Cyber Kill Chain weaknesses
• Not all attacks include all steps
• Model was developed for targeted APT attacks, and doesn't fit all attacks
• Some attacks include multiple instances of kill chain

Applying Intelligence
CROSSCAT principles of intelligence
• Centralized
• Responsive
• Objective
• Systematic: methodical handling of info
• Sharing: shared according to markings
• Continuous review: test assessments against new info; collect info throughout cycle
• Accessible: designed for audience
• Timely

2 types of intelligence metrics: team productivity, intelligence utility

Flashpoint intelligence metrics categories
• Operational: describe speed and efficiency of teams, as intel enables teams to process threats faster, or discover relevant threats with less effort
• Tactical: describe efficacy of intel (e.g., false negative rate, false positive rate)
• Strategic: describe how intel program has helped org achieve goals (e.g., reduced risk, saved money by detecting or resolving threats faster)

Focus on metrics that are directly affected by intel team (inputs to team, analysis performed, output, impact of intel on cybersecurity function).

There's a point where a decision-maker has all the info they're able to process, and adding more info decreases their ability to make decisions.

Generating Intelligence
Some criticize F3EAD because it has limited scope for decision-making.

D3A (Decide, Detect, Deliver, Assess)
Similar to F3EAD, with more emphasis on planning and decision-making.
1. Decide: determine various types of possible targets, their priorities, how to detect
2. Detect: identify priority threats
3. Deliver: remediate threat
4. Assess: determine if these were correct targets to remediate, and if operation proceeded smoothly and accurately; integrate feedback into next Decide phase

MoSCoW to describe and rank requirements
• Must Have: necessary
• Should Have: important; will add value
• Could Have: useful, but of little impact
• Will Not Have: will not be implemented

Intel reports
• Summary: BLUF (Bottom Line Up Front)
• Separate facts from analysis
• Be actionable: provide instructions to implement conclusions
• Ensure traceability: clearly state date, source, version; cite references
• Keep it brief: avoid unnecessary detail; use graphs and diagrams as appropriate
• Provide IoCs in accessible or machine readable format; include separate section of IoCs
• Indicate distribution: clearly mark audience and constraints, using TLP or other method

Attribution
Attack attributes for attribution
• Attacker TTPs
• Attacker infrastructure
• Victimology (nature of victim, how they were selected by threat actor, final steps of attack)
• Malicious code

Software use by threat actors
• Abuse legitimate software
• Use dual‐use software which can have legitimate or illegitimate use
• Use malicious software used by multiple threat actors
• Develop custom malicious software

Professionalism
CTI certifications
• CREST Practitioner Threat Intelligence Analyst
• CREST Registered Threat Intelligence Analyst
• CREST Certified Threat Intelligence Manager
• EC‐Council Certified Threat Intelligence Analyst
• GIAC Cyber Threat Intelligence (GCTI)
• McAfee Institute Certified Cyber Intelligence Investigator (CCII)
• McAfee Institute Certified Cyber Intelligence Professional (CCIP)

Future Threats and Conclusion
CTI pro traits
• Systemic thinker: consider big picture
• Team player
• Technical and social skills: understand cybersecurity issues from different perspectives, especially those of users
• Civic duty: sense of responsibility to society, desire to do the right thing
• Continued learning
• Communication: able to convey complex information in understandable way
Review by Amanda (2,212 reviews, 41 followers), June 25, 2025
There is nothing in the world that would have compelled me to pick this book up, aside from a plethora of downtime at work and a lack of anything more interesting to do. And even then, I barely survived half the book. It was incredibly dry and honestly, not very informative. It read more like a timeline of the history of cyber crime than anything else, and not even a very interesting one. Don't waste your time.