CYBER THREAT INTELLIGENCE
"Martin takes a thorough and focused approach to the processes that rule threat intelligence, but he doesn't just cover gathering, processing and distributing intelligence. He explains why you should care who is trying to hack you, and what you can do about it when you know."
--Simon Edwards, Security Testing Expert, CEO SE Labs Ltd., Chair AMTSO
Effective introduction to cyber threat intelligence, supplemented with detailed case studies and after action reports of intelligence on real attacks
Cyber Threat Intelligence introduces the history, terminology, and techniques to be applied within cyber security, offering an overview of the current state of cyberattacks and stimulating readers to consider their own issues from a threat intelligence point of view. The author takes a systematic, system-agnostic, and holistic view to generating, collecting, and applying threat intelligence.
The text covers the threat environment, malicious attacks, collecting, generating, and applying intelligence and attribution, as well as legal and ethical considerations. It ensures readers know what to look out for when considering a potential cyber attack and imparts how to prevent attacks early on, explaining how threat actors can exploit a system's vulnerabilities. It also includes analysis of large-scale attacks such as WannaCry, NotPetya, SolarWinds, VPNFilter, and the Target breach, looking at the real intelligence that was available before and after the attack.
Topics covered in Cyber Threat Intelligence include:
* The constant change of the threat environment as capabilities, intent, opportunities, and defenses change and evolve
* Different business models of threat actors, and how these dictate the choice of victims and the nature of their attacks
* Planning and executing a threat intelligence programme to improve an organisation's cyber security posture
* Techniques for attributing attacks and holding perpetrators to account for their actions
Cyber Threat Intelligence describes the intelligence techniques and models used in cyber threat intelligence. It provides a survey of ideas, views and concepts, rather than offering a hands-on practical guide. It is intended for anyone who wishes to learn more about the domain, particularly if they wish to develop a career in intelligence, and as a reference for those already working in the area.
ISBN-13
978-1-119-86175-1 (9781119861751)
1 - Cover [Page 1]
2 - Title Page [Page 5]
3 - Copyright Page [Page 6]
4 - Contents [Page 7]
5 - Preface [Page 13]
6 - About the Author [Page 15]
7 - Abbreviations [Page 17]
8 - Endorsements for Martin Lee's Book [Page 21]
9 - Chapter 1 Introduction [Page 23]
9.1 - 1.1 Definitions [Page 23]
9.1.1 - 1.1.1 Intelligence [Page 24]
9.1.2 - 1.1.2 Cyber Threat [Page 25]
9.1.3 - 1.1.3 Cyber Threat Intelligence [Page 26]
9.2 - 1.2 History of Threat Intelligence [Page 27]
9.2.1 - 1.2.1 Antiquity [Page 27]
9.2.2 - 1.2.2 Ancient Rome [Page 29]
9.2.3 - 1.2.3 Medieval and Renaissance Age [Page 30]
9.2.4 - 1.2.4 Industrial Age [Page 32]
9.2.5 - 1.2.5 World War I [Page 33]
9.2.6 - 1.2.6 World War II [Page 35]
9.2.7 - 1.2.7 Post War Intelligence [Page 36]
9.2.8 - 1.2.8 Cyber Threat Intelligence [Page 37]
9.2.9 - 1.2.9 Emergence of Private Sector Intelligence Sharing [Page 41]
9.3 - 1.3 Utility of Threat Intelligence [Page 43]
9.3.1 - 1.3.1 Developing Cyber Threat Intelligence [Page 45]
9.4 - Summary [Page 46]
9.5 - References [Page 46]
10 - Chapter 2 Threat Environment [Page 53]
10.1 - 2.1 Threat [Page 53]
10.1.1 - 2.1.1 Threat Classification [Page 55]
10.2 - 2.2 Risk and Vulnerability [Page 57]
10.2.1 - 2.2.1 Human Vulnerabilities [Page 60]
10.2.1.1 - 2.2.1.1 Example - Business Email Compromise [Page 61]
10.2.2 - 2.2.2 Configuration Vulnerabilities [Page 61]
10.2.2.1 - 2.2.2.1 Example - Misconfiguration of Cloud Storage [Page 62]
10.2.3 - 2.2.3 Software Vulnerabilities [Page 63]
10.2.3.1 - 2.2.3.1 Example - Log4j Vulnerabilities [Page 65]
10.3 - 2.3 Threat Actors [Page 65]
10.3.1 - 2.3.1 Example - Operation Payback [Page 68]
10.3.2 - 2.3.2 Example - Stuxnet [Page 69]
10.3.3 - 2.3.3 Tracking Threat Actors [Page 69]
10.4 - 2.4 TTPs - Tactics, Techniques, and Procedures [Page 71]
10.5 - 2.5 Victimology [Page 75]
10.5.1 - 2.5.1 Diamond Model [Page 77]
10.6 - 2.6 Threat Landscape [Page 78]
10.6.1 - 2.6.1 Example - Ransomware [Page 79]
10.7 - 2.7 Attack Vectors, Vulnerabilities, and Exploits [Page 80]
10.7.1 - 2.7.1 Email Attack Vectors [Page 81]
10.7.2 - 2.7.2 Web-Based Attacks [Page 82]
10.7.3 - 2.7.3 Network Service Attacks [Page 83]
10.7.4 - 2.7.4 Supply Chain Attacks [Page 83]
10.8 - 2.8 The Kill Chain [Page 84]
10.9 - 2.9 Untargeted versus Targeted Attacks [Page 86]
10.10 - 2.10 Persistence [Page 87]
10.11 - 2.11 Thinking Like a Threat Actor [Page 88]
10.12 - Summary [Page 88]
10.13 - References [Page 89]
11 - Chapter 3 Applying Intelligence [Page 97]
11.1 - 3.1 Planning Intelligence Gathering [Page 97]
11.1.1 - 3.1.1 The Intelligence Programme [Page 99]
11.1.2 - 3.1.2 Principles of Intelligence [Page 100]
11.1.3 - 3.1.3 Intelligence Metrics [Page 103]
11.2 - 3.2 The Intelligence Cycle [Page 104]
11.2.1 - 3.2.1 Planning, Requirements, and Direction [Page 105]
11.2.2 - 3.2.2 Collection [Page 106]
11.2.3 - 3.2.3 Analysis and Processing [Page 106]
11.2.4 - 3.2.4 Production [Page 107]
11.2.5 - 3.2.5 Dissemination [Page 107]
11.2.6 - 3.2.6 Review [Page 107]
11.3 - 3.3 Situational Awareness [Page 108]
11.3.1 - 3.3.1 Example - 2013 Target Breach [Page 110]
11.4 - 3.4 Goal Oriented Security and Threat Modelling [Page 111]
11.5 - 3.5 Strategic, Operational, and Tactical Intelligence [Page 113]
11.5.1 - 3.5.1 Strategic Intelligence [Page 113]
11.5.1.1 - 3.5.1.1 Example - Lazarus Group [Page 114]
11.5.2 - 3.5.2 Operational Intelligence [Page 115]
11.5.2.1 - 3.5.2.1 Example - SamSam [Page 115]
11.5.3 - 3.5.3 Tactical Intelligence [Page 116]
11.5.3.1 - 3.5.3.1 Example - WannaCry [Page 116]
11.5.4 - 3.5.4 Sources of Intelligence Reports [Page 116]
11.5.4.1 - 3.5.4.1 Example - Shamoon [Page 117]
11.6 - 3.6 Incident Preparedness and Response [Page 118]
11.6.1 - 3.6.1 Preparation and Practice [Page 121]
11.7 - Summary [Page 122]
11.8 - References [Page 122]
12 - Chapter 4 Collecting Intelligence [Page 127]
12.1 - 4.1 Hierarchy of Evidence [Page 127]
12.1.1 - 4.1.1 Example - Smoking Tobacco Risk [Page 129]
12.2 - 4.2 Understanding Intelligence [Page 130]
12.2.1 - 4.2.1 Expressing Credibility [Page 131]
12.2.2 - 4.2.2 Expressing Confidence [Page 132]
12.2.3 - 4.2.3 Understanding Errors [Page 136]
12.2.3.1 - 4.2.3.1 Example - the WannaCry Email [Page 136]
12.2.3.2 - 4.2.3.2 Example - the Olympic Destroyer False Flags [Page 136]
12.3 - 4.3 Third Party Intelligence Reports [Page 137]
12.3.1 - 4.3.1 Tactical and Operational Reports [Page 138]
12.3.1.1 - 4.3.1.1 Example - Heartbleed [Page 139]
12.3.2 - 4.3.2 Strategic Threat Reports [Page 140]
12.4 - 4.4 Internal Incident Reports [Page 140]
12.5 - 4.5 Root Cause Analysis [Page 141]
12.6 - 4.6 Active Intelligence Gathering [Page 142]
12.6.1 - 4.6.1 Example - the Nightingale Floor [Page 144]
12.6.2 - 4.6.2 Example - the Macron Leaks [Page 144]
12.7 - Summary [Page 145]
12.8 - References [Page 145]
13 - Chapter 5 Generating Intelligence [Page 149]
13.1 - 5.1 The Intelligence Cycle in Practice [Page 150]
13.1.1 - 5.1.1 See it, Sense it, Share it, Use it [Page 150]
13.1.2 - 5.1.2 F3EAD Cycle [Page 151]
13.1.3 - 5.1.3 D3A Process [Page 153]
13.1.4 - 5.1.4 Applying the Intelligence Cycle [Page 154]
13.1.4.1 - 5.1.4.1 Planning and Requirements [Page 154]
13.1.4.2 - 5.1.4.2 Collection, Analysis, and Processing [Page 155]
13.1.4.3 - 5.1.4.3 Production and Dissemination [Page 156]
13.1.4.4 - 5.1.4.4 Feedback and Improvement [Page 157]
13.1.4.5 - 5.1.4.5 The Intelligence Cycle in Reverse [Page 157]
13.2 - 5.2 Sources of Data [Page 158]
13.3 - 5.3 Searching Data [Page 159]
13.4 - 5.4 Threat Hunting [Page 160]
13.4.1 - 5.4.1 Models of Threat Hunting [Page 161]
13.4.2 - 5.4.2 Analysing Data [Page 162]
13.4.3 - 5.4.3 Entity Behaviour Analytics [Page 165]
13.5 - 5.5 Transforming Data into Intelligence [Page 166]
13.5.1 - 5.5.1 Structured Geospatial Analytical Method [Page 166]
13.5.2 - 5.5.2 Analysis of Competing Hypotheses [Page 168]
13.5.3 - 5.5.3 Poor Practices [Page 168]
13.6 - 5.6 Sharing Intelligence [Page 169]
13.6.1 - 5.6.1 Machine Readable Intelligence [Page 172]
13.7 - 5.7 Measuring the Effectiveness of Generated Intelligence [Page 173]
13.8 - Summary [Page 174]
13.9 - References [Page 174]
14 - Chapter 6 Attribution [Page 177]
14.1 - 6.1 Holding Perpetrators to Account [Page 177]
14.1.1 - 6.1.1 Punishment [Page 178]
14.1.2 - 6.1.2 Legal Frameworks [Page 178]
14.1.3 - 6.1.3 Cyber Crime Legislation [Page 179]
14.1.4 - 6.1.4 International Law [Page 180]
14.1.5 - 6.1.5 Crime and Punishment [Page 180]
14.2 - 6.2 Standards of Proof [Page 180]
14.2.1 - 6.2.1 Forensic Evidence [Page 181]
14.3 - 6.3 Mechanisms of Attribution [Page 182]
14.3.1 - 6.3.1 Attack Attributes [Page 183]
14.3.1.1 - 6.3.1.1 Attacker TTPs [Page 183]
14.3.1.2 - 6.3.1.2 Example - HAFNIUM [Page 184]
14.3.1.3 - 6.3.1.3 Attacker Infrastructure [Page 184]
14.3.1.4 - 6.3.1.4 Victimology [Page 185]
14.3.1.5 - 6.3.1.5 Malicious Code [Page 185]
14.3.2 - 6.3.2 Asserting Attribution [Page 187]
14.4 - 6.4 Anti-Attribution Techniques [Page 188]
14.4.1 - 6.4.1 Infrastructure [Page 188]
14.4.2 - 6.4.2 Malicious Tools [Page 188]
14.4.3 - 6.4.3 False Attribution [Page 189]
14.4.4 - 6.4.4 Chains of Attribution [Page 189]
14.5 - 6.5 Third Party Attribution [Page 189]
14.6 - 6.6 Using Attribution [Page 190]
14.7 - Summary [Page 192]
14.8 - References [Page 193]
15 - Chapter 7 Professionalism [Page 197]
15.1 - 7.1 Notions of Professionalism [Page 198]
15.2 - 7.1.1 Professional Ethics [Page 199]
15.3 - 7.2 Developing a New Profession [Page 200]
15.3.1 - 7.2.1 Professional Education [Page 200]
15.3.2 - 7.2.2 Professional Behaviour and Ethics [Page 201]
15.3.2.1 - 7.2.2.1 Professionalism in Medicine [Page 201]
15.3.2.2 - 7.2.2.2 Professionalism in Accountancy [Page 203]
15.3.2.3 - 7.2.2.3 Professionalism in Engineering [Page 205]
15.3.3 - 7.2.3 Certifications and Codes of Ethics [Page 208]
15.4 - 7.3 Behaving Ethically [Page 210]
15.4.1 - 7.3.1 The Five Philosophical Approaches [Page 210]
15.4.2 - 7.3.2 The Josephson Model [Page 211]
15.4.3 - 7.3.3 PMI Ethical Decision Making Framework [Page 212]
15.5 - 7.4 Legal and Ethical Environment [Page 213]
15.5.1 - 7.4.1 Planning [Page 214]
15.5.1.1 - 7.4.1.1 Responsible Vulnerability Disclosure [Page 215]
15.5.1.2 - 7.4.1.2 Vulnerability Hoarding [Page 216]
15.5.2 - 7.4.2 Collection, Analysis, and Processing [Page 216]
15.5.2.1 - 7.4.2.1 PRISM Programme [Page 217]
15.5.2.2 - 7.4.2.2 Open and Closed Doors [Page 218]
15.5.3 - 7.4.3 Dissemination [Page 218]
15.5.3.1 - 7.4.3.1 Doxxing [Page 219]
15.6 - 7.5 Managing the Unexpected [Page 220]
15.7 - 7.6 Continuous Improvement [Page 221]
15.8 - Summary [Page 221]
15.9 - References [Page 222]
16 - Chapter 8 Future Threats and Conclusion [Page 229]
16.1 - 8.1 Emerging Technologies [Page 229]
16.1.1 - 8.1.1 Smart Buildings [Page 230]
16.1.1.1 - 8.1.1.1 Software Errors [Page 231]
16.1.1.2 - 8.1.1.2 Example - Maroochy Shire Incident [Page 232]
16.1.2 - 8.1.2 Health Care [Page 233]
16.1.2.1 - 8.1.2.1 Example - Conti Attack Against Irish Health Sector [Page 234]
16.1.3 - 8.1.3 Transport Systems [Page 235]
16.2 - 8.2 Emerging Attacks [Page 236]
16.2.1 - 8.2.1 Threat Actor Evolutions [Page 236]
16.2.1.1 - 8.2.1.1 Criminal Threat Actors [Page 236]
16.2.1.2 - 8.2.1.2 Nation State Threat Actors [Page 238]
16.2.1.3 - 8.2.1.3 Other Threat Actors [Page 242]
16.3 - 8.3 Emerging Workforce [Page 243]
16.3.1 - 8.3.1 Job Roles and Skills [Page 243]
16.3.2 - 8.3.2 Diversity in Hiring [Page 247]
16.3.3 - 8.3.3 Growing the Profession [Page 249]
16.4 - 8.4 Conclusion [Page 250]
16.5 - References [Page 251]
17 - Chapter 9 Case Studies [Page 259]
17.1 - 9.1 Target Compromise 2013 [Page 260]
17.1.1 - 9.1.1 Background [Page 260]
17.1.2 - 9.1.2 The Attack [Page 263]
17.2 - 9.2 WannaCry 2017 [Page 265]
17.2.1 - 9.2.1 Background [Page 266]
17.2.1.1 - 9.2.1.1 Guardians of Peace [Page 266]
17.2.1.2 - 9.2.1.2 The Shadow Brokers [Page 267]
17.2.1.3 - 9.2.1.3 Threat Landscape - Worms and Ransomware [Page 269]
17.2.2 - 9.2.2 The Attack [Page 269]
17.2.2.1 - 9.2.2.1 Prelude [Page 269]
17.2.2.2 - 9.2.2.2 Malware [Page 271]
17.3 - 9.3 NotPetya 2017 [Page 273]
17.3.1 - 9.3.1 Background [Page 273]
17.3.2 - 9.3.2 The Attack [Page 274]
17.3.2.1 - 9.3.2.1 Distribution [Page 275]
17.3.2.2 - 9.3.2.2 Payload [Page 275]
17.3.2.3 - 9.3.2.3 Spread and Consequences [Page 276]
17.4 - 9.4 VPNFilter 2018 [Page 277]
17.4.1 - 9.4.1 Background [Page 277]
17.4.2 - 9.4.2 The Attack [Page 278]
17.5 - 9.5 SUNBURST and SUNSPOT 2020 [Page 279]
17.5.1 - 9.5.1 Background [Page 280]
17.5.2 - 9.5.2 The Attack [Page 281]
17.6 - 9.6 Macron Leaks 2017 [Page 282]
17.6.1 - 9.6.1 Background [Page 282]
17.6.2 - 9.6.2 The Attack [Page 283]
17.7 - References [Page 284]
18 - Index [Page 299]
19 - EULA [Page 307]