
Practical Cyber Intelligence

Book Description

Your one-stop solution for implementing a Cyber Defense Intelligence program in your organisation.

About This Book

  • Intelligence processes and procedures for response mechanisms
  • Master F3EAD to drive processes based on intelligence
  • Threat modeling and intelligent frameworks
  • Case studies and how to go about building intelligent teams

Who This Book Is For

This book targets incident managers, malware analysts, reverse engineers, digital forensics specialists, and intelligence analysts; experience in, or knowledge of, security operations, incident responses or investigations is desirable so you can make the most of the subjects presented.

What You Will Learn

  • Learn about the Observe-Orient-Decide-Act (OODA) loop and its applicability to security
  • Understand the tactical view of Active Defense concepts and their application in today's threat landscape
  • Get acquainted with an operational view of the F3EAD process to drive decision making within an organization
  • Create a framework and Capability Maturity Model that integrates inputs and outputs from key functions in an information security organization
  • Understand the idea of communicating the potential for exploitability based on cyber intelligence

In Detail

Cyber intelligence is the missing link between your cyber defense operation teams, threat intelligence, and IT operations to provide your organization with a full spectrum of defensive capabilities. This book kicks off with the need for cyber intelligence and why it is required in terms of a defensive framework.

Moving forward, the book provides a practical explanation of the F3EAD protocol with the help of examples. It then shows how to build threat models and intelligence products/frameworks and apply them to real-life scenarios.

By the end of this book, you will be able to boot up an intelligence program in your organization based on the operational and tactical/strategic spheres of cyber defense intelligence.

Style and approach

A step-by-step practical guide that will help you master defensive frameworks to secure your system, and the F3EAD protocol to help you boot up an intelligence program in your organization.

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Table of Contents

  1. Title Page
  2. Copyright and Credits
    1. Practical Cyber Intelligence
  3. Dedication
  4. Packt Upsell
    1. Why subscribe?
    2. PacktPub.com
  5. Contributors
    1. About the author
    2. About the reviewer
    3. Packt is searching for authors like you
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
      2. Conventions used
    4. Get in touch
      1. Reviews
  7. The Need for Cyber Intelligence
    1. Need for cyber intelligence
    2. The application of intelligence in the military
      1. Intel stories in history
        1. The American Revolutionary War
        2. Napoleon's use of intelligence
    3. Some types of intelligence
      1. HUMINT or human intelligence
      2. IMINT or image intelligence
      3. MASINT or measurement and signature intelligence
      4. OSINT or open source intelligence
      5. SIGINT or signals intelligence
      6. COMINT or communications intelligence
      7. ELINT or electronic intelligence
      8. FISINT or foreign instrumentation signals intelligence
      9. TECHINT or technical intelligence
      10. MEDINT or medical intelligence
      11. All source intelligence
    4. Intelligence drives operations
      1. Putting theory into practice isn't simple
    5. Understanding the maneuver warfare mentality
      1. Follow the process, the process will save you
      2. What is maneuver warfare?
        1. Tempo
          1. The OODA Loop
        2. Center of gravity and critical vulnerability
        3. Surprise – creating and exploiting opportunity
        4. Combined arms – collaboration
        5. Flexibility
        6. Decentralized command
    6. Summary
  8. Intelligence Development
    1. The information hierarchy
    2. Introduction to the intelligence cycle
      1. The intelligence cycle steps
      2. Step 1 – Planning and direction
        1. Requirements development
        2. Requirements management
        3. Directing the intelligence effort
        4. Requirements satisfaction
        5. Planning the intelligence support system
      3. Step 2 – Collection
      4. Step 3 – Processing
      5. Step 4 – Analysis and Production
      6. Step 5 – Dissemination
        1. Methods
        2. Channels
        3. Modes
        4. Dissemination architecture
      7. Step 6 – Utilization
    3. Summary
  9. Integrating Cyber Intel, Security, and Operations
    1. A different look at operations and security
    2. Developing a strategic cyber intelligence capability
      1. Understanding our priorities
        1. The business architecture
        2. The data/application architecture
        3. Technology architecture
        4. Application of the architectures and cyber intelligence
      2. A look at strategic cyber intelligence – level 1
    3. Introduction to operational security
      1. OPSEC step 1 – identify critical information
      2. OPSEC step 2 – analysis of threats
      3. OPSEC step 3 – analysis of vulnerabilities
      4. OPSEC step 4 – assessment of risk
      5. OPSEC step 5 – application of appropriate countermeasures
    4. OPSEC applicability in a business environment
    5. Cyber intel program roles
      1. Strategic level – IT leadership
      2. Strategic level – cyber intelligence program officer
      3. Tactical level – IT leadership
      4. Tactical level – cyber intelligence program manager
      5. Operational level – IT leadership
      6. Operational level – cyber intelligence analysts
    6. Summary
  10. Using Cyber Intelligence to Enable Active Defense
    1. An introduction to Active Defense
    2. Understanding the Cyber Kill Chain
    3. General principles of Active Defense
      1. Active Defense – principle 1: annoyance
      2. Active Defense – principle 2: attribution
    4. Enticement and entrapment in Active Defense
      1. Scenario A
      2. Scenario B
    5. Types of Active Defense
      1. Types of Active Defense – manual
      2. Types of Active Defense – automatic
    6. An application of tactical level Active Defense
    7. Summary
  11. F3EAD for You and for Me
    1. Understanding targeting
    2. The F3EAD process
    3. F3EAD in practice
    4. F3EAD and the Cyber Kill Chain
      1. Cyber Kill Chain and OODA loop
      2. Cyber Kill Chain and OPSEC
      3. Cyber Kill Chain and the intelligence cycle
      4. Cyber Kill Chain and F3EAD
    5. Application of F3EAD in the commercial space
      1. Limitations of F3EAD
    6. Summary
  12. Integrating Threat Intelligence and Operations
    1. Understanding threat intelligence
    2. Capability Maturity Model – threat intelligence overview
      1. Level 1 – threat intelligence collection capability
        1. Phase initial
          1. Example 1 – Open Threat Exchange – AlienVault
          2. Example 2 – Twitter
          3. Example 3 – Information Sharing and Analysis Centers
          4. Example 4 – news alert notifications
          5. Example 5 – Rich Site Summary feeds
        2. Phase A
          1. Example 1 – Cisco – GOSINT platform
          2. Example 2 – The Malware Information Sharing Platform project
        3. Phase B
        4. Phase C
      2. Level 2 – Threat Information Integration
        1. Phase initial
        2. Phase A
          1. Categorization of items that are applicable to multiple teams
        3. Phase B
        4. Phase C
    3. Summary
  13. Creating the Collaboration Capability
    1. Purpose of collaboration capability
      1. Formal communications
      2. Informal communications
      3. Communication and cyber intelligence process
      4. Methods and tools for collaboration
        1. Service level agreements and organizational level agreements
        2. Responsible accountable supporting consulted informed matrix
        3. Using key risk indicators
    2. Collaboration at the Strategic Level
      1. Executive support
      2. Policies and procedures
      3. Architecture
        1. Understanding dependencies
      4. Prioritized information
      5. Intelligence aggregation
      6. Intelligence reconciliation and presentation
    3. Collaboration at the Tactical Level
      1. Breaking down priority information requirements
      2. Application of the theory
      3. Theory versus reality
      4. Creating the tactical dashboard
    4. Collaboration at the Operational Level
    5. Summary
  14. The Security Stack
    1. Purpose of integration – it's just my POV
    2. Core security service basics
    3. Security Operations Center
      1. The spider
      2. Capabilities among teams
    4. Capability deep dive – Security Configuration Management
      1. Security Configuration Management – core processes
      2. Security Configuration Management – Discovery and Detection
      3. Security Configuration Management – Risk Mitigation
      4. Security Configuration Management – Security State Analysis
      5. Security Configuration Management – Data Exposure and Sharing
    5. Prelude – integrating like services
    6. Integrating cyber intel from different services
      1. Overview – red team methodology
      2. Red team – testing methods
        1. White box
        2. Gray box
        3. Black box
      3. Red team constraints
      4. Red team – graphical representation
      5. Data integration challenges
        1. The end user perspective
        2. The service level perspective – cyber intelligence – Data Exposure and Sharing
        3. The SOC perspective
    7. Capability Maturity Model – InfoSec and cyber intel
      1. Capability Maturity Model – InfoSec and cyber intel – initial phase
      2. Capability Maturity Model – InfoSec and cyber intel – Phase A
      3. Capability Maturity Model – InfoSec and cyber intel – Phase B
      4. Capability Maturity Model – InfoSec and cyber intel – Phase C
    8. Collaboration + Capability = Active Defense
    9. Summary
  15. Driving Cyber Intel
    1. The gap
    2. Another set of eyes
      1. The logic
        1. Event
        2. Incident
      2. Mapping events and incidents to InfoSec capabilities
    3. Capability Maturity Model – security awareness
      1. Capability Maturity Model – security awareness – initial phase
      2. Capability Maturity Model – security awareness – Phase A
      3. Capability Maturity Model – security awareness – Phase B
      4. Capability Maturity Model – security awareness – Phase C
      5. Capability Maturity Model – security awareness – Phase C+
        1. Just another day part 1
    4. Summary
  16. Baselines and Anomalies
    1. Setting up camp
      1. Baselines and anomalies
    2. Continuous monitoring – the challenge
      1. Part 1
      2. Part 2
      3. Part 3
    3. Capability Maturity Model – continuous monitoring overview
      1. Level 1 – phase A
      2. Level 1 – phase B
      3. Level 1 – phase C
    4. Capability Maturity Model – continuous monitoring level 2
      1. Scenario 1 – asset management/vulnerability scanning asset inventory
        1. Phase initial
          1. Information gathering
          2. Developing possible solutions
        2. Phase A
          1. Procedure RASCI (example)
        3. Phase B
          1. Regional data centers
          2. Local office environment
        4. Phase C
      2. Scenario 2 – security awareness/continuous monitoring/IT helpdesk
        1. Phase initial
          1. Information gathering
          2. Developing possible solutions
        2. Phase A
          1. Procedure RASCI (example)
        3. Phase B and C – sample questions
      3. Just another day part 2
    5. Summary
  17. Putting Out the Fires
    1. Quick review
    2. Overview – incident response
      1. Preparation and prevention
      2. Detection and analysis
      3. Containment, eradication, and recovery
      4. Post-incident activity
      5. Incident response process and F3EAD integration
      6. Intelligence process tie-in
    3. Capability Maturity Model – incident response
      1. Initial phase
      2. Phase A
      3. Phase B
      4. Phase C
    4. Summary
  18. Vulnerability Management
    1. A quick recap
    2. The Common Vulnerability Scoring System calculator
      1. Base metric group
      2. Temporal metric group
      3. Environmental metric group
      4. CVSS base scoring
        1. Metrics madness
    3. Vulnerability management overview
    4. Capability Maturity Model: vulnerability management – scanning
      1. Initial phase
      2. Phase A
      3. Phase B
      4. Phase C
    5. Capability Maturity Model: vulnerability management – reporting
      1. Initial phase
      2. Phase A
      3. Phase B
      4. Phase C
    6. Capability Maturity Model: vulnerability management – fix
      1. Initial phase
      2. Phase A
      3. Phase B
      4. Phase C
    7. Summary
  19. Risky Business
    1. Risk overview
      1. Treating risk
      2. Risk tolerance and risk appetite
    2. Labeling things platinum, gold, silver, and copper
      1. Differentiating networks
    3. Taking a different look at risk
      1. Review of threat intelligence integration
      2. Capability Maturity Model: risk phase – initial
        1. Improving risk reporting part 1
      3. Capability Maturity Model: risk phase – final
        1. Improving risk reporting part 2
      4. Open source governance risk and compliance tools
        1. Binary Risk Assessment
        2. STREAM cyber risk platform
        3. Practical threat analysis for information security experts
        4. SimpleRisk
        5. Security Officers Management and Analysis Project
    4. Summary
  20. Assigning Metrics
    1. Security configuration management
      1. Developing the risk score
      2. Working in key risk indicators
    2. Summary
  21. Wrapping Up
    1. Just another day part 3
    2. Lessons learned
  22. Other Books You May Enjoy
    1. Leave a review – let other readers know what you think