Table of Contents

Open all
Close all
Preface
15
Who This Book Is For
15
How This Book Is Organized
16
Acknowledgments
18
Conclusion
19
1 Foundations of Cyber Threat Intelligence
21
1.1 What Is Cyber Threat Intelligence?
22
1.2 The Strategic Context and Importance of CTI
26
1.2.1 Strategic Value Dimensions
27
1.2.2 Considerations at the Strategic Level
28
1.2.3 Governance and Operating Models
30
1.2.4 Intelligence Requirement Management
33
1.3 The Evolution of Threat Intelligence
34
1.3.1 The Theoretical Foundations of Classical Military Intelligence
35
1.3.2 The Beginning of the Cyber Age and the APT Concept
36
1.3.3 The Threat Intelligence Cycle
36
1.3.4 Milestones Through Case Studies
38
1.4 Types of Intelligence in Cybersecurity
39
1.5 Core Concepts and Conceptual Models
41
1.5.1 Important Terminology
42
1.5.2 Threat Actors and Their Motivations
44
1.5.3 Threat Actors and the Intelligence Cycle
46
1.5.4 TTPs and Detection Engineering
49
1.6 Summary
50
2 Intelligence Lifecycle in Practice
53
2.1 Planning and Direction Phase
54
2.1.1 Components of the Planning Phase
54
2.1.2 Deepening the Conceptual Framework: PIRs, SIRs, and EEIs
57
2.1.3 References to Standards and Frameworks
59
2.1.4 Analytical Biases and Bias Management
63
2.1.5 Intelligence Governance Framework
66
2.1.6 Stakeholder Analysis and Communication
67
2.1.7 Threat Intelligence Sharing Ecosystem
69
2.1.8 Risk Tolerance and Corporate Business Objectives
71
2.2 Collection: Active and Passive Techniques
73
2.2.1 Strategic Importance of the Collection Phase
73
2.2.2 Passive Collection Techniques
74
2.2.3 Active Collection Techniques
77
2.3 Processing and Initial Analysis
79
2.3.1 Data Normalization
79
2.3.2 Tagging and Contextualization
80
2.3.3 Automated Analysis of Malware Samples
81
2.3.4 Enriching Indicators of Compromise
82
2.3.5 Output: A Processed and Reliable Dataset
83
2.4 Interpretation and Dissemination
85
2.4.1 Analysis and Interpretation
86
2.4.2 Dissemination
89
2.5 Feedback and the Sustainability of the Lifecycle
93
2.6 Summary
97
3 Intelligence Sources
99
3.1 Understanding Intelligence Source Classifications
100
3.1.1 The Role of Source Types in Cyber Intelligence
100
3.1.2 Comparative Model of OSINT, HUMINT, and SIGINT
102
3.1.3 Source Reliability Framework
103
3.2 Open-Source Intelligence
105
3.2.1 The Role of OSINT in Cyber Intelligence
105
3.2.2 Blogs, Security Reports, and Threat Intelligence Portals
107
3.2.3 Social Media and Community-Based Sources
109
3.2.4 DNS Data and Passive Internet Telemetry
113
3.3 Human Intelligence
124
3.3.1 The Role of HUMINT in Cyber Intelligence
124
3.3.2 Internal Source Interviews and Internal Information Flow
125
3.3.3 Informants, Researchers, and Dark Web Engagements
128
3.3.4 Social Engineering and the Analysis of Human Vulnerabilities
134
3.4 Signals Intelligence
139
3.4.1 The Role of SIGINT in Cyber Intelligence
140
3.4.2 Packet Inspection and Traffic Analysis
141
3.4.3 Radio Signals and Wireless Environment Intelligence
147
3.4.4 The Integrated Structure of SIGINT, Telemetry, and OSINT
152
3.5 Integrating and Correlating Multisource Intelligence
155
3.5.1 Multisource Fusion Centers
156
3.5.2 All-Source Analysis Framework
159
3.5.3 Source Reliability and Prioritization Methodologies
161
3.6 Summary
164
4 Applied OSINT: Tools, Methodologies, and Operational Discipline
167
4.1 Principles of Effective OSINT Collection
168
4.1.1 Intelligence Requirement: Focused Approach
169
4.1.2 Ethics, Legal Framework, and Authority Boundaries
173
4.1.3 Operational Security
179
4.1.4 Chain of Custody
182
4.2 Passive OSINT Collection Strategies
185
4.2.1 Advanced Use of Search Engine Operators
186
4.2.2 Using Google Dorks and Advanced Queries
191
4.2.3 Metadata Extraction
200
4.2.4 WHOIS, DNS, and SSL/TLS Passive Analysis
211
4.2.5 Social Media and Open User Profiles
221
4.3 Active OSINT Techniques
225
4.3.1 Port and Service Discovery
226
4.3.2 DNS Enumeration
235
4.3.3 Web Discovery and Scanning
239
4.4 OSINT Data Structuring and Storage
245
4.4.1 Technical Normalization of Intelligence Data
246
4.4.2 Correlation Architecture
250
4.4.3 Data Storage Options
253
4.4.4 Example: Automatic Normalization and Scoring of the DNS-WHOIS-SSL Chain for a Single Domain
256
4.5 Summary
259
5 Advanced Intelligence Collection from the Deep and Dark Web
261
5.1 The Invisible Architecture of the Dark Ecosystem
262
5.1.1 The Operational Differences of the Surface, Deep, and Dark Layers
262
5.1.2 Special Methods Used by Threat Actors
264
5.1.3 Techniques for Extracting Intelligence from Each Layer
267
5.1.4 Example Scenarios
270
5.1.5 Typology of Dark Web Ecosystems
272
5.2 Accessing Hidden Services and Managing Anonymity
276
5.2.1 Secure Use of the Tor Infrastructure
278
5.2.2 I2P and Alternative Privacy Networks
281
5.3 Summary
284
6 Threat Actor Profiling and Behavioral Mapping
287
6.1 Introduction to Threat Actor Profiling
288
6.1.1 Types of Threat Actors
288
6.1.2 Operational Psychodynamics
289
6.1.3 Indicators, Context, and the Right Question
291
6.2 Tactics, Techniques, and Procedures
291
6.2.1 What Are TTPs?
292
6.2.2 TTP Analysis
293
6.3 Applying the MITRE ATT&CK Framework
298
6.3.1 Techniques and Subtechniques
299
6.3.2 Applications of MITRE ATT&CK
302
6.4 Using the Diamond Model in Threat Profiling
304
6.4.1 Adversary: The Entity Conducting the Attack
304
6.4.2 Capability: The Tools, Techniques, and Knowledge in the Adversary’s Hands
306
6.4.3 Infrastructure: The Invisible Backbone Carrying the Attack
306
6.4.4 Victim: The Target of the Attack and the Reflection of the Profile
307
6.4.5 Diamond Model Relationships
307
6.5 Behavioral Indicators and Fingerprints
309
6.5.1 Code Reuse
309
6.5.2 Linguistic Patterns
310
6.5.3 OPSEC Errors
311
6.5.4 Correlation of Behavioral Traces
313
6.6 Summary
316
7 Integrity, Poisoning, and Enrichment in Threat Intelligence Feeds
317
7.1 The Anatomy of a Threat Intelligence Feed
318
7.1.1 Data Structures and Content Models
319
7.1.2 Standardized Protocols and Formats
324
7.1.3 Feed Distribution Models
330
7.2 Feed Poisoning and Manipulation Techniques
334
7.2.1 Objectives of Advanced Manipulation
334
7.2.2 Generation of Fake or Manipulated IOCs
337
7.2.3 Mirrored, Masked, or Deception-Oriented Infrastructures
339
7.3 Detecting Low-Quality or Malicious Threat Intelligence Feeds
350
7.3.1 Structural and Statistical Quality Analysis
351
7.3.2 Heuristic Validation Techniques
353
7.3.3 Source Reliability Modeling
357
7.4 Data Enrichment Techniques
366
7.4.1 IOC Contextual Enrichment
367
7.4.2 Correlating with the Threat Profile
370
7.4.3 Risk and Threat Scoring
379
7.5 Summary
382
8 Network-Centric Forensic Intelligence
385
8.1 Introduction to Network-Centric Digital Forensics
386
8.1.1 The Fundamental Objective of Network Digital Forensics
387
8.1.2 Defining the Scope
387
8.1.3 The Value of Forensic Analysis in CTI Scenarios
389
8.2 Traffic Capture and Protocol Analysis
392
8.2.1 The Power of Raw Traffic
393
8.2.2 Wireshark Techniques
395
8.2.3 Protocol Dissection
407
8.2.4 Example: IATI-Based DNS Tunneling and Multistage C2 Rhythm Analysis
413
8.3 Flow-Level Analysis
416
8.3.1 Introducing NetFlow and IPFIX
417
8.3.2 Flow Morphology
420
8.3.3 Rhythmic Deviation Analysis
422
8.3.4 Directional Asymmetry Analysis
424
8.3.5 Flow Entropy and Variance Analysis
426
8.3.6 Example: Deriving Attacker Behavior from Mathematical Flow Traces and Advanced Flow Entropy Analysis
429
8.4 Correlation of Logs and Network Metadata
433
8.4.1 Firewall Logs
433
8.4.2 Proxy Logs
438
8.4.3 DNS Metadata
439
8.4.4 The Power of Correlation
439
8.5 Monitoring Attacker Infrastructure and Lateral Movement
443
8.5.1 Intent-Based Monitoring
444
8.5.2 C2 Pulse Mapping
447
8.5.3 Pivot Point and East-West Traffic Monitoring
450
8.6 Summary
453
9 Host-Based Forensic Analysis and Windows Telemetry
455
9.1 Role of Host-Based Forensics in CTI
456
9.1.1 The Strategic Value of Endpoint Telemetry
456
9.1.2 The Limits of Endpoint Visibility
458
9.2 Advanced Configuration of Event Logs and Audit Policy
464
9.2.1 Depth of the Security Log
466
9.2.2 Design of an Advanced Audit Policy
474
9.2.3 Behavioral Monitoring with Event Tracing for Windows
484
9.3 Windows Registry Forensic Analysis
487
9.3.1 Understanding the Registry
487
9.3.2 Reconstructing User Behavior Through the Registry
491
9.3.3 Making Persistence Mechanisms Visible
499
9.3.4 Example: Behavioral Analysis of Registry-Based Startup Persistence Using Python
503
9.3.5 The Forensic Value of ShellBags, ShimCache, and AmCache
505
9.4 Memory Acquisition and Memory-Based Forensic Analysis
510
9.4.1 Why Is Memory Acquisition Critical?
511
9.4.2 Memory Acquisition Methods
512
9.4.3 Detecting Anti-Forensic Techniques in Memory
516
9.4.4 Memory Forensics Frameworks
525
9.5 Summary
537
10 Integrating CTI into Incident Response
539
10.1 The Role of CTI in Incident Response
540
10.1.1 CTI in the Complete Incident Response Cycle
540
10.1.2 Establishing an Intelligence-Driven Defense Architecture
541
10.1.3 Context-Oriented Alert Validation Mechanisms
550
10.1.4 Integrating Technical Findings with the Threat Model
554
10.2 Detection and Validation with IOCs and IOAs
559
10.2.1 The Lifecycle of IOCs and Their Operational Value
560
10.2.2 Strengthening IOA-Based Behavioral Detection Logic
563
10.2.3 Multilayer Correlation with Live Telemetry
569
10.2.4 Intelligence Enrichment Techniques for Reducing False Positives
578
10.3 Contextualization of Threats and Impact Analysis
589
10.3.1 Interpreting Adversary Intent
590
10.3.2 Impact Scope Analysis and Calculation of Propagation Potential
600
10.3.3 Determining Operational Priority According to CTI
609
10.3.4 Examples: Threat Contextualization in Practice
615
10.4 Summary
619
11 Intelligence-Driven Proactive Threat Hunting
621
11.1 What Is Threat Hunting?
622
11.1.1 Importance of Threat Hunting
622
11.1.2 The Limits of Reactive Security and Alert Fatigue
630
11.1.3 Core Components of Proactive Hunting
632
11.1.4 Hypothesis-Driven Approach
639
11.1.5 Filling Information Gaps: The Role of the Hunter
646
11.2 Intelligence-Driven Hunting Methodologies
657
11.2.1 Data Flow from CTI to the Operational Hunter
658
11.2.2 Adversary Modeling: APT, Ransomware, and Insider Threat Profiles
664
11.2.3 CTI Enrichment
670
11.2.4 Target Prioritization Through Threat Landscape Analysis
679
11.3 Summary
692
12 Automation and Threat Intelligence Platforms
695
12.1 Introduction to CTI Automation
696
12.1.1 The Limitations of Manual CTI Processes
697
12.1.2 The Role of Automation in the CTI Lifecycle
699
12.2 Overview of Threat Intelligence Platforms
703
12.2.1 What Is a TIP and What Does It Do?
704
12.2.2 Core Components and Architectural Structure
706
12.3 Using MISP for Community-Based Threat Sharing
711
12.3.1 Understanding the Role of MISP in CTI
712
12.3.2 The Fundamental Structure of the MISP Architecture
715
12.3.3 Feed and Event Management
720
12.3.4 Attributes, Tagging, and Taxonomies
727
12.4 Summary
734
A Bibliography
735
B The Author
739
Index
741