Module 1 - CTI

The document discusses the fundamentals of Cyber Threat Intelligence (CTI), emphasizing its importance in understanding and mitigating targeted cyberattacks. It outlines the characteristics and benefits of CTI, as well as the need for organizations to prioritize their assets and understand their adversaries, including cybercriminals and hacktivists. The text also highlights the challenges faced by enterprises in developing effective CTI strategies and the necessity of tailoring intelligence for diverse users.

Uploaded by Subashini S
Modules 1-4: references
1. Jon Friedman, Mark Bouchard, CISSP; Foreword by John P. Watters. Cyber Threat Intelligence, Definitive Guide TM, 2015 (Modules 1-4): Module 1 (Chapters 1, 2), Module 2 (Chapter 3), Module 3 (Chapter 4), Module 4 (Chapter 7).
2. Alessandro Parisi, “Hands-on Artificial Intelligence for Cyber Security”, Packt, 2019 (Module 5).
19MAM92 - CYBER THREAT INTELLIGENCE
Module 1 (Chapters 1, 2)

FUNDAMENTALS OF CYBER THREAT INTELLIGENCE (CTI)

The Need for Cyber Threat Intelligence: The menace of targeted attacks - Monitor and respond strategy - Cyber Threat Intelligence Defined. Key Characteristics: Adversary based - Risk focused - Process oriented - Tailored for diverse consumers. Benefits of Cyber Threat Intelligence.
Developing Cyber Threat Intelligence Requirements: Assets that must be Prioritized: Personal information - Intellectual property - Confidential business information - Credentials and IT systems information - Operational systems. Adversaries: Cybercriminals - Competitors and cyber espionage agents - Hacktivists. Intelligence Consumers: Tactical users - Operational users - Strategic users.
By Dr S B Mahalakshmi
CTI - Foreword
● No professional sports team takes the field without scouting its opponent.
● No general launches a military exercise without studying the battlefield and the capabilities of the opposing forces.
● And no sensible business leader enters a market without identifying the major competitors and their strengths and weaknesses.
● Yet every day most cybersecurity professionals go to work without any idea about the identity and probable actions of their adversaries.

In information security, if you do not understand the motivations, intentions and competencies of your opponents, then you cannot understand the risks to your enterprise or focus your defenses.

“It is a discipline for protecting our enterprises, our livelihoods, the wellbeing of our customers and clients, and sometimes even our values and way of life.”
Module 1
Introduction - Defining Cyber Threat Intelligence
“There is nothing more necessary than good Intelligence to frustrate a designing enemy.” ― George Washington

CTI is a young discipline that is growing rapidly; it has been studied in depth by analysts at Gartner, Forrester Research, IDC, the SANS Institute, and the National Institute of Standards and Technology (NIST).
The Need for Cyber Threat Intelligence

The surge of interest in cyber threat intelligence owes much to the devastating record of sophisticated targeted cyberattacks, including now-ubiquitous Advanced Persistent Threats (APTs) (long-term, planned campaigns by skilled attackers). Even the largest, best-protected enterprises have been victimized, sometimes to the tune of tens of millions of dollars.
(Because of this, organizations are now paying more attention to cyber threat intelligence, which means gathering and analyzing information about potential cyber threats. This helps them understand, detect, and prevent attacks more effectively.)
The menace of targeted attacks
10 years ago, IT security professionals mostly worried about mass attacks (attacks that target many systems or people at once). Today these are regarded as secondary threats that merely generate “noise” on the network. For the most part, security vendors and enterprises defend against them successfully by analyzing the first instances discovered and quickly disseminating signatures and Indicators of Compromise (IOCs). A few initial victims suffer, but everyone else can detect and block the attacks.

Today, the most serious data breaches and disruptions result from well-planned, complex attacks that target specific companies or industries. Sophisticated, well-funded attackers make detection difficult by:
● Utilizing social engineering techniques and multiphase campaigns that cannot be identified by simple threat indicators or blocked by frontline defenses.

(Social engineering: they trick people, such as employees, into giving away sensitive information, often through fake emails, phone calls, or messages. Multiphase campaigns: the attack is carried out step by step over time, making it harder to notice.)

● Constantly adapting their tools, tactics, and procedures to evade even advanced cybersecurity measures.

(Because they constantly update their tools, techniques, and tactics, even advanced cybersecurity systems cannot easily stop them.)

They have also raised the stakes by systematically targeting their victims’ most valuable information assets and business systems.
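As an added illustration that is not part of the slide deck or its source book, the following Python sketch shows the signature/IOC loop described above: indicators from the first analysed instances of a mass attack are disseminated and matched against logs, which blocks the rest of that campaign but misses an adapted variant (rebuilt payload, fresh domain) until its indicators are analysed and shared in turn. The IOC feed, the log lines, and every hostname, address and hash in it are constructed placeholders, not real threat data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed IOC feed standing in for what a vendor disseminates after
# analysing the first instances of a mass attack. Every value is a
# placeholder (reserved .test names, an RFC 5737 address, a dummy hash).
IOC_FEED: dict[str, set[str]] = {
    "domain": {"update-check.example-bad.test", "cdn.example-malware.test"},
    "sha256": {"a" * 64},          # dummy hash of the originally analysed dropper
    "ip": {"203.0.113.45"},        # documentation address, not a real attacker
}

# Constructed log lines. Lines 1-2 are the original campaign; lines 4-5 are
# the same tactic after the attacker rebuilt the payload and moved domains.
SAMPLE_LOGS = [
    "2024-01-05T10:01:02Z proxy allow host=update-check.example-bad.test user=jdoe",
    "2024-01-05T10:01:07Z edr file_written path=C:\\Users\\jdoe\\Downloads\\invoice.exe sha256=" + "a" * 64,
    "2024-01-05T10:02:11Z proxy allow host=mail.example.test user=jdoe",
    "2024-01-06T09:15:40Z proxy allow host=update-check.example-new.test user=asmith",
    "2024-01-06T09:15:44Z edr file_written path=C:\\Users\\asmith\\Downloads\\invoice.exe sha256=" + "b" * 64,
]

# Loose extractors: they pull *candidates* out of free text (a file name such
# as invoice.exe becomes a domain candidate); only feed membership decides.
_PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}


@dataclass(frozen=True)
class Match:
    line_no: int     # 1-based index into the log list
    ioc_type: str    # "domain", "sha256" or "ip"
    value: str       # the indicator that hit


def extract_indicators(line: str) -> dict[str, set[str]]:
    """Return candidate indicators in one log line, keyed by indicator type."""
    text = line.lower()
    return {kind: set(rx.findall(text)) for kind, rx in _PATTERNS.items()}


def match_iocs(log_lines: list[str], feed: dict[str, set[str]] = IOC_FEED) -> list[Match]:
    """Report every log line that contains an indicator present in the feed."""
    hits: list[Match] = []
    for n, line in enumerate(log_lines, start=1):
        for kind, candidates in extract_indicators(line).items():
            for value in sorted(candidates & feed.get(kind, set())):
                hits.append(Match(n, kind, value))
    return hits


def add_indicators(feed: dict[str, set[str]], new: dict[str, set[str]]) -> dict[str, set[str]]:
    """Return a copy of the feed with newly analysed indicators merged in.

    This is the 'analyse the first instances, then disseminate' step: it only
    protects others after someone has already been hit by the adapted variant.
    """
    merged = {kind: set(values) for kind, values in feed.items()}
    for kind, values in new.items():
        merged.setdefault(kind, set()).update(values)
    return merged


if __name__ == "__main__":
    before = match_iocs(SAMPLE_LOGS)
    print("original feed:", [(m.line_no, m.ioc_type) for m in before])
    # Lines 4-5 are not flagged: the adapted variant shares no indicator.
    refreshed = add_indicators(
        IOC_FEED, {"domain": {"update-check.example-new.test"}, "sha256": {"b" * 64}}
    )
    after = match_iocs(SAMPLE_LOGS, refreshed)
    print("refreshed feed:", [(m.line_no, m.ioc_type) for m in after])
```

The first run flags only lines 1 and 2; the adapted campaign on lines 4 and 5 passes untouched until its indicators are added, which is exactly the gap the slide attributes to attackers who keep changing tools, tactics and procedures.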
The monitor-and-respond strategy
Most enterprises have recognized that signature-based defenses are not effective against
sophisticated targeted attacks. They have shifted to a defensive strategy that focuses on
monitoring and incident response.
Why the strategy is failing
Unfortunately, this process is rife with difficulties at all levels: tactical (day-to-day technical issues), operational (how teams work together) and strategic (overall direction and planning).
Strategic level

At the strategic level, CISOs and IT managers don’t have the information needed
to set priorities or make budgeting and staffing decisions.

Executives also need information on what not to fear. Today, IT and business
managers alike are bombarded with an endless list of potential threats, along with
hyperbolic commentary about breaches from vendors and the press. They need
information that counters FUD (Fear, Uncertainty, and Doubt) so everyone can
focus on the real risks to the enterprise.
Cyber Threat Intelligence Defined
“Cyber threat intelligence is knowledge about adversaries and their
motivations, intentions, and methods that is collected, analyzed, and disseminated
in ways that help security and business staff at all levels protect the critical assets
of the enterprise.”
Key Characteristics (4)

1. Adversary based
2. Risk focused
3. Process oriented
4. Tailored for diverse consumers
The Benefits of Cyber Threat Intelligence (3 levels)
Chapter 2
Developing Cyber Threat Intelligence Requirements
"If you don't know where you are going, you'll end up someplace else.”

― Yogi Berra
Cyber threat intelligence requirements guide not only what intelligence is
collected, but also how it is analyzed and used. Developing a good set of
requirements helps the security organization
Assets That Must Be Prioritized
Personal information
Intellectual property
Confidential business information
Credentials and IT systems information
Operational systems
Adversaries
Cybercriminals
Competitors and cyber espionage agents
● Cyber espionage involves stealing confidential information to obtain commercial, economic, political, or military advantages.
● Cyber espionage has long been familiar to military organizations, aerospace and defense companies, and federal government agencies. Now it is being detected by an ever-widening circle of companies that bump up against foreign competitors.
● Cyber espionage is carried out by commercial companies, by government-sponsored agents on behalf of commercial companies, and by government and military organizations. They target a wide range of IP and confidential information that can be used to shortcut product development, win competitive bids, and anticipate business strategies, or to gain advantages in military or political struggles.
Hacktivists
Hacktivists attempt to carry out disruptive actions to express their political, social, or ideological beliefs, or to discredit or damage representatives of opposing views. They range from individuals, to loosely connected groups, to well-funded proxies for governments and military forces. In many cases their desire for publicity leads them to be more openly destructive than other types of threat actors.

Unfortunately, few enterprises are immune today. Banks, restaurant chains, retailers, media outlets, social networking companies, and many others are being targeted.
Intelligence Consumers

3 types of users:
Tactical users - Operational users - Strategic users
