Practical Cyber Intelligence - Wilson Bautista - E-Book

Description

Your one-stop solution for implementing a Cyber Defense Intelligence program in your organisation.


Key Features

Intelligence processes and procedures for response mechanisms

Master F3EAD to drive processes based on intelligence

Threat modeling and intelligence frameworks

Case studies and how to go about building intelligence teams

Book Description


Cyber intelligence is the missing link between your cyber defense operation teams, threat intelligence, and IT operations to provide your organization with a full spectrum of defensive capabilities. This book kicks off with the need for cyber intelligence and why it is required in terms of a defensive framework.


Moving forward, the book provides a practical explanation of the F3EAD protocol with the help of examples. Furthermore, we learn how to go about threat models and intelligence products/frameworks and apply them to real-life scenarios. Based on the discussion with the prospective author, I would also love to explore the introduction of a tool to enhance the marketing feature and functionality of the book.


By the end of this book, you will be able to boot up an intelligence program in your organization based on the operation and tactical/strategic spheres of Cyber defense intelligence.


What you will learn

Learn about the Observe-Orient-Decide-Act (OODA) loop and its applicability to security

Understand a tactical view of active defense concepts and their application in today's threat landscape

Get acquainted with an operational view of the F3EAD process to drive decision making within an organization

Create a framework and capability maturity model that integrates inputs and outputs from key functions in an information security organization

Understand the idea of communicating the potential for exploitability based on cyber intelligence

Who this book is for


This book targets incident managers, malware analysts, reverse engineers, digital forensics specialists, and intelligence analysts; experience in, or knowledge of, security operations, incident responses or investigations is desirable so you can make the most of the subjects presented.



You can read this e-book in the Legimi apps or in any app that supports the following format:

EPUB

Page count: 256

Year of publication: 2018




Practical Cyber Intelligence


Wilson Bautista Jr.


BIRMINGHAM - MUMBAI

Practical Cyber Intelligence

Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author(s), nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Gebin George
Acquisition Editor: Heramb Bhavsar
Content Development Editor: Abhishek Jadhav
Technical Editor: Mohd Riyan Khan
Copy Editor: Safis Editing
Project Coordinator: Judie Jose
Proofreader: Safis Editing
Indexer: Rekha Nair
Graphics: Tom Scaria
Production Coordinator: Shantanu Zagade

First published: March 2018

Production reference: 1280318

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-78862-556-2

www.packtpub.com

To my mother, Rebecca Bautista, and my father, Wilson Bautista Sr., for their support, guidance, and for putting up with a lifetime of my shenanigans.
To my wife, Veronica, for her sacrifices, love, and encouragement throughout our life-journey.
To my children, Andrew, Devin, and Daniella, thank you for being my daily inspiration.
To Alex and Marta—Gracias por todo.
To my sisters, Katrina and Jasmine—Much love to you both.
– Wilson Bautista Jr.

mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

PacktPub.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the author

Wilson Bautista Jr. is a retired military officer who is the Director of IT and InfoSec at i3 Microsystems. His expertise is in the domains of InfoSec leadership, policy, architecture, compliance, and risk. He holds multiple InfoSec and IT certifications as well as a master's degree in Information Systems from the Boston University. He's an INTP on the Myers-Brigg Type Indicator test with a Driver-Driver personality. As a practitioner of Agile and SecDevOps, he develops innovative, integrated, enterprise-scale cyber security solutions that provide high value to businesses.

I'd like to thank my family (specifically my wife) for their support in allowing me to finish this book, my global information security colleagues who have provided me with friendship, mentorship, and perspective on culture and business communications, and all of the military personnel in my career that helped me get where I am today. Lastly, I would like to thank wine, beer, and coffee.

About the reviewer

David J. Gallagher CISSP is a senior security consultant who specializes in security intelligence and data protection solutions. With over 25 years of experience in testing, development, and business analytics across multiple industries, he has led global teams and works across multiple business units to achieve common goals and improve development/quality assurance processes. He specializes in advanced emerging threats and vulnerabilities as a security researcher and has a strong interest in understanding the vulnerabilities and developing solutions for them.


Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Preface

When I was first asked to write this book, it was supposed to be about applying military targeting methodology to threat intelligence. However, when I started writing, I began to ask:

How is threat intelligence beneficial to organizations?

How can we create value from threat intelligence?

So, the topic began to change to something I believe is missing in how we operate as IT organizations. Threat intelligence is worthless to organizations if it is not applicable to them. Once it becomes applicable to an organization, it has to be communicated to someone who can take action on it. It sounds so simple, but when we look further, there are so many touch points with different parts of the organization and different processes between teams that the topic eventually morphed into what I call cyber intelligence.

If you spend some time looking at the cyber security news on your social media, you can read about the latest exploitation, the need for more cyber security professionals, and how insecure we are. It feels like sensationalism and further drives paranoia of being labeled "the next victim" for senior leadership. How many times have we seen senior leadership step down because of a breach? Perhaps some breaches were due to neglect, but I'm keen to think that we (collectively) are riddled with archaic and bureaucratic business processes that do not allow flexibility for decentralized decision making. 

Does your IT Operations and IT Security leadership act as one in decision making for the overall IT decisions, using information that impacts each side? If they do, then you should just put this book down because this isn't for you. If they don't, then you understand the pain of how separation of duties impacts how quickly things get done.

In the military, intelligence capability allows a commander to understand the environment around them in order to make decisions. This book is about how we can take a variation of military intelligence processes and apply it across the organization. Whether you are an entry-level analyst or a senior manager, there is something for you to learn and put into practice right away in your organization. 

Who this book is for

The main audience of this book is mid-level to senior management professionals in small to medium businesses who are looking to improve their IT and InfoSec operations using a variation of military processes and concepts. It is also meant for future leaders in the industry to take another look at a holistic approach to improving IT operations in their organizations. No prior management or technical experience is assumed.

What this book covers

Chapter 1, The Need for Cyber Intelligence, introduces a brief history of intelligence use in the military, the different types of intelligence, and the military mindset.

Chapter 2, Intelligence Development, introduces the intelligence cycle, shows you how intelligence is developed, and how to develop priority information requests.

Chapter 3, Integrating Cyber Intel, Security, and Operations, introduces OPSEC and lays the foundation for understanding how cyber intelligence can be integrated into Information Security and IT operations.

Chapter 4, Using Cyber Intelligence to Enable Active Defense, introduces the Cyber Kill Chain and develops another look into how we can utilize cyber intelligence to enable proactive defense measures.

Chapter 5, F3EAD For You and For Me, introduces how we can use the Find, Fix, Finish, Exploit, Analyze, and Disseminate process that is deployed against high value targets, and its applicability to the Cyber Kill Chain.

Chapter 6, Integrating Threat Intelligence and Operations, takes a deeper look into how we can develop meaningful and actionable information to stakeholders through incorporating threat intelligence information.

Chapter 7, Creating the Collaboration Capability, gives an overview of how we can create communication channels to provide cyber intelligence information throughout the organization.

Chapter 8, The Security Stack, provides a view on how information captured from different security capabilities can be developed into cyber intelligence that supports sound decision making.

Chapter 9, Driving Cyber Intel, goes into detail on how we can enable the users as another means of collecting and reporting information to develop intelligence packages.

Chapter 10, Baselines and Anomalies, highlights the complexity of reporting, teaches you how to look at entities and their processes horizontally and vertically, and provides a method for integrating an end-to-end continuous monitoring capability.

Chapter 11, Putting Out the Fires, introduces ways to improve incident response through developing good intelligence communication channels.

Chapter 12, Vulnerability Management, goes into more detail on a specific capability within InfoSec and how to improve what information gets into the hands of the stakeholders for action.

Chapter 13, Risky Business, gives a broad overview of risk and how we can use risk management tools and techniques to further improve the information being passed to stakeholders for action.

Chapter 14, Assigning Metrics, introduces a concept in assigning risk metrics and key risk indicators for an end-to-end process.

Chapter 15, Wrapping Up, provides a broad overview of the preceding chapters and takes you through an ideal situation, where a cyber intelligence capability is fully functional within an organization.

To get the most out of this book

You will want to read this book from start to finish, as I've written each chapter to build on the previous ones. Each concept you learn in these chapters will relate to the others in some fashion. If you don't, you'll find yourself completely lost, as a lot of what has gone into this book consists of customized processes that have worked, or are working, in the organizations and teams I've helped develop.

So I want you to read this book with an open mind and ask yourself, "What if this could work?" I only ask you to do this because I believe that we should all be on a path to improving our own processes (IT and business) within our organizations. The number of breaches in 2017 alone is an indicator that some organizational processes don't work.

We cannot accept "this is how it has always been done" anymore

We need to reduce friction between each other

We need to increase the speed of decision making

We need to reduce the risk of exploitation

This book is another way to enable sound decision making at all levels by developing an intelligence capability between IT teams using the resources that we already have. It is definitely a "bastardization" of military and civilian processes that have been put together to "make it work" for my teams. This book is not a solution, but a way of taking what we already know and trying to make an organization's collaboration and communication more efficient. By doing this, we are one step closer to reducing the risk of exploitation to our organization.

Let's get started.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/PracticalCyberIntelligence_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.


Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Select System info from the Administration panel."

Warnings or important notes appear like this.
Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com.

The Need for Cyber Intelligence

"Business intelligence (BI) leverages software and services to transform data into actionable intelligence that informs an organization's strategic and tactical business decisions."
– https://bicorner.com/2017/12/01/what-is-bi-business-intelligence-definition-and-solutions/

In this chapter, you will learn about the necessity of transforming data into actionable intelligence. You will also learn that there is a difference between cyber intelligence and cyber threat intelligence. In this chapter, we will review:

The need for cyber intelligence

The application of intelligence in the military

Different types of intelligence

How intelligence drives operations

Introduction to maneuver warfare

We will take a look at how intelligence has been used in the military and how the military incorporates intelligence to plan for missions. We will review high level concepts of maneuver warfare and use these as a new approach to understanding how to utilize information, so we can remove uncertainty and be proactive against threats to our environment.

Need for cyber intelligence

Are we using the data from our security software and services to transform the data into actionable intelligence that informs an organization's strategic and tactical business decisions?

In a recent SANS survey, phishing (72%), spyware (50%), ransomware (49%), and Trojans (47%) are the threats most seen by respondents' organizations in 2017. Organizations are being attacked daily by numerous threats. Alert fatigue is developing from the overwhelming amount of data to sort through and understand where to start remediating. There are many tools to discover vulnerabilities and potential threat vectors. In our world, sorting through this information is a challenge as there are always competing interests within the information security organization and the business. Leaders must strike the right balance of security and operations, as well as risk and compliance.

From textbooks, we've been taught that in security we should identify, contain, and eradicate vulnerabilities on the network so that we reduce the risk of being compromised. We've been led to believe that security will save the company from the bad guys and that we will be given the power to do that. However, the reality is much more complex: chief information security officers (CISOs) and managers balance budgets, engineers try to get change requests approved, human resources are lacking due to burnout or availability, and dealing with vendors, company culture, world culture, and organizational processes hinders our ability to respond to threats that can pose a considerable risk to the organization and its information. Uncertainty, fog of war, and friction are a part of life as a security professional.

The questions that come to mind are as follows:

How do we reduce this uncertainty?

What is the priority?

How do we focus our efforts?

How do we provide actionable information so that I can get my stakeholders on board?

How do I train my team?

Where do we begin to remediate? Can I even remediate?

The threat landscape is always changing. Every day we hear of a new group of hackers that are targeting systems that are vulnerable to X and Y. There are reports of nation-state cyber espionage attempts on the national media. The scary thing is that there may be an attack happening and no one has caught on. There seems to be general paranoia about who will be next and if that day comes, I hope it isn't me.

This book is meant to help executives and analysts understand their role in raising the bar, from effective communication of the state of their security, to gathering information about their environment. How we address this is by building a cyber intelligence capability that provides accurate information about the exploitation potential of vulnerabilities that exist within the environment by known adversaries, resulting in appropriate measures taken to reduce the risk to organizational property.

The application of intelligence in the military

"Intelligence is the ability to gain knowledge or a skill."

Cyber threat intelligence is an analysis of an adversary's intent, opportunity, and capability to do harm. This is a discipline within information security that requires a specific skill set and tools used by threat intelligence analysts.

Cyber intelligence is the ability to gain knowledge about an enterprise and its existing conditions and capabilities in order to determine the possible actions of an adversary when exploiting inherent critical vulnerabilities. It uses multiple information security disciplines (threat intelligence, vulnerability management, security configuration management, incident response, and so on) and tool sets to gather information about the network through monitoring and reporting, allowing decision makers at all levels to prioritize risk mitigation.

Over the past few years, we've seen a list of new certifications focusing on penetration testing and ethical hacking. These skills are perfect for the personnel on the ground looking for vulnerabilities within organizations using the tools and methods that a malicious actor would use. There are so many tools that provide the ability to look at, find, monitor, and report on their environment. How do we apply those same concepts to the architecture of an enterprise? How do we think like an attacker and build into our architectures the capability to mitigate and/or reduce the risk? The goal of the following few sections is to create a proactive defense mindset and lay the foundation for building a cyber intelligence capability architecture in your organization.

Intel stories in history

"Intelligence drives operations"
– Gen. A.M. Gray, 29th Commandant of the United States Marine Corps

Having the capability to gather information on an adversary has been practiced in the art of warfare for centuries. Using intelligence helps guide military commanders' decision-making for future operations. Military organizations have sections dedicated to operating their intelligence capability. In order to understand how to apply intelligence in our security operations, we should have an understanding of what intelligence is and how it has been used in military history.

The American Revolutionary War

“Washington did not really outfight the British. He simply out-spied us.”
– British intelligence officer

In order to combat an intimidating and larger British force, General George Washington needed to do something to even the playing field. The odds were against the fledgling American army, as they were understaffed, undertrained, and had little to no budget. The answer to this problem was espionage.

The Americans needed to know about their adversary's actions in order for them to win the Revolutionary War. Washington needed patriots who were close to the British at all levels of society. So he employed ordinary people, such as farmers, tailors, housemaids, and other patriots to build spy rings. Additionally, he turned British spies into double agents. The Americans had established multiple networks of agents passing information between the lines, informing Washington of the whereabouts of the British and what their next plans were. As mail was intercepted, General Washington proposed to, "