© The Author(s), under exclusive license to APress Media, LLC, part of Springer Nature 2021
A. Roberts, Cyber Threat Intelligence, https://doi.org/10.1007/978-1-4842-7220-6_9

9. Summary

Aaron Roberts
London, UK

Congratulations, you’ve made it and now are a certified expert in everything there has ever been known about cyber threat intelligence! Woo-hoo! OK, maybe not, but I hope that this book has given you the foundations from which to build upon.

This book aimed to introduce some of the core concepts and methodologies used in CTI, which can help you make better decisions for your business. We’ve discussed how to take intelligence requirements and turn them into something tangible that the business can use. In turn, we looked at things like the ATT&CK framework and structured intelligence to provide contextualized information to those who need it.

CTI is not a one-size-fits-all game. You need to understand the needs of your business in addition to the risks you face. Your technologies are almost certainly different from the next organization, your operational areas are different, and your services are probably different too. Of course, there’s going to be crossover and overlaps. After all, we all care about ransomware – but where CTI brings the most value is in contextualizing the threat specifically to your business.

I hope this book has given you a firmer understanding of how to maximize value from a CTI program. You can now appreciate some of the common ways to make intelligence actionable. These range from understanding where you can get better value from your existing security systems, to appreciating what features you may need moving forward with new vendors, to considering approaches regardless of your budget. Of course, you’re going to need to spend money somewhere to really get value from a CTI program. Still, nothing is stopping you today from starting to consider how you can adopt intelligence into your cybersecurity program and start bringing value.

If I can suggest one takeaway from this book above all else – you must adopt a formalized intelligence requirements process. There is no more significant pain as an intelligence team than creating intelligence products you think the business cares about without ever knowing or getting feedback. Utilizing the intelligence cycle to ensure you get feedback regularly from every stakeholder team (ideally on every product!) will help the team home in and focus on the things the business needs, as well as those awareness pieces on things that are good to know but may not affect you directly.

I’d also encourage you to ensure that your organization standardizes how it handles threat data. The use of MITRE ATT&CK is increasingly becoming the industry standard, and failure to adopt it will see you struggle to have coherent messaging and understanding with incident response or prevention. Of course, nothing is a silver bullet, but taking these baby steps that help you improve incrementally will undoubtedly leave you in a stronger position than where you started. Wider adoption of ATT&CK will also help you respond to threats at a TTP level as, in time, security systems gravitate away from IOCs being the be-all and end-all. It may feel a long time off, but I am confident that TTP-level detection will be the industry standard in the future. If you can set yourself up for that today, then why wouldn’t you? With this in mind, let’s look at the main themes we’ve discussed to give a more rounded takeaway from this book.

The Main Themes Discussed in This Book

I hope the first thing that’s been consistent throughout this book is that CTI is not a dark art. I purposefully chose not to make this book an instructional guide on how to research an IP address/domain/file/certificate etc. for this reason. I also felt that telling you how to do A, B, and C at the time of writing is fine, but it’s almost inevitable that from the time I write it down to the book being published (not to mention when you may read it), something will change or no longer be at all relevant. But I feel the concepts and methodologies we’ve discussed will stand the test of time, even if they evolve over time.

We’ve discussed ATT&CK at length as well as STIX/TAXII, and while there’s every possibility they change or evolve beyond what they look like in 2021 as I write this, the underlying value and the benefits of both will still be relevant. Meanwhile, some traditional intelligence concepts have already stood the test of time and will likely do so forever.

The vendor-agnostic approach to this book is another thing I hope you’ve been able to take to heart. While there are references to some tools or companies throughout, I wanted to ensure that the book didn’t force you down a specific path or make you think there was only one solution. As I’ve stated on what feels like every page, you and your business are unique. Only you can make the decisions that make sense for your organization. But make sure you put each vendor through its paces, and you get the people who will be using the tool to give you their honest feedback. Combined with your intelligence requirements, you should be in a great position to understand if you’re likely to get the required value out of a tool or service. Make it count.

If you can get the right tooling in, and you can structure your analysis and your intelligence to provide actionable and timely products for your stakeholders, you will already be way ahead of the game compared with most businesses. It sounds like hyperbole, I know, but CTI as an industry is in its infancy, and most companies and people haven’t fully grasped what CTI currently is and what it can be. However, having now read this book, I feel like you can consider yourself someone who does understand what CTI is presently and what it can bring to your organization at the fundamental level. You still need good analysts, and you need the proper tooling and integration among your people and systems, but that’s always going to be an ongoing process. As you establish your foothold, things will improve, and efficiencies will be identified. This is only the start of a journey to professionalizing and standardizing an approach to a new field; embrace it and carry it forward, and you won’t be sorry you did.

If you’re also willing to embrace the power of OSINT, you can start to reap the benefits from day one. The Internet and social media are both a blessing and a curse for CTI (and you may argue, everything else!). Still, the availability of information and threat intelligence is incredible. If you can make use of that data to help protect your organization, then fantastic! Your analysts can also use OSINT techniques in their research to help contextualize threats and the risk to your organization. You should actively encourage and promote the use of OSINT – the capability of good OSINT analysis is hard to find and hard to quantify. In many ways, OSINT is trying to find the proverbial needle in a haystack, and a good OSINT analyst can give you that ability. Combining that with a good suite of CTI tools and providers will provide your business with an excellent CTI capability.

Even if you don’t have the budget for a broad swathe of tools and new toys, you can start to reap the benefits by embracing OSINT as a starting point. Spend wisely on tools that enhance your capability in a meaningful way, and you’ll see the progression over time and can address any gaps when appropriate. It’s not an exact science, and it would be quite an achievement if you could stand up a new intelligence function and not have any gaps anywhere from the outset. It’s a journey that can and probably will take years until you consider your offering “mature,” but the logical and gradual progression should mean you notice a discernible impact from your intelligence products much sooner than that.

Remember, CTI is constantly evolving, as are the threats we face and the businesses we protect. Wherever you are on your journey today, what you currently envision as your end state is likely going to change, or you’ll get there and realize there’s something else that could be used or you need. That’s essentially what’s so appealing about working in the industry. While some of the concepts may never change, the real-world implications are constantly evolving. Every organization can use CTI in their security. Threat or intelligence-led defense is the most efficient way to ensure your business responds to relevant threats, and it should become the de facto normal for cybersecurity. I think we will see this gradual shift to moving CTI front and center, particularly in large enterprises, but it needs support and understanding from the top down to make it happen. If you’re a CISO and you’re trying to understand the core concepts of CTI, then I hope this book has helped you with that. It’s down to you to give your business the impetus and drive to implement and embrace CTI, and subsequently it’s down to the CTI team to deliver on the business requirements. A fun journey for all, I’m sure you’ll agree.

So what do the next steps after this book look like for any organization? Let’s have a look, shall we?
  • If you haven’t already, then start considering and implementing CTI into your security program.

  • Identify where you can get value from your existing tooling and, depending on intelligence requirements, find suitable vendors to help you fulfill your stakeholders’ needs.

  • Ensure the business adopts standardization with methodologies like MITRE ATT&CK. Utilize ATT&CK mappings in intelligence reporting and when providing mitigation/prevention advice.

  • Consider using STIX/TAXII when sharing threat data so that your stakeholders and partners can see things exactly as you intend. In addition to the analytical benefits this brings, you can help promote further standardization in security.

  • Embrace OSINT and get your CTI team to use it as much as possible, in addition to commercial or closed sources of intelligence.

But what if you’ve read this book and still feel like you can’t do anything? What should you take away from this book? I’d honestly be surprised if that were the case; even in high-security environments, there’s going to be scope to use OSINT or commercial tools to help answer a need. It may not be a quick or easy solution, but there’s going to be something you can do.

Suppose you feel like you’re in a position where you’d like to adopt CTI, but there’s simply nothing you can do. In that case, I’d encourage you to take a step back, look at your broader security program, and see if there’s anywhere you could look to bring intelligence into the equation. If it’s a question of budgeting, I hope that this book has given you some ideas for getting started with literally zero spend. It just needs some creative thinking and clever embracing of different services. I’m sure almost everyone would be able to use TweetDeck to look at threat research and sharing of information on malware, for example.

If you’re in a position where you can’t afford analysts, then again I’d urge you to consider the value in utilizing threat feeds to give you at least some level of threat intelligence. You won’t get much value, and you may get a lot of false positives without any manual analysis or eyes on the data, but it would at least be something. At the end of the day, CTI is about giving the organization the timely and actionable intelligence to respond to a specific cyber threat, whether providing awareness of an emerging malware or while conducting incident response. Suppose the business isn’t prepared to support that for some reason. In that case, I’d suggest the company doesn’t take its cybersecurity very seriously, which in any case means you have more significant issues than whether to use CTI or not.

How You Can Follow Up with Me

If you’ve enjoyed this book (or if you think it’s rubbish), I would love any and all feedback! You can find me on Twitter at @AaronCTI and LinkedIn at https://linkedin.com/in/aaroncti, and I have a blog which you can reach at https://aaroncti.com.

Writing this book has been a privilege and an honor for me. Way back in the 1990s, before I ever discovered craft beer and heavy metal, I wanted to be an author, and thanks to Apress, I’ve been given the opportunity to write this book. It’s a book built on my experience working in intelligence for many years and all the good, bad, and plain ugly that I’ve had the fortune to experience along the way.

I hope that even if there are opinions or ideas in the book that you disagree with, there’s still something that resonates with you or at least has given you food for thought when considering how your business conducts CTI. I’ve tried to keep this book around approaches, concepts, and methodologies more than hands-on analysis, as there are already lots of books on that, and I personally believe books aren’t the best medium for learning “how to” do something like analysis. In contrast, a book is excellent for bringing concepts and ideas to life, rather than presenting many screenshots and information that is potentially outdated by the time you ever get to read it.

If you’re interested in having more discussions or need assistance with anything to do with your CTI program, my company Perspective Intelligence can undoubtedly help. We offer a range of services from OSINT investigations to CTI consulting and intelligence training.

Finally, I’d like to thank you for giving this book and, in turn, me the opportunity to provide my experiences and thoughts on cyber threat intelligence into your life and, hopefully, your business. By reading this book and considering implementing (or improving) your CTI practice, you’re helping your business become better at security. You should hopefully now have an excellent foundation for building a CTI program that does your business justice. Wherever you are on your journey, I wish you the best of luck, and I hope we cross paths either on social media or through business in the future.
