Aaron Roberts

Cyber Threat Intelligence

The No-Nonsense Guide for CISOs and Security Managers

1st ed.
Aaron Roberts
London, UK
ISBN 978-1-4842-7219-0
e-ISBN 978-1-4842-7220-6
© Aaron Roberts 2021
This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Apress imprint is published by the registered company APress Media, LLC part of Springer Nature.

The registered company address is: 1 New York Plaza, New York, NY 10004, U.S.A.

For Berta. Thank you for supporting me on this journey and pushing me. This book wouldn’t exist without you.

Introduction

Since the Internet became a regular fixture in everyday life in the 1990s, the threat from criminals utilizing this modern wonder of the world has grown exponentially. As the world has become more dependent on technology, the sophistication and reach of hackers, nation-states, and criminals continue to evolve at an unprecedented rate and an unprecedented scale.

I have always been fascinated by computers and technology. As a young child, I remember my Commodore 64 fondly. I grew up as a working-class lad and didn’t own a “proper” computer until I was 18. However, from that moment, my interest and inquisitive nature took over. In 2009, after three years on and off in the Army Reserve, I embarked on my then newfound career working in IT and, subsequently, intelligence within the UK Civil Service. I worked in a variety of roles and locations and received some excellent training and foundations to specialize in the emerging field of cyber intelligence, which is something I’m incredibly grateful for.

However, in 2017, my career evolved and moved away from working in the traditional areas of operation into being solely focused on threats within cybersecurity. I spend my days working in cyber threat intelligence (CTI). Now, if that doesn’t sound very long to you, I’d like to point out that this is a very new industry that is still growing and coming to terms with what it actually is. However, I’d like to highlight the credentials that will hopefully convince you that I have the relevant and appropriate experience to write this book:
  • Beyond the public sector, I have now worked for a CTI-specific start-up, a global telecommunications company, and the largest broadcast media company in Europe, in addition to opening my own cyber intelligence consultancy.

  • I spend my days focusing on the threats from cybercriminals and nation-state actors to my organization and our peers, what we should be considering, and how we stop them.

  • I’m actively engaged within the community in London and maintain a presence in groups, networking events, and (now) regularly posting about things on social media and my website.

  • The skills I have picked up since 2009 have enabled me to become the principal intelligence analyst at my employer, and I continue to mentor junior analysts and find new tradecraft and improved ways of working. These skills have also allowed me to open my own business providing investigative support, consultancy, and training services.

Although I hope you find this book of value, and that it helps you in setting up or maintaining an excellent CTI program in your own business or, indeed, learning some of the core concepts around CTI as an analyst, I would urge you not to consider this book a one-stop shop for what or how you should adapt CTI within your organization.

I am one person who has some valuable experience and insight, but the needs of your organization may differ from my experiences. You likely operate in different geographies, use different technologies, and, due to the nature of your business, face different threats as a result. As such, you have a unique challenge in front of you, as every business is different. Some of the things that differ from one business to another would be as follows:
  • Do you use Windows as the corporate desktop? macOS? Linux?!

  • The hardware used to run your corporate system – laptop, desktop, thick client, thin client, etc.

  • What cloud services are you using?

  • What Internet-facing services are already in place?

  • What security mechanisms does your organization already deploy for these systems?

  • What is your key business?

  • Who are the actors targeting you? Who have they already successfully compromised?

  • What systems are in place that you don’t know about?

  • What geographies do you operate in?

  • What previous security incidents have you faced?

  • How big is the security team? What functions do they serve?

These are just a few questions that you should be asking yourself before considering a CTI program. After all, your threat profile is very different if you’re Barclays Bank or if you’re Peggy’s News on the high street in Skipton. This example may be crude, but it helps to illustrate that you need to adopt a unique response to your intelligence program and some of the reasons why. If you don’t adopt a unique strategy within your own business, you’re going to have gaps in your coverage and/or detection processes.

Something I strongly believe is that cybersecurity should always be intelligence-led. CTI gives you the reason why to adopt a specific approach. Without it, you just have information and response without context.

What This Book Isn’t

This book is written almost like a manifesto for what CTI practices should be. It is not, however, a step-by-step guide on what you should do and how you should do it. There are a couple of reasons for this. Foremost, as I mentioned, every single organization has different requirements, different IT estates, and a unique threat model from every other organization, unique even from its own peers.

I can’t in good conscience tell you what to do and know that it will work 100% of the time. Some of my suggestions will ring true for you; some of them won’t. You may agree with me in some cases and wholeheartedly disagree with me elsewhere. However, I hope the overarching message conveyed within this book is something that you do agree with and therefore take into consideration when looking at broader practices, vendors, and approaches to security controls moving forward.

Secondly, this book is not and will never be a guide on what to do with specific pieces of information to achieve an intelligence goal. Cyber, more than any other industry, evolves at an incredible pace. What I write today regarding a particular way to analyze something could be wholly outdated and useless tomorrow; therefore, I will not attempt to do so. This is an obvious issue with books and ebooks, and I’d recommend you check my website¹ and the other resources referred to in this book for up-to-date content on specific techniques.

The most apparent issue with what I say here of course is also time. I can’t update this book often enough with new techniques and expect you to pay for it over and over again. That is why I hope sharing a message or way of thinking is more beneficial to the long-term, sustained success for you and your organization. I’m active online, and you can follow me or any of the highly recommended resources, groups, and individuals I share for new techniques or evolving trends for analyzing data.

I personally also fail to see the full value of a book that claims to give you the full technical rundown when the industry, and indeed technology, moves on at such a rapid pace. For example, there are an untold number of books that discuss the idea of property and why it’s a good investment. However, the one book that stands the test of time is Rich Dad, Poor Dad by Robert Kiyosaki, and it stands the test of time for one excellent reason – it discusses the concepts of assets vs. liabilities with a focus on property/real estate. It doesn’t focus on an investment strategy that worked in the 1980s when the book was originally published and why you should absolutely go all-in on it. Instead, it explains the underlying logic of why someone would invest in property and why using money to acquire assets rather than depreciating liabilities (such as nice cars) is the best way to long-term financial success.

My hope and aim for this book is for it to become a kind of “Rich Dad, Poor Dad” for cybersecurity, but CTI specifically. I wholeheartedly believe in the ideas I discuss in this book, and I think the concepts can help every organization to protect themselves better. It won’t tell you to use the following commands in a Linux terminal to achieve X result, because I can’t guarantee that will work for you when you read this. Still, I can assure you that the logic and methodology I discuss will hold weight and will help you improve your security controls and response moving forward. I also hope my great sense of humor will see you get to the end, but more of that later.

Who Can Get Value from This Book?

This book is aimed predominantly at those in charge of making cybersecurity decisions (i.e., CISOs or SOC managers). However, I believe everyone involved in cybersecurity or who has an interest in the concepts could benefit, including new or junior CTI analysts. This book is not a hugely technical deep dive, but it is a methodology and way of approaching a subject that’s growing in the industry and has the potential to leave a lot of people burnt if they don’t approach it correctly.

Whether you are a student keen to learn more or a seasoned cyber veteran, I hope this book will give you something to consider and will encourage you to adopt new approaches or indeed raise discussions with myself or your wider community.

The security industry is always going to be behind the curve compared to those who threaten our organizations, and only by sharing our thoughts, methodologies, and working together can we ensure that we remain as effective as possible. We will not always win, as we continually fight with at least one hand tied behind our back, but together as a community we have strength in numbers that our adversaries do not. If we approach CTI in the right way, this can be the great leveler for any cybersecurity team.

I also hope this book will be of relevance to individuals across all sectors of cybersecurity, whether private, public, military, or law enforcement. My message is the same for all, and while each industry faces its own unique threats, the approach to all should be considered and structured.

What Else Will We Consider?

Within this book, I will cover a wide range of intelligence topics. I aim to provide a background understanding of intelligence and why it is useful, as well as some more in-depth concepts to help you to propel your business’s security practices forward.

By providing you with these concepts in a clear, concise manner, I hope you will adopt intelligence-led cybersecurity and evolve your business to adapt and react to the threats relevant to you. You could ingest indicators of compromise (IOCs) all day long and claim you’re receiving intelligence. I hope that by the end of this book, you see that that approach is frankly nonsense and that there is a better way, a way that can be unique for you and your business. Or indeed, any business. The concepts won’t change, but the approach taken by each individual will, dependent on their own IT, security posture, and the risks they likely face. Such is the beauty of CTI and why we never have a day to get bored. Except for the odd day in lockdown, as I’m writing this during a global pandemic, and frankly, it’s no fun. I can’t wait to go to the pub.

Key Takeaways

  • Cybersecurity is unique to every business. The IT each company employs, the risks, and the threats it faces are completely bespoke, even to its peers.

  • Adopting an intelligence-led approach enables an organization to deal with situations as they develop. You can apply security controls and responses when they become relevant to you rather than carte blanche.

  • This book can benefit anyone involved in cybersecurity, from students to CISOs. The methodologies and concepts considered allow an individual to understand the critical facets of CTI without the need for outdated techniques or methods. We have other resources for those which can be updated much more regularly than a book.

  • Global pandemics sometimes force CTI professionals to consider writing a book, so we should probably avoid any more of those in future.

Acknowledgments

Firstly, this book wouldn’t have happened without my wife Berta, who has always stood behind me and encouraged me to go beyond what I thought possible. Without you, I’d not be where I am, nor would I have ever made the steps to get here. You’re my rock and I love you now and always. Thank you.

I’d also like to thank those who’ve helped me professionally and personally and indeed to create this book. To Sam, not only for his fantastic help with reviewing the content of this book but for taking a chance on me all those years ago. Without that opportunity, I doubt I’d be writing this book today. To Simon, Tim, Dave, and Stu, I thank you for the opportunities and for the risks you took when I was more than a little wet behind the ears. I sincerely appreciate it.

In no particular order, I’d also like to thank Chris, Ant, Josef, Jörg, Miguel, Caitlin, Foster, Adam, Sergey, Matt, Boring Al, Jon, Luke, Christy, Lynne, Chris B, Rob, and all the guys from Harrisment – you’ve helped me learn, grow, and inspired me to keep going. Finally, I’d like to thank David and Tony for reinvigorating my passion for OSINT, which has led me to meeting fantastic people at Locate International including Neil and Ray, who are absolute rock stars.

To my family, friends, and especially my parents, thank you for the support, encouragement, and enthusiasm over the years. It means so much. And Monty the Cyber Corgi, who is the very best boy.

Table of Contents
About the Author
Aaron Roberts is an intelligence professional specializing in cyber threat intelligence (CTI) and open source intelligence (OSINT). He is focused on building intelligence-led cyber capabilities in large enterprises and conducting online investigations and research. He has worked within several public and private sectors as well as the British Military. As such, he understands how intelligence can and should be utilized within a range of environments and the fundamental approach that businesses must take to get the maximum value out of their cyber threat intelligence program.
