Practical Cyber Intelligence
Table of Contents

Preface

Chapter 1: The Need for Cyber Intelligence
    Need for cyber intelligence
    The application of intelligence in the military
    Intel stories in history
    The American Revolutionary War
    Napoleon's use of intelligence
    Some types of intelligence
    HUMINT or human intelligence
    IMINT or image intelligence
    MASINT or measurement and signature intelligence
    OSINT or open source intelligence
    SIGINT or signals intelligence
    COMINT or communications intelligence
    ELINT or electronic intelligence
    FISINT or foreign instrumentation signals intelligence
    TECHINT or technical intelligence
    MEDINT or medical intelligence
    All source intelligence
    Intelligence drives operations
    Putting theory into practice isn't simple
    Understanding the maneuver warfare mentality
    Follow the process, the process will save you
    What is maneuver warfare?
    Tempo
    The OODA Loop
    Center of gravity and critical vulnerability
    Surprise – creating and exploiting opportunity
    Combined arms – collaboration
    Flexibility
    Decentralized command
    Summary

Chapter 2: Intelligence Development
    The information hierarchy
    Introduction to the intelligence cycle
    The intelligence cycle steps
    Step 1 – Planning and direction
    Requirements development
    Requirements management
    Directing the intelligence effort
    Requirements satisfaction
    Planning the intelligence support system
    Step 2 – Collection
    Step 3 – Processing
    Step 4 – Analysis and Production
    Step 5 – Dissemination
    Methods
    Channels
    Modes
    Dissemination architecture
    Step 6 – Utilization
    Summary

Chapter 3: Integrating Cyber Intel, Security, and Operations
    A different look at operations and security
    Developing a strategic cyber intelligence capability
    Understanding our priorities
    The business architecture
    The data/application architecture
    Technology architecture
    Application of the architectures and cyber intelligence
    A look at strategic cyber intelligence – level 1
    Introduction to operational security
    OPSEC step 1 – identify critical information
    OPSEC step 2 – analysis of threats
    OPSEC step 3 – analysis of vulnerabilities
    OPSEC step 4 – assessment of risk
    OPSEC step 5 – application of appropriate countermeasures
    OPSEC applicability in a business environment
    Cyber intel program roles
    Strategic level – IT leadership
    Strategic level – cyber intelligence program officer
    Tactical level – IT leadership
    Tactical level – cyber intelligence program manager
    Operational level – IT leadership
    Operational level – cyber intelligence analysts
    Summary

Chapter 4: Using Cyber Intelligence to Enable Active Defense
    An introduction to Active Defense
    Understanding the Cyber Kill Chain
    General principles of Active Defense
    Active Defense – principle 1: annoyance
    Active Defense – principle 2: attribution
    Enticement and entrapment in Active Defense
    Scenario A
    Scenario B
    Types of Active Defense
    Types of Active Defense – manual
    Types of Active Defense – automatic
    An application of tactical level Active Defense
    Summary

Chapter 5: F3EAD for You and for Me
    Understanding targeting
    The F3EAD process
    F3EAD in practice
    F3EAD and the Cyber Kill Chain
    Cyber Kill Chain and OODA loop
    Cyber Kill Chain and OPSEC
    Cyber Kill Chain and the intelligence cycle
    Cyber Kill Chain and F3EAD
    Application of F3EAD in the commercial space
    Limitations of F3EAD
    Summary

Chapter 6: Integrating Threat Intelligence and Operations
    Understanding threat intelligence
    Capability Maturity Model – threat intelligence overview
    Level 1 – threat intelligence collection capability
    Phase initial
    Example 1 – Open Threat Exchange – AlienVault
    Example 2 – Twitter
    Example 3 – Information Sharing and Analysis Centers
    Example 4 – news alert notifications
    Example 5 – Rich Site Summary feeds
    Phase A
    Example 1 – Cisco – GOSINT platform
    Example 2 – The Malware Information Sharing Platform project
    Phase B
    Phase C
    Level 2 – Threat Information Integration
    Phase initial
    Phase A
    Categorization of items that are applicable to multiple teams
    Phase B
    Phase C
    Summary

Chapter 7: Creating the Collaboration Capability
    Purpose of collaboration capability
    Formal communications
    Informal communications
    Communication and cyber intelligence process
    Methods and tools for collaboration
    Service level agreements and organizational level agreements
    Responsible accountable supporting consulted informed matrix
    Using key risk indicators
    Collaboration at the Strategic Level
    Executive support
    Policies and procedures
    Architecture
    Understanding dependencies
    Prioritized information
    Intelligence aggregation
    Intelligence reconciliation and presentation
    Collaboration at the Tactical Level
    Breaking down priority information requirements
    Application of the theory
    Theory versus reality
    Creating the tactical dashboard
    Collaboration at the Operational Level
    Summary

Chapter 8: The Security Stack
    Purpose of integration – it's just my POV
    Core security service basics
    Security Operations Center
    The spider
    Capabilities among teams
    Capability deep dive – Security Configuration Management
    Security Configuration Management – core processes
    Security Configuration Management – Discovery and Detection
    Security Configuration Management – Risk Mitigation
    Security Configuration Management – Security State Analysis
    Security Configuration Management – Data Exposure and Sharing
    Prelude – integrating like services
    Integrating cyber intel from different services
    Overview – red team methodology
    Red team – testing methods
    White box
    Gray box
    Black box
    Red team constraints
    Red team – graphical representation
    Data integration challenges
    The end user perspective
    The service level perspective – cyber intelligence – Data Exposure and Sharing
    The SOC perspective
    Capability Maturity Model – InfoSec and cyber intel
    Capability Maturity Model – InfoSec and cyber intel – initial phase
    Capability Maturity Model – InfoSec and cyber intel – Phase A
    Capability Maturity Model – InfoSec and cyber intel – Phase B
    Capability Maturity Model – InfoSec and cyber intel – Phase C
    Collaboration + Capability = Active Defense
    Summary

Chapter 9: Driving Cyber Intel
    The gap
    Another set of eyes
    The logic
    Event
    Incident
    Mapping events and incidents to InfoSec capabilities
    Capability Maturity Model – security awareness
    Capability Maturity Model – security awareness – Phase Initial
    Capability Maturity Model – security awareness – Phase A
    Capability Maturity Model – security awareness – Phase B
    Capability Maturity Model – security awareness – Phase C
    Capability Maturity Model – security awareness – Phase C+
    Just another day part 1
    Summary

Chapter 10: Baselines and Anomalies
    Setting up camp
    Baselines and anomalies
    Continuous monitoring – the challenge
    Part 1
    Part 2
    Part 3
    Capability Maturity Model – continuous monitoring overview
    Level 1 – phase A
    Level 1 – phase B
    Level 1 – phase C
    Capability Maturity Model – continuous monitoring level 2
    Scenario 1 – asset management/vulnerability scanning asset inventory
    Phase initial
    Information gathering
    Developing possible solutions
    Phase A
    Procedure RASCI (example)
    Phase B
    Regional data centers
    Local office environment
    Phase C
    Scenario 2 – security awareness/continuous monitoring/IT helpdesk
    Phase initial
    Information gathering
    Developing possible solutions
    Phase A
    Procedure RASCI (example)
    Phase B and C – sample questions
    Just another day part 2
    Summary

Chapter 11: Putting Out the Fires
    Quick review
    Overview – incident response
    Preparation and prevention
    Detection and analysis
    Containment, eradication, and recovery
    Post-incident activity
    Incident response process and F3EAD integration
    Intelligence process tie-in
    Capability Maturity Model – incident response
    Initial phase
    Phase A
    Phase B
    Phase C
    Summary

Chapter 12: Vulnerability Management
    A quick recap
    The Common Vulnerability Scoring System calculator
    Base metric group
    Temporal metric group
    Environmental metric group
    CVSS base scoring
    Metrics madness
    Vulnerability management overview
    Capability Maturity Model: vulnerability management – scanning
    Initial phase
    Phase A
    Phase B
    Phase C
    Capability Maturity Model: vulnerability management – reporting
    Initial phase
    Phase A
    Phase B
    Phase C
    Capability Maturity Model: vulnerability management – fix
    Initial phase
    Phase A
    Phase B
    Phase C
    Summary

Chapter 13: Risky Business
    Risk overview
    Treating risk
    Risk tolerance and risk appetite
    Labeling things platinum, gold, silver, and copper
    Differentiating networks
    Taking a different look at risk
    Review of threat intelligence integration
    Capability Maturity Model: risk phase – initial
    Improving risk reporting part 1
    Capability Maturity Model: risk phase – final
    Improving risk reporting part 2
    Open source governance risk and compliance tools
    Binary Risk Assessment
    STREAM cyber risk platform
    Practical threat analysis for information security experts
    SimpleRisk
    Security Officers Management and Analysis Project