
Study Guide
Introduction to Cyber Threat Intelligence

Module 1: Introduction to Cyber Threat Intelligence


Lesson 1.1: Course Introduction
Skills Learned From This Lesson: Course Objectives, Prerequisites, Target Audience, Agenda
● Course Objectives
○ To learn how to improve the security strategy of your organization.
○ Be one step ahead of threats, vulnerabilities and attacks.
○ Focus on a more proactive security perspective.
○ To learn how to use information and data to be prepared against threats outside
your organization.
● Prerequisites
○ Basic knowledge and understanding of Information Security triad (CIA triad):
Confidentiality, Integrity and Availability.
○ Experience in Cyber Security from a technical perspective.
○ Understanding of network protocols and data flow.
○ Working knowledge of Incident Response, Network Monitoring, Vulnerabilities
and Exploits.
● Target Audience
○ Anyone interested in the topic of Cyber Threat Intelligence
○ Cyber Security professionals interested in exploring new areas
○ Students and professionals seeking additional technical experience in cyber
security threats and indicators of compromise
○ People looking to acquire state of the art knowledge regarding cyber security to
advance their current cyber security career
● Supplementary Materials
○ Found in Study Resources
● Course Agenda
○ Module 1 - Introduction to Cyber Threat Intelligence Course
○ Module 2 - History and main concepts and definitions of Cyber Threat
Intelligence
 
Brought to you by: Develop your team with the fastest growing catalog in the cybersecurity industry. Enterprise-grade workforce development management, advanced training features and detailed skill gap and competency analytics.


○ Module 3 - Intelligence-driven security
○ Module 4 - Cyber Threat Intelligence role in SOC, IR and Risk Analysis
○ Module 5 - Cyber Threat Intelligence for Fraud Prevention
○ Module 6 - Cyber Threat Intelligence frameworks
○ Module 7 - Developing the Core of Cyber Threat Intelligence
○ Module 8 - Conclusion
○ Module 9 - Summary and References

Lesson 1.2: Introduction to Cyber Threat Intelligence (CTI)
Skills Learned From This Lesson: Introduction, Cyber Threat Definition, Adversarial Capabilities,
Impact to Organization
● Brief Introduction
○ “Threat information that has been aggregated, transformed, analyzed,
interpreted, or enriched to provide the necessary context for decision-making
processes” (NIST, 2019)
○ “The analysis of an adversary’s intent, opportunity, and capability to do harm is
known as cyber threat intelligence” (SANS Institute, 2019)
● What is a cyber threat?
○ “An event or condition that has the potential for causing asset loss and the
undesirable consequences or impact from such loss” (NIST, 2019)
● What exactly are adversaries capable of?
○ 52% of the data breaches Verizon analyzed involved hacking
○ 69% were perpetrated by external actors
○ 35% involved phishing campaigns
○ 71% were financially motivated (Verizon, 2019)
● How is this going to help my organization?
○ In this course we will find out:
■ Where the CTI unit is placed in an organization
■ What is the history and purpose of CTI in its many forms
■ How could you put all of this to work to get the best out of CTI

 

Module 2: History and Main Concepts and Definitions of Cyber Threat Intelligence

Lesson 2.1: CTI History
Skills Learned From This Lesson: Cyber Threat Intelligence, Military Intelligence Definition,
Military Intelligence History, Intelligence Process, Strategic Intelligence, Tactical Intelligence,
Intelligence Evolution
● Where does intelligence come from?
○ “Military Intelligence is a military discipline that focuses on the gathering,
analysis, protection, and dissemination of information of both ​strategic and
tactical value​” (New World Encyclopedia, 2019)
● Military Intelligence
○ “This includes information about the enemy, terrain, and weather in an area of
operations or area of interest, as well as information about political
decision-making, military intentions, and dissidents. Intelligence activities are
conducted both during peacetime and in war” (New World Encyclopedia, 2019)
○ Intelligence gathering should be an ongoing process
● Military Intelligence in History
○ “Spying is mentioned in both Homer’s Iliad and the Bible. The Romans had a
network of spies and embassies that they used to collect valuable information,
including the environment and socio-political information about neighboring
states and people” (New World Encyclopedia, 2019)
● The Intelligence Process
○ Intelligence has been conducted on two basic levels:
■ Strategic: “Strategic intelligence is used to formulate long-term policies on
the national and international scale and is concerned with broad issues
such as economics, military capabilities of foreign countries, and political
assessments” (New World Encyclopedia, 2019)
■ Tactical: “Tactical intelligence is more focused on the specific objectives
and situation of military commanders in the field. These types of
intelligence basically consist of the same type of information, only differing
in terms of scope” (New World Encyclopedia, 2019)
● The Intelligence Evolution
○ Over time, warfare and the scope of military operations moved far from where
they had started.
 

○ From the 1990s onward, military operations began extending into the cyber domain.
○ In the 2000s, Cyber Threat Intelligence emerged as a discipline of its own.
● What comes next for Cyber Threat Intelligence?
○ Over the next decade, Cyber Threat Intelligence is expected to keep growing with the
help of two powerful tools:
■ Artificial Intelligence (AI)
■ Machine Learning
○ These technologies can lower the cost and resource requirements of collecting and
processing threat data, allowing organizations of any size (even small ones) to obtain
the benefits of Cyber Threat Intelligence. They support, rather than replace, the
analysis step, which remains a human activity.
● Post-Assessment Question (will discuss these topics further in future lessons)
○ Why do you think this approach has been so important all this time?
○ If the roots of Cyber Threat Intelligence go back to military usage and war
approaches, does it mean we are at war?
○ How does the original military approach map to current Cybersecurity structure in
most organizations?
● Video Summary
○ All organizations regardless of size, industry, or geography will have threats to
their infrastructure, assets, and people.
○ Data is available from a variety of sources and the mechanisms to consume it
and give context are becoming more available with time.
○ The collection and interpretation of this data to drive an action is the essence of
intelligence.

Lesson 2.2: CTI Concepts and Definitions
Skills Learned From This Lesson: Cyber Threat Intelligence Approach, Intelligence Partners,
Vulnerability Management Cycle, Risk Analysis
● How does a Cyber Threat Intelligence approach work for an organization?
○ Cyber Threat Intelligence is far from “one size fits all” and has no single recipe
that makes it work.
○ It has to take into account the nature of the organization and the information,
security strategies and capabilities it already has.
○ Throughout this course we will review other departments that Cyber Threat
Intelligence works with, so here are some definitions of them:

 

■ Security Operations Center - McAfee defines a SOC as a “centralized
function within an organization employing people, processes, and
technology to continuously monitor and improve an organization’s security
posture while preventing, detecting, analyzing, and responding to
cybersecurity incidents” (McAfee, 2019)
● In practice, a central place where the monitored assets report what they
are doing, who they are communicating with, and what is going on.
■ Incident Response Team - This is the team that enters the picture when
the SOC sees something that is not supposed to be happening (generally
something odd or dangerous looking). It contains and responds to
incidents as they happen.
● Cyber Threat Intelligence helps the team plan from the current situation,
making it easier to prepare a response plan for future incidents.
■ Vulnerability Management - Vulnerabilities are out there, and more of
them are discovered every day. How can we know which ones to patch
first? A vulnerability is defined in the ISO 27002 standard as “a weakness
of an asset or group of assets that can be exploited by one or more
threats” (ISO, 2005).
● Manage vulnerabilities!
■ Vulnerability Management - “Vulnerability management is the process in
which vulnerabilities in IT are identified and the risks of these
vulnerabilities are evaluated” (Palmaers, 2012)
● Vulnerability management is all about what you have and what
you are doing about it. It doesn’t mean you have to be vulnerability
free (almost impossible!), it just means you have to be aware of
what you have, vulnerability wise.
● Vulnerability Management Cycle
○ Scan -> Prioritize -> Assess -> Report -> Fix -> Verify (then repeat process)
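The Prioritize step is where threat intelligence feeds the cycle: a scanner score alone does not say whether anyone is actually exploiting the weakness or whether the asset is reachable. The following added example (not part of the course material) ranks constructed scan results by combining the CVSS base score with two CTI-style signals. The findings, the “exploited in the wild” set and the weights are all assumptions made for illustration, and the CVE identifiers are placeholders rather than real advisories.

```python
"""Prioritizing scanner findings with threat intelligence.

Added example for the Scan -> Prioritize step. Not part of the course
material: the scan results, the 'exploited in the wild' set and the weights
are constructed for illustration, and the CVE identifiers are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float            # CVSS base score (0.0-10.0) as reported by the scanner
    internet_facing: bool  # taken from the asset inventory


# Constructed scanner output: four findings on four hosts.
SCAN_RESULTS = [
    Finding("web-01", "CVE-EXAMPLE-0001", 7.5, internet_facing=True),
    Finding("db-02", "CVE-EXAMPLE-0002", 9.8, internet_facing=False),
    Finding("hr-laptop", "CVE-EXAMPLE-0003", 5.3, internet_facing=False),
    Finding("vpn-gw", "CVE-EXAMPLE-0004", 6.1, internet_facing=True),
]

# Constructed CTI signal: CVEs for which active exploitation has been reported.
EXPLOITED_IN_THE_WILD = {"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0003"}


def priority_score(finding, exploited_cves, exploit_weight=4.0, exposure_weight=2.0):
    """Return a patch priority; higher means fix sooner.

    The CVSS base score is the starting point. Intelligence that the CVE is
    being exploited adds a fixed boost, and so does the asset being reachable
    from the internet. The weights are assumptions, not a standard.
    """
    score = finding.cvss
    if finding.cve in exploited_cves:
        score += exploit_weight
    if finding.internet_facing:
        score += exposure_weight
    return score


def prioritize(findings, exploited_cves):
    """Sort findings by priority, highest first."""
    return sorted(findings, key=lambda f: priority_score(f, exploited_cves), reverse=True)


def patch_order(findings=SCAN_RESULTS, exploited_cves=EXPLOITED_IN_THE_WILD):
    """Host names in the order they should be patched."""
    return [f.host for f in prioritize(findings, exploited_cves)]


if __name__ == "__main__":
    for f in prioritize(SCAN_RESULTS, EXPLOITED_IN_THE_WILD):
        print(f"{priority_score(f, EXPLOITED_IN_THE_WILD):5.1f}  {f.host:10} {f.cve}")
```

The point to notice is that the internet-facing host with a 7.5 that is being exploited outranks the internal database with a 9.8 that nobody is known to be attacking; CVSS severity and organizational priority are not the same thing.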
● What happens with zero-day vulnerabilities?
○ A zero-day vulnerability is “a vulnerability in a system or device that has been
disclosed but it is not yet patched” (TrendMicro, 2019) - a weakness with no vendor
fix available, which attackers may already be exploiting before or at the time of
disclosure.
○ Until such an attack has been observed, it is difficult to know what it looks like or
what pattern of behavior to watch for.

 

● Risk Analysis
○ Where is all my risk?
○ How can Cyber Threat Intelligence influence the risk posture of an organization?
○ Could the mere existence of Cyber Threat Intelligence in an organization lower
its risk?
○ The information obtained through Cyber Threat Intelligence improves the
organization’s ability to defend itself and therefore lowers its overall risk.
○ RSA defines cyber risk as “the potential of loss or harm related to technical
infrastructure or the use of technology within an organization” (RSA, 2019)
● CTI is everywhere...right?
○ In every area we were able to identify the role of CTI in order to improve security
posture.
○ Data is everywhere; information can help every organizational unit, and intelligence
can drive the right questions to the right answers.
○ Every process in an organization can benefit from CTI, given the right implementation
and a fit with the nature of the organization.

Module 3: Intelligence-Driven Security

Lesson 3.1: Intelligence-Driven Security and CTI Lifecycle
Skills Learned From This Lesson: Cyber Threat Intelligence, Intelligence Driven Security, Cyber
Threat Intelligence Lifecycle, Direction phase, Collection phase
● Intelligence-Driven Security
○ “Every battle is won before it is ever fought” (Sun Tzu, 1965)
○ Cyber Threat Intelligence misconceptions:
■ Cyber Threat Intelligence is just data feeds and PDF reports
■ It is a research service for the incident response teams
■ Requires a dedicated team of high-priced, elite analysts
○ What Cyber Threat Intelligence really is:
■ Includes information and analysis from a rich array of sources presented
in a way that is easy to understand and use.
■ It is valuable for all the major teams in the cyber security organization.
■ Can be handled and executed mostly by the existing security staff.

 

● Six phases of the Cyber Threat Intelligence Lifecycle
○ The intelligence cycle is defined as “Direction, Collection, Processing, Analysis,
Dissemination, and Feedback” (Recorded Future, 2018)
● The Direction phase
○ Sets the intelligence requirements by identifying:
■ Information assets and business processes
■ The potential impacts of losing those assets or interrupting those processes
■ The types of threat intelligence that the security organization requires
■ Priorities about what to protect
● Collection phase
○ “Collection is the process of gathering information to address the most important
intelligence requirements” (Recorded Future, 2018)
■ Pulling metadata and logs
■ Subscribing to threat data feeds
■ Holding conversations and targeted interviews with knowledgeable
sources
■ Scraping and harvesting websites and forums
● Video Summary
○ Covered the two main phases in the Cyber Threat Intelligence life cycle. With
this, we have a better idea of how Cyber Threat Intelligence gets its direction
aligned with the organization’s objectives and a brief introduction into the
Collection phase.

Lesson 3.2: Data Collection Sources
Skills Learned From This Lesson: Cyber Threat Intelligence, Threat Intelligence Sources, Using
Multiple Intelligence Sources, Automated Data Collection, Manual Data Processing
● Threat Intelligence Sources
○ “You need multiple sources of intelligence to get a complete picture of potential
and actual threats...Missing any one of these can slow down investigations and
cause gaps in remediation” (Recorded Future, 2018)
● Technical sources (e.g., threat feeds)
○ Threat feeds != Threat Intelligence
○ Available in huge quantities, often for free
○ More specific data is often available at a cost
○ Easy to integrate but some of them have a high proportion of false positives

 

○ Redundant information from different providers
● Media
○ Security websites
○ Vendor research
○ Information written for human consumption
○ A manual procedure must be in place to connect it with technical indicators
○ Should not be the primary source of technical information
○ Easily misunderstood or misinterpreted
● Social Media
○ Huge amounts of valuable data
○ High probability of misinformation
○ Personal points of view may affect the information given
○ Strong need for cross-referencing with multiple sources
○ Requires manual analysis to correlate with existing information
● Threat actor forums
○ Host relevant discussions
○ Emerging vulnerabilities, or latest research regarding a specific topic or system
○ Heavy analysis and cross-referencing is essential to determine what is truly
valuable for the organization
● The Dark Web
○ Includes markets and forums
○ Often the birthplace of highly valuable intelligence
○ Can be extremely hard to access, especially the forums that host serious criminal
communities
● Post-Assessment Questions
○ Where can we obtain the information necessary for our organization?
■ Use a variety of sources, as discussed throughout the video
○ What are we going to do with the information collected?
■ CTI can provide intelligence to several different units, it depends on what
that unit’s purpose is
○ What processes should be automated?
■ Anything that can be, prior to analysis

 

○ What processes must be manual in order to guarantee the right context to the
information collected?
■ Any process requiring analysis should be manual
● Video Summary
○ In today’s lecture, we discussed:
■ Where the collection of information can be obtained from
■ How these sources may present a challenge for the organization
■ What techniques should be used to gather information for these sources
■ What risks exist in some of these information sources

Lesson 3.3: CTI Life cycle
Skills Learned From This Lesson: Cyber Threat Intelligence Lifecycle, Processing, Analysis,
Dissemination, Feedback
● The Cyber Threat Intelligence Lifecycle (continued)
● Processing
○ “Processing is the transformation of collected information into a format usable by
the organization. Almost all raw data collected needs to be processed in some
manner, whether by humans or machines” (Recorded Future, 2018)
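Processing is the mechanical part of the cycle, and it is also where two problems raised in Lesson 3.2 get handled: threat feeds arrive in different formats, and different providers report the same indicator redundantly. The following added example (not from the course or any vendor) normalizes two constructed feeds, one CSV and one JSON with different field names, into a single schema, drops unusable records, and merges duplicates while keeping every source and the highest confidence. The feeds are constructed here and use reserved documentation addresses and the .test TLD; the type vocabulary and merge rule are assumptions.

```python
"""Processing phase: normalizing two constructed feeds into one indicator set.

Added example, not from the course material. Both feeds are constructed
(documentation addresses and the reserved .test TLD); the type vocabulary
and the merge rule are assumptions chosen for illustration.
"""
import csv
import io
import json

FEED_A_CSV = """indicator,type,confidence
198.51.100.23,ipv4,70
Evil-Example.test,domain,60
2001:db8::1,ipv6,50
"""

FEED_B_JSON = json.dumps({"objects": [
    {"value": "198.51.100.23", "kind": "ip", "score": 90},
    {"value": "evil-example.test.", "kind": "fqdn", "score": 40},   # trailing dot, same domain
    {"value": "", "kind": "fqdn", "score": 99},                     # unusable: empty value
    {"value": "not-an-indicator", "kind": "comment", "score": 10},  # unusable: unknown type
]})

# Provider-specific type names mapped onto the internal vocabulary.
TYPE_MAP = {"ipv4": "ipv4", "ip": "ipv4", "ipv6": "ipv6", "domain": "domain", "fqdn": "domain"}


def normalize(value, kind):
    """Return {'value', 'type'} in canonical form, or None if the record is unusable."""
    canonical_type = TYPE_MAP.get(kind.strip().lower())
    value = value.strip().lower().rstrip(".")  # case-fold, drop a trailing dot on domains
    if not value or canonical_type is None:
        return None
    return {"value": value, "type": canonical_type}


def parse_feed_a(text):
    for row in csv.DictReader(io.StringIO(text)):
        ind = normalize(row["indicator"], row["type"])
        if ind:
            yield {**ind, "confidence": int(row["confidence"]), "source": "feed_a"}


def parse_feed_b(text):
    for obj in json.loads(text)["objects"]:
        ind = normalize(obj["value"], obj["kind"])
        if ind:
            yield {**ind, "confidence": int(obj["score"]), "source": "feed_b"}


def merge(*feeds):
    """Key indicators by (type, value); keep the highest confidence and every source."""
    merged = {}
    for feed in feeds:
        for ind in feed:
            key = (ind["type"], ind["value"])
            entry = merged.setdefault(key, {"value": ind["value"], "type": ind["type"],
                                            "confidence": 0, "sources": []})
            entry["confidence"] = max(entry["confidence"], ind["confidence"])
            entry["sources"].append(ind["source"])
    return merged


def process_feeds(feed_a=FEED_A_CSV, feed_b=FEED_B_JSON):
    return merge(parse_feed_a(feed_a), parse_feed_b(feed_b))


if __name__ == "__main__":
    for (kind, value), entry in sorted(process_feeds().items()):
        print(f"{kind:7} {value:20} conf={entry['confidence']:3} sources={entry['sources']}")
```

Seven raw records become three indicators, two of which are corroborated by both providers. Corroboration across sources is exactly the kind of context the Analysis phase needs and a raw feed cannot give on its own.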
● Analysis
○ “A human process that turns processed information into intelligence that can
inform decisions…The decisions might involve whether to investigate a potential
threat, what actions to take, how to strengthen security controls, or how much
investment is justified” (Recorded Future, 2018)
○ Analysts must have a clear understanding of the target user and purpose
○ A big challenge for analysts is communicating the information to non-technical
parties
○ Reports must serve the objectives of each audience to get the best outcome
possible
○ “Not all intelligence needs to be digested via a formal report. Continual technical
reporting can be done to other teams with external context around IOCs,
malware, threat actors, vulnerabilities, and threat trends” (Recorded Future,
2018)
● Dissemination
○ What threat intelligence do they need?

 

○ How should the intelligence be presented?
○ How often should we provide updates and other information?
○ Through what media should the intelligence be disseminated?
○ How should we follow up if they have questions? (Recorded Future, 2018)
● Feedback
○ What types of data to collect
○ How to process and enrich the data
○ How to analyze the information and present it as actionable intelligence
○ To whom each type of intelligence must be disseminated, how quickly, and how
fast to respond to questions (Recorded Future, 2018)
● Additional tools to take into account
○ Threat intelligence solutions that are designed to collect, process, and analyze all
types of threat data from internal, technical, and human sources.
○ Existing security tools, such as SIEMs and security analytics tools, which collect
and correlate security events and log data.
● Video Summary
○ The last three phases of the Cyber Threat Intelligence life cycle
○ How the analysis phase provides the right intelligence to the right teams
○ How the dissemination and feedback guarantees the effectiveness and
improvement of the procedures
○ Additional tools used to support the Cyber Threat Intelligence

Module 4: Cyber Threat Intelligence Role in SOC, IR and Risk Analysis

Lesson 4.1: CTI Role in SOC - Part 1
Skills Learned From This Lesson: Cyber Threat Intelligence, SOC team roles and
responsibilities, Alert statistics, Alert Context
● Threat Intelligence for Security Operations
○ Threat Intelligence provides an antidote to many of the SOC’s problems
○ It can be employed to filter out false alarms
○ Speed up triage
○ Simplify incident analysis (Recorded Future, 2018)

 

● The SOC team under the telescope
○ Monitor for potential threats
○ Detect suspicious network activity
○ Contain active threats
○ Remediate using available technology
○ Roles and responsibilities of the SOC team:
■ Triage - Determine the relevance and urgency of each incoming alert.
Decide if the alert is legitimate and should be escalated.
■ First Response - Determine the scope of the incident. Identify affected
and vulnerable systems. Recommend actions to contain the effects.
■ Investigation - Determine root causes and weaknesses in defenses.
Recommend actions to prevent recurrences.
● In a sea of alerts, context is a must
○ Security analysts are simply unable to review, prioritize, and investigate all these
alerts on their own, this causes:
■ Ignored alerts
■ Chasing false positives
■ Making overall mistakes
○ 35 percent of analysts said their biggest security operations challenge was
“keeping up with the volume of security alerts.”
● Numbers don’t lie
○ 56% of alerts are investigated; 44% are not
○ Of the alerts investigated, 34% turn out to be legitimate
○ Of the legitimate alerts, 51% are remediated and 48% are not (Cisco, 2018)
● This is why context matters!
○ Enriching internal alerts with the external information and context helps to make
risk-based decisions
○ Context is critical for:
■ Rapid triage
■ Scoping
■ Containing incidents (Recorded Future, 2018)

 

● Video Summary
○ In today’s video we dove into the SOC challenges and how the Cyber Threat
Intelligence unit can help to ease them:
■ The overwhelming amount of alerts
■ The key processes that guarantee effective monitoring
■ Alert enrichment, to make more efficient use of analysts’ time

Lesson 4.2: CTI Role in SOC - Part 2
Skills Learned From This Lesson: Cyber Threat Intelligence, Alert Triage, Key Aspects for
Monitoring, Detecting False Alarms
● Triage requires a lot of context
○ Gathering information includes a variety of:
■ Internal system logs
■ Network devices
■ Security tools
○ Each one of these will provide some crucial information to determine the flow of a
possible attack
● Key aspects for monitoring and to get context from
○ Outbound connections
○ Firewall alerts
○ Internal network activity
○ Session activity by user and workstation
○ Accurate time in logs
● The importance of detecting false alarms
○ Actions that are more likely to be innocuous
○ Attacks that are not relevant to that enterprise
○ Attacks for which defenses and controls are already in place
● Review
○ What is the most important role of Cyber Threat Intelligence in the SOC unit?
■ Provide context
○ What is the biggest problem for SOC Analysts and how does Cyber Threat
Intelligence integration help reduce this problem?
■ Information needs to be correlated appropriately, or it won’t be much help

 

○ What are the specific roles that SOC analysts have to execute in order to fulfill
their purpose?
● Video Summary
○ The overwhelming amount of alerts that SOC analysts have to go through
○ The key processes that have to be in place to guarantee effective monitoring
○ Alert enrichment, to provide the necessary context to the analysts

Lesson 4.3: CTI Role in Incident Response - Part 1
Skills Learned From This Lesson: Cyber Threat Intelligence, Incident Response Complexities,
Incident Response Process, Reducing Reactiveness
● Cyber Threat Intelligence for Incident Response
○ The Incident Response Team is one of the most demanding teams to be part of,
because most of the time you have to attend an emergency where the necessary
security controls might not be in place, and containment becomes difficult.
● Why is it so complex?
○ Cybersecurity incidents have increased in number
○ Threats have become more complex
○ Security analysts are forced to check data from different sources manually
○ Containment of attacks and eradication has become more difficult given the
complexity of the attacks used nowadays.
● Challenges in the Incident Response (IR) unit
○ IR team requires highly skilled analysts, since the topics covered are not
entry-level security.
○ The amount of alerts reported overwhelms security analysts just as much as the
SOC team.
○ Timing is critical!
○ Most organizations do not approach incident response with a strategic design
● Reaction is key!
○ A typical incident response process goes this way:
■ Incident detection
■ Discovery
■ Triage and Containment
■ Remediation
■ Resume normal operations
 

○ Each of these steps is highly reactive: most of the time nothing happens until an
alert is flagged
● How can we reduce the “reactiveness” issue?
○ Two areas have been identified, that with the right preparation can be especially
helpful in reducing response times by becoming less reactive. Those are:
■ Identification of probable threats
■ Prioritization
● Incident Response + Cyber Threat Intelligence
○ Automatically identifying and dismissing false positive alerts
○ Enriching alerts with real-time context from across the open and dark web
○ Assembling and comparing information from internal and external data sources
○ Scoring threats according to the organization’s specific needs and infrastructure
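The four capabilities listed above, and the “in a sea of alerts, context is a must” point from Lesson 4.1, come down to one mechanical step: join each internal alert to what the intelligence knows about the indicators in it, then let the result drive the disposition. The following added example (not from the course material) does that for a handful of constructed outbound-connection log lines. The indicator set, the organization’s allowlist, the scoring rule and the thresholds are all assumptions made for illustration; addresses use reserved documentation ranges. It also handles two cases that trip up naive enrichment: a stale indicator whose confidence should be discounted, and a high-confidence indicator that is nevertheless a known-legitimate destination for this organization (the “accurate but not relevant” false positive from Lesson 4.5).

```python
"""Enriching constructed firewall alerts with threat intelligence and triaging them.

Added example, not part of the course material. The log lines, the indicator
set, the allowlist, the scoring rule and the thresholds are constructed
assumptions; all addresses are from reserved documentation ranges.
"""
import re
from datetime import date

# Constructed CTI indicators: destination -> confidence (0-100), last sighting, tags.
INTEL = {
    "198.51.100.23": {"confidence": 90, "last_seen": date(2019, 6, 1), "tags": ["c2", "active-in-sector"]},
    "203.0.113.7":   {"confidence": 80, "last_seen": date(2017, 1, 1), "tags": ["scanner"]},
    "192.0.2.44":    {"confidence": 95, "last_seen": date(2019, 6, 10), "tags": ["cdn-shared"]},
}
# Constructed allowlist: destinations this organization knows to be legitimate.
ALLOWLIST = {"192.0.2.44"}

# Constructed firewall log, key=value style, one outbound connection per line.
LOG_LINES = """\
2019-06-12T08:01:02Z fw01 action=allow src=10.0.5.21 dst=198.51.100.23 dport=443 proto=tcp
2019-06-12T08:01:09Z fw01 action=allow src=10.0.5.22 dst=203.0.113.7 dport=22 proto=tcp
2019-06-12T08:02:15Z fw01 action=allow src=10.0.5.23 dst=192.0.2.44 dport=443 proto=tcp
2019-06-12T08:03:40Z fw01 action=allow src=10.0.5.24 dst=192.0.2.99 dport=80 proto=tcp
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def enrich(event, intel, allowlist, today, stale_days=180):
    """Attach intelligence context, a score and a disposition to one event.

    Dispositions: 'dismiss' (known-good destination), 'no_match' (no intel),
    'investigate' (weak or stale match), 'escalate' (strong current match).
    """
    dst = event["dst"]
    result = dict(event, score=0, disposition="no_match", context=[])
    if dst in allowlist:                       # relevant-looking but known legitimate
        result["disposition"] = "dismiss"
        result["context"].append("destination on organization allowlist")
        return result
    ioc = intel.get(dst)
    if ioc is None:
        return result
    score = ioc["confidence"]
    age = (today - ioc["last_seen"]).days
    if age > stale_days:                       # old sightings carry less weight
        score //= 2
        result["context"].append(f"indicator stale ({age} days)")
    result["context"].extend(ioc["tags"])
    result["score"] = score
    result["disposition"] = "escalate" if score >= 70 else "investigate"
    return result


def triage(log_text=LOG_LINES, intel=INTEL, allowlist=ALLOWLIST, today=date(2019, 6, 12)):
    """Enrich every event in the log and return the results in log order."""
    return [enrich(e, intel, allowlist, today) for e in parse_log(log_text)]


if __name__ == "__main__":
    for r in triage():
        print(f"{r['disposition']:11} score={r['score']:3} {r['src']} -> {r['dst']}  {r['context']}")
```

Of the four connections, only the first reaches an analyst as an escalation; the scanner hit is downgraded because the sighting is two years old, the CDN destination is dismissed despite a 95% confidence entry, and the unknown destination stays unscored rather than being guessed at. That is the filtering and scoring the list above describes, applied before a human ever looks at the queue.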
● Video Summary
○ Incident Response teams have just as demanding of a job as the SOC team
when talking about alerts.
○ Cyber Threat Intelligence aids the Incident Response team by providing
Identification of threats and prioritization.

Lesson 4.4: CTI Role in Incident Response - Part 2
Skills Learned From This Lesson: Cyber Threat Intelligence, Prepare Processes, Scope and
Incident Containment, Remediation
● Prepare processes in advance
○ A comprehensive, up-to-date picture of the threat landscape
○ Information about popular threat actor tactics, techniques, and procedures
(TTPs)
○ Highlights of industry and area-specific attack trends
● Scope and incidents containment
○ Basically, when an incident occurs, three items have to be determined:
■ What happened
■ What the incident might mean for the organization
■ What actions to take
● Scope and incident containment with CTI
○ Automatically dismissing false positives
○ Enriching incidents with related information from across the open and dark web
 

○ Providing details about the threat and insights about the attacker TTPs
(Recorded Future, 2018)
● Remediate data exposure and stolen assets
○ Organizations take an average of 196 days to detect a breach
○ Stolen data and proprietary assets often turn up for sale on the Dark Web.
○ Cyber Threat Intelligence could be capable of alerting when:
■ The organization’s assets are exposed online
■ Someone is offering these assets for sale
● Half measures are worse than nothing
○ A minimal intelligence implementation often skips the critical analysis that turns
information from the sources into real intelligence.
○ Without that analysis, the task falls to the security analysts in the middle of an
incident, exactly when timing is crucial.
● Video Summary
○ In today’s lecture:
■ We identified multiple real life cases where CTI can help by:
● Preparing processes in advance
● Defining scopes and containing incidents
● Remediating data exposure and stolen assets
■ Why half-implemented CTI is not better than none

Lesson 4.5: CTI Role in Incident Response - Part 3
Skills Learned From This Lesson: Cyber Threat Intelligence, Comprehension, Relevance,
Contextualization, Integration
● Essential value provided by the CTI unit
○ The most valuable aspects of information that CTI can provide are:
■ Comprehension
■ Relevance
■ Contextualization
■ Integration
● Comprehensive
○ Automatic capture of valuable information
○ Easy to understand and accurate information
○ Information can then be correlated with internal information regarding an alert
 

● Relevant
○ There are two categories of false positives to consider:
■ Alerts that are relevant to an organization but are inaccurate or unhelpful
■ Alerts that are accurate and/or interesting but aren’t relevant to the
organization
● Contextualized
○ Corroboration from multiple sources associated with recent attacks
○ Confirmation that it has been associated with threat actors active in industry
○ A timeline showing that the alert occurred before or after other events linked with
attacks
● Integrated
○ CTI can help the Incident Response team to:
■ Determine whether each alert should be dismissed as a false positive
■ Score the alert according to its importance
■ Enrich the alert with valuable extra content
● Post Assessment Question
○ How does the CTI process help with Incident Response timing?
■ It’s all about context
○ What aspects of Incident Response does CTI provide enrichment for?
○ How could a breach be identified through a CTI unit?
■ By monitoring for the organization’s data or assets appearing online or for
sale; machine learning and AI in CTI solutions help keep up with the volume
of threats and alerts involved
● Video Summary
○ We identified multiple real life cases
■ Mapped them out with how CTI capabilities could help each one of them
○ We can identify the essential characteristics that CTI provides to the information
used in Incident Response

Lesson 4.6: CTI Role in Risk Analysis
Skills Learned From This Lesson: Cyber Threat Intelligence, Risk Analysis, Threat Probabilities
● Risk Analysis
○ Many risk models suffer from:
■ Vague, non-quantified outputs that show threat levels with three different
colors.
 

■ Threat probabilities and costs are based on partial information and riddled
with unfounded assumptions.
● FAIR Risk Framework
○ Keys of the FAIR framework
■ This framework enables organizations to create more efficient risk models
by:
● Making defined measurements of risk
● Being transparent about assumptions, variables, and outcomes
● Showing specific loss probabilities in financial terms
● Threat Intelligence and Threat Probabilities
○ A big part of creating a threat model involves estimating the probability of
successful attacks. To do so, Cyber Threat Intelligence can:
■ Create a list of threat categories that might affect the business
■ Estimate probabilities that the attacks will happen, and that they will
succeed
● Cost of attacks fed by CTI
○ Cost of similar attacks on enterprises of the same size and in the same industry
○ Systems that need to be remediated after an attack, and the type of remediation
they required
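The two CTI inputs named above (how often attacks are attempted, how often they succeed) and the cost data on similar incidents are enough to express risk in financial terms instead of a colour. The following added example (not from the course or from the Open FAIR standard) combines them in the FAIR manner: threat event frequency times probability of success gives loss event frequency, and loss event frequency times loss magnitude gives annual loss. A seeded Monte Carlo run then shows the distribution, which is what makes the assumptions transparent. The figures are constructed, and the simulation is a simplified compound-Poisson model with a triangular loss distribution; that is an assumption of this example, not FAIR’s full taxonomy.

```python
"""FAIR-style annualized loss estimate fed by threat-intelligence inputs.

Added example, not from the course or the Open FAIR standard. Inputs are
constructed; the compound-Poisson model with a triangular loss magnitude
is a simplifying assumption made for illustration.
"""
import math
import random


def expected_annual_loss(tef, p_success, mean_loss):
    """Point estimate: loss event frequency (TEF x P(success)) times mean loss magnitude."""
    return tef * p_success * mean_loss


def _poisson(lam, rng):
    """Knuth's method; adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(tef, p_success, loss_low, loss_mode, loss_high, years=20000, seed=7):
    """Return the sorted total loss of each simulated year.

    Attempts per year ~ Poisson(tef); each attempt succeeds with p_success;
    each success costs a triangular(low, mode, high) amount.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for _ in range(_poisson(tef, rng)):
            if rng.random() < p_success:
                total += rng.triangular(loss_low, loss_high, loss_mode)
        losses.append(total)
    losses.sort()
    return losses


def percentile(sorted_values, q):
    """Nearest-rank percentile of an already sorted list, q in [0, 1]."""
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


# Constructed inputs. TEF and P_SUCCESS are the kind of figures CTI supplies for
# the organization's sector; the loss range comes from cost data on similar incidents.
TEF = 12           # attack attempts per year
P_SUCCESS = 0.05   # fraction of attempts that become loss events
LOSS_LOW, LOSS_MODE, LOSS_HIGH = 50_000, 150_000, 400_000  # cost per loss event


def summary():
    losses = simulate_annual_loss(TEF, P_SUCCESS, LOSS_LOW, LOSS_MODE, LOSS_HIGH)
    return {
        "expected": expected_annual_loss(TEF, P_SUCCESS, (LOSS_LOW + LOSS_MODE + LOSS_HIGH) / 3),
        "simulated_mean": sum(losses) / len(losses),
        "median": percentile(losses, 0.5),
        "p90": percentile(losses, 0.9),
        "p99": percentile(losses, 0.99),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:15} {value:12,.0f}")
```

With these inputs the expected loss is 120,000 a year, yet the median simulated year loses nothing, because a 0.6 loss-event rate means most years have no successful attack. The 90th and 99th percentiles carry the real message for the budget discussion; a single “amber” rating hides both facts, which is the shortcoming of colour-coded models the lesson opens with.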
● So, how does Risk Analysis benefit from CTI?
○ How do Risk Assessments measure risks? Is that accurate?
○ What sort of information does CTI provide to Risk Analysis in order to make it
more effective?
○ Would you choose an approach with or without CTI?
● Video Summary
○ In today’s lecture, we discussed:
■ How risk models are often used in organizations
■ What specific areas can CTI enhance in order to obtain a more accurate
risk calculation
■ What processes considered in CTI benefit Risk Analysis
■ The type of intelligence that Risk Analysis needs

 
Module 5: ​Cyber Threat Intelligence for Fraud Prevention


Lesson 5.1​: CTI for Fraud Prevention
Skills Learned From This Lesson: Cyber Threat Intelligence, Fraud Prevention, Dark Web,
Payment Fraud through CTI, Typosquatting, Fraudulent Domains
● Cyber Threat Intelligence against criminals and frauds
○ Understand how cybercriminals organize themselves to execute fraud and
extortion
○ See how conversations in criminal communities present opportunities to gather
valuable threat intelligence
○ Learn which types of cyber fraud you can combat by applying relevant threat
intelligence
● Diving into the Dark Web
○ The place to go for illicit activities
○ Wide range of options of tools and malware available to anyone with money
○ Cybercriminals as a service
○ Very privileged forums
○ Big payments upfront in order to access specific forums. Can range anywhere
from $50 to $100,000.
● What can we get from Dark Networks?
○ Different classification for forums
■ Underground forums
■ Higher tier dark web forums
■ Dark web markets
○ There’s a known connection between lower and higher tier forums
○ No known connection between markets and forums
● Payment fraud through CTI
○ Most of the time, payment fraud can be accomplished by cyber criminals through:
■ Phishing campaigns
■ Advanced techniques for compromising POS systems or e-commerce sites
○ Once the data is obtained it is resold in bulk most of the time
● Typosquatting and Fraudulent domains
○ Possible malicious keyword domains close in spelling to the real domain

 
○ Example: Domain.com could be domian.com, domains.com, domaln.com, domain.cm
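The four variants above are each a different kind of lookalike: a transposition, an insertion, a confusable character (l for i) and a dropped TLD letter. The following is an added example, not part of the course material, showing how a CTI team might flag such registrations from a feed of newly observed domains; the observed list, the protected domain and the category names are constructed for the illustration, and it goes a little beyond the text by also catching the "rn" for "m" confusion and brand-embedding names.

```python
# Added example (not course material): flagging lookalike domains from a constructed
# list of observed registrations against one protected domain.


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so a swapped pair such as 'domian' counts as one change."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


_CONFUSABLE = str.maketrans("l10", "iio")  # l and 1 look like i, 0 looks like o


def canonical(label):
    """Collapse look-alike characters so 'domaln' and 'dornain' both map to 'domain'."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(_CONFUSABLE)


def classify(candidate, protected):
    """Return a lookalike category for `candidate`, or None if it is unrelated."""
    c_label, _, c_tld = candidate.lower().rpartition(".")
    p_label, _, p_tld = protected.lower().rpartition(".")
    if (c_label, c_tld) == (p_label, p_tld):
        return "legitimate"
    if c_label == p_label:
        return "tld_swap"                        # domain.cm
    if canonical(c_label) == canonical(p_label):
        return "homoglyph"                       # domaln.com, dornain.com
    if osa_distance(c_label, p_label) <= 1:
        return "typo"                            # domian.com, domains.com
    if p_label in c_label:
        return "brand_embedding"                 # domain-login.com
    return None


def flag_lookalikes(observed, protected):
    """Map every suspicious observed domain to its category."""
    flags = {}
    for domain in observed:
        category = classify(domain, protected)
        if category not in (None, "legitimate"):
            flags[domain] = category
    return flags


# Constructed list standing in for a newly-registered-domain or certificate-transparency feed.
OBSERVED = ["domain.com", "domian.com", "domains.com", "domaln.com", "domain.cm",
            "dornain.com", "domain-login.com", "example.com", "dmoain.org"]

if __name__ == "__main__":
    for domain, category in flag_lookalikes(OBSERVED, "domain.com").items():
        print(f"{domain:20} {category}")
```

The edit-distance threshold of 1 is deliberately tight: on short brand names a distance of 2 matches many unrelated words, so in practice the threshold is raised only for long labels, and flagged domains are enriched (registration date, registrar, resolving IP) before anyone acts on them.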
● Post Assessment Question
○ How can fraud be prevented using CTI?
○ What processes have CTI that would gather data in advance to detect when a
fraud has happened?
● Video Summary
○ In today’s lecture, we discussed:
■ How Cyber Threat Intelligence resources and tools can detect when a
breach has happened and the security devices didn’t detect it.
■ When regional industries similar to the organization’s are involved in a
data breach

Module 6: ​Cyber Threat Intelligence Frameworks


Lesson 6.1​: Cyber Kill Chain
Skills Learned From This Lesson: Cyber Threat Intelligence, Frameworks, Lockheed Martin
Cyber Kill Chain, Indicators, Cyber Kill Chain Peculiarities
● Cyber Threat Intelligence frameworks
○ Processes, procedures, and a structure to attach them to, in order to make
everything more effective
○ In this module we are going to review three main frameworks that are often
useful to implement in a CTI lifecycle.
● Benefits of using a framework
○ Structures for thinking about attacks and adversaries
○ Understanding of how attackers think, the methods they use, and where in an
attack lifecycle specific events occur
○ Focus attention on the details that require further investigation
● The Lockheed Martin Cyber Kill Chain
○ By breaking an attack up, defenders can pinpoint which stage it is in and deploy
appropriate countermeasures
○ Security teams can develop standard responses for each stage
○ The Cyber Kill Chain also allows organizations to build a defense-in-depth model
that targets specific parts of the kill chain

 
○ Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command
and Control, Exfiltration
● Indicators are key
○ Lockheed Martin Corporation in its own paper about the Cyber Kill Chain stated
three specific types of indicators:
■ Atomic: Indicators that cannot be broken down into smaller parts
■ Computed: Indicators derived from data involved in an incident
■ Behavioral: Collections of computed and atomic indicators, often subject
to qualifications by quantity and possibly combinatorial logic (Lockheed
Martin Corporation, 2019)
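The stage list and the three indicator types above come together when a defender asks "which hosts have moved through several stages, and where could the chain have been broken?". The following is an added example, not part of the course material: constructed alerts are tagged with a kill-chain stage and an indicator type (atomic for IPs, domains and addresses; computed for hashes), and one behavioral indicator, in the paper's sense of atomic and computed indicators qualified by quantity, fires when a host shows activity in at least three distinct stages. Host names, the sender address, the hash placeholder and the addresses (documentation range) are all constructed.

```python
# Added example (not course material): kill-chain stage tagging over constructed
# alerts plus one behavioral indicator built from atomic and computed ones.
from collections import Counter, defaultdict

# The seven stages as listed in the course.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "exfiltration"]
STAGE_INDEX = {stage: i for i, stage in enumerate(KILL_CHAIN)}

# Indicator types from the Lockheed Martin paper.
INDICATOR_TYPE = {
    "ip": "atomic", "domain": "atomic", "email": "atomic",  # cannot be broken down further
    "sha256": "computed", "regex": "computed",              # derived from incident data
}

# Constructed alerts: (time, host, stage, indicator kind, indicator value).
ALERTS = [
    ("08:02", "ws-017", "delivery", "email", "invoices@supplier-portal.test"),
    ("08:03", "ws-042", "delivery", "email", "invoices@supplier-portal.test"),
    ("08:11", "ws-017", "exploitation", "sha256", "sha256-placeholder-constructed"),
    ("08:15", "ws-017", "command_and_control", "ip", "203.0.113.45"),
    ("09:40", "srv-db-01", "command_and_control", "domain", "update-cdn.test"),
    ("09:52", "srv-db-01", "exfiltration", "ip", "203.0.113.45"),
]


def stages_by_host(alerts):
    """Distinct kill-chain stages seen per host, ordered along the chain."""
    seen = defaultdict(set)
    for _, host, stage, _, _ in alerts:
        seen[host].add(stage)
    return {host: sorted(stages, key=STAGE_INDEX.__getitem__) for host, stages in seen.items()}


def indicator_types_by_host(alerts):
    """How many atomic and computed indicators matched on each host."""
    counts = defaultdict(Counter)
    for _, host, _, kind, _ in alerts:
        counts[host][INDICATOR_TYPE[kind]] += 1
    return counts


def behavioral_indicator(alerts, min_stages=3):
    """Behavioral indicator: a host with matches in at least `min_stages` distinct
    stages. `break_at` is the earliest stage seen, i.e. the first point at which a
    countermeasure for that stage would have broken the chain."""
    types = indicator_types_by_host(alerts)
    hits = {}
    for host, stages in stages_by_host(alerts).items():
        if len(stages) >= min_stages:
            hits[host] = {
                "stages": stages,
                "break_at": stages[0],
                "indicators": dict(types[host]),
            }
    return hits


if __name__ == "__main__":
    for host, detail in behavioral_indicator(ALERTS).items():
        print(host, detail)
```

Lowering `min_stages` to 2 also surfaces the database server, which shows that the quantity qualifier is what turns a pile of atomic matches into a behavioral indicator with a tolerable false-positive rate.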
● Cyber Kill Chain peculiarities
○ One of the big criticisms of this model is that it doesn’t take into account the way
modern attacks work
○ Even with this limitation, the Cyber Kill Chain creates a good baseline to discuss
attacks and where they can be stopped
● Post Assessment Question
○ Why does an attack intrusion schema work well for CTI?
○ What type of information has to be available in each stage of the chain?
● Video Summary
○ In today’s lecture we discussed:
■ The benefits gained from CTI when sticking to a given framework
■ How the Cyber Kill Chain works and benefits the information collection in
its stages
■ How can the information collected help in stopping a compromise

Lesson 6.2​: Diamond Model - Part 1


Skills Learned From This Lesson: Cyber Threat Intelligence, Diamond Model, Flexibility and
Extensibility
● The Diamond Model
○ Created in 2013 by the now-defunct Center for Cyber Intelligence Analysis and
Threat Research (CCIATR)
○ It is used to track attack groups over time rather than the process of individual
attacks.

 
○ In its most basic form, this model describes that an adversary deploys a
capability over some infrastructure against a victim.
● Pivoting
○ “The Diamond Model would help you “pivot” from this initial indicator to find
information about the attacker associated with that IP address, then research the
known capabilities of that attacker” (Recorded Future, 2018)
● Diamond Event
○ “For every intrusion event there exists an adversary taking a step towards an
intended goal by using a capability over infrastructure against a victim to produce
a result” (Sergio Caltagirone, 2013)
○ Each event feature has an associated confidence value. This value is left
purposefully undefined as each model implementation may understand
confidence differently.
● Flexibility
○ One of the big advantages of the Diamond Model is its flexibility and extensibility.
Other features of an attack that can be tracked include:
■ Phase
■ Result
■ Direction
■ Methodology
■ Resources
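To make the Diamond Event, its per-feature confidence and the "pivot" concrete, the following is an added example, not part of the course material: each event carries the four core features with a confidence value (left to the implementer, as the model says) and a free-form dictionary for the meta-features listed above, and a pivot starts from one infrastructure indicator, finds the adversaries attributed to it and then gathers every capability those adversaries are known for. Actor names, IP addresses (documentation ranges), victims and confidence values are all constructed.

```python
# Added example (not course material): a minimal Diamond event and the pivot from an
# infrastructure indicator to adversaries and their known capabilities.
from dataclasses import dataclass, field


@dataclass
class Feature:
    value: str
    confidence: float  # 0.0-1.0; its exact meaning is left to the implementation


@dataclass
class DiamondEvent:
    adversary: Feature
    capability: Feature
    infrastructure: Feature
    victim: Feature
    # Meta-features the model allows: phase, result, direction, methodology, resources.
    meta: dict = field(default_factory=dict)


def pivot(events, feature_name, value, min_confidence=0.0):
    """Events whose named feature equals `value` with at least `min_confidence`."""
    return [e for e in events
            if getattr(e, feature_name).value == value
            and getattr(e, feature_name).confidence >= min_confidence]


def pivot_from_infrastructure(events, ip, min_adversary_confidence=0.0):
    """Start from one IP (infrastructure), find the adversaries attributed to it,
    then collect every capability those adversaries are known to use."""
    adversaries = {
        e.adversary.value
        for e in pivot(events, "infrastructure", ip)
        if e.adversary.confidence >= min_adversary_confidence
    }
    capabilities = {e.capability.value for e in events if e.adversary.value in adversaries}
    return adversaries, capabilities


# Constructed events: two attributed to ACTOR-A, one weakly attributed to ACTOR-B on
# infrastructure that ACTOR-A also used.
EVENTS = [
    DiamondEvent(Feature("ACTOR-A", 0.9), Feature("macro dropper", 0.8),
                 Feature("203.0.113.10", 0.9), Feature("finance@corp.test", 1.0),
                 meta={"phase": "delivery", "direction": "adversary-to-victim", "result": "success"}),
    DiamondEvent(Feature("ACTOR-A", 0.8), Feature("credential harvesting page", 0.7),
                 Feature("198.51.100.7", 0.9), Feature("hr@corp.test", 1.0),
                 meta={"phase": "exploitation", "direction": "victim-to-infrastructure", "result": "failure"}),
    DiamondEvent(Feature("ACTOR-B", 0.4), Feature("RDP password spraying", 0.9),
                 Feature("203.0.113.10", 0.9), Feature("vpn.corp.test", 1.0),
                 meta={"phase": "exploitation", "direction": "infrastructure-to-victim", "result": "failure"}),
]

if __name__ == "__main__":
    print(pivot_from_infrastructure(EVENTS, "203.0.113.10"))
    print(pivot_from_infrastructure(EVENTS, "203.0.113.10", min_adversary_confidence=0.7))
```

The confidence threshold is the part worth noticing: shared infrastructure pivots to both actors, but requiring adversary confidence of 0.7 drops the weakly attributed event and keeps the capability list from absorbing another group's tooling.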
● Video Summary
○ In today’s lecture, we discussed:
■ The Diamond Model used for CTI
■ How the information is distributed in this model.
○ In the next video, we will study:
■ The roles of each one of the different events involved
■ The challenges that an implementation of this model may bring.

Lesson 6.3​: Diamond Model - Part 2


Skills Learned From This Lesson: Cyber Threat Intelligence, Capability, Infrastructure, Victims,
Vulnerabilities and Exposures, Challenges with the Diamond Model
● Adversary

 
○ “There exists a set of adversaries (insiders, outsiders, individuals, groups, and
organizations) which seek to compromise computer systems or networks to
further their intent and satisfy their needs” (Sergio Caltagirone, 2013)
● Capability
○ The capability feature describes the tools and/or techniques of the adversary
used in the event
○ All of the vulnerabilities and exposures that can be utilized by the individual
capability regardless of victim are considered its capacity.
● Infrastructure
○ The infrastructure feature describes the physical and/or logical communication
structures the adversary uses to deliver a capability, maintain control of
capabilities and effect results from the victim.
● Victim
○ “A victim is the target of the adversary and against whom vulnerabilities and
exposures are exploited and capabilities used. As with other features, a victim
can be described in whichever way necessary and appropriate: organization,
person, target email address, IP address, domain, etc” (Sergio Caltagirone,
2013)
● Vulnerabilities and Exposures
○ “Every system, and by extension every victim asset, has vulnerabilities and
exposures.” (Sergio Caltagirone, 2013)
○ These can be described as broadly as “lack of user education causing
email-borne hyperlinks to be clicked” or as specific as a CVE to fit the
documentation requirements of the event
● Challenges with the Diamond Model
○ “The downside is the Diamond Models require a lot of care and feeding.
■ Some aspects of the model, especially infrastructure, change rapidly.
■ If you don’t update the diamond of an attacker constantly, you run the risk
of working with outdated information.” (Recorded Future, 2018)
● Post Assessment Questions
○ How different is the Cyber Kill Chain from the Diamond Model?
○ What benefits can we obtain from the Diamond Model that the Cyber Kill Chain
can’t provide?
○ How can both of them be seen working together?
 
Lesson 6.4​: MITRE ATT&CK


Skills Learned From This Lesson: Cyber Threat Intelligence, MITRE, MITRE ATT&CK
knowledge base, ATT&CK Matrix
● MITRE
○ MITRE is a unique organization in the United States; it is responsible for
managing federal funding for research projects across multiple federal agencies.
○ Responsible for the development of the Common Vulnerabilities and Exposures
(CVE).
○ MITRE has also developed specific frameworks for Cyber Threat Intelligence
such as:
■ TAXII
■ STIX
■ CybOX
● MITRE ATT&CK knowledge base
○ “MITRE ATT&CK” is a globally-accessible knowledge base of adversary tactics
and techniques based on real-world observations.
○ This is used as a foundation for the development of specific threat models and
methodologies. (MITRE ATT&CK, 2019)
● The ATT&CK Matrix uses 11 different tactic categories to describe adversary behavior:
○ Initial Access
○ Execution
○ Persistence
○ Privilege Escalation
○ Defense Evasion
○ Credential Access
○ Discovery
○ Lateral Movement
○ Collection
○ Exfiltration
○ Command and Control
● ATT&CK coverage
○ The coverage of this framework helps track adversary behavior, allowing teams
to:
 
■ Prioritize incident responses
■ Tie indicators to attackers
■ Identify holes in an organization’s security posture
● The ATT&CK framework is a large collection of information used to classify many
kinds of data. This is why covering it item by item is hard to achieve in this
course.
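The three uses above (prioritising responses, tying indicators to attackers, finding holes in the security posture) all reduce to comparing what an organization can detect against the ATT&CK technique catalog and against an actor's known TTPs. The following is an added example, not part of the course material: the technique IDs and their tactic assignments are real ATT&CK entries (a small subset, the 11 tactics as listed above), while the detection rules and the actor report are constructed.

```python
# Added example (not course material): an ATT&CK coverage check. Technique IDs and
# tactics are real ATT&CK entries; the detections and the actor report are constructed.
from collections import defaultdict

TACTICS = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
           "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
           "Collection", "Exfiltration", "Command and Control"]

# Subset of ATT&CK techniques: id -> (name, tactics the technique belongs to).
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1053": ("Scheduled Task/Job", ["Execution", "Persistence", "Privilege Escalation"]),
    "T1027": ("Obfuscated Files and Information", ["Defense Evasion"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1082": ("System Information Discovery", ["Discovery"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1005": ("Data from Local System", ["Collection"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
}

# Constructed: technique(s) each existing detection rule is tagged with.
DETECTIONS = {
    "mail-gw-attachment-sandbox": ["T1566"],
    "edr-encoded-powershell": ["T1059", "T1027"],
    "edr-lsass-handle-access": ["T1003"],
    "proxy-beaconing-detector": ["T1071"],
}

# Constructed: techniques attributed to a tracked actor in an intelligence report.
ACTOR_TTPS = ["T1566", "T1059", "T1053", "T1003", "T1021", "T1041"]


def covered_techniques(detections):
    """Every technique at least one detection rule is tagged with."""
    return {tid for tids in detections.values() for tid in tids}


def coverage_by_tactic(techniques, detections):
    """tactic -> (techniques covered by a detection, techniques known in that tactic)."""
    covered = covered_techniques(detections)
    per_tactic = defaultdict(lambda: [0, 0])
    for tid, (_, tactics) in techniques.items():
        for tactic in tactics:
            per_tactic[tactic][1] += 1
            if tid in covered:
                per_tactic[tactic][0] += 1
    return {tactic: tuple(per_tactic[tactic]) for tactic in TACTICS}


def uncovered_actor_techniques(actor_ttps, detections):
    """Actor techniques with no detection: the holes to close first for this threat."""
    return sorted(set(actor_ttps) - covered_techniques(detections))


def blind_tactics(techniques, detections):
    """Tactics in which nothing from the catalog is detected at all."""
    return [tactic for tactic, (covered, _) in coverage_by_tactic(techniques, detections).items()
            if covered == 0]


if __name__ == "__main__":
    for tactic, (covered, total) in coverage_by_tactic(TECHNIQUES, DETECTIONS).items():
        print(f"{tactic:22} {covered}/{total}")
    print("actor gaps:", uncovered_actor_techniques(ACTOR_TTPS, DETECTIONS))
```

Against a full ATT&CK export the same functions work unchanged; the point of the toy catalog is that the per-tactic counts alone say little, while the intersection with a specific actor's TTPs is what turns coverage into a priority list.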
● Post Assessment Question
○ How can this framework be contrasted with the Diamond Model?
○ What purposes of Cyber Threat Intelligence does this framework provide that
others don’t?
○ How can the three frameworks live together?
● Video Summary
○ In today’s brief lecture, we discussed the main concept behind the ATT&CK
framework and what objectives it aims to resolve.
○ We also reviewed what capabilities this framework can provide to Cyber Threat
Intelligence and to other units such as the SOC or the IR team.

Module 7: ​Developing the Core of Cyber Threat Intelligence


Lesson 7.1​: Preparing Your Ground
Skills Learned From This Lesson: Cyber Threat Intelligence, Clarify Goals, Components of
Threat Intelligence
● You should have a defined start point
○ Threat feeds are a very important part of a Cyber Threat Intelligence team, but it
is not the best place to start.
○ You will get a lot of data and information, but it won’t be narrowed to the
organization’s needs.
○ Large volumes of data will immediately cause alert exhaustion for adjacent
teams.
● How should you clarify your goals?
○ Cyber Threat Intelligence provides value to multiple teams in your organization
○ By defining each group’s goals, better intelligence can be provided to them.
■ What are their greatest risks?
■ How can CTI help in addressing those risks?

 
■ What is the impact of addressing them?
■ What information gaps do they currently have?
● How will you need Cyber Threat Intelligence?
○ Teams can benefit from intelligence that drives informed decision making and
offers unique perspectives.
○ It’s important to identify all the potential users.
○ Drill down into the types of cyber threat intelligence each group can use and
exactly how they will benefit.
● Components of Threat Intelligence
○ Threat Analysis
■ Find and respond to external threats
○ Security Operations
■ Accelerate triage and extend visibility with external context
○ Vulnerability Management
■ Effectively prioritize based on real-time exploitation information
○ Incident Response
■ Accelerate scoping, attribution, and remediation with external context
○ Security Leadership
■ Effectively prioritize spend based on unique knowledge of threats
● Video Summary
○ So far we have defined:
■ Cyber Threat Intelligence capabilities
■ Alignment of the Cyber Threat Intelligence team with the organization and
internal teams
■ Examples of what kind of requirement would the different teams have

Lesson 7.2​: Key Success Factors


Skills Learned From This Lesson: Cyber Threat Intelligence, Generating Quick Wins with
Monitoring, Automation, Integrating Cyber Threat Intelligence with processes and infrastructure
● Generating quick wins with monitoring
○ Look for a few types of data that are particularly meaningful for the organization
and cyber security strategy.
○ Checking for new vulnerabilities that affect your most important assets.
○ Tracking threat trends that pose potential risks to your business operations.
 
○ Watching for any leaked information on public sources.
● Automating as much as possible
○ Start by automating fundamental tasks like:
■ Data aggregation
■ Comparing
■ Labeling
■ Contextualization
○ When these tasks are performed by machines, people can work on making
effective, informed decisions.
● Integrating Cyber Threat Intelligence with processes and infrastructure
○ This is an effective way to make the intelligence accessible and usable.
■ Give CTI tools visibility into security events and activities.
■ Combining and correlating internal and external data points.
○ Deliver the most important, specific, relevant and contextualized intelligence to
the right group at the right time.
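The automation list (aggregation, comparing, labeling, contextualization) and the integration point that follows it (correlating external and internal data) are one pipeline in practice. The following is an added example, not part of the course material: two constructed feeds in different formats are normalized and merged, each indicator is labeled with its sources and tags, and the result is contextualized against constructed proxy log lines so that indicators actually contacted from inside the organization float to the top. Feed schemas, indicator values (documentation ranges and the .test TLD), host names and log format are all assumptions made for the illustration.

```python
# Added example (not course material): aggregate, compare, label and contextualize
# two constructed threat feeds against constructed internal proxy logs.
import csv
import io
import json
from collections import defaultdict

# Constructed feed A (CSV): indicator, type, label, confidence 0-100
FEED_A = """\
203.0.113.45,ip,c2,90
malicious-updates.test,domain,phishing,60
198.51.100.7,ip,scanner,30
"""

# Constructed feed B (JSON lines) using a different schema for the same concepts.
FEED_B = """\
{"value": "203.0.113.45", "kind": "ipv4", "tags": ["c2", "botnet"], "score": 0.7}
{"value": "login-corp-portal.test", "kind": "fqdn", "tags": ["phishing"], "score": 0.8}
"""

# Constructed internal proxy log: timestamp, source host, destination.
PROXY_LOG = """\
2024-05-01T08:15:02 ws-017 203.0.113.45
2024-05-01T08:16:10 ws-042 www.example.test
2024-05-01T09:01:44 ws-017 login-corp-portal.test
"""

TYPE_MAP = {"ip": "ip", "ipv4": "ip", "domain": "domain", "fqdn": "domain"}


def parse_feed_a(text):
    """Yield (indicator, type, labels, confidence 0-1, source) from the CSV feed."""
    for indicator, kind, label, confidence in csv.reader(io.StringIO(text)):
        yield indicator, TYPE_MAP[kind], {label}, int(confidence) / 100.0, "feed_a"


def parse_feed_b(text):
    """Yield the same tuple shape from the JSON-lines feed."""
    for line in text.splitlines():
        rec = json.loads(line)
        yield rec["value"], TYPE_MAP[rec["kind"]], set(rec["tags"]), rec["score"], "feed_b"


def aggregate(*feeds):
    """Merge records by indicator: union labels and sources, keep the highest confidence."""
    merged = {}
    for feed in feeds:
        for indicator, kind, labels, confidence, source in feed:
            rec = merged.setdefault(indicator, {"type": kind, "labels": set(),
                                                "sources": set(), "confidence": 0.0})
            rec["labels"] |= labels
            rec["sources"].add(source)
            rec["confidence"] = max(rec["confidence"], confidence)
    return merged


def contextualize(indicators, proxy_log):
    """Attach the internal hosts that contacted each indicator."""
    sightings = defaultdict(set)
    for line in proxy_log.splitlines():
        _, host, destination = line.split()
        sightings[destination].add(host)
    for indicator, rec in indicators.items():
        rec["seen_on"] = sorted(sightings.get(indicator, ()))
    return indicators


def prioritized(indicators):
    """Indicators seen internally first, then by confidence, then by number of sources."""
    return sorted(indicators, key=lambda i: (bool(indicators[i]["seen_on"]),
                                             indicators[i]["confidence"],
                                             len(indicators[i]["sources"])), reverse=True)


def build_watchlist():
    return contextualize(aggregate(parse_feed_a(FEED_A), parse_feed_b(FEED_B)), PROXY_LOG)


if __name__ == "__main__":
    watchlist = build_watchlist()
    for indicator in prioritized(watchlist):
        print(indicator, watchlist[indicator])
```

Keeping the maximum confidence rather than averaging is a deliberate choice here: a low-scoring scanner entry should not dilute a high-confidence C2 entry for the same address, while the `sources` set preserves the disagreement for the analyst to see.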
● Getting expert help to nurture internal experts
○ The value you get from cyber threat intelligence is directly related to your ability
to make it relevant to your organization.
○ These goals can be reached faster if you work with a vendor or consultant that
provides both technical capabilities and expertise.
○ You should be able to call on their expertise as needed.
● You don’t have to have it all at once
○ You don’t need to have everything set up perfectly in order to take advantage of
Cyber Threat Intelligence capabilities.
○ You can start simple with your current staff, a few data sources, and integration
with existing security tools.
○ Once that is set, you can go ahead and scale up.
● Video Summary
○ Scour the widest possible range of sources
○ Use automation to deliver easily consumable intelligence
○ Provide fully contextualized alerts in real time
○ Integrate with and enhance existing security technologies and processes
○ Consistently improve your entire security organization

 
Lesson 7.3​: Team and Approach


Skills Learned From This Lesson: Cyber Threat Intelligence, Creating the Cyber Threat
Intelligence unit, Skill sets needed for Cyber Threat Intelligence members, Four types of Cyber
Intelligence
● Creating the Cyber Threat Intelligence unit
○ Two questions will arise:
■ Should there be a dedicated Cyber Threat Intelligence team?
■ Should it be independent, or can it live inside another cybersecurity
group?
■ The answers are: yes, and it depends.
● An independent Cyber Threat Intelligence team!
○ Organizational independence has its advantages, such as greater autonomy and
prestige.
○ It can also come with the jealousies and political issues of creating a brand new
unit and re-assigning people to it.
○ Start with individuals who are already in cybersecurity and are applying cyber
threat intelligence to their particular areas of security
● Specific skill set for future members
○ Correlating external data with internal telemetry
○ Providing threat situational awareness and recommendations
○ Proactively hunting internal threats
○ Educating employees and customers on cyber threats
○ Engaging with threat intelligence communities
○ Identifying and managing information sources
● Four types of Cyber Threat Intelligence
○ Strategic
■ High-Level Information on Changing Risk (The Board)
○ Tactical
■ Attacker Methodologies, Tools, and Tactics (Architects and Sysadmins)
○ Technical
■ Indicators of Specific Malware (SOC Staff / IR)
○ Operational
■ Details of a Specific Incoming Attack (Defenders)

 
● Video Summary
○ Review of what we have gone through so far:
■ Building a team for Cyber Threat Intelligence
■ Core competencies of the best profiles for Cyber Threat Intelligence
operators.
■ Four types of Cyber Threat Intelligence and how they can be applied.

Lesson 7.4​: Technical Resources


Skills Learned From This Lesson: Cyber Threat Intelligence, Collecting & Enriching Threat Data,
Human Element, Artificial Intelligence & Machine Learning
● Collecting and Enriching Threat Data
○ Resources available to enhance our Cyber Threat Intelligence capabilities.
■ Human
■ Technologies
■ Combination of sources
■ Cyber Threat Intelligence with AI
■ Cyber Threat Intelligence communities
● The Human Element
○ Cyber Threat Intelligence vendors can provide strategic intelligence vs in-house
capabilities.
■ In-house development will adapt to specific organizational objectives
■ Generates concrete data aligned with specific requirements
● Additional sources
○ Vendor or ISAC feeds
○ Whitelists
○ Blacklists
○ Cyber Threat Intelligence team research
● Machines can be intelligent too!
○ References to threats can be rendered “language-neutral” so they can be analyzed
by humans and machines.
○ The combination of machine learning, NLP, and AI creates huge opportunities for
the Cyber Threat Intelligence team

 
● You are not alone
○ External relationships are the lifeblood of successful Cyber Threat Intelligence
teams.
○ No single group can be as smart individually as the Cyber Threat Intelligence
world as a whole.
○ Participation requires time and resources, but relationship building must be a
priority for Cyber Threat Intelligence to be successful.
● Post Assessment Questions
○ What is your development plan for the Cyber Threat Intelligence unit?
○ What resources need to be considered?
○ What position will the Cyber Threat Intelligence team have in the organizational
chart?

Module 8: ​Conclusion
Lesson 8.1​: Key Takeaways
Skills Learned From This Lesson: Cyber Threat Intelligence, Focus on Relevant Risk, Efficient
Security, Value of Data Feeds
● Cyber Threat Intelligence is for everyone!
○ Cyber Threat Intelligence enables teams to:
■ Anticipate threats
■ Respond to attacks faster
■ Make better decisions for risk reduction
● A focus on relevant risk
○ There is no such thing as “one hundred percent secure”
○ The identification and response to threats should be relevant as much as
possible.
○ The more relevant the intelligence, the more effective the risk reduction at
your organization will be.
● Efficiency is key when talking about security
○ Integration of Cyber Threat Intelligence with other security teams helps them
identify threats earlier.
○ Identifying threats earlier will guarantee a faster incident resolution.
○ Efficiently reducing risk is the ultimate goal of an organization

 
● Time is also crucial
○ If a potential threat is detected the most important step to follow is to determine if
it is a false positive or not.
○ Deploying a critical measure against a false positive threat can be really costly to
the organization.
● Learn from the people that have been doing CTI
○ Third party Cyber Threat Intelligence is only valuable if it can be correlated
against internal data
○ Internal correlations should be the core of the Cyber Threat Intelligence analysis
○ A Cyber Threat Intelligence provider must comply with several criteria
● Data feeds will be gold if chosen wisely
○ What do you want to get out of your Cyber Threat Intelligence program?
○ Are you able to handle the free data feeds where you have to clean them up and
use filtering?
○ Can you afford to have paid data feeds with digested data that you can almost
immediately use?

Lesson 8.2​: Units in Need of CTI


Skills Learned From This Lesson: Cyber Threat Intelligence, Incident Response Team,
Vulnerability Management, Risk Analysis, Security Leadership
● Security Operation Center (SOC)
○ Data exposure incidents
○ High risk malware families
○ Reputation risk
● Incident Response Team
○ Doesn’t need a big volume of information
○ Requires data exposure incidents to correlate and remediate
○ Learn from the mishaps of other organizations
● Vulnerability Management
○ Exploit kits
○ High risk vulnerabilities for the organization
○ Undisclosed vulnerabilities detected in the wild
● Risk Analysis
○ Third party security competence
 
○ Third parties with elevated risk
● Security Leadership
○ Attack planning
○ Industry attack trends
○ Infrastructure risk
○ Targeted threat actor and campaign research

Module 9: ​Summary and References


Lesson 9.1​: Summary and References - Part 1
Skills Learned From This Lesson: Cyber Threat Intelligence, History of Cyber Threat
Intelligence, Intelligence-driven Security, Data Sources, Cyber Threat Intelligence Role,
● History and main concepts of Cyber Threat Intelligence
○ Intelligence comes from military use
○ TTPs used by armies to be one step ahead of their rivals
○ Intelligence is performed all the same, in peace time and in war
○ Cyber Threat Intelligence is NOT a cooking recipe
● Intelligence-driven Security
○ Cyber Threat Intelligence is more than data feeds and PDF reports
○ Cyber Threat Intelligence lifecycle consists of:
■ Direction
■ Collection
■ Analysis
■ Processing
■ Dissemination
■ Feedback
● Data Sources
○ Threat feeds
○ Media
○ Social Media
○ Threat Actor forums
○ Dark Web forums

 
● Cyber Threat Intelligence role
○ For SOC, the most important aspect is enough information and context to
distinguish between an actual threat and a false positive.
○ For IR, information regarding known threats and mitigation.
○ For risk analysis, accurate statistics to determine the likelihood of occurrence.

Lesson 9.2​: Summary and References - Part 2


Skills Learned From This Lesson: Cyber Threat Intelligence, CTI Role in Fraud Prevention,
Cyber Kill Chain, Diamond Model, MITRE ATT&CK Framework, Core of CTI, References
● Cyber Threat Intelligence role in fraud prevention
○ Cyber Threat Intelligence is commonly expected to just detect active threats
○ Cyber Threat Intelligence can monitor Dark Web forums in order to detect when a
data exfiltration has occurred.
● Cyber Kill Chain
○ The Cyber Kill Chain focuses on one attack and is closely related to an actual
attacker methodology.
○ Defines every attribute of a possible compromise in each detection.
● Diamond Model
○ The Diamond Model is broader and more flexible since it focuses on the attack as
a whole.
○ Contains four main attributes and as many subsets of attributes as needed.
○ There are no limitations to the information collected, since it can be added to the
model in one way or another.
● MITRE ATT&CK Framework
○ The last framework reviewed is the MITRE ATT&CK, distributed in 11 categories
for specific information regarding attacks.
○ The categories may not be related to one another specifically, but if enough
information is collected, they do provide a great analysis of the attack.
● Developing the core of Cyber Threat Intelligence
○ Clearly define the goals of Cyber Threat Intelligence unit
○ Define which teams are going to need to consume the Cyber Threat Intelligence
○ What information should every team need and how should it be delivered
○ Key success factors, such as:
■ Generating quick wins
 
■ Automating whenever possible
■ Getting expert help to improve the internal talent
■ Grow bit by bit
○ How Cyber Threat Intelligence will fit into the organization
○ Whether it will be staffed with internal personnel or new personnel
○ The different types of Cyber Threat Intelligence:
■ Technical
■ Tactical
■ Strategic
■ Operational
● Developing the core of Cyber Threat Intelligence
○ Human resources working in the Cyber Threat Intelligence unit
○ The flow of Cyber Threat Intelligence once all the parts are connected
○ How to get the most out of Cyber Threat Intelligence through Artificial Intelligence
and Machine Learning
○ Engaging with other communities
● References

 