Edition:
Authors: Aaron Roberts
Series:
ISBN: 9781484272206, 9781484272190
Publisher: Apress
Year of publication: 2021
Number of pages: 0
Language: English
File format: EPUB (converted to PDF, EPUB or AZW3 at the user's request)
File size: 844 KB
If you need the file of the book The No-Nonsense Guide for CISOs and Security Managers converted to PDF, EPUB, AZW3, MOBI or DJVU, you can notify support so that they convert the file.
Note that the book The No-Nonsense Guide for CISOs and Security Managers is the original-language edition and is not a Persian translation. The International Library website provides original-language books and does not offer any books translated into or written in Persian.
Table of Contents

About the Author Acknowledgments Introduction

Chapter 1: The Cybersecurity Wild West
Identifying the Wheat from the Chaff What Kinds of Vendors Are There? Where Do You Even Begin? Always Start with Intelligence Requirements What Sectors Is Your Business Operating In? What Systems and Services Do You Use and Want to Monitor for Threats? What Are the Threats You’re Worried About As a Business? What Other Security Vendors Do You Use? What Is Your Business Planning to Do in the Next X Years? Further Considerations for IRs What Do You Get for Your Money? Key Takeaways

Chapter 2: Cyber Threat Intelligence – What Does It Even Mean?
The Intelligence Cycle 1. Planning and Direction 2. Collection 3. Processing and Exploitation 4. Analysis 5. Dissemination 6. Feedback The Diamond Model Diamond Model – Adversary Diamond Model – Victim Diamond Model – Infrastructure Diamond Model – Capabilities/TTPs How Do We Apply Intelligence to Existing Security? The Cyber Kill-Chain and MITRE ATT&CK Framework Human Behavior Doesn’t Change The IOC Is Dead. Long Live the IOC Security Products Are Evolving – So Should You The Cyber Kill-Chain Key Takeaways

Chapter 3: Structured Intelligence – What Does It Even Mean?
OpenIOC MITRE ATT&CK Using MITRE ATT&CK STIX – Why It’s Important Aligning STIX with ATT&CK – Where the Magic Happens Threat Actor Campaign Attack Pattern Malware Vulnerability Course of Action Victim Report Indicators The Remaining STIX 2.1 Objects Grouping Identity Infrastructure Location Malware Analysis Note Observed Data Opinion Tool Relationship Sighting What About the Kill-Chain? Key Takeaways

Chapter 4: Determining What Your Business Needs
Who Are Your Customers? Intelligence Reporting Tactical Intelligence Operational Intelligence Strategic Intelligence Other Types of Intelligence Reporting Awareness Reporting Executive/VIP Profile Reporting Spot/Flash Reporting Summary Reporting Intelligence Report Structure Key Points Summary Details Recommendations Appendices I Have Requirements! I Have Report Templates! Now What? Business Needs Automation – Can This Help? What If the Business Doesn’t Know What It Wants? Key Takeaways

Chapter 5: How Do I Implement This? (Regardless of Budget)
Threat Feeds News Reports/Blogs Social Media Data Breach Notifications Patch and Vulnerability Notifications Geopolitical Affairs Industry Events Personal Contacts Sharing Groups Requirements, Check. Basic Collection Sources, Check. Now, What? Prioritizing Areas for Funding Intelligence Analysts – How to Use Them Different Analysts for Different Things? Key Takeaways

Chapter 6: Things to Consider When Implementing CTI
Your Organization’s Footprint Big Game or Small Fry? Territories Digital Footprint The Risks Associated to Your Organization Risks Outside Your Control The Gaps Left Behind by Funding/Vendor/IT Black Holes Funding Gaps Vendor Gaps IT Black Holes The Human Factor What Is an Analyst? Curiosity Critical Thinking Self-Awareness Analysis Data Validation Inductive/Deductive Reasoning 5WH – Who, What, Where, When, Why, and How Structured Analytical Techniques Cyber Specific Computer Literacy Information Security Fundamentals External Influences Key Takeaways

Chapter 7: The Importance of OSINT
What Is OSINT? Different Types of OSINT Data Platforms Threat Feeds Research Platforms Social Media Messenger Platforms Platforms Are Good, But How Do I Research Data Using OSINT? OSINT – Technologies OSINT – Threat Actors OSINT – Data What Does an OSINT Investigator Need? Sockpuppets – What? A New Old Phone A New Face Password Manager Maintaining Accounts So If I’m Undercover, Should I Contact People for Information? Combining OSINT with Other Sources Key Takeaways

Chapter 8: I Already Pay for Vendor X – Should I Bother with CTI?
Establishing What Your Existing Vendor(s) Do Well The Humble Conversation Establishing What Your Vendors Don’t Do Well (or at All) How Can You Improve the Existing Processes? What Sort of Things Should You Adopt In-House? What About Open Source Solutions? CTI Starting Block – What to Prioritize? The Benefits of Finding a Good Vendor Key Takeaways

Chapter 9: Summary
The Main Themes Discussed in This Book How You Can Follow Up with Me

Chapter 10: Useful Resources
Online Resources Domains IP Addresses File Hashes and Documents Web Technologies Email Addresses and Data Breaches Usernames Cryptocurrency Paste Sites Social Media Facebook Twitter Instagram Other Social Media and Messenger Apps

Index