Book Image

Operationalizing Threat Intelligence

By : Kyle Wilhoit, Joseph Opacki
Book Image

Operationalizing Threat Intelligence

By: Kyle Wilhoit, Joseph Opacki

Overview of this book

We’re living in an era where cyber threat intelligence is becoming more important. Cyber threat intelligence routinely informs tactical and strategic decision-making throughout organizational operations. However, finding the right resources on the fundamentals of operationalizing a threat intelligence function can be challenging, and that’s where this book helps. In Operationalizing Threat Intelligence, you’ll explore cyber threat intelligence in five fundamental areas: defining threat intelligence, developing threat intelligence, collecting threat intelligence, enrichment and analysis, and finally production of threat intelligence. You’ll start by finding out what threat intelligence is and where it can be applied. Next, you’ll discover techniques for performing cyber threat intelligence collection and analysis using open source tools. The book also examines commonly used frameworks and policies as well as fundamental operational security concepts. Later, you’ll focus on enriching and analyzing threat intelligence through pivoting and threat hunting. Finally, you’ll examine detailed mechanisms for the production of intelligence. By the end of this book, you’ll be equipped with the right tools and understand what it takes to operationalize your own threat intelligence function, from collection to production.
Table of Contents (18 chapters)
Section 1: What Is Threat Intelligence?
Section 2: How to Collect Threat Intelligence
Section 3: What to Do with Threat Intelligence


Understanding the type of intelligence that is necessary and in what priority is a key focus of any CTI function. Not knowing what intelligence to collect and enrich is akin to a rudderless ship that is adrift at sea. PIRs help intelligence become more granular and well-defined by specifically answering several key intelligence questions.

PIRs are intelligence requirements that are defined by the organization, which have anticipated priorities in collection and enrichment to enable rapid decision-making. PIRs are meant to determine and outline the priority of intelligence requirements. PIRs are commonly changed or replaced entirely, as prioritization needs, GIRs, and the organization's threat profile change.

Good PIRs are always time-based and should ask singular questions, such as what are the threat actor's motives while attacking my organization? PIRs are often defined using a combination of GIRs, threat modeling, and red teaming, and they should be reevaluated...