Book Image

Practical Threat Intelligence and Data-Driven Threat Hunting

By : Valentina Costa-Gazcón
Book Image

Practical Threat Intelligence and Data-Driven Threat Hunting

By: Valentina Costa-Gazcón

Overview of this book

Threat hunting (TH) provides cybersecurity analysts and enterprises with the opportunity to proactively defend themselves by getting ahead of threats before they can cause major damage to their business. This book is not only an introduction for those who don’t know much about the cyber threat intelligence (CTI) and TH world, but also a guide for those with more advanced knowledge of other cybersecurity fields who are looking to implement a TH program from scratch. You will start by exploring what threat intelligence is and how it can be used to detect and prevent cyber threats. As you progress, you’ll learn how to collect data, along with understanding it by developing data models. The book will also show you how to set up an environment for TH using open source tools. Later, you will focus on how to plan a hunt with practical examples, before going on to explore the MITRE ATT&CK framework. By the end of this book, you’ll have the skills you need to be able to carry out effective hunts in your own environment.
Table of Contents (21 chapters)
Section 1: Cyber Threat Intelligence
Section 2: Understanding the Adversary
Section 3: Working with a Research Environment
Section 4: Communicating to Succeed
Appendix – The State of the Hunt

Defining your IR

As defined by the United States Department of Defense, an intelligence requirement (IR) is as follows:

"1. Any subject, general or specific, upon which there is a need for the collection of information, or the production of intelligence.

2. A requirement for intelligence to fill a gap in the command´s knowledge or understanding of the battlespace or threat forces."

The first stage in the intelligence cycle is to identify the information that the decision-maker needs. These requirements should be the driving factor in the intelligence team's collection, processing, and analysis phases.

The main problem that occurs when identifying these IRs is that, usually, the decision makers do not know what information they want until they need it. Moreover, other issues, such as resource and budget shortcuts or sociopolitical events, may arise, as well as the difficult task of identifying and satisfying the IRs.

Posing and trying to answer a series of questions, not only the ones stated here as examples, could be a good starting point when you're trying to identify the PIRs (P for priority, referring to those that are more critical) and the IRs of an organization.

Important note

Identifying IR

When working out your IR, ask yourself the following questions:

What's the mission of my organization?

What threat actors are interested in my organization's industry?

What threat actors are known for targeting my area of operation?

What threat actors could target my organization in order to reach another company I supply a service for?

Has my organization been targeted previously? If so, what type of threat actor did it? What were its motivations?

What asset does my organization need to protect?

What type of exploits should my organization be looking out for?

There are four criteria to keep in mind when validating a PIR: the specificity and the necessity of the question, the feasibility of the collection, and the timeliness of the intelligence that would be generated from it. If the requirement meets all these criteria, we can start the collection process around it. In the next section, we will cover this in detail.