Udemy
    •  
    •  
    •  
    •  
    •  
    •  
    •  
    •  
Turn what you know into an opportunity and reach millions around the world.
Learn More
Your cart is empty.
Keep shopping
Building Cyber Threat Intelligence Capabilities
Rating: 3.8 out of 5(9 ratings)
63 students

Building Cyber Threat Intelligence Capabilities

Promoting Cyber Security and protecting organizations from cyber threats and attacks one at a time
Created byRobert Vidal
Last updated 6/2023
English

What you'll learn

  • Know and understand the basic concepts behind building a Cyber Threat Intelligence Team and its operations.
  • Discuss the key concepts behind Cyber-Threat Intelligence, including its benefits and capabilities and how these can be used to complement an organization.
  • Understand how Cyber Threat Intelligence can complement and interact with other business units.
  • Scope the implementation of Cyber Threat Intelligence activities based on organizational priorities, requirements and existing resources and capabilities.
  • Proactively identify emerging cyber threats and provide mitigation controls and recommendations.
  • Provide operational support to security investigations, Incident Response, and vulnerability management teams.
  • Produce operational metrics to gauge the effectiveness of the Threat Intelligence Program aids your organization in reducing risk.
  • Create Intelligence Requirements (IRs) and supporting processes and procedures to support the day-to-day operations of your Cyber-Threat Intelligence program.
  • Understand key tools and technologies that can be used to automate and otherwise support the operations of the Cyber Threat Intelligence program.
  • Produce actionable intelligence products that can be easily consumable by various teams, stakeholders and tools.
  • Identify and implement appropriate Courses-of-Action based on identified threats that have been identified and also have the potential to impact an organization

Course content

9 sections78 lectures7h 20m total length
  • Course Introduction17:13

    Introduction

    Course Description

    This course is designed to enable organizations, to build and operationalize a Cyber Threat Intelligence (CTI) program based on their specific needs, requirements, and budget. In addition to leveraging existing internal sources, an effective CTI program will add pro-active component to threat monitoring, as well as detection and response efforts. That way organization can be one more step ahead in defending against emerging cyber threats.

    As each organization varies in terms of size, capabilities, budget, there is no ‘one-size-fits-all’ solution when it comes to CTI. While Intelligence aggregation and correlation tools are nice to have, they are only required if they satisfy an Intelligence Requirement, use case or other internal need. CTI programs do not need to be overly expensive or complex, as long as they are designed to support organizational intelligence objectives.

    Topics include:

    • Asset Discovery

    • Risk Assessment and Threat Modelling

    • Intelligence Requirements (and dependencies)

    • Collection Plans

    • Courses-of-Action (CoAs)

    • Intelligence Products and Reporting Metrics.


    Please Note: This course is intended to address requirements, setup and operations of a CTI program.
    This course is not intended to address analytic or other investigation techniques.


    Course Objectives

    Upon completion of this course participants will be able to:

    • Discuss the key concepts behind CTI.

    • Outline the steps required to establish a CTI program.

    • Create intelligence requirements and supporting CTI processes.

    • Understand key tools and technologies that can be used to automate CTI operations.

    • Produce actionable intelligence products that can be integrated and/or distributed with various teams, stakeholders and tools.

    • Identify and implement appropriate Courses-of-Action to defend against threats that have the potential to negatively impact the organization.

    • Produce key operational performance metrics that highlight the activities and the efficiency of the CTI team.


    Program Maturity

    • As this course focuses on building CTI capabilities for an organization, we first have to focus on establishing basic processes and procedures”.

    • As your CTI program operates and evolves, the basic processes and procedures will start to mature through fine-tuning repeatable processes, enhanced tools, and automation.

    • The maturity process typically automates labour intensive tasks which result in the ability for analysts to take on, or otherwise develop, additional tasks and intelligence products that would benefit the organization.

    • A fully mature CTI program is highly efficient and leverages a high-amount of automation and tools that are integrated into other security tools or lines of business.

      • CTI capabilities have vastly expanded to support other teams such as Threat Hunters, Red/Blue Team, Malware Reverse Engineers

      • Data processing and enrichment capabilities with a very low false positive rate.

  • Introduction to Cyber Threat Intelligence12:30

    Introduction of Cyber Threat Intelligence

    Unit Objectives

    Upon completion of this unit participants will be able to:

    • Understand key concepts behind CTI, its benefits and capabilities, and how these can be used to compliment an organizations’ existing security operations.

    • Compare and contrast different types of adversaries (and their objectives) that have the potential to target your organization.

    • Discuss the success factors related to an effective CTI program.

    • Understand basic concepts and terminology associated to CTI including but not limited to ThreatCon, Cyber Threat Kill Chain, Traffic Light Protocol (TLP), and the Intelligence Life Cycle


    What is Cyber Threat Intelligence (CTI)

    • CTI leverages internal and external data to analyze and understand threats that can negatively impact an organization.

    • CTI allows organizations to pro-actively make informed decisions that will enhance their defensive capabilities against threat actor’s activity.

    • CTI achieves this through:

    • Structured analysis and assessment of potential threats with the ability to impact your organization.

    • Courses-of-Action that can be used to detect, discover, and block potential threats affecting your environment.

    • Targeted Intelligence products (strategic, tactical, technical, and operational) which
      can be consumed by various internal teams and security tools.

    Listed are a few significant vulnerabilities of the past ~2 years.


    From a CTI perspective organizations should know:

    • Is this vulnerability in our environment?

    • Are we already compromised?

    • What tools can I use to find out if I am affected

    • What do I need to identify this (i.e. signatures)

    • What security controls does our organization have in place to defend against these types of attacks

    • What remediation efforts can we implement

    • What stakeholders needs to know about this

    References:

    • https://thenewstack.io/30-of-apache-log4j-security-holes-remain-unpatched/

    • https://arstechnica.com/gadgets/2021/07/microsoft-discovers-critical-solarwinds-zero-day-under-active-attack/

    • https://techcrunch.com/2022/03/23/okta-breach-sykes-sitel/


    Integration across teams

    • CTI leverages a holistic organizational approach to cyber-security by interfacing
      with several internal teams.

    • This structure allows for the sharing of internal data and intelligence between teams to identify security gaps that may pose a cyber risk. This allows for CTI to provide the necessary support, intelligence and recommendations to assist in the reduction of risk, and mitigation of cyber threats.


    CTI Team Support:

    • Privacy: Identify the disclosure or potential sale of sensitive information from affected organizations,
      whom have recently been breached or compromised.

    • Incident Response: In the event of an incident, breach or compromise affecting organizations (directly or indirectly), Threat Intelligence can provide support through in-depth data enrichment based on the artifacts and information that have been identified.

    • Vulnerability Management: Monitor for recently exploited vulnerabilities affecting organizations technology stack and provide awareness and recommendations to the appropriate internal teams.

    • IT and Infrastructure: Leverage Threat Modelling to understand cyber threats and trends targeting the organizations sector and identify security enhancement that can be implemented to reduce risk.

    • Application Support & Development: Leverage Threat Modelling during the application development and Secure Software Development Lifecycle (SSDLC) process to provide a holistic approach to cyber threats and techniques used by threat actors that may be used to target organizations applications, and provide strategic recommendations during the development process.

    • Project Planning and Internal Initiatives: Identify the context of key components within internal projects and initiatives and assess the potential threats that may be applicable.


    What is NOT CTI

    • SOLELY Indicators of Compromise (IOC) FEEDS

      • Some security professionals believe Threat Intelligence is IOC Feeds into their SIEM.

      • While this is a component of Threat intelligence there are many other services and products CTI can provide other then Intelligence Feeds (IOCs) !

    • Simple news outlets monitoring

      • Security news and information is “interesting”, but is it also relevant to your organization?

      • Don’t waste time on irrelevant threats, or personal research requests

      • Rule of Thumb: If you cannot report on it you do not do it

  • What makes a successful Cyber Threat Intelligence Program12:05

    What makes a successful CTI program

    Executive buy-in

    • Support and interest from the executive management tier in an organization to pursue threat intelligence activities is a key component of any successful CTI program.

    • This will provide clear direction and required funding for:

      • Staffing resources

      • Hardware / Software - intel tools, community memberships, data/service/portal subscriptions

    • This will help in the planning and preparation stages of the CTI program

      • Can help shape the CTI team organization structure

        • Full Time Employee (FTE) count and their utilization

        • Develop roles and responsibilities of the new positions

      • Supports intelligence requirements and their development

      • Supports decisions regarding the acquisition of tools and other paid resources.


    Timely and actionable intelligence products:

    Good Operational Security (OPSec):

    Operational Security can be broken down into 2 main aspects:

    • Protecting organizational assets during investigations

    • When investigating malware samples, you do not want to accidentally execute the malware and compromise your system or any other systems on your corporate network.

    • Be cautious when using public sandboxes and online tools (i.e. VirusTotal, any.app.run, Hybrid Analysis)

    • Sensitive information could be publicly disclosed as part of the analysis report

    Prevent Threat Actors from knowing you are investigating them

    • Investigating a suspected threat actor from a personal LinkedIn account

    • You will show up in their “Viewed Your Profile” notifications and will tip them off that you are on to them.

    • Use a VPN** to hide your personal public IP Address

    • If you access a threat actor’s infrastructure or websites, your IP address will show up in their logs.

    • Use Sock Puppet* social media accounts during investigations

    * Sock Puppet - social media accounts are accounts of fake individuals with completely fabricated profiles. In using these profile, any digital footprints that may be left lead back to a random profile completely unattached from any investigator or organization.


    ** VPN - My personal favourite for a VPN service is Private Internet Access (PIA). PIA provides its users with the ability to have public IP addresses from almost all countries around the world and you are able to easily change this through a click of a button within their app. Setup and Installation were very easy, and just had to download an install the PIA application and enter your username and password.

    Click the image link below for more details on this service.


    Please Note: this is an affiliate link and any purchases made through the link above are appreciated and will help support course creation, management and support.


    Metrics and Reporting

    • With executive buy-in, the CTI team will need to report on performance, operational efficiencies, and the value it brings by reducing risk to the overall organization

    • Metrics should be meaningful, in the form of Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs)

    • Provide insight into the Cyber Threat landscape and help support strategic decisions and direction regarding security

    • Emphasize initiatives and controls in place to reduce risk to the organization

    • Highlight improvements to operational efficiencies and detection capabilities

    • Be concise, easily interpreted and highly visual


    Feedback from consumers and stakeholders

    • As the CTI team produces products and services the only way to improve on these is through feedback from your consumers.

    • This feedback should address:

    • Additional use-case and new products

    • Address suggestions to reduce the false positive rate of detection signatures

    • Enhancements to product formats in order to streamlined the products ingestion into security tools.

    • Data enrichment that could be used to enhance the quality of products

    • Try to meet with your stakeholders on a regular basis to discuss the performance and effectiveness of CTI products and services.

    • This will help improve and mature the overall CTI program and operations.

  • What you should know when developing a successful CTI program - Part #111:54

    What you should know when developing a successful CTI program - Part #1

    Types of cyber threats that can affect your organization


    What are your security capabilities

    When creating an Intelligence product, you need to understand what capabilities there are, and how the recipients can ingest and use CTI products and/or services. At the same time data sources could assist the CTI team build better products.

    Key questions for an organizations IT, Network, Security team(s), etc…:

    • What do you have visibility into within your organization?

      • Application logs / network traffic / user activity / other endpoint logs

      • Can these be shared?

    • What security tools, technologies does the organization have?

      • Endpoint Detection and Response (EDR), Intrusion Detection System/Intrusion Prevention System (IPS), Security Information Event Management (SIEM), Web-Application Firewall (WAF), Data-Loss Prevention (DLP)?

      • Can you add custom detection rules?

    • What capabilities do the security tools have?

      • Can you add custom rules, search for lists of data?

      • Could you integrate with these Application Programmable Interface (API)?

    • Know Security Subject Matter Experts (SME) within the organization

      • What intelligence and/or products could the CTI team provide to them?

      • What information could they provide when investigating a threat?

  • What you should know when developing a successful CTI program - Part #213:38

    What you should know when developing a successful CTI program - Part #2

    Who are your competitors and supply-chain

    Your competitors and supply-chain, although not directly associated with an organization's operation, could still impact an organization if they have been compromised.

    If competitors are compromised, this could be a precursor to other emerging threats/attack within your industry.

    If your supply-chain or other partners are compromised (i.e. SolarWinds) this could lead to an attack and/or other operational issues, or information disclosure of your sensitive data and/or processes via these attack vectors.

    • Common questions when addressing the industry wide threat landscape and your supply-chain / competitors:

      • What threats are your competitors and supply-chain experiencing?

      • Have they been compromised (if so how)?

        • How would your organization be affected?, Could the same threat affect your organization?

    • Can you work together?

      • Share between competitors or supply-chain (Trusted Circles)

        • Small/select number of organizations share information amongst each other.

      • Industry Information Sharing and Analysis Center (ISAC)

        • High number of organizations within an industry (i.e. Retail, HealthCare, Financial Services, Energy) participating in the sharing of threat information and other industry threat workgroups.

      • Other organization groups

        • Community Slack/Discord channels, mailing lists, etc…)


    Who are your customers

    • Customers who have had a negative experience or have found means to take advantage of an organization may be posting comments and discussing this online.

    • There are many open and online platforms facilitating conversations about your organization

      • What is the general population and your customers saying about your organization?

        • Is sentiment of these conversations positive/negative?

      • Where are these conversations taking place?

        • Social Media: Reddit, Facebook Groups, Twitter, YouTube, etc…

        • Online and Dark Web Forums

      • Do these conversations pose any threat to your organization?

        • Exploit in your product or service (i.e. password sharing, hack to unveil addition features)

      • Exploit the return/exchange policy (i.e. return fraud)

      • Sale of fake/knock-off products (i.e. unauthorized reproduction)

      • Physical threats (i.e. Protests, Activism, etc…

    Who are your adversaries

    There are numerous types of adversaries that may target your organization with malicious intent. When identifying what type of adversaries may target your organization each of the following should be reviewed and assessed to determine applicability to your organization.

  • What you should know when developing a successful CTI program - Part #314:20

    What you should know when developing a successful CTI program - Part #3

    The Cyber Threat Kill-Chain


    The Traffic Light Protocol (TLP)

    Source: https://www.us-cert.gov/tlp


    Example: SANS ThreatCon

    A ThreatCon, is a rating system used to measure threat exposure of the Global, National and Industry threat landscapes.

    Many different types of organizations measure the ThreatCon level such as security vendors, Information Sharing and Analysis Center (ISACs) and Communities, and Governments.

    Example: Symantec ThreatCon, Sans Institute, United States DefCon (Defense Condition)

    Each ‘Con’ has its own niche, such as the SANS InfoCON which is a cyber-security focused threat condition, others may pertain to physical threats, military readiness, or defense posture.


    Source: Infocon - SANS Internet Storm Center


    The intelligence lifecycle

    The Intelligence Lifecycle describes the process of how intelligence and other information is collected and analyzed in order to produce intelligence products.

    This lifecycle contains the following 5 steps to produce intelligence products and/or services:

    • Planning and Direction

    • Collection

    • Processing

    • Analysis and Production

    • Dissemination


    The feedback component of this lifecycle is a contributing factor in determining the success of the threat intelligence program.

    Based on client feedback you will be able to tune your Intelligence Requirements, support the evaluation of your intelligence products and/or services as well as their associated sources.

  • What resources do I need6:48

    What resources do I need

    The resources you need will depend on your intelligence requirements, and the maturity of your CTI program.

    Primarily resources fall into 2 categories:

    • Technical Resources

      • Data (paid intelligence services, data, and feeds)

      • Tools (Commercial or Open-Source)

      • Infrastructure Costs (Systems and environments to run tools and conduct investigations)

    • Human Resources (people doing the work)

      • These can be internal or external (outsourced) teams


    Data

    • CTI data can come from anywhere, as long as it is relevant to your Intelligence Requirements.

    • Data could be from publicly available open-sources (OSINT), Commercial (i.e., Recorded Future, SiloBreaker, Intel471, ISACs), or internally generated logs and data (i.e. application / system logs.

      • Open-Source (free) – requires additional tools/effort to vet and enrich in order to be useful.

        • Good starting place for most intelligence requirements.

      • Commercial data / platforms - typically already vetted, structured, and/or enriched.

        • As intelligence requirements mature commercial data / platforms are a great way to streamline and automate Intelligence requirements activities.

      • Internal data - great source of information as it costs nothing

        • Shows direct insight into what your applications, networks and systems are seeing.

    • When starting out, for most intelligence requirements open-source data typically
      works fine

    • If your CTI team is fairly new there may not be a need for an upfront additional expense.


    Tooling

    • In order to receive or generate data some type of tool is required.

    • These could be as simple as an internally developed PowerShell script, open-source tools from Git-hub, or even free online services.

    • On the other hand, expensive and complex tools such as Dark Web services, or Threat Intelligence Platforms (TIP) could also be used, yet the right tool is one that suites your needs and produces actionable output, inline with your intelligence requirements.

    • Multiple tools may be required as based on your intelligence requirements, which is absolutely fine, as long as they are effective, and the benefit outweigh the cost of the tools.

    • Tools do not produce CTI products or services on their own. Tools produce an output that needs to be reviewed and analyzed by intelligence analyst, which in turn produce the intelligence products.


    Remember:

    • The success of the CTI products and services is determined by the value your team and analyst brings to the organization to reduce risk, and not the tools you are using. It is possible to have very expensive tooling, and completely misuse or misinterpret the data its provides rendering the tool ineffective and a waste of money.


    Infrastructure

    • When using tools, they will have to be run from some type of system computer.

    • Most useful Intelligence tools are Linux based and can be run on a Linux Desktop / Server with 20 GB HD, and ~4 GBRAM works well.

    • Virtual environments can also work well such as a virtualized server or desktop within your environment (i.e. VMware / VirtualBox) or cloud infrastructure (AWS, GCP, Azure, etc…).

    • It is best to run your tools, scripts and Intelligence programs on a separate system and on a segregated network.

    • This way in the event that something goes wrong with these tools, or a malicious
      link was clicked on these systems it will not impact any other device on the
      corporate network.


    Human Resources

    • The human resources required for the CTI team depend on the scope of your intelligence requirements and your budget.

    • These roles can be filled internally through Full Time Employees (FTEs), internal contractors, or leveraged third-parties Teams such as Managed Security Service Providers (MSSPs), or other Threat Intelligence Vendors.

    • Resources do not need to be 100% utilized to CTI operations. If required, the operations may only require 0.25 – 0.50 of an FTEs.

    • For a successful CTI team it is best to have team members with a variety of experience and expertise.

  • Summary0:52

    Summary

    During this unit we discussed:

    • The key concepts behind CTI, including its benefits and capabilities and how these could compliment existing security controls and monitoring.

    • The different types of adversaries (and their objectives) that have the potential to target your organization.

    • Discussed the success factors related to effective CTI program.

    • The basic concepts and terminology associated to CTI including but not limited to ThreatCon, Cyber Threat Kill Chain, Traffic Light Protocol (TLP), and the Intelligence Lifecycle.

  • What is next0:57

    What is next

    • Feel free to join us for the next unit in our “Building Cyber Threat Intelligence Capabilities for Organizations” course.

    • The next unit we be discussing the Discovery phase of this process.

    • The Discovery phase aids in inventorying sensitive assets within an organization, that could potentially be exposed or otherwise impacted by cyber-based threats.

    • The inventory list is a key tool in a CTI program, and is will be used to help develop Intelligence Requirements, Collection requirements, and can be used as a reference in determining if emerging cyber threats have the ability to impact the organization.

Requirements

  • Previous experience in Information Security or Cyber-Security would be considered an asset but it is not a requirement or pre-requisite.

Description

The course aims to provide organizations, regardless of their size, with the necessary knowledge and skills to develop a customized Cyber-Threat Intelligence program that aligns with their unique needs, requirements, and budget. By following this course, participants will learn how to effectively plan, build, and operationalize such a program within their organization.

The course begins by emphasizing the importance of identifying critical assets, both in terms of technology and business processes. This step is crucial because it helps organizations understand which areas of their operations are most vulnerable to cyber threats. By recognizing these crown-jewels, which refer to the most valuable and sensitive assets, organizations can prioritize their efforts in protecting them.

Once the critical assets are identified, the course proceeds to teach participants how to detect cyber threats that specifically target those assets. This involves learning about various threat intelligence sources, such as open-source intelligence, dark web monitoring, and information sharing platforms. Participants will understand how to gather, analyze, and interpret threat data in order to identify potential risks and attacks.

Moreover, the course emphasizes the importance of implementing appropriate controls and detection capabilities to proactively respond to cyber threats. Participants will gain insights into different security measures and technologies that can be utilized to safeguard the organization's crown-jewels. This may include intrusion detection systems, security information and event management (SIEM) solutions, endpoint protection, and other relevant tools.

Importantly, the course highlights that developing a Cyber Threat Intelligence program does not have to be expensive or overly complex. Rather, the focus is on designing a program that aligns with the organization's intelligence objectives. This means tailoring the program to fit the specific needs, resources, and goals of the organization. By doing so, organizations can create an effective and efficient Cyber Threat Intelligence program that enhances their security posture without unnecessary financial burden or complexity.

Overall, the course provides organizations with a comprehensive understanding of the key elements involved in establishing a tailored Cyber Threat Intelligence program. By leveraging this knowledge, organizations can better anticipate and respond to cyber threats, safeguard their critical assets, and ultimately enhance their overall security posture.

Who this course is for:

  • This course is designed to enable organizations of any size to plan, build and operationalize a tailored Cyber-Threat Intelligence program based on their specific needs, requirements, and budget. Through identifying critical assets, technology and business processes, students will be able to detect cyber threats targeting your organizations crown-jewels and implement controls and detection capabilities to be able to proactively respond to these threats. Cyber Threat Intelligence programs do not need to be expensive or complex as long as they are designed to fit organizational intelligence objectives.