LEADER 08421nam 2200481 450 001 9910830854003321 005 20230710050641.0 010 $a9781119861751$b(electronic book) 010 $a1-119-86177-2 010 $a1-119-86175-6 035 $a(MiAaPQ)EBC7235417 035 $a(Au-PeEL)EBL7235417 035 $a(OCoLC)1376194600 035 $a(EXLCZ)9926411733300041 100 $a20230611d2023 uy 0 101 0 $aeng 135 $aurcnu|||||||| 181 $ctxt$2rdacontent 182 $cc$2rdamedia 183 $acr$2rdacarrier 200 10$aCyber threat intelligence /$fMartin Lee 210 1$aHoboken, New Jersey :$cJohn Wiley & Sons, Inc.,$d[2023] 210 4$dİ2023 215 $a1 online resource (307 pages) 311 08$aPrint version: Lee, Martin Cyber Threat Intelligence Newark : John Wiley & Sons, Incorporated,c2023 9781119861744 320 $aIncludes bibliographical references and index. 327 $aCover -- Title Page -- Copyright Page -- Contents -- Preface -- About the Author -- Abbreviations -- Endorsements for Martin Lee's Book -- Chapter 1 Introduction -- 1.1 Definitions -- 1.1.1 Intelligence -- 1.1.2 Cyber Threat -- 1.1.3 Cyber Threat Intelligence -- 1.2 History of Threat Intelligence -- 1.2.1 Antiquity -- 1.2.2 Ancient Rome -- 1.2.3 Medieval and Renaissance Age -- 1.2.4 Industrial Age -- 1.2.5 World War I -- 1.2.6 World War II -- 1.2.7 Post War Intelligence -- 1.2.8 Cyber Threat Intelligence -- 1.2.9 Emergence of Private Sector Intelligence Sharing -- 1.3 Utility of Threat Intelligence -- 1.3.1 Developing Cyber Threat Intelligence -- Summary -- References -- Chapter 2 Threat Environment -- 2.1 Threat -- 2.1.1 Threat Classification -- 2.2 Risk and Vulnerability -- 2.2.1 Human Vulnerabilities -- 2.2.1.1 Example - Business Email Compromise -- 2.2.2 Configuration Vulnerabilities -- 2.2.2.1 Example - Misconfiguration of Cloud Storage -- 2.2.3 Software Vulnerabilities -- 2.2.3.1 Example - Log4j Vulnerabilities -- 2.3 Threat Actors -- 2.3.1 Example - Operation Payback -- 2.3.2 Example - Stuxnet -- 2.3.3 Tracking Threat Actors -- 2.4 TTPs - Tactics, Techniques, and Procedures -- 2.5 Victimology -- 2.5.1 Diamond Model -- 2.6 Threat Landscape -- 2.6.1 Example - Ransomware -- 2.7 Attack Vectors, Vulnerabilities, and Exploits -- 2.7.1 Email Attack Vectors -- 2.7.2 Web-Based Attacks -- 2.7.3 Network Service Attacks -- 2.7.4 Supply Chain Attacks -- 2.8 The Kill Chain -- 2.9 Untargeted versus Targeted Attacks -- 2.10 Persistence -- 2.11 Thinking Like a Threat Actor -- Summary -- References -- Chapter 3 Applying Intelligence -- 3.1 Planning Intelligence Gathering -- 3.1.1 The Intelligence Programme -- 3.1.2 Principles of Intelligence -- 3.1.3 Intelligence Metrics -- 3.2 The Intelligence Cycle -- 3.2.1 Planning, Requirements, and Direction. 327 $a3.2.2 Collection -- 3.2.3 Analysis and Processing -- 3.2.4 Production -- 3.2.5 Dissemination -- 3.2.6 Review -- 3.3 Situational Awareness -- 3.3.1 Example - 2013 Target Breach -- 3.4 Goal Oriented Security and Threat Modelling -- 3.5 Strategic, Operational, and Tactical Intelligence -- 3.5.1 Strategic Intelligence -- 3.5.1.1 Example - Lazarus Group -- 3.5.2 Operational Intelligence -- 3.5.2.1 Example - SamSam -- 3.5.3 Tactical Intelligence -- 3.5.3.1 Example - WannaCry -- 3.5.4 Sources of Intelligence Reports -- 3.5.4.1 Example - Shamoon -- 3.6 Incident Preparedness and Response -- 3.6.1 Preparation and Practice -- Summary -- References -- Chapter 4 Collecting Intelligence -- 4.1 Hierarchy of Evidence -- 4.1.1 Example - Smoking Tobacco Risk -- 4.2 Understanding Intelligence -- 4.2.1 Expressing Credibility -- 4.2.2 Expressing Confidence -- 4.2.3 Understanding Errors -- 4.2.3.1 Example - the WannaCry Email -- 4.2.3.2 Example - the Olympic Destroyer False Flags -- 4.3 Third Party Intelligence Reports -- 4.3.1 Tactical and Operational Reports -- 4.3.1.1 Example - Heartbleed -- 4.3.2 Strategic Threat Reports -- 4.4 Internal Incident Reports -- 4.5 Root Cause Analysis -- 4.6 Active Intelligence Gathering -- 4.6.1 Example - the Nightingale Floor -- 4.6.2 Example - the Macron Leaks -- Summary -- References -- Chapter 5 Generating Intelligence -- 5.1 The Intelligence Cycle in Practice -- 5.1.1 See it, Sense it, Share it, Use it -- 5.1.2 F3EAD Cycle -- 5.1.3 D3A Process -- 5.1.4 Applying the Intelligence Cycle -- 5.1.4.1 Planning and Requirements -- 5.1.4.2 Collection, Analysis, and Processing -- 5.1.4.3 Production and Dissemination -- 5.1.4.4 Feedback and Improvement -- 5.1.4.5 The Intelligence Cycle in Reverse -- 5.2 Sources of Data -- 5.3 Searching Data -- 5.4 Threat Hunting -- 5.4.1 Models of Threat Hunting -- 5.4.2 Analysing Data. 327 $a5.4.3 Entity Behaviour Analytics -- 5.5 Transforming Data into Intelligence -- 5.5.1 Structured Geospatial Analytical Method -- 5.5.2 Analysis of Competing Hypotheses -- 5.5.3 Poor Practices -- 5.6 Sharing Intelligence -- 5.6.1 Machine Readable Intelligence -- 5.7 Measuring the Effectiveness of Generated Intelligence -- Summary -- References -- Chapter 6 Attribution -- 6.1 Holding Perpetrators to Account -- 6.1.1 Punishment -- 6.1.2 Legal Frameworks -- 6.1.3 Cyber Crime Legislation -- 6.1.4 International Law -- 6.1.5 Crime and Punishment -- 6.2 Standards of Proof -- 6.2.1 Forensic Evidence -- 6.3 Mechanisms of Attribution -- 6.3.1 Attack Attributes -- 6.3.1.1 Attacker TTPs -- 6.3.1.2 Example - HAFNIUM -- 6.3.1.3 Attacker Infrastructure -- 6.3.1.4 Victimology -- 6.3.1.5 Malicious Code -- 6.3.2 Asserting Attribution -- 6.4 Anti-Attribution Techniques -- 6.4.1 Infrastructure -- 6.4.2 Malicious Tools -- 6.4.3 False Attribution -- 6.4.4 Chains of Attribution -- 6.5 Third Party Attribution -- 6.6 Using Attribution -- Summary -- References -- Chapter 7 Professionalism -- 7.1 Notions of Professionalism -- 7.1.1 Professional Ethics -- 7.2 Developing a New Profession -- 7.2.1 Professional Education -- 7.2.2 Professional Behaviour and Ethics -- 7.2.2.1 Professionalism in Medicine -- 7.2.2.2 Professionalism in Accountancy -- 7.2.2.3 Professionalism in Engineering -- 7.2.3 Certifications and Codes of Ethics -- 7.3 Behaving Ethically -- 7.3.1 The Five Philosophical Approaches -- 7.3.2 The Josephson Model -- 7.3.3 PMI Ethical Decision Making Framework -- 7.4 Legal and Ethical Environment -- 7.4.1 Planning -- 7.4.1.1 Responsible Vulnerability Disclosure -- 7.4.1.2 Vulnerability Hoarding -- 7.4.2 Collection, Analysis, and Processing -- 7.4.2.1 PRISM Programme -- 7.4.2.2 Open and Closed Doors -- 7.4.3 Dissemination -- 7.4.3.1 Doxxing -- 7.5 Managing the Unexpected. 327 $a7.6 Continuous Improvement -- Summary -- References -- Chapter 8 Future Threats and Conclusion -- 8.1 Emerging Technologies -- 8.1.1 Smart Buildings -- 8.1.1.1 Software Errors -- 8.1.1.2 Example - Maroochy Shire Incident -- 8.1.2 Health Care -- 8.1.2.1 Example - Conti Attack Against Irish Health Sector -- 8.1.3 Transport Systems -- 8.2 Emerging Attacks -- 8.2.1 Threat Actor Evolutions -- 8.2.1.1 Criminal Threat Actors -- 8.2.1.2 Nation State Threat Actors -- 8.2.1.3 Other Threat Actors -- 8.3 Emerging Workforce -- 8.3.1 Job Roles and Skills -- 8.3.2 Diversity in Hiring -- 8.3.3 Growing the Profession -- 8.4 Conclusion -- References -- Chapter 9 Case Studies -- 9.1 Target Compromise 2013 -- 9.1.1 Background -- 9.1.2 The Attack -- 9.2 WannaCry 2017 -- 9.2.1 Background -- 9.2.1.1 Guardians of Peace -- 9.2.1.2 The Shadow Brokers -- 9.2.1.3 Threat Landscape - Worms and Ransomware -- 9.2.2 The Attack -- 9.2.2.1 Prelude -- 9.2.2.2 Malware -- 9.3 NotPetya 2017 -- 9.3.1 Background -- 9.3.2 The Attack -- 9.3.2.1 Distribution -- 9.3.2.2 Payload -- 9.3.2.3 Spread and Consequences -- 9.4 VPNFilter 2018 -- 9.4.1 Background -- 9.4.2 The Attack -- 9.5 SUNBURST and SUNSPOT 2020 -- 9.5.1 Background -- 9.5.2 The Attack -- 9.6 Macron Leaks 2017 -- 9.6.1 Background -- 9.6.2 The Attack -- References -- Index -- EULA. 606 $aCyber intelligence (Computer security) 606 $aCyberspace operations (Military science) 615 0$aCyber intelligence (Computer security) 615 0$aCyberspace operations (Military science) 676 $a005.8/7 700 $aLee$b Martin$c(Computer security expert),$01367425 801 0$bMiAaPQ 801 1$bMiAaPQ 801 2$bMiAaPQ 906 $aBOOK 912 $a9910830854003321 996 $aCyber threat intelligence$93986458 997 $aUNINA