"Martin takes a thorough and focussed approach to the processes that rule threat intelligence, but he doesn't just cover gathering, processing and distributing intelligence. He explains why you should care who is trying to hack you, and what you can do about it when you know."
-- Simon Edwards, Security Testing Expert, CEO SE Labs Ltd., Chair AMTSO

"I really enjoyed this engaging book, which beautifully answered one of the first questions I had coming into the profession of cyber security: 'What is Cyber Threat Intelligence?' It progressively walked me through the world of cyber threat intelligence, peppered with rich content collected through years of experience and knowledge. It is satisfyingly detailed to make it an interesting read for those already in cyber security wanting to learn more, but also caters to those who are just curious about the prevalent cyber threat and where it may be headed. One of the takeaways from this book for me is how finding threats is not the most important thing but how the effective communication of it is equally important so that it triggers appropriate actions at appropriate timing. Moreover, as a penetration tester, we are used to looking at the little details so it was refreshing and eye-opening to learn about the macro view on the cyber threat landscape."
-- Ryoko Amano, Penetration Tester

"Cyber threats are a constant danger for companies in the private sector, which makes cyber threat intelligence an increasingly crucial tool for identifying security risks, developing proactive strategies, and responding swiftly to attacks. Martin Lee's new book is a comprehensive guide that takes the mystery out of using threat intelligence to strengthen a company's cyber defence. With a clear and concise explanation of the basics of threat intelligence, Martin provides a full picture of what's available and how to use it. Moreover, his book is packed with useful references and resources that will be invaluable for threat intelligence teams. Whether you're just starting in cybersecurity or a seasoned professional, this book is a must-have reference guide that will enhance your detection and mitigation of cyber threats."
-- Gavin Reid, CISO VP Threat Intelligence at Human Security

"Martin Lee blends cyber threats, intel collection, attribution, and respective case studies in a compelling narrative. Lee does an excellent job of explaining complex concepts in a manner that is accessible to anyone wanting to develop a career in intelligence. What sets this book apart is the author's ability to collect related fundamentals and applications described in a pragmatic manner. Understandably, the book's challenge is non-disclosure of sensitive operational information. This is an excellent reference that I would highly recommend to cyber security professionals and academics wanting to deepen their domain expertise and broaden current knowledge. Threats indeed evolve and we must too."
-- Dr Roland Padilla, FACS CP (Cyber Security), Senior Cyber Security Advisor - Defence Program (CISCO Systems), Army Officer (AUS DoD)

"Cyber Threat Intelligence by Martin Lee is an interesting and valuable contribution to the literature supporting the development of cyber security professional practice. This well researched and thoroughly referenced book provides both practitioners and those studying cyber threats with a sound basis for understanding the threat environment and the intelligence cycle required to understand and interpret existing and emerging threats. It is supported by relevant case studies of cyber security incidents enabling readers to contextualise the relationship between threat intelligence and incident response."
-- Hugh Boyes, University of Warwick

"Cyber Threat Intelligence is a valuable resource for anyone within the cyber security industry. It breaks down the concepts behind building an effective cyber threat intelligence practice by not only explaining the practical elements to gathering and sharing intelligence data, but the fundamentals behind why it's important and how to assess the usefulness of it. By also providing a detailed history of intelligence sharing across the ages with a rich set of examples, Martin is able to show the value of developing this side of cyber security that is often neglected. This book is equally accessible to those beginning their careers in cyber security as well as to those who have been in the industry for some time and wish to have a comprehensive reference."
-- Stephan Freeman, Director, Axcelot Ltd

"This book is a wonderful read; what most impressed me was Martin's ability to provide a succinct history of threat intelligence in a coherent, easy to read manner. Citing numerous examples throughout the book, Martin allows the reader to understand what threat intelligence encompasses and provides guidance on industry best practices and insight into emerging threats which every organisation should be aware of. An incumbent read for any cybersecurity professional!"
-- Yusuf Khan, Technical Solutions Specialist - Cybersecurity, Cisco
Table of Contents

Preface xi
About the Author xiii
Abbreviations xv
Endorsements for Martin Lee's Book xix

1 Introduction 1
1.1 Definitions 1
1.1.1 Intelligence 2
1.1.2 Cyber Threat 3
1.1.3 Cyber Threat Intelligence 4
1.2 History of Threat Intelligence 5
1.2.1 Antiquity 5
1.2.2 Ancient Rome 7
1.2.3 Medieval and Renaissance Age 8
1.2.4 Industrial Age 10
1.2.5 World War I 11
1.2.6 World War II 13
1.2.7 Post War Intelligence 14
1.2.8 Cyber Threat Intelligence 15
1.2.9 Emergence of Private Sector Intelligence Sharing 19
1.3 Utility of Threat Intelligence 21
1.3.1 Developing Cyber Threat Intelligence 23
Summary 24
References 24

2 Threat Environment 31
2.1 Threat 31
2.1.1 Threat Classification 33
2.2 Risk and Vulnerability 35
2.2.1 Human Vulnerabilities 38
2.2.1.1 Example - Business Email Compromise 39
2.2.2 Configuration Vulnerabilities 39
2.2.2.1 Example - Misconfiguration of Cloud Storage 40
2.2.3 Software Vulnerabilities 41
2.2.3.1 Example - Log4j Vulnerabilities 43
2.3 Threat Actors 43
2.3.1 Example - Operation Payback 46
2.3.2 Example - Stuxnet 47
2.3.3 Tracking Threat Actors 47
2.4 TTPs - Tactics, Techniques, and Procedures 49
2.5 Victimology 53
2.5.1 Diamond Model 55
2.6 Threat Landscape 56
2.6.1 Example - Ransomware 57
2.7 Attack Vectors, Vulnerabilities, and Exploits 58
2.7.1 Email Attack Vectors 59
2.7.2 Web-Based Attacks 60
2.7.3 Network Service Attacks 61
2.7.4 Supply Chain Attacks 61
2.8 The Kill Chain 62
2.9 Untargeted versus Targeted Attacks 64
2.10 Persistence 65
2.11 Thinking Like a Threat Actor 66
Summary 66
References 67

3 Applying Intelligence 75
3.1 Planning Intelligence Gathering 75
3.1.1 The Intelligence Programme 77
3.1.2 Principles of Intelligence 78
3.1.3 Intelligence Metrics 81
3.2 The Intelligence Cycle 82
3.2.1 Planning, Requirements, and Direction 83
3.2.2 Collection 84
3.2.3 Analysis and Processing 84
3.2.4 Production 85
3.2.5 Dissemination 85
3.2.6 Review 85
3.3 Situational Awareness 86
3.3.1 Example - 2013 Target Breach 88
3.4 Goal Oriented Security and Threat Modelling 89
3.5 Strategic, Operational, and Tactical Intelligence 91
3.5.1 Strategic Intelligence 91
3.5.1.1 Example - Lazarus Group 92
3.5.2 Operational Intelligence 93
3.5.2.1 Example - SamSam 93
3.5.3 Tactical Intelligence 94
3.5.3.1 Example - WannaCry 94
3.5.4 Sources of Intelligence Reports 94
3.5.4.1 Example - Shamoon 95
3.6 Incident Preparedness and Response 96
3.6.1 Preparation and Practice 99
Summary 100
References 100

4 Collecting Intelligence 105
4.1 Hierarchy of Evidence 105
4.1.1 Example - Smoking Tobacco Risk 107
4.2 Understanding Intelligence 108
4.2.1 Expressing Credibility 109
4.2.2 Expressing Confidence 110
4.2.3 Understanding Errors 114
4.2.3.1 Example - the WannaCry Email 114
4.2.3.2 Example - the Olympic Destroyer False Flags 114
4.3 Third Party Intelligence Reports 115
4.3.1 Tactical and Operational Reports 116
4.3.1.1 Example - Heartbleed 117
4.3.2 Strategic Threat Reports 118
4.4 Internal Incident Reports 118
4.5 Root Cause Analysis 119
4.6 Active Intelligence Gathering 120
4.6.1 Example - the Nightingale Floor 122
4.6.2 Example - the Macron Leaks 122
Summary 123
References 123

5 Generating Intelligence 127
5.1 The Intelligence Cycle in Practice 128
5.1.1 See it, Sense it, Share it, Use it 128
5.1.2 F3EAD Cycle 129
5.1.3 D3A Process 131
5.1.4 Applying the Intelligence Cycle 132
5.1.4.1 Planning and Requirements 132
5.1.4.2 Collection, Analysis, and Processing 133
5.1.4.3 Production and Dissemination 134
5.1.4.4 Feedback and Improvement 135
5.1.4.5 The Intelligence Cycle in Reverse 135
5.2 Sources of Data 136
5.3 Searching Data 137
5.4 Threat Hunting 138
5.4.1 Models of Threat Hunting 139
5.4.2 Analysing Data 140
5.4.3 Entity Behaviour Analytics 143
5.5 Transforming Data into Intelligence 144
5.5.1 Structured Geospatial Analytical Method 144
5.5.2 Analysis of Competing Hypotheses 146
5.5.3 Poor Practices 146
5.6 Sharing Intelligence 147
5.6.1 Machine Readable Intelligence 150
5.7 Measuring the Effectiveness of Generated Intelligence 151
Summary 152
References 152

6 Attribution 155
6.1 Holding Perpetrators to Account 155
6.1.1 Punishment 156
6.1.2 Legal Frameworks 156
6.1.3 Cyber Crime Legislation 157
6.1.4 International Law 158
6.1.5 Crime and Punishment 158
6.2 Standards of Proof 158
6.2.1 Forensic Evidence 159
6.3 Mechanisms of Attribution 160
6.3.1 Attack Attributes 161
6.3.1.1 Attacker TTPs 161
6.3.1.2 Example - HAFNIUM 162
6.3.1.3 Attacker Infrastructure 162
6.3.1.4 Victimology 163
6.3.1.5 Malicious Code 163
6.3.2 Asserting Attribution 165
6.4 Anti-Attribution Techniques 166
6.4.1 Infrastructure 166
6.4.2 Malicious Tools 166
6.4.3 False Attribution 167
6.4.4 Chains of Attribution 167
6.5 Third Party Attribution 167
6.6 Using Attribution 168
Summary 170
References 171

7 Professionalism 175
7.1 Notions of Professionalism 176
7.1.1 Professional Ethics 177
7.2 Developing a New Profession 178
7.2.1 Professional Education 178
7.2.2 Professional Behaviour and Ethics 179
7.2.2.1 Professionalism in Medicine 179
7.2.2.2 Professionalism in Accountancy 181
7.2.2.3 Professionalism in Engineering 183
7.2.3 Certifications and Codes of Ethics 186
7.3 Behaving Ethically 188
7.3.1 The Five Philosophical Approaches 188
7.3.2 The Josephson Model 189
7.3.3 PMI Ethical Decision Making Framework 190
7.4 Legal and Ethical Environment 191
7.4.1 Planning 192
7.4.1.1 Responsible Vulnerability Disclosure 193
7.4.1.2 Vulnerability Hoarding 194
7.4.2 Collection, Analysis, and Processing 194
7.4.2.1 PRISM Programme 195
7.4.2.2 Open and Closed Doors 196
7.4.3 Dissemination 196
7.4.3.1 Doxxing 197
7.5 Managing the Unexpected 198
7.6 Continuous Improvement 199
Summary 199
References 200

8 Future Threats and Conclusion 207
8.1 Emerging Technologies 207
8.1.1 Smart Buildings 208
8.1.1.1 Software Errors 209
8.1.1.2 Example - Maroochy Shire Incident 210
8.1.2 Health Care 211
8.1.2.1 Example - Conti Attack Against Irish Health Sector 212
8.1.3 Transport Systems 213
8.2 Emerging Attacks 214
8.2.1 Threat Actor Evolutions 214
8.2.1.1 Criminal Threat Actors 214
8.2.1.2 Nation State Threat Actors 216
8.2.1.3 Other Threat Actors 220
8.3 Emerging Workforce 221
8.3.1 Job Roles and Skills 221
8.3.2 Diversity in Hiring 225
8.3.3 Growing the Profession 227
8.4 Conclusion 228
References 229

9 Case Studies 237
9.1 Target Compromise 2013 238
9.1.1 Background 238
9.1.2 The Attack 241
9.2 WannaCry 2017 243
9.2.1 Background 244
9.2.1.1 Guardians of Peace 244
9.2.1.2 The Shadow Brokers 245
9.2.1.3 Threat Landscape - Worms and Ransomware 247
9.2.2 The Attack 247
9.2.2.1 Prelude 247
9.2.2.2 Malware 249
9.3 NotPetya 2017 251
9.3.1 Background 251
9.3.2 The Attack 252
9.3.2.1 Distribution 253
9.3.2.2 Payload 253
9.3.2.3 Spread and Consequences 254
9.4 VPNFilter 2018 255
9.4.1 Background 255
9.4.2 The Attack 256
9.5 SUNBURST and SUNSPOT 2020 257
9.5.1 Background 258
9.5.2 The Attack 259
9.6 Macron Leaks 2017 260
9.6.1 Background 260
9.6.2 The Attack 261
References 262

Index 277
About the Author

Martin Lee is Technical Lead of Security Research within Talos, Cisco's threat intelligence and research organization. Martin started his career researching the genetics of human viruses, but soon switched paths to follow a career in IT. With over 20 years of experience within the cyber security industry, he is CISSP certified, a Chartered Engineer, and holds degrees from the Universities of Bristol, Cambridge, Paris-Sud and Oxford.