
Cyber Intelligence

Cyber Threat Intelligence

 

Introduction


The purpose of this course was to introduce Cyber Threat Intelligence (CTI) with direct application to corporate commercial cybersecurity operations, drawing comparisons with the government intelligence agencies.

It examines the fundamentals of open source intelligence, refining information into actionable intelligence, and the basics of the intelligence cycle with emphasis on anticipating threats to the cyber domain.

It covered the following modules:

  • Fundamentals of Cyber Threat Intelligence

  • The U.S. Intelligence Community and Corporate America

  • The Intelligence Process and Adversarial Threat Assessments

  • Developing a Cyber Threat Intelligence Plan

  • Threats and the Attack Surface (The Cyber Kill Chain)

  • Business Case Studies: Threat Actors and Attack Patterns

  • Bringing it all together


Course Artifacts


The course artifact chosen is designed to conduct an adversarial threat assessment to find a competitive advantage using OSINT techniques.

From a professional and ethical standpoint, rules of engagement must be followed when conducting an adversarial threat assessment, such as:


  • The adversary must be an actual company or organization.

  • Do not engage to 'hack' the company to gain intelligence.

  • Being able to document that everything learned was done through Open Source Intelligence (OSINT) gathering.

  • Leveraged information must be verified as publicly accessible.

  • Do not leave a trace. 

  • The actions should not be able to be attributed.


Based on the rules of engagement above, it was decided to put in place leading operational security practices to allow anonymity and ensure privacy.

Behaving ethically and following the rules of engagement is a must for most security roles in the corporate or government sector. Understanding the rules of engagement inside and out is vital to avoid legal or professional trouble.

The private company chosen was Facebook, a blue-chip company in the technology sector.

Facebook started in 2004 as an online social media and social networking service based in California; it has since expanded its portfolio into many areas and mastered the software engineering and innovation aspect.

Cyber Threat Intelligence Report

Operational Security Procedures


To provide the right level of anonymity while conducting the OSINT activities, we established a virtual machine and protected the IP address for it.

A virtual machine was built to ensure anonymity and a high degree of privacy. The second step was to decide where to conduct the searches for the information; a public hotspot was leveraged for this. The next step was to hide the data layer by installing Tor in the virtual machine. Two further anonymity layers could be added: leveraging a VPN server, and renting one or more servers running behind a proxy server together with the other tools needed to gather data. These extra steps were not implemented in this assignment.
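The procedure above only protects the searches if traffic really leaves the virtual machine through Tor, so a practitioner would run a pre-flight check before the first query. The script below is an added example written for this page, not part of the course artifact or any Tor project code. It assumes the Tor daemon's SOCKS listener is on 127.0.0.1:9050 (its default) and that the public check.torproject.org API replies with JSON fields "IsTor" and "IP"; the sample replies embedded at the bottom are constructed. It also encodes the one caveat that most often breaks this setup: with the requests library, a `socks5://` proxy URL resolves DNS names on the VM itself, so every domain queried is sent in the clear to the hotspot's resolver, whereas `socks5h://` makes Tor do the resolution.

```python
"""Pre-flight anonymity check before an OSINT session is routed through Tor.

Added example, not part of the original course artifact. Assumptions: the Tor
daemon's SOCKS listener is on 127.0.0.1:9050 (its default) and the public
check.torproject.org API replies with JSON containing "IsTor" and "IP".
"""
import json
from typing import Dict, Tuple

TOR_SOCKS_PORT = 9050  # assumption: default tor SOCKS port
CHECK_URL = "https://check.torproject.org/api/ip"  # assumption: public check API


def proxy_settings(port: int = TOR_SOCKS_PORT) -> Dict[str, str]:
    """Proxy map for the requests library.

    The socks5h scheme makes Tor resolve hostnames; with plain socks5 the VM
    resolves names itself and sends every queried domain to the hotspot's DNS
    server in the clear, which defeats the "leave no trace" rule.
    """
    url = "socks5h://127.0.0.1:%d" % port
    return {"http": url, "https": url}


def proxy_leaks_dns(proxy_url: str) -> bool:
    """True when a proxy URL scheme lets DNS resolution bypass the proxy."""
    scheme = proxy_url.split("://", 1)[0].lower()
    return scheme in ("socks4", "socks5")


def parse_tor_check(body: str) -> Tuple[bool, str]:
    """Interpret the check service reply as (exits_via_tor, observed_ip)."""
    data = json.loads(body)
    return bool(data.get("IsTor")), str(data.get("IP", ""))


def session_is_anonymous(body: str, proxy_url: str) -> bool:
    """Go/no-go decision: traffic exits through Tor and DNS cannot leak."""
    exits_via_tor, _ = parse_tor_check(body)
    return exits_via_tor and not proxy_leaks_dns(proxy_url)


def check_via_tor(timeout: float = 30.0) -> Tuple[bool, str]:
    """Live check; needs a running tor and `pip install requests[socks]`."""
    import requests  # imported here so the module loads without it installed
    resp = requests.get(CHECK_URL, proxies=proxy_settings(), timeout=timeout)
    resp.raise_for_status()
    return parse_tor_check(resp.text)


# Constructed sample replies (documentation-range IPs, not captured data).
SAMPLE_TOR = '{"IsTor":true,"IP":"198.51.100.7"}'
SAMPLE_CLEARNET = '{"IsTor":false,"IP":"203.0.113.25"}'

if __name__ == "__main__":
    exits_via_tor, ip = check_via_tor()
    print("observed exit IP:", ip)
    if not (exits_via_tor and not proxy_leaks_dns(proxy_settings()["https"])):
        raise SystemExit("STOP: traffic is not leaving through Tor")
    print("OK: safe to begin the OSINT session")
```

Run it inside the virtual machine after Tor is started and before any search; if it prints STOP, no query should be issued until the routing is fixed, since an IP or DNS leak would attribute the session to the hotspot.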

 

Reflections

 

"Intelligence is the ability to gain knowledge or skill." (Bautista, 2018).

With the definition above, I start my reflection on this excellent course content and the vast literature about Cyber Threat Intelligence (CTI).

There is no consistency across the government and the private sector about intelligence.

The narrative that stood out throughout the course is that what is universal about building intelligence agencies or communities is the need to fight against a common threat; with that, it is nearly impossible to define who executes better in terms of intelligence, since the public and private sectors are gathering intelligence to apply against not necessarily common threats.

If we narrow our focus within cybersecurity, we can leverage cyber threat intelligence and cyber intelligence with different intentions in both the private and government sectors.

 

Cyber threat intelligence is an analysis of an adversary's intent, opportunity, and capability to harm. This is a discipline within information security that requires a specific skill set and tools used by threat intelligence analysts.

Cyber intelligence is the ability to gain knowledge about an enterprise, and its existing conditions and capabilities, to determine the possible actions of an adversary when exploiting inherent critical vulnerabilities.

It uses multiple information security disciplines (threat intelligence, vulnerability management, security configuration management, incident response, and so on) and toolsets to gather information about the network through monitoring and reporting to allow decision-makers at all levels to prioritize risk mitigation.

 

How do we apply those same concepts to the architecture of an enterprise?

 

How do we think like an attacker and build the capability within our architectures with the capacity to mitigate and reduce the risk?

 

The goal of organizations is to create a proactive defense mindset and lay the foundation for building a cyber intelligence capability architecture in the organization.

 

I believe in the need for public-private partnerships in this area. Not all organizations can afford it, but I feel sharing intel data is relevant to the fight against common threats and helps to assist intelligence-led policing.

 

With the statement above, that is where I stand: leveraging the knowledge gained to apply it in both defensive and offensive practices in current and future roles in the cybersecurity industry.

As noted in the introduction of the course artifact, following clear rules of engagement, principles, and ethics is essential to engage successfully and adequately in the cyber threat intelligence domain, in the private or public sector.

 

 

Resources

 

Book References

Bazzell, Michael. Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information. Independently published, 2019.

Bodmer, Sean. Reverse Deception: Organized Cyber Threat Counter-Exploitation. McGraw-Hill, 2012.


Harper, Allen, et al. Gray Hat Hacking: The Ethical Hacker's Handbook. McGraw-Hill Education, 2018.


© 2020 - Alexandre Fernandes Costa
