You're reading from Practical Threat Intelligence and Data-Driven Threat Hunting A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Product type Paperback

Published in Feb 2021

Publisher Packt

ISBN-13 9781838556372

Length 398 pages

Edition 1st Edition

Tools

Elasticsearch

Concepts

Application Security

Author (1):

Valentina Costa-Gazcón

View More author details

Table of Contents (9) Chapters

1. What is Cyber Threat Intelligence?

2. What Is Threat Hunting? FREE CHAPTER

3. Where does data come from?

4. Mapping the Adversary

5. Working with the data

6. Emulating the Adversary

7. Creating a research environment

8. How to query the data

The State of the Hunt

Defining your intelligence requirements

As defined by the United States Department of Defense, an intelligence requirement is: “1. Any subject, general or specific, upon which there is a need for the collection of information, or the production of intelligence. 2. A requirement for intelligence to fill a gap in the command´s knowledge or understanding of the battlespace or threat forces.”

The first stage in the intelligence cycle is to identify the information that the decision maker needs. These requirements should be the driving factor in the intelligence team´s collection, processing and analysis.

The main problem that occurs when identifying the IRs is that usually, the decision makers do not know what information they want until they need it. Moreover, other issues like resources and budget shortcuts or sociopolitical events may arise and difficult the task of identifying and satisfying the intelligence requirements.

Posing and trying to answer a series of questions, not only the ones stated below as examples, could be a good starting point when trying to identify the PIRs (P for priority, referring to those that are more critical) and the IRs of an organization.

Important note

Identifying Intelligence Requirements

When working out your intelligence requirements, ask yourself the following questions:

What’s the mission of my organization?

What threat actors are interested in my organization´s industry?

What threat actors are known for having targeted my area of operation?

What threat actors could target my organization in order to reach another company I supply service for?

Had my organization been targeted before? If so, what type of threat actor was did it? Which were its motivations?

What asset does my organization need to protect?

What type of exploits my organization should be looking out for?

There are four criteria to have in mind to validate a PIR: the specificity and the necessity of the question, the feasibility of the collection, and the timeliness of the intelligence that would be generated from it. If the requirement meets the four of them, we can start the collection process around it.