Imperial Library
Table of Contents

Foreword
Preface
  Why We Wrote This Book
  Who This Book Is For
  How This Book Is Organized
  Conventions Used in This Book
  O’Reilly Safari
  How to Contact Us
  Acknowledgments

I. The Fundamentals

1. Introduction
  Intelligence as Part of Incident Response
    History of Cyber Threat Intelligence
    Modern Cyber Threat Intelligence
    The Way Forward
  Incident Response as a Part of Intelligence
  What Is Intelligence-Driven Incident Response?
  Why Intelligence-Driven Incident Response?
    Operation SMN
    Operation Aurora
  Conclusion

2. Basics of Intelligence
  Data Versus Intelligence
  Sources and Methods
  Process Models
    OODA
      Observe
      Orient
      Decide
      Act
    Intelligence Cycle
      Direction
      Collection
      Processing
      Analysis
      Dissemination
      Feedback
    Using the Intelligence Cycle
  Qualities of Good Intelligence
  Levels of Intelligence
    Tactical Intelligence
    Operational Intelligence
    Strategic Intelligence
  Confidence Levels
  Conclusion

3. Basics of Incident Response
  Incident-Response Cycle
    Preparation
    Identification
    Containment
    Eradication
    Recovery
    Lessons Learned
  Kill Chain
    Targeting
    Reconnaissance
      Hard data versus soft data
      Active versus passive collection methods
    Weaponization
      Vulnerability hunting
      Exploitability
      Implant development
      Testing
      Infrastructure development
    Delivery
    Exploitation
    Installation
      System persistence
      Network persistence
    Command and Control
    Actions on Objective
    Example Kill Chain
  Diamond Model
    Basic Model
    Extending the Model
  Active Defense
    Deny
    Disrupt
    Degrade
    Deceive
    Destroy
  F3EAD
    Find
    Fix
    Finish
    Exploit
    Analyze
    Disseminate
    Using F3EAD
  Picking the Right Model
  Scenario: GLASS WIZARD
  Conclusion

II. Practical Application

4. Find
  Actor-Centric Targeting
    Starting with Known Information
    Useful Find Information
      Indicators of compromise
      Behavior
      Using the kill chain
        Scenario: building a kill chain
        GLASS WIZARD kill chain
      Goals
  Asset-Centric Targeting
    Using Asset-Centric Targeting
  News-Centric Targeting
  Targeting Based on Third-Party Notification
  Prioritizing Targeting
    Immediate Needs
    Past Incidents
    Criticality
  Organizing Targeting Activities
    Hard Leads
    Soft Leads
    Grouping Related Leads
    Lead Storage
  The Request for Information Process
  Conclusion

5. Fix
  Intrusion Detection
    Network Alerting
      Alerting on reconnaissance
      Alerting on delivery
      Alerting on command and control
        Command and control via misuse of shared resources
        No command-and-control malware
      Alerting on actions over target
    System Alerting
      Alerting on exploitation
      Alerting on installation
      Alerting on actions over target
    Fixing GLASS WIZARD
      Network activity
      System activity
  Intrusion Investigation
    Network Analysis
      Traffic analysis
        Applying intelligence to traffic analysis
        Gathering data from traffic analysis
      Signature-based analysis
        Applying intelligence to signature-based analysis
        Gathering data from signature-based analysis
      Full content analysis
        Applying intelligence to full content analysis
        Gathering data from full content analysis
      Learning more
    Live Response
    Memory Analysis
    Disk Analysis
      Applying intelligence to disk analysis
      Gathering data from disk analysis
    Malware Analysis
      Basic static analysis
      Basic dynamic analysis
      Advanced static analysis
      Applying intelligence to malware analysis
      Gathering data from malware analysis
      Learning more about malware analysis
  Scoping
  Hunting
    Developing Leads
    Testing Leads
  Conclusion

6. Finish
  Finishing Is Not Hacking Back
  Stages of Finish
    Mitigate
      Mitigating delivery
      Mitigating command and control
      Mitigating actions over target
      Mitigating GLASS WIZARD
    Remediate
      Remediating exploitation
      Remediating installation
      Remediating actions over target
      Remediating GLASS WIZARD
    Rearchitect
      Rearchitecting GLASS WIZARD
  Taking Action
    Deny
    Disrupt
    Degrade
    Deceive
    Destroy
  Organizing Incident Data
    Tools for Tracking Actions
      Personal notes
      The Spreadsheet of Doom
      Third-party, non-purpose-built solutions
    Purpose-Built Tools
  Assessing the Damage
  Monitoring Life Cycle
  Conclusion

7. Exploit
  What to Exploit?
  Gathering Information
  Storing Threat Information
    Data Standards and Formats for Indicators
      OASIS Suite—CybOX/STIX/TAXII
      MILE Working Group
      OpenIOC
    Data Standards and Formats for Strategic Information
      VERIS
      CAPEC
  Managing Information
  Threat-Intelligence Platforms
    MISP
    CRITs
    YETI
    Commercial solutions
  Conclusion

8. Analyze
  The Fundamentals of Analysis
  What to Analyze?
  Conducting the Analysis
    Enriching Your Data
      Enrichment sources
        WHOIS information
        Passive DNS information
        Malware information
        Internal enrichment information
        Information sharing
    Developing Your Hypothesis
    Evaluating Key Assumptions
      Accounting for biases
        Confirmation bias
        Anchoring bias
        Availability bias
        Bandwagon effect
        Mirroring
    Judgment and Conclusions
  Analytic Processes and Methods
    Structured Analysis
    Target-Centric Analysis
    Analysis of Competing Hypotheses
    Graph Analysis
    Contrarian Techniques
      Devil’s advocate
      “What if” analysis
      Red team analysis
  Conclusion

9. Disseminate
  Intelligence Consumer Goals
  Audience
    Executive/Leadership Consumer
    Internal Technical Consumers
    External Technical Consumers
    Developing Consumer Personas
  Authors
  Actionability
  The Writing Process
    Plan
    Draft
      Start with the direction statement
      Start with facts
      Start with an outline or bullet points
    Edit
  Intelligence Product Formats
    Short-Form Products
      Event summary
      Target package
      Indicator-of-compromise report
    Long-Form Products
      Malware report
      Campaign report
      Intelligence estimate
    The RFI Process
      RFI request
      RFI response
      RFI flow example
        RFI request
        RFI Response
    Automated Consumption Products
      Unstructured/semistructured IOCs
        GLASS WIZARD unstructured IOCs
      Network signatures with Snort
        GLASS WIZARD network signatures
      Filesystem signatures with Yara
      Automated IOC Formats
  Establishing a Rhythm
    Distribution
    Feedback
    Regular Products
  Conclusion

III. The Way Forward

10. Strategic Intelligence
  What Is Strategic Intelligence?
    Developing Target Models
      Hierarchical models
      Network models
      Process models
      Timelines
  The Strategic Intelligence Cycle
    Setting Strategic Requirements
    Collection
      Geopolitical sources
      Economic sources
      Historical sources
      Business sources
    Analysis
      Processes for strategic intelligence
        SWOT analysis
        Brainstorming
        Murder boarding
    Dissemination
  Conclusion

11. Building an Intelligence Program
  Are You Ready?
  Planning the Program
    Defining Stakeholders
    Defining Goals
    Defining Success Criteria
    Identifying Requirements and Constraints
    Defining Metrics
  Stakeholder Personas
  Tactical Use Cases
    SOC Support
    Indicator Management
  Operational Use Cases
    Campaign Tracking
  Strategic Use Cases
    Architecture Support
    Risk Assessment/Strategic Situational Awareness
  Strategic to Tactical or Tactical to Strategic?
  Hiring an Intelligence Team
  Demonstrating Intelligence Program Value
  Conclusion

A. Intelligence Products
  Short-Form Products
    IOC Report: Hydraq Indicators
      Summary
      Notes
      Related TTPs
      References
    Event Summary Report: GLASS WIZARD Spear Phishing Email—Resume Campaign
      Summary
      Timeline
      Impact
      Recommendations
      Ongoing Actions
      References
    Target Package: GLASS WIZARD
      Summary
      Tactics, Techniques, & Procedures
      Victim Profile
      Related References
  Long-Form Products: Hikit Malware
    Summary
    Basic Static Analysis
      Interesting strings
      Other relevant files or data
    Basic Dynamic Analysis
      Behavioral Characteristics
      Delivery Mechanisms
      Persistence Mechanisms
      Spreading mechanisms
      Exfiltration mechanisms
      Command-and-control mechanisms
    Dependencies
      Supported operating systems
      Required Files
      Second Stage Downloads
      Registry Keys
    Detection
      Network Indicators of Compromise
      Filesystem indicators of compromise
    Response Recommendations
      Mitigation steps
      Eradication steps
    Related files
  Requests for Intelligence: GLASS WIZARD
    GLASS WIZARD RFI Response

Index