
Visual Threat Intelligence: An Illustrated Guide For Threat Researchers

May 20, 2025, 18 min

Episode description

The guide begins with fundamental concepts like the intelligence lifecycle and the various gathering disciplines such as OSINT, HUMINT, GEOINT, SIGINT, and FININT. It explores identifying and profiling threat actors, discussing motivations, the Diamond Model, TTPs, attribution challenges, and the MITRE ATT&CK framework, while also highlighting the Unprotect Project as a resource for malware evasion techniques. Furthermore, the text examines Indicators of Compromise (IOCs), their lifecycle, the Pyramid of Pain for prioritization, and the crucial skill of pivoting during investigations. The sources also touch upon essential tools for threat analysis, including YARA, Sigma rules for log analysis, and the MSTICpy Python library, concluding with a look at impactful cyberattacks like NotPetya and Shamoon, the complexities of false flags, and a glimpse into the cybercrime ecosystem.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/Visual-Threat-Intelligence-Illustrated-Researchers/dp/B0C7JCF8XD?&linkCode=ll1&tag=cvthunderx-20&linkId=7338fa70ea706bf82f2fd223a64ef23d&language=en_US&ref_=as_li_ss_tl


Discover our free courses in tech and cybersecurity, Start learning today:
https://linktr.ee/cybercode_academy

Transcript

Speaker 1

Welcome to the deep dive. Today we're tackling cyber threat intelligence, a really crucial area, and we're...

Speaker 2

Doing that using a great resource you shared with us, Visual Threat Intelligence by Thomas Roccia.

Speaker 1

Exactly.

Speaker 2

Yeah. Our goal here is really to pull out the key ideas, the essential concepts from the book.

Speaker 1

Right, and the practical applications too, exactly and.

Speaker 2

Make it really clear for you, even if your background isn't super technical.

Speaker 1

In this book, Visual Threat Intelligence, it seems perfect for that. It's gotten praise from places like the DFIR.

Speaker 2

Report that's Digital Forensics and Incident Response.

Speaker 1

Right, and Pulsedive too. They highlighted its clear explanations, its real world focus.

Speaker 2

And the author Thomas Roccia, he definitely knows his stuff.

Speaker 1

Oh yeah, over a decade at Microsoft as a senior security researcher. Plus he runs securitybreak.io, shares his research there, and...

Speaker 2

He's been involved in some big cyber events, contributes to open source projects like the Unprotect Project.

Speaker 1

So definitely experienced.

Speaker 2

Absolutely so for you, our listener, thinking of you as the learner, this should be a good shortcut.

Speaker 1

Yeah, helping understand these important cybersecurity concepts, hopefully getting those aha, moments without you know, getting totally bogged down in jargon.

Speaker 2

That's the plan.

Speaker 1

Okay, let's jump right in. Then fundamentally, what is threat intelligence?

Speaker 2

Well, at its core, it's about gathering information on cyber.

Speaker 1

Threats Okay, gathering info, yeah.

Speaker 2

Then analyzing it to really understand those threats, and then crucially sharing that understanding so you can improve security.

Speaker 1

So it's kind of like reconnaissance, getting a step ahead of attackers by figuring out who they are and what they do. Precisely.

Speaker 2

Now, the book makes a distinction, which is useful. There's security intelligence, it's broader, any security info, right, and then there's cyber threat intelligence, CTI. Yeah, that's our focus today, just like in the book. Often they just call it threat intelligence.

Speaker 1

I got it. CTI. It is, So what kind of intelligence are we talking thinking about? The book lays out three main types it does.

Speaker 2

Yeah, and it's interesting these terms actually come from military intelligence originally. So the first one is tactical threat intelligence, think immediate.

Speaker 1

Actionable, like what's happening right now exactly?

Speaker 2

Threats targeting you in real time. Security teams use this stuff daily for identifying ongoing incidents and responding quickly.

Speaker 1

So spotting some specific malware trying to get in and knowing exactly how to stop it right then and there.

Speaker 2

That's a perfect example. Then you've got operational threat intelligence. Okay, this goes a bit deeper into the attackers themselves. It asks why are they attacking? What are their capabilities, their tools, their methods, their tools, techniques, intentions, all of it. This is super important for incident response. If you know who you're dealing with, you can anticipate their moves better.

Speaker 1

Right, So it's not just seeing the attack, but understanding the attackers whole playbook.

Speaker 2

Almost you got it. And the third type is strategic threat intelligence.

Speaker 1

Strategic sounds high level.

Speaker 2

It is. It's the big picture view, long term analysis of the whole cyber threat.

Speaker 1

Landscape, looking at overall trends.

Speaker 2

Trends, yeah, emerging threats, even how things like geopolitics might impact cyber risk. This helps the leadership the execs make informed decisions about the overall security strategy long term stuff.

Speaker 1

Okay, that makes sense. So tactical for the now, operational for the who and why, and strategic for the long view. Each has its place.

Speaker 2

Definitely, a complete security program needs all three working together.

Speaker 1

Now, the book talks about a threat intelligence life cycle. Why is having a structured process like that important?

Speaker 2

Well, it gives you a systematic way to actually do threat intelligence effectively. It's a recognized method turning raw data just noise sometimes into insights you can actually use.

Speaker 1

And you mentioned its origins CIA.

Speaker 2

Yeah. Interestingly, a similar structured cycle was first developed by the CIA for intelligence work, not just cyber. It's been adapted since there.

Speaker 1

Okay, and it has six stages. Let's uh walk through those.

Speaker 2

Sure. It starts with planning and direction. This is crucial. It is where you figure out what you actually need to know, what threats matter most to.

Speaker 1

Your organization, defining the mission basically exactly.

Speaker 2

Then comes data collection, pretty straightforward, gathering the raw info from all sorts of sources.

Speaker 1

Okay.

Speaker 2

Stage three is processing and exploitation. Here you take that raw data and make it usable, filter out the noise, organize it, format it.

Speaker 1

Like panning for gold, sifting through the dirt to find the valuable nuggets.

Speaker 2

That's a great analogy. Actually, yeah. After that, Stage four is analysis and production. This is where the real magic.

Speaker 1

Happens, taking sense of it all.

Speaker 2

Exactly, examining the processed data, finding patterns, connecting dots, and producing actual intelligence reports or briefings. Right, then Stage five, dissemination, hugely important, getting the finished intelligence to the people who need it, the ones who can act on it.

Speaker 1

No point the analysis if it just sits on a shelf precisely, and the final stage six is feedback.

Speaker 2

This closes the loop. Did the intelligence help? Was it useful? What can we do better next time? It makes the whole process iterative, always improving.

Speaker 1

So it's a continuous cycle, constantly refining based on needs and results, not just a one shot deal. The book also mentions tailoring this life cycle. Can you give an example of how that works?

Speaker 2

Sure, the book uses a good one. Think about a bank versus say, a manufacturing plant.

Speaker 1

Okay, different priorities.

Speaker 2

Totally different. The bank, in their planning stage, would heavily prioritize intelligence on threats targeting financial systems, right, like buoy TOSEL malware, attacks on online banking. Makes sense, whereas the manufacturing company might be much more focused on threats to their industrial control systems, the ICS networks that run the factory floor.

Speaker 1

So the life cycle structure stays the same, but the focus within each stage changes based on the organization's specific risks.

Speaker 2

Exactly, and then tying back to dissemination, that tailored intelligence needs to get to the right people for the bank. Maybe it's the fraud team and the application security team for the factory. Maybe it's the plant operations engineers and the OT security group.

Speaker 1

Got it okay, So we understand what the types of intelligence and the how the life cycle. Now the book moves into more practical aspects. What does that involve?

Speaker 2

Right? Practical threat intelligence? This is where it gets really grounded. The book talks about needing to consider real world context. Geopolitics is a big one. How so? Well, tensions or alliances between countries can directly influence cyber activity, state sponsored attacks, activism. It's often linked to global...

Speaker 1

Events, So you need to look beyond just the technical bits of an attack.

Speaker 2

Absolutely. The book suggests not just relying on news, but maybe even consulting experts in economics, politics, sociology sometimes to get a deeper understanding of a nation's goals and how they might play out in cyberspace.

Speaker 1

Interesting, that adds another layer.

Speaker 2

It does, and practically it means gathering info from diverse sources, not just your own logs, but security vendor reports, open source feeds, but also being aware of vulnerabilities potential weaknesses attackers might target. The analyst's job is then to pull all that together.

Speaker 1

Okay, and then we get to indicators of compromise IOCs. We hear that term all the time. What are they really?

Speaker 2

The IOCs are basically the breadcrumbs left behind by attackers, digital footprints, like.

Speaker 1

Clues at a crime scene.

Speaker 2

Exactly like that. They are pieces of data that suggest a system or network has been compromised. Could be a malicious file hash, its digital fingerprint, or a suspicious IP address the malware talks to, a weird domain name, maybe unusual network traffic...

Speaker 1

Patterns, things that shouldn't be there.

Speaker 2

Right. They give you a concrete trace of known bad activity. Now, the book does point out these IOCs can be fleeting. Attackers change their tools their infrastructure to avoid detection.

Speaker 1

So they might not be useful for long.

Speaker 2

They might have a short shelf life, yes, but they are still incredibly valuable. Collecting them, analyzing them, you can often identify other compromise systems, and if you link those IOCs back to that geopolitical context or other operational intelligence you start building a bigger picture of the attackers campaign.

Speaker 1

Ah so even a short lived IOC can be a key piece of the puzzle, helping.

Speaker 2

Connect dots precisely.

Speaker 1

The book also briefly mentions the Diamond model of intrusion analysis. Here. What's the gist of that.

Speaker 2

Right, The Diamond model. It's a framework really for breaking down an intrusion. It looks at four key interconnected points, the adversary, their capabilities, the infrastructure they use, and the victim.

Speaker 1

They target, like the corners of a diamond.

Speaker 2

Exactly. By analyzing how these four elements relate in this specific incident, analysts can get a much clearer picture of the attack, who's likely behind it, and maybe what they're after. We might touch on it more if other sources cover it.

Speaker 1

Okay, another tool for analysis, Now, this next one sounds really interesting. Analysis of competing hypotheses or ACH.

Speaker 2

Yes, ACH is a really powerful technique, especially when you're dealing with fuzzy situations, incomplete information, maybe even deliberately misleading clues during an investigation.

Speaker 1

Which happens a lot in cyber incidents.

Speaker 2

I imagine it certainly does. ACH was actually developed by a CIA analyst back in the day. Its main purpose is to help analysts overcome their own cognitive biases.

Speaker 1

Like confirmation bias, where you just look for evidence that confirms what you already think.

Speaker 2

That's the big one, Yeah, confirmation bias. ACH tackles that head on by forcing you to consider multiple possible explanations hypotheses at the same time.

Speaker 1

Instead of just fixating on one theory.

Speaker 2

Right. And the key thing about ACH the book stresses is that the goal isn't to prove one hypothesis right. It's actually to disprove or eliminate the hypotheses that are inconsistent with the evidence.

Speaker 1

Oh, okay, It's about elimination, not confirmation exactly.

Speaker 2

It pushes you to think critically: if hypothesis B were true, what evidence should I be seeing that I'm not? It forces a more rigorous, objective approach.

Speaker 1

That sounds incredibly useful. How do you actually do it? Is there a process?

Speaker 2

There is. The book describes using a matrix. It's pretty straightforward conceptually. You list your competing hypotheses, your different theories about what happened, across a top row, okay, and then down the left column you list all the relevant pieces of evidence or information.

Speaker 1

You have got it evidence versus hypotheses.

Speaker 2

Right, then you go cell by cell. For each piece of evidence, you evaluate how consistent it is with each hypothesis. Does it support it, contradict it, is it irrelevant?

Speaker 1

So you systematically weigh everything against every possibility.

Speaker 2

You do, and this matrix visually shows you which hypotheses are most consistent with the bulk of the evidence, and crucially, which ones are clearly contradicted and can likely be ruled out. The book even points to a template for this matrix by Pasquale Stirparo, which is available online. Handy. Yeah, while this chapter doesn't go into all eight steps of the full ACH process, it gives you the core idea, the core value.

Speaker 1

Yeah, that structured thinking seems vital for complex investigations avoiding those mental traps. Okay, Moving on, the book talks about intelligence gathering disciplines. Sounds like different ways to get the information in the first place.

Speaker 2

Exactly. These are the various methods, the INTs as they're often called. Each gives you a different perspective, a different type of data.

Speaker 1

So what are the main ones?

Speaker 2

The book highlights several key ones. First up is open source intelligence, OSINT, probably the most well known.

Speaker 1

That's using publicly available stuff right the Internet.

Speaker 2

Right, Internet searches, public databases, social media, news reports, academic papers, even accessible parts of the dark web, anything publicly accessible.

Speaker 1

Okay, what else?

Speaker 2

Then there's human intelligence, HUMINT. This is gathering info from people, interviews, conversations, maybe even things like social engineering, though that gets ethically tricky.

Speaker 1

Right, talking to people yep.

Speaker 2

Then geospatial intelligence, GEOINT, uses imagery, satellite photos, aerial pics, plus mapping data. Can be useful for pinpointing physical locations related to threats, like...

Speaker 1

Where servers might be hosted.

Speaker 2

Potentially, yeah, or identifying physical infrastructure. Then you have signals intelligence, SIGINT. This is about intercepting electronic signals like communications. Intercepting communications, yeah, or analyzing network traffic metadata like NetFlow to understand communication patterns without seeing the content. And the book also mentions financial intelligence, FININT, focusing on money trails, analyzing transactions. This is obviously huge for tracking things like ransomware payments, often involving cryptocurrency these days.

Speaker 1

That's quite a list: OSINT, HUMINT, GEOINT, SIGINT, FININT. The book mentions others too, like SOCMINT, RECON.

Speaker 2

Yeah, there are more specialized ones like social media intelligence, SOCMINT, imagery intelligence, IMINT, reconnaissance, RECON. The point the book makes is that you rarely rely on just one. You need a mix. Exactly. Combining insights from multiple disciplines gives you a much richer, more comprehensive understanding of the threat landscape. That leads to better analysis and more effective responses.

Speaker 1

Makes sense, build a fuller picture from different angles. Okay. One last foundational concept from this part of the book, the Traffic Light Protocol TLP. What's that about?

Speaker 2

TLP is all about sharing information safely. It's a simple standardized system for classifying sensitive information to indicate how widely it can be shared.

Speaker 1

Standardize is key, I guess. So everyone's on the same page absolutely.

Speaker 2

It was developed by FIRST, that's the Forum of Incident Response and Security Teams, to create a common language. It helps organizations share threat intel with partners, but with clear rules to prevent misuse or leaks.

Speaker 1

Okay, so it's like a handling label. What are the levels? The book mentions four colors.

Speaker 2

Right, four. TLP:RED is the most restrictive, basically for your eyes only, or only the specific people it was directly sent to. No further sharing.

Speaker 1

Got it. Red means stop sharing, pretty much.

Speaker 2

Then TLP:AMBER. This means you can share it within your own organization on a need to know basis, but not outside your org.

Speaker 1

Okay, internal sharing allowed correct.

Speaker 2

Next is TLP:GREEN. This allows sharing with trusted partners or within a specific community like an industry group. But it shouldn't be posted publicly on the Internet.

Speaker 1

Wider sharing, but still within a defined community.

Speaker 2

Yes. And finally, TLP:CLEAR, no restrictions, share it freely, publicly, whatever.

Speaker 1

Red, amber, green, clear. Seems pretty straightforward, and the book says it's the sender's job to label it correctly.

Speaker 2

Yes, the originator labels the information; it needs to make sure the recipients understand what those labels mean and respect the sharing boundaries.

Speaker 1

And these labels get used in sharing platforms.

Speaker 2

They do. Platforms like MISP and OpenCTI often have built in TLP support, making it easier to manage how intelligence is distributed based on its classification. The book briefly outlines the steps for senders using TLP, like being clear about recipients for each level.

Speaker 1

Clarifies TLP isn't the same as the Chatham House.

Speaker 2

Rule, right, important distinction. Yeah, the Chatham House Rule is about anonymity of speakers at meetings. TLP is about the dissemination rules for the information itself. Different purposes.

Speaker 1

Okay, that clears that up. So wow, that's a lot of ground covered for the fundamentals it really is. We've talked about what threat intelligence is, the different types tactical, operational, strategic. We've looked at the structured life cycle for producing.

Speaker 2

It, right, the six stages.

Speaker 1

Then the practical side gathering info, considering context like geopolitics, using IOCs as.

Speaker 2

Clues, and critically analyzing things with frameworks like ACH to avoid.

Speaker 1

Bias exactly, plus the different gathering disciplines ocent, human, et cetera. And finally how to share information responsibly using TLP.

Speaker 2

That's a really solid foundation from this first part of Visual Threat Intelligence.

Speaker 1

It definitely feels like it, and the book hints there's more detail to come on things like specific threat actors, diving deeper into IOCs and the tools used.

Speaker 2

This initial exploration using Visual Threat Intelligence has really set the stage well, covering those core concepts and the structured thinking behind CTI. You know, thinking about IOCs again, it's not just finding one...

Speaker 1

Clue, right, you said, it's like puzzle pieces exactly.

Speaker 2

The real value is connecting them. Imagine a security team sees a weird file, an IOC. Using ACH, they might brainstorm: okay, hypothesis one, it's known malware X; hypothesis two, it's a legit file acting weirdly; hypothesis three, it's something totally new.

Speaker 1

Okay.

Speaker 2

Then they gather more evidence, network logs, process activity, and test it against each hypothesis using that matrix idea. Which ones did the evidence contradict, which seem more likely? It helps them focus their investigation effectively.

Speaker 1

That practical application really helps solidify it. So for you listening, we hope this deep dive has given you a clearer picture of how threat intelligence works and frankly, why it's so essential in today's cybersecurity world.

Speaker 2

Yeah. Absolutely, and maybe it sparks a broader thought too. These principles we've discussed, gathering diverse information, carefully weighing competing explanations, being aware of bias. How might applying that kind of thinking be useful elsewhere, in how you consume news, make decisions, just navigating the sheer amount of information we all face every day?

Speaker 1

That's definitely interesting food for thought, thinking like an intelligence analyst in everyday life sort of.

Speaker 2

Yeah.

Speaker 1

Well, if this has piqued your interest, definitely consider exploring more. Maybe check out those resources the book mentions like securitybreak.io or the Unprotect Project.

Speaker 2

Or feel free to share other sources with us for future deep dives if there are specific areas you want to explore further.

Speaker 1

Absolutely, and thank you again for sharing this source, Visual Threat Intelligence, with us. It's been a fantastic starting point.

Speaker 2

It really has, a great way to understand these crucial foundations.

Transcript source: Provided by creator in RSS feed.