Cyber Intelligence: Analyzing Cyber Adversaries and Threats
Cyber intelligence is the collection and analysis of information about cyber adversaries (also known as hackers or cyber threat actors): their motivations, capabilities, geopolitical aspirations, and activities in the cyber and physical domains, in order to support decision making about cyber security. Students use analytical methodologies, risk assessment models, and cyber security frameworks to develop a common vocabulary that supports both technical and managerial discussions about cyber threats.
Using cyber intelligence tools and methodologies such as the intelligence cycle and the cyber kill chain, students assess an organization's internal and external environments to generate a cyber threat matrix, harvest open source information about adversaries, analyze diverse data, and conduct basic technical as well as strategic analyses of cyber threats and adversaries. Using the results of the analysis, students write analytical reports and present briefings for management. The course focuses on the cyber threats and cyber adversaries that organizations face.
This course is organized around the intelligence cycle, a planning process based on requirements, information gathering, analysis, and generation of a finished intelligence product (e.g., briefing, alert, report). The intelligence cycle has been adapted to cyber security. The course is broken into the following modules, which follow a logical progression from introducing cyber intelligence to assessing the cyber threats and adversaries organizations face:
- Module 1: Overview of Cyber Threats
- Module 2: Introduction to Cyber Intelligence
- Module 3: Intelligence Cycle and Cyber Intelligence
- Module 4: Cyber Threat Intelligence Cycle (CTIC): Intel Requirement, Environment, & Collection
- Module 5: Cyber Threat Intelligence Cycle (CTIC): Processing & Analysis
- Module 6: Cyber Threat Intelligence Cycle (CTIC): Production & Dissemination
Students who complete the course are expected to be able to:
- Analyze cyber security from organizational risk and geopolitical perspectives
- Using case studies and the cyber intelligence cycle, identify, categorize, and analyze cyber threats, intrusions, and adversaries’ tactics, techniques, and procedures (TTPs)
- Identify, leverage, and analyze diverse open source data (e.g., hacker forums, domain names, Twitter chatter)
- Conduct tactical and strategic analyses using analytical methodologies (e.g., cyber kill chain, risk assessment, cyber threat matrix)
- Demonstrate how methodologies (e.g., cyber kill chain) can be used to generate an understanding of capabilities and intentions of cyber adversaries
- Write cyber intelligence reports and present a managerial briefing
- On a daily basis, practice cyber operational security (OPSEC), also known as cyber security hygiene, such as being cautious about clicking on links in email messages
- Prerequisite: a basic understanding of cyber security would be helpful.
The course uses several publications:
- Verizon. Data Breach Investigations Report, 11th edition, 2018.
- Friedman, J. & Bouchard, M. Definitive Guide to Cyber Threat Intelligence: Using Knowledge about Adversaries to Win the War Against Targeted Attacks. iSIGHT Partners, 2015.
- Software Engineering Institute (SEI) Emerging Technology Center, Carnegie Mellon University (CMU). Cyber Intelligence Tradecraft Project, 2013.
- Stern, M. Cyber Intelligence: Identifying the Threat and Understanding the Terrain in Cyberspace. SecurityWeek, Oct 10, 2012.
Readings, quizzes, or in-class exercises can be assigned as homework.
Quizzes are provided for every lesson. A midterm exam is not provided, but one could easily be developed from the quizzes and the material presented in the course content. A final team briefing project could also be developed and assigned.
It is left up to each instructor to determine how to grade the material in this course; however, one recommended grading breakdown is provided below.
- 20% - Midterm Exam
- 25% - Assignments/Homework
- 35% - Participation/Quizzes
- 20% - Final team briefing (optional)
The course maps to the following knowledge statements from the National Cybersecurity Workforce Framework:
- K0005: Knowledge of cyber threats and vulnerabilities.
- K0045: Knowledge of information security systems engineering principles.
- K0059: Knowledge of new and emerging information technology (IT) and cybersecurity technologies.
- K0114: Knowledge of electronic devices (e.g., computer systems/components, access control devices, digital cameras, electronic organizers, hard drives, memory cards, modems, network components, printers, removable storage devices, scanners, telephones, copiers, credit card skimmers, facsimile machines, global positioning systems [GPSs]).
- K0151: Knowledge of current and emerging threats/threat vectors.
- K0233: Knowledge of the National Cybersecurity Workforce Framework, work roles, and associated tasks, knowledge, skills, and abilities.
- K0273: Knowledge of general kill chain (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
- K0309: Knowledge of emerging technologies that have potential for exploitation by adversaries.
- K0311: Knowledge of industry indicators useful for identifying technology trends.
- K0315: Knowledge of the principal methods, procedures, and techniques of gathering information and producing, reporting, and sharing information.
- K0356: Knowledge of analytic tools and techniques.
- K0390: Knowledge of collection strategies.
- K0409: Knowledge of cyber intelligence/information collection capabilities and repositories.
- K0460: Knowledge of intelligence preparation of the environment and similar processes.
- K0558: Knowledge of the available tools and applications associated with collection requirements and collection management.
- K0578: Knowledge of the intelligence requirements development and request for information processes.
- Cyber Threats (CTH)