Practical Cyber Intelligence (eBook)
338 pages
Wiley (publisher)
978-1-394-25610-5 (ISBN)
Overview of the latest techniques and practices used in digital forensics and how to apply them to the investigative process
Practical Cyber Intelligence provides a thorough and practical introduction to the different tactics, techniques, and procedures that exist in the field of cyber investigation and cyber forensics to collect, preserve, and analyze digital evidence, enabling readers to understand the digital landscape and analyze legacy devices, current models, and models that may be created in the future. Readers will learn how to determine what evidence exists and how to find it on a device, as well as what story it tells about the activities on the device.
Over 100 images and tables are included to aid in reader comprehension, and case studies are included at the end of the book to elucidate core concepts throughout the text.
To get the most value from this book, readers should be familiar with how a computer operates (e.g., CPU, RAM, and disk), be comfortable interacting with both Windows and Linux operating systems as well as Bash and PowerShell commands and have a basic understanding of Python and how to execute Python scripts.
Practical Cyber Intelligence includes detailed information on:
- OSINT, the method of using a device's information to find clues and link a digital avatar to a person, with information on search engines, profiling, and infrastructure mapping
- Windows forensics, covering the Windows registry, shell items, the event log and much more
- Mobile forensics, understanding the difference between Android and iOS and where key evidence can be found on the device
Focusing on methodology that is accessible to everyone without any special tools, Practical Cyber Intelligence is an essential introduction to the topic for all professionals looking to enter or advance in the field of cyber investigation, including cyber security practitioners and analysts and law enforcement agents who handle digital evidence.
Adam Tilmar Jakobsen works for the Danish National Police Agency's special crime unit hunting down cyber criminals. Throughout his career he has worked on international cases with Europol and the FBI. Adam's journey into cybersecurity and intelligence began in the Danish Army Intelligence, where he honed his skills in SIGINT, OSINT, HUMINT, and all-source intelligence. In this role, he executed a wide range of defense, intelligence, and attack missions. Transitioning to Bluewater Shipping, Adam initially served as a Solution Architect before pivoting towards information security, where he oversaw critical security operations.
1 Intelligence Analysis
Intelligence analysis is the process of using data to comprehend a situation or problem and support decision-making. It involves collecting and analyzing data from various sources, such as human intelligence, signals intelligence, open-source information, and other types of data, to provide insights and inform decision-makers. Intelligence analysts employ a range of tools and techniques, including data mining, statistical analysis, and modeling, to discern trends, patterns, and relationships within the data. They then utilize this information to formulate hypotheses, make predictions, and offer recommendations for action. Intelligence analysis is applied across numerous fields, including national security, law enforcement, and business. You might be wondering what it has to do with digital forensics. They have a lot in common; they are both about identifying the most likely hypotheses based on the available data. The thing is we would always like to be precise in forensics, but that is not always possible as the necessary data might not be available to give a precise and scientific answer. In these cases, we have to look at the available data, understand the story it is telling, and then give an estimate of what most likely has happened. This is why the first section is about the tools used in intelligence analysis.
1.1 Intelligence Life Cycle
The intelligence life cycle[1] is a framework that outlines the various stages involved in the process of collecting, analyzing, and disseminating intelligence. The typical stages of the intelligence process life cycle include:
- Planning and direction
- Collection
- Processing
- Analysis
- Dissemination
- Evaluation and feedback
These stages are interconnected and often overlap, with the ultimate goal of the intelligence process being to deliver timely and accurate information to decision-makers, thereby enabling them to take well-informed actions.
1.1.1 Direction and Planning
This stage is the foundation of the intelligence life cycle. It is about establishing a strategy for what is needed, gathering the necessary data, and tackling the different cases hitting your desk. It means identifying which questions the decision-maker needs answered to meet their objectives; those questions in turn define which tools and data sources are needed to formulate an answer to the question you have been given.
1.1.2 Collection
In the collection phase, the raw data needed to facilitate the analysis is obtained from the different sources. A good idea is to implement a collection management framework.[2] The job of this tool is to help manage and create structure around the numerous data sources and the information that can be obtained from each source. This is done by maintaining a data sheet that outlines all the sources available, the data you can expect to retrieve from each source, and the specific questions each source can answer. I have created an example of a collection management framework for a SOC in Table 1.1.
Table 1.1 Collection framework.

| Source | Endpoint | Network | Firewall | AD logs |
|---|---|---|---|---|
| Data type | Alert | Netflow | Alerts | Logs |
| Kill chain | Exploitation and installation | Internal recon, delivery, and C2 | Internal recon, delivery, and C2 | Internal recon |
| Pivot on | Malware sample | Packet capture | Netflow | Endpoint |
| Retention (days) | 30 | 60 | 21 | 30 |
Your collection framework will definitely look different, but this one should give you a general idea. What makes it useful is that it clearly defines what data is available to you and what it can be used for. That way you do not have to rely on people's memories of which sources are available and what they can be used for. Do not underestimate the usefulness of this tool: if you ever find yourself asking whether you have a data source that could answer question X, then you need this tool. Another use is to identify whether you have black spots in your data sources or overlaps in capabilities.
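Because the framework is just a data sheet, the uses mentioned above (finding which source can answer a question, and spotting black spots and overlaps) can be checked mechanically rather than from memory. The following Python script is an added example, not code from the book: it transcribes Table 1.1 into a data structure and answers those questions, plus one the retention column makes possible, namely which sources still hold data for activity that happened some days ago. Splitting the table's combined phase cells into single phases, the list of phases this SOC wants covered, and the function names are all assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    """One column of the collection management framework (one data source)."""
    name: str
    data_type: str
    kill_chain: frozenset   # kill chain phases where this source yields evidence
    pivot_on: str           # artefact used to pivot into or out of this source
    retention_days: int     # how long the source keeps its data


# Table 1.1 transcribed as data; combined cells are split into single phases.
SOURCES = (
    Source("Endpoint", "Alert", frozenset({"Exploitation", "Installation"}), "Malware sample", 30),
    Source("Network", "Netflow", frozenset({"Internal recon", "Delivery", "C2"}), "Packet capture", 60),
    Source("Firewall", "Alerts", frozenset({"Internal recon", "Delivery", "C2"}), "Netflow", 21),
    Source("AD logs", "Logs", frozenset({"Internal recon"}), "Endpoint", 30),
)

# Assumed for this example (not from the book): the phases this SOC wants
# evidence for. Any phase here that no source covers is a black spot.
WANTED_PHASES = (
    "Delivery", "Exploitation", "Installation", "C2",
    "Internal recon", "Lateral movement", "Exfiltration",
)


def sources_for_phase(phase, sources=SOURCES):
    """Sources that can answer 'what happened during <phase>?'."""
    return [s.name for s in sources if phase in s.kill_chain]


def blackspots(phases=WANTED_PHASES, sources=SOURCES):
    """Wanted phases that no source covers at all."""
    return [p for p in phases if not sources_for_phase(p, sources)]


def overlaps(phases=WANTED_PHASES, sources=SOURCES):
    """Phases covered by two or more sources, with the sources involved."""
    result = {}
    for p in phases:
        covering = sources_for_phase(p, sources)
        if len(covering) > 1:
            result[p] = covering
    return result


def still_retained(days_ago, sources=SOURCES):
    """Sources whose retention window still reaches back `days_ago` days.

    A late alert is only answerable from sources that have not yet rolled
    their data over; everything else is gone regardless of coverage.
    """
    return [s.name for s in sources if s.retention_days >= days_ago]


def coverage_report(days_ago, phases=WANTED_PHASES, sources=SOURCES):
    """Per phase: sources that both cover it and still hold data for `days_ago`."""
    retained = set(still_retained(days_ago, sources))
    return {p: [s for s in sources_for_phase(p, sources) if s in retained] for p in phases}


if __name__ == "__main__":
    print("Black spots:", blackspots())
    print("Overlaps:", overlaps())
    print("Can still answer a 25-day-old alert:", still_retained(25))
    for phase, names in coverage_report(25).items():
        print(f"  {phase:16s} -> {names or 'NO DATA'}")
```

Run as a script it prints the black spots (here "Lateral movement" and "Exfiltration"), the phases where several sources overlap, and, for an alert about activity 25 days old, which sources can still be queried: the firewall's 21-day retention has already expired, so C2 questions can now only be answered from netflow.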
1.1.3 Processing
During the processing stage, the raw data collected transforms into a format that can be easily understood by humans or interpreted by relevant computer systems. This step is crucial for preparing the data for in-depth analysis and interpretation by intelligence analysts or automated tools.
An essential aspect of this stage is evaluating the relevance and reliability of the data gathered. Analysts need to carefully examine the data to ensure its accuracy and ascertain its importance concerning the intelligence requirement. This process may entail cross-referencing data from multiple sources to authenticate its credibility and establish its relevance.
When processing threat reports from various vendors, it can be tempting to create a Rosetta stone that translates threat actor names across the different vendors. The reason cyber threat intelligence organizations do not use the same naming convention for threat actors is that they do not have the same collection coverage, the method by which they cluster intrusions together differs depending on their intelligence requirements, and none of them knows all the details of the adversary; this is why each uses its own naming scheme. For the same reason we should not try to merge actors from different vendors into one cluster, as the result will most likely be wrong.
1.1.4 Analysis
The process of intelligence analysis[3] involves breaking down a complex problem or concept into smaller, simpler parts to better understand it and draw meaningful conclusions. It is a crucial step in an investigation, where information needs to be systematically examined and evaluated to identify patterns, connections, and insights that can help shed light on the case. The objective is to transform data into actionable information.
When it comes to digital evidence, expert examiners play a critical role in data analysis, as the data can be ambiguous, taken out of context, or simply incorrect, which may lead to wrongful conclusions. A good digital forensics expert possesses the ability to understand the context around the data and use analytical judgment to make objective conclusions about the evidence. This involves employing critical thinking skills, logical reasoning, and a systematic approach to assess and evaluate information based on the available evidence.
The good thing is that there are a variety of tools and techniques at our disposal, including statistical analysis, network analysis, and trend analysis, among others. The choice of technique depends on the type of investigation and the data available.
1.1.4.1 Structured Analytic Techniques (SAT)
Structured analytic techniques[4] are a set of tools used to help analysts systematically analyze complex information. They provide a systematic and transparent approach to analysis to reduce bias, improve the quality of the analysis, and support more effective decision-making.
Structured analytic techniques typically involve the following steps:
- Define the problem or issue: The first step is to clearly define the problem or issue that the analysis will address. This involves identifying specific questions that need to be answered and the information needed to answer those questions.
- Collect and organize the information: The next step is to collect the raw intelligence information relevant to the problem or issue. This can involve various sources, such as human agents, electronic surveillance, and open-source information. Once the information has been collected, it must be organized and prepared for analysis.
- Apply structured analytic techniques: The third step is to apply a structured analytic technique to the collected information to identify patterns, trends, and relationships. A wide variety of structured analytic techniques can be used, such as statistical analysis, network analysis, geospatial analysis, decision trees, or Bayesian analysis, to name a few.
- Develop conclusions and insights: The fourth step is to use the results of the analysis to develop insights and conclusions about the problem or issue. This can involve identifying key factors driving the situation, making predictions about future developments, or providing recommendations for action.
- Document and communicate findings: The final step in the process is to document the analysis, including the methodology used, the information sources, the results of the analysis, and the conclusions and insights that were developed. This documentation should be clear, concise, and transparent, allowing others to understand and evaluate the analysis. It is important to communicate these findings to relevant decision-makers, ensuring they have access to the information needed to make informed decisions.
Using structured analytic techniques offers several benefits to analysts and decision-makers. First, it helps to ensure a more systematic and rigorous approach to the analysis, which can help to improve the accuracy and reliability of the results. Second, it...
| Publication date (per publisher) | 31.7.2024 |
|---|---|
| Language | English |
| Subject area | Mathematics / Computer Science ► Computer Science ► Networks; Mathematics / Computer Science ► Computer Science ► Theory / Study |
| Keywords | cyber crime • cyber forensics • cybersecurity • digital forensics • evidence location • forensics research • Malware • memory forensics • Mobile Forensics • open-source intelligence • OSINT • smart metrics • Virus • windows forensics |
| ISBN-10 | 1-394-25610-8 / 1394256108 |
| ISBN-13 | 978-1-394-25610-5 / 9781394256105 |
Size: 19.7 MB
Copy protection: Adobe DRM
Adobe DRM is a copy protection scheme intended to protect the eBook against misuse. The eBook is authorized to your personal Adobe ID at download time, and you can then read it only on devices that are also registered to your Adobe ID.
File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly suited to presenting fiction and non-fiction. The body text is dynamically adjusted to the display and font size, which also makes EPUB well suited to mobile reading devices.
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a
eReader: This eBook can be read on (almost) all eBook readers, but it is not compatible with the Amazon Kindle.
Smartphone/tablet: Whether Apple or Android, you can read this eBook. You need a
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.