Threat Intelligence by the Book

October 8, 2018 • Amanda McKeon

The Recorded Future team is proud to have recently published its first book, “The Threat Intelligence Handbook — A Practical Guide for Security Teams to Unlocking the Power of Intelligence.” The book aims to provide readers with the information they’ll need to integrate threat intelligence into their organizations, to ensure that it’s actionable, and to put it in the hands of people who can most effectively make use of it.

Joining us once again is Recorded Future’s Chris Pace, who served as editor of the new book. He’ll take us through the process he and his colleagues went through to organize and write it, and why he believes the book is valuable for both those new to threat intelligence and the more experienced readers as well.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello, everyone, and welcome to episode 77 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

The Recorded Future team is proud to have recently published its first book, “The Threat Intelligence Handbook — A Practical Guide for Security Teams to Unlocking the Power of Intelligence.” The book aims to provide readers with the information they’ll need to integrate threat intelligence into their organizations, to ensure that it’s actionable, and to put it in the hands of people who can most effectively make use of it.

Joining us once again is Recorded Future’s Chris Pace, who served as editor of the new book. He’ll take us through the process he and his colleagues went through to organize and write it, and why he believes the book is valuable for both those new to threat intelligence and the more experienced readers as well. Stay with us.

Chris Pace:

I think there are two main reasons why we wanted to write a book. One is that we just have a ton of people with a lot to say on the subject — otherwise, we wouldn’t be able to be involved in a podcast like this. And the other, really, is because we’re at a place where we think threat intelligence is moving to be a more ubiquitous security need, as opposed to perhaps just a siloed function in an organization. So our drive is to begin to give security professionals the kinds of useful advice that can help them start to apply threat intelligence in their own organizations.

So that sort of shift in mindset put us in a place where we thought, “Well, this is a perfect time to write a book, plus we have all this expertise. Let’s put it all in one place. Let’s put our whole ethos in one place.”

Dave Bittner:

So can you take us through the process of how you go about organizing something like this? And also, I suppose, there’s the danger here that you don’t want this to become just a brochure — if you will, a marketing effort.

Chris Pace:

Yeah, that’s obviously a challenge. One of the reasons why is, leading an effort to produce something like this involved corralling quite a lot of people at Recorded Future, a lot of people who are intelligence experts, people who know their business. And some people who have no real interest, let us be honest, in marketing products. So actually, having those people be more involved helped to make sure that the book ended up being a handbook as opposed to anything else.

The publishers of the book told us that they’ve never had so many people contribute to one of the books that they published before. And I wear that as a badge of honor, because that means that we got an awful lot of expertise into this fairly short book.

Dave Bittner:

And if I do say so myself, the list of contributors also looks like a “who’s who” of folks we’ve enjoyed having on this podcast as well, including yourself.

Chris Pace:

Yeah, I don’t think there’s anyone on the list who hasn’t been on the podcast. There were some other people in there, in the background, who added their own expertise as well. So actually, that list is not even exhaustive, but it was fascinating. And the way we wrote the book was to get these guys, a bit like you and I are doing now, to have a conversation for a little while, and to collect their intelligence, if you’d like, from that process. And it was absolutely fascinating to listen to these insights from people who’ve worked inside organizations with intelligence, giving useful, practical help. Yeah, it was absolutely fascinating to be a part of the process.

Dave Bittner:

Can you take us inside of that a little bit? What were some of the organizing principles and what were people advocating for?

Chris Pace:

We began with this focus around moving threat intelligence away from being seen as a silo in an organization to a key function of security. That’s been our ultimate aim with writing the book. And then, to empower people who are in, perhaps, other parts of security, people who work in security operations, or in incident response, or as part of vulnerability management. We want them to feel like they can own ways to use threat intelligence in their own function, and have that permeate through their organization.

So we began with an ethos that threat intelligence is for all of security, and then we tried to cover as many use cases as we could, which is tough, but we crammed a lot in there. We crammed a lot of starting advice for these security pros. And those are the people that we’ve written the book for, and that was where we began.

Dave Bittner:

So let’s walk through it a little bit. The book starts off with an introduction from the boss, from Christopher Ahlberg, sort of setting the table for what to expect.

Chris Pace:

Yeah, and I think one of the great things that the foreword does is, it articulates this idea that your perception of what you think maybe threat intelligence is, is definitely changing. We’ve seen this over quite a short period of time, how what we may have seen as only for government analysts, or experts in threat hunting, or malware analysis, we’re starting to see that shift to more practical applications for intelligence in businesses, and what Christopher’s done in the foreword is to frame that, to make that our reference point as we begin, so that people don’t get put off by the idea … It’s not a technical manual, it’s not a training course. It’s designed to be a practical guide, and what we’ve focused on is practical steps.

Dave Bittner:

Yeah, that is one of the things that struck me as I was reading through it, that regardless of what your place is in the security ecosystem, you can flip through this, through the list of chapters, and find something that’s going to apply to you.

Chris Pace:

Yeah, and I think the other thing when you start to think about it that way is, that maybe one of these areas doesn’t apply to you today. And that’s fine. You can dip into the bits that do. Maybe you reach a place in your organization where something happens — there’s a compelling event, and suddenly everyone wants to talk about incident response, or everyone wants to talk about vulnerability management. This will give you a point of reference to go to and say, “Is there a role that threat intelligence can play in helping us to address the issues that we’re facing in those particular areas?”

That’s why we wrote it in this way. We’re hoping it’s the sort of book that people will leave on their desk, and when something comes up and they need an answer to a question, or they’re looking for a direction where intelligence may be able to equip a part of security, that they’ll go back to that guide.

Dave Bittner:

Let’s walk through some of the chapters here. Can you sort of give us a sense for how things are organized?

Chris Pace:

Yeah, so we’ve begun by trying to encapsulate this idea of intelligence-driven security. So rather than intelligence for the sake of producing intelligence that might be used in a number of different ways, instead, we begin by saying intelligence should drive security and the reasons why. And then what we’ve done, which I think is useful to both traditional threat intelligence professionals and analysts, and also to security and risk professionals, is we’ve reworked the threat intelligence cycle to show how security aligns with that cycle. And suddenly, when those two things begin to come together, you get an entirely different understanding of how threat intelligence can work as part of a security organization.

So that’s why we felt it was so important to bring those two worlds together in the first chapter, so that everything we cover afterwards has a foundation. And then, each of the subsequent chapters does focus in on very specific roles and responsibilities. Some of them I’ve already mentioned, like vulnerability management, security operations, but also security leaders, those involved in risk analysis. We have a chapter in there on fraud prevention, as well.

And then, we have the second section of the book, which is on how to get going. So, beginning your journey to applying threat intelligence, and then looking at how you can use frameworks and develop a team, ultimately. So it begins role by role, and then gets into, “Okay, what can you actually do? You want to do something with intelligence? Here are some places to start.”

Dave Bittner:

Yeah, I really like the practical approach here. This is not a technical manual. This deals with real people being able to apply real tools for real use cases.

Chris Pace:

I said before that we come across … We deal with a lot of people as a business, as a vendor of a security product. We talk to a lot of people at events and through our social media, and all that kind of stuff. And the questions that I get asked all the time are, “What actually is threat intelligence?” And the most common question is actually, “How are other people using this?” They want to get a feel for how other organizations are using threat intelligence. And the problem is, normally, that our answer to that is, “Okay, well, they’re using it in a lot of different ways” or, “Well, it depends,” which in a way, is a terrible answer to that question.

But it is the right answer, because there are so many use cases. We’ve written 10 chapters here, and even to begin with, there are so many use cases. But what we’ve tried to do is, in the book, is give people a way to decide which of those use cases might bring them the clearest benefits early on. And we wanted to put all those options, all of the answers to that question, all in one place.

Dave Bittner:

Yeah, and there is some interesting specificity here. One of the chapters deals with threat intelligence for security operators. You cover threat intelligence for incident response, for vulnerability management, for security leaders. But then, what I like is, as you said, the book wraps up with some chapters on the actual journey through getting started with this. And it tells you what not to do.

Chris Pace:

Yeah, I mean, as always, starting is … as someone who has just finished being involved in a book, I can tell you that the blank page is the worst part of starting anything. That flashing cursor is nagging away at you. And I think the process is the same for anything, and so that’s why what we’ve attempted to do is to not overload people with information if they’re just beginning, to give them those practical steps and maybe things that they can achieve reasonably quickly with the right help and with the right direction. And then, we’ve given them the place they should aspire to. As well as being practical, we also wanted to be aspirational, we want to show where the potential is for the application and use of intelligence.

And so, that’s why that second half of the book is written in a way that says, “There are ways you can make a start, so don’t be put off by that blank page. Here are places where you can begin, and in some cases, here are places where you shouldn’t begin.”

Dave Bittner:

Yeah, it seems to me that you all have done a good job of straddling that line between making sure that you’re taking care of the folks who are just beginning their journey. But like you said, this can also be a good desk reference for people who have a lot more experience.

Chris Pace:

Yeah, I think there are organizations now who are using intelligence of some type. In their organization, they might be doing some automation, they might be integrating things with their security technologies. But even those users, they’re in a place where they could still potentially develop to building out a full-blown threat intelligence team, looking to recruit specialist analysts, broadening out that function for it to become a servant, if you like, to the rest of security. So there’s, in some ways, even for a large financial organization, there’s still something for them to learn from the later chapters of this book.

And actually, there may be something for them to learn from the earlier chapters, because they may not have thought about how the intelligence that they produce could be ingested and applied by the other parts of their security organization. So we have tried to include something for everyone, although it’s obviously almost impossible to do that. We have tried to include something for everyone, so that there’s a useful reason for you to keep this book on your desk.

Dave Bittner:

The last chapter talks about developing the core threat intelligence team. I’d like to dig into that a little bit. Can you walk us through some of the lessons that you share there?

Chris Pace:

I think one of the biggest things from this is, when you get to a point where you think, “Yes, we know if we make an investment in this particular area, we’re going to see a return that will help the whole of our security,” one of the challenges is actually where, then, does that belong. That’s one of the first things that we address. You know, where should that threat intelligence team belong? In some cases, they exist completely separately. In some cases, they’re part of an incident response function, and that’s sometimes because of the way that these teams organically grow and the nature of the people in those teams.

But actually, where it ends up is quite key, because you need buy-in from everyone. So some of the internal politics that might come with setting up that new team, and the resources that it gets, that’s something definitely to bear in mind. The other thing, of course, naturally, is what are the core competencies of the people in that team? What are their capabilities?

And the other thing that we’ve highlighted here is that as you build this team, you shouldn’t just be looking to build it with people who have tons of threat intelligence experience. You have a load of people who have experience working in that organization. So if there are people who are showing an aptitude for this sort of work, who were working in other parts of security, you should be looking to bring those guys on to develop them, to show them how they can move from one role to another.

And the last thing, and probably the most important when it comes to building out the team is, how do you plan to produce, and then deliver intelligence, and what kind of intelligence will it be? So, again, that goes back to what I was saying about use cases. Really, you have to know where the benefits are most likely to come from, in terms of the type of intelligence that you decide to produce. Then you’ll be able to make sure that it’s of most benefit to the rest of the organization. So that’s a lot of what we talk about in that final chapter.

Dave Bittner:

Can you take us through some of the things that you learned just going through the process of putting together a book like this? Were there things that you didn’t expect? Lessons that you learned for yourself personally?

Chris Pace:

One of the big things … It’s interesting, I’ve been working in security and for security vendors for a long time now, as much as that pains me to say. But one thing I did learn is that there’s a lot more overlap in some of these functions than perhaps you would expect. And once you begin to examine more closely, what does threat intelligence mean for incident response, for example — the most traditional application — and then thinking about security operations. Some of those needs are actually quite similar, but the application of the intelligence is quite different.

And I think that’s one of the things that I took away, that as much as, sometimes, these roles can be seen as very much these neat swim lanes of what people do day to day, I learned that with most organizations, there’s a great deal of overlap, there’s a great deal of cross-functional work that’s happening. Some of that is to do with the fact that these teams are stretched. But it was just interesting to see how if you could put intelligence right at the center of a lot of these functions, it would amp up the capabilities of a security organization as a whole.

And I think I knew that at the beginning, but actually getting into detail of how these teams operate helped me to see how that could be a reality.

Dave Bittner:

What’s your advice for folks to jump into this book? Is this something they should sit down with and read from start to finish? Or is this the sort of thing where maybe they should look through the chapter list and find the things that apply to them?

Chris Pace:

Yeah, I mean, one of the reasons that at the beginning we created the “Chapters at a Glance” section is that we want to encourage people to be able to head to where they think they’re most likely, when they first get the book, to get a benefit. It is a guide rather than a narrative, although we lay out what we’re going to say right at the beginning and the rest of the book follows that narrative. But if you went straight to chapter four, for example, you wouldn’t necessarily miss anything because you hadn’t read the first three chapters.

So it goes back to that whole thing about a practical guide. We want to encourage people … We’re time-poor enough anyway as it is, so we want to get people to head to what’s really useful to them. And that’s why we broke this up in this way. You can read it start to finish, but our advice would be to head to what you think is going to offer you the most, the biggest benefit right now. And then if you’re hooked and you keep reading, that’s great. But if not, maybe you took away some gems that you could start to apply tomorrow.

Dave Bittner:

Was there anything that had to be left on the cutting room floor? Or do you have plans for, perhaps, a sequel?

Chris Pace:

Oh, gosh. It might be a bit too soon to be thinking about that.

Dave Bittner:

Too early, too early. All right, sorry, Chris.

Chris Pace:

It might be a bit too early. He’s got me writing the second edition already. But I think, yeah, there was naturally … This is just an introduction, right from the beginning. This is just an introduction. There is a ton of stuff around frameworks, around the actual processes involved in the collection, analysis, and production of intelligence. Certainly, the more technical elements, they didn’t make it. There just wasn’t the room.

This is designed as the practical guide for security pros, so there was a load more that we could’ve added that would’ve walked people right through the whole … We’ve got that kind of experience at Recorded Future. We would’ve been able to have created that, but yeah, that was stuff that didn’t make it unfortunately. Maybe there will be a second edition at some point, but there is so much more that could’ve been said. We really have just begun.

Dave Bittner:

Yeah. Well, congratulations, Chris, to you and the whole team. I think it’s quite an accomplishment. I think you’ve achieved what you set out to do here. It is a good read, and of course, it’s free, so go ahead and grab your downloadable version. You can also request a printed version to keep on your desk like we said before. I think it’s worth your time.

Chris Pace:

Yeah, and of course, I want to make sure that I thank everyone who was involved in the production of this. It took effort from a lot of people, a lot of involvement from a lot of people, a lot of organizing, copyediting, design, all of the things that are involved in the process of publishing a book, and it could not have been done without the team effort from people at Recorded Future. So we’re very proud.

Dave Bittner:

Our thanks to Recorded Future’s Chris Pace for joining us. Be sure to get your free copy of “The Threat Intelligence Handbook — A Practical Guide for Security Teams to Unlocking the Power of Intelligence.” It’s on the Recorded Future website.

If you enjoyed this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.