### **3.1 Development cycle of threat intelligence**

Cyber security analysts conducting threat intelligence should adopt a best-practice methodology when developing their threat intelligence techniques and solutions [15]. This intelligence cycle can be defined by five phases. In the first phase, requirements, the security intelligence professionals receive direction from top management about what type of information they should gather; these requirements usually reflect the main concerns of the organization's end-clients or customers. Analysis is the second phase of the intelligence cycle, with the purpose of turning the collected facts into actionable intelligence. For example, intrusion detection log files can be collected and analyzed in response to a rise in SSH attacks. The third phase, dissemination, shares useful information with end-clients in the form of technical reports to support informed decision making. Finally, feedback from end-clients should be gathered to determine their satisfaction level and how to improve intelligence collection efforts in the near future [16].
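The analysis phase above mentions collecting and analyzing intrusion detection logs in response to SSH attacks. The following added example (not code from the chapter) shows that step in Python: it parses a constructed excerpt of OpenSSH `auth.log` lines, aggregates failed logins per source, and separates a user's typo from a source that sprays many usernames. The log lines, host name and addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Analysis phase of the intelligence cycle: turn raw sshd log lines into facts.

Added example, not from the chapter. The log lines below are constructed in
the common OpenSSH auth.log format; the addresses are RFC 5737 documentation
ranges, not real sources.
"""
import re
from collections import defaultdict

# Constructed sample of an auth.log excerpt (not captured from a real host).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:04 bastion sshd[2203]: Failed password for invalid user oracle from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:05 bastion sshd[2205]: Failed password for root from 198.51.100.7 port 51041 ssh2
Mar  3 10:01:09 bastion sshd[2207]: Failed password for invalid user test from 198.51.100.7 port 51055 ssh2
Mar  3 10:02:11 bastion sshd[2210]: Accepted publickey for deploy from 203.0.113.5 port 40022 ssh2: ED25519 SHA256:abc
Mar  3 10:02:30 bastion sshd[2212]: Failed password for alice from 203.0.113.9 port 40100 ssh2
Mar  3 10:02:33 bastion sshd[2214]: Accepted password for alice from 203.0.113.9 port 40100 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def summarize_ssh_failures(log_text):
    """Return {ip: {"failures": n, "users": set(...), "success": bool}}."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success": False})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            entry = stats[m.group("ip")]
            entry["failures"] += 1
            entry["users"].add(m.group("user"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            stats[m.group("ip")]["success"] = True
    return dict(stats)


def brute_force_sources(stats, min_failures=3, min_users=2):
    """Facts for the report: sources with many failures spread over several
    usernames (brute force / password spraying) rather than one user's typo."""
    return sorted(
        ip for ip, s in stats.items()
        if s["failures"] >= min_failures and len(s["users"]) >= min_users
    )


def report(stats):
    """Dissemination phase: a short human-readable summary per source."""
    lines = []
    for ip in sorted(stats):
        s = stats[ip]
        lines.append(f"{ip}: {s['failures']} failed logins, "
                     f"{len(s['users'])} distinct users, "
                     f"{'later succeeded' if s['success'] else 'no success'}")
    return "\n".join(lines)


if __name__ == "__main__":
    stats = summarize_ssh_failures(SAMPLE_AUTH_LOG)
    print(report(stats))
    print("brute-force sources:", brute_force_sources(stats))
```

The thresholds in `brute_force_sources` are hunt parameters, not fixed values: a source that fails once and then succeeds (203.0.113.9 above) is a legitimate user, while a source cycling through several usernames is the fact the report should carry.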

### **3.2 Threat indicator tools management**

*Intelligent Cybersecurity Threat Management in Modern Information Technologies Systems DOI: http://dx.doi.org/10.5772/intechopen.105478*

Threat indicators are the properties that describe a threat; they are used to identify and characterize a specific threat. These indicators can include IP addresses, signatures of detected malicious files, notable communication patterns and any other identifiers used in cybersecurity for threat intelligence, since all collaborators need a common language in which to communicate. If a threat is detected with the aid of these tools, it becomes easy and efficient to inform others about that particular threat, even in an automated fashion [17]. The first important indicator tool for information sharing is the Cyber Observable Expression (CybOX), which categorizes security observations and helps in understanding the properties of intrusion attempts or malicious software. The second tool for this information exchange is the Structured Threat Information Expression (STIX), a standardized language that communicates security information between organizations and their systems. It uses the properties from the first tool and makes the language easy to use in a structured manner. Trusted Automated Exchange of Indicator Information (TAXII) is a tool containing services to effectively share security information between organizations and their systems. In the end, TAXII can be considered a framework for exchanging messages written in the STIX language [18].

### **3.3 Threat intelligence information sharing**

The technological tools discussed above, TAXII, STIX and CybOX, are enablers for sharing threat intelligence information between different organizations and systems. They add security value to different business functions within an organization, such as the incident response team, vulnerability management team, risk management team, security engineering team and detection and monitoring team. Automated sharing of information between the tools and these different teams is the key achievement here. Collaborative threat information sharing between different organizations is highly recommended and required; to facilitate such sharing, Information Sharing and Analysis Centers (ISACs) bring together cybersecurity teams from different organizations to share the security concerns of a specific industry in a confidential manner [19].
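Sections 3.2 and 3.3 describe STIX as the common language and TAXII as the transport for sharing indicators. The following added example (not code from the chapter, and not the official `stix2` library) writes a STIX 2.1 indicator bundle by hand so it runs offline, checks the required properties of an indicator, and matches a local observation against the shared patterns, which is the automated use an ISAC member or a detection team would make of a received bundle. The indicator names, addresses (RFC 5737 ranges) and the fixed timestamp are constructed; only the simplest STIX pattern shape (`[<type>:<path> = '<value>']`) is parsed.

```python
"""Expressing indicators in STIX 2.1 JSON so they can be shared (e.g. via TAXII).

Added example, not from the chapter and not the official stix2 library; the
JSON is written by hand so the example runs offline. Addresses are RFC 5737
documentation ranges, and the timestamp is fixed so output is reproducible.
"""
import json
import re
import uuid

STIX_TS = "2022-03-03T10:05:00.000Z"  # constructed, fixed timestamp

# Required properties of a STIX 2.1 Indicator object (subset of the spec).
REQUIRED_INDICATOR_PROPS = ("type", "spec_version", "id", "created", "modified",
                            "pattern", "pattern_type", "valid_from")


def make_ipv4_indicator(ip, name, ts=STIX_TS):
    """Build one STIX 2.1 Indicator whose pattern matches a single IPv4 address."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{ip}']",
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects):
    """Wrap STIX objects in a Bundle, the unit a TAXII collection carries."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def validate_indicator(obj):
    """Return the list of required Indicator properties missing from obj."""
    return [p for p in REQUIRED_INDICATOR_PROPS if p not in obj]


# Only the simplest STIX pattern shape is parsed here: [<type>:<path> = '<value>']
SIMPLE_PATTERN_RE = re.compile(
    r"^\[(?P<obj>[\w-]+):(?P<path>[\w.]+) = '(?P<value>[^']*)'\]$"
)


def match_observation(bundle, obj_type, path, value):
    """Names of indicators in the bundle whose pattern equals the observation."""
    hits = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = SIMPLE_PATTERN_RE.match(obj["pattern"])
        if m and (m["obj"], m["path"], m["value"]) == (obj_type, path, value):
            hits.append(obj["name"])
    return hits


if __name__ == "__main__":
    bundle = make_bundle([
        make_ipv4_indicator("198.51.100.7", "SSH brute-force source (constructed)"),
        make_ipv4_indicator("198.51.100.23", "Port scanner (constructed)"),
    ])
    print(json.dumps(bundle, indent=2))
    # A receiving team checks an address seen in its own logs against the bundle.
    print(match_observation(bundle, "ipv4-addr", "value", "198.51.100.7"))
```

A real STIX pattern language is richer than the one-comparison form parsed here (it supports boolean operators and observation windows), so a production consumer would use a full pattern evaluator; the point of the example is that once both sides agree on the STIX shape, the match step needs no human in the loop.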

### **3.4 Use cases where threat intelligence is a highly effective solution**

Some use cases that show the importance of threat intelligence in detecting and treating security problems include detecting unauthorized network connections, monitoring events that may change user credentials, monitoring antivirus logs to identify insecure ports and services, managing replicas to ensure data protection, and generating compliance reports in suitable formats by collecting system and security logs. Compliance with regulations such as the GDPR can be enhanced significantly by good use of threat intelligence modeling in use cases where data protection is needed, such as verifying and auditing security controls, enabling periodic reporting to data owners by providing structured access to log information, monitoring critical changes to user credentials, and managing data breaches by managing security alerts and analyzing the full impact of incidents.

## **4. Threat modeling**

For threat modeling to be performed effectively, it needs some preprocessing steps, such as performing threat research and then identifying and understanding the different types of possible threats [20, 21]. Once an organization can effectively model possible threats, threat hunting can be performed to significantly reduce and manage the different cybersecurity threats.

### **4.1 Conducting threat research**

This step is important for better understanding the environment in which an organization operates, as well as the motivations and capability levels of potential attackers. This leads to a better understanding of how to defend against these possible attacks. The aim of threat research is to know how attackers think and behave. Two important techniques can be followed in threat research to identify potential threats. The first is reputational threat research, which discovers potential attackers based on IP addresses, email addresses and domains that have previously been involved in attacks; blocking future attacks from these sources is very good practice. The second is behavioral threat research, which aims to identify potentially malicious actors by observing the similarities between their behavior and the behavior seen in past attacks [22].

### **4.2 Threat identification and understanding the different types of attacks**

To help an organization keep track of different types of threats efficiently, it is highly recommended that security professionals use threat modeling techniques that classify the different potential threats and categorize them by their degree of risk. To properly identify the potential threats to an organization, a structured approach to threat management can be used in three ways. The first is the asset-focused approach, in which analysts base their analysis on the organization's asset inventory to identify the potential threats to each asset. The second is the threat-focused approach, which aims to understand all the possible threats that might affect the different information systems within the organization, for example the different hacking techniques that might gain access to the network; such attacks can come from different parties, including known hackers, trusted partners and even employees. Finally, a service-focused approach can be used to identify the impact of various threats on each specific service when the different services of an organization are offered by different service providers. For example, when an organization uses an API and exposes it to the public, it is good practice to think about all the interfaces offered by that API and the threats that can be associated with each interface. Properly identifying the different threats an organization may face is the first step toward a proper threat modeling process [23].

Once the different security threats have been properly identified, security analysts should move forward to fully understand the possible attacks. The most commonly used model for categorizing these attacks is the Microsoft STRIDE model, in which each letter represents a category of attack. S stands for spoofing, an attack that uses falsified identity information to gain access to the system; the best control against spoofing is strong authentication. T indicates tampering, an attack that makes unauthorized changes to the system and disrupts data integrity. R indicates repudiation, an attack that aims to deny responsibility for an action and can go further by blaming a third party; digital signatures are very useful against this type of attack. I indicates information disclosure, in which the attacker intends to steal confidential information and disclose it publicly. D refers to denial of service (DoS) attacks, which try to prevent legitimate users from accessing the information or the system they need. Finally, E stands for elevation of privilege, also known as privilege escalation, an attack that tries to turn a normal user account into a superuser or root account in order to exceed legitimate privileges [24]. A system diagram that illustrates the data flow and relations between system modules is quite helpful in understanding the impact of different attacks on an organization. These types of diagrams can be used in reduction analysis, which breaks down the system into smaller components so that each can be properly assessed. This helps simplify complex systems for thorough security reviews.

Two important terms should be clear to security analysts. The "Total Attack Surface" considers all of the systems and services that could be potential entry points for an attacker, and the "Attack Vector" is the means used by an attacker to gain initial access to a system or network [25].

### **4.3 Threat modeling as threat risk management**

Threat modeling involves some important factors, such as the capabilities of malicious hackers: understanding the levels of sophistication and the tools available to potential hackers gives a better understanding of how these attackers may approach and attack an organization. Another factor to be understood is the total attack surface and the potential attack vectors, as these two characteristics are key to understanding the types of attacks to be faced. Then comes the factor of impact, which is used to prioritize the different types of threats. Finally, there is the factor of likelihood, considered in combination with the impact a threat would cause in an organization if it occurred and the likelihood of that threat materializing. As a best practice, threat modeling should periodically prompt analysis of the security infrastructure. A significant benefit of efficient threat modeling is that it can detect repeated system inefficiencies, such as data theft or data leakage, which may indicate the need for, for example, a data loss prevention (DLP) system to cover those inefficiencies [26].
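Sections 4.2 and 4.3 together describe reduction analysis over a data-flow diagram, STRIDE categorization, the total attack surface, and prioritization by impact and likelihood. The following added example (not code from the chapter) carries that procedure through in Python on a constructed toy system (a public API in front of a customer database). The components, flows, impact scores and the STRIDE-per-flow rules are all assumptions made for the example: the rules are a simplified version of the common "STRIDE per element" practice, and likelihood is derived from which controls a flow lacks, which is one reasonable scoring choice rather than a published standard.

```python
"""Reduction analysis with STRIDE and impact x likelihood scoring.

Added example, not from the chapter. The components, flows, scores and the
STRIDE-per-flow rules describe a constructed toy system and are simplifying
assumptions; a real model would use the organization's own DFD and ratings.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    kind: str            # "external", "process" or "datastore"
    trust_zone: str      # e.g. "internet", "dmz", "internal"


@dataclass
class Flow:
    src: Component
    dst: Component
    data: str
    authenticated: bool = False
    encrypted: bool = False
    signed: bool = False      # non-repudiation control
    logged: bool = False
    rate_limited: bool = False
    impact: int = 3           # 1 (low) .. 5 (critical), rated by the analyst


def crosses_boundary(flow):
    """A flow between trust zones is where attacks typically enter."""
    return flow.src.trust_zone != flow.dst.trust_zone


def stride_threats(flow):
    """Return (category, reason, likelihood 1..5) for each STRIDE threat the flow
    is exposed to; likelihood rises when a control is missing at a boundary."""
    t = []
    boundary = crosses_boundary(flow)
    if not flow.authenticated:
        t.append(("Spoofing", "no authentication of the caller", 5 if boundary else 3))
    if not flow.encrypted and boundary:
        t.append(("Tampering", "unprotected channel crosses a trust boundary", 4))
        t.append(("Information disclosure", "cleartext data crosses a trust boundary", 4))
    if not flow.signed and not flow.logged:
        t.append(("Repudiation", "action neither signed nor logged", 3))
    if not flow.rate_limited and flow.src.kind == "external":
        t.append(("Denial of service", "external caller is not rate limited", 3))
    if flow.dst.kind == "datastore" and not flow.authenticated:
        t.append(("Elevation of privilege", "unauthenticated write path to a data store", 4))
    return t


def attack_surface(flows):
    """Total attack surface: components directly reachable from an external entity."""
    return sorted({f.dst.name for f in flows if f.src.kind == "external"})


def prioritized_risks(flows):
    """Risk = impact x likelihood, highest first (ties broken deterministically)."""
    rows = []
    for f in flows:
        for cat, why, likelihood in stride_threats(f):
            rows.append({"flow": f"{f.src.name}->{f.dst.name}", "category": cat,
                         "reason": why, "risk": f.impact * likelihood})
    return sorted(rows, key=lambda r: (-r["risk"], r["flow"], r["category"]))


# Constructed toy system: internet user -> public API (DMZ) -> customer DB (internal).
INTERNET_USER = Component("user", "external", "internet")
API = Component("public-api", "process", "dmz")
DB = Component("customer-db", "datastore", "internal")

FLOWS = [
    Flow(INTERNET_USER, API, "order request", authenticated=True, encrypted=True,
         logged=True, impact=4),
    Flow(API, DB, "SQL write", authenticated=False, encrypted=False, logged=False,
         impact=5),
]

if __name__ == "__main__":
    print("attack surface:", attack_surface(FLOWS))
    for r in prioritized_risks(FLOWS):
        print(f"{r['risk']:>2} {r['flow']:<24} {r['category']:<24} {r['reason']}")
```

On this toy system the internal, unauthenticated database path scores higher than anything on the public edge, which is the kind of result reduction analysis exists to surface: the flow nobody put on the attack surface list is the one with the highest risk.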

### **4.4 Effective threat hunting after proper threat modeling**

Threat hunting is an organized and systematic approach to discovering indicators of compromise on networks using different analytical techniques [27]. It uses a combination of tested security techniques and new analytic tools and technologies to monitor and track signs of suspicious activity. Google Trends is a very good example in this context: it shows how threat hunting has grown rapidly in recent years as organizations adopted this new approach. Threat hunting requires a shift in mindset from a defense-focused to an offense-focused approach; it is very useful to think like the hackers who are engaged in attacking the organization. To conduct effective threat hunting, it is highly recommended to begin by establishing hypotheses, which can be based on profiling threat actors and their activities or on possible vulnerabilities in the information systems. Once these hypotheses are formulated, thinking should focus on the indicators of compromise that would be associated with each hypothesis if it were true. These indicators can be any unusual signs in the system, such as unusual binary files with malicious or unknown content, unexpected modifications to the system, unexpected processes, patterns of unusual resource consumption, the presence of unexpected accounts (which may point to an intended attack), deviations in network traffic patterns, unexplained log entries and unapproved changes to system configuration. All these indicators are the core of the threat hunting process [28].
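The hypothesis-driven procedure above (state a hypothesis, list the indicators that would be true if it held, then look for them) is shown below as an added Python example, not code from the chapter. The hypothesis is "an attacker has established persistence on the web server"; each check covers one indicator named in the text (unexpected process, unexpected account, unusual resource consumption, unapproved configuration change, unexplained log entry) by comparing a host snapshot with its baseline. The baseline, the snapshot, the process and account names, the hash placeholders and the log lines are all constructed for the example.

```python
"""Hypothesis-driven hunt: compare a host snapshot against its known-good baseline.

Added example, not from the chapter. BASELINE and SNAPSHOT are constructed toy
data (process names, accounts, hash placeholders and log lines are invented);
a real hunt would pull the same fields from an EDR or inventory system.
"""

# Constructed baseline: what the web server is expected to look like.
BASELINE = {
    "processes": {"sshd", "nginx", "php-fpm", "cron", "rsyslogd"},
    "accounts": {"root", "www-data", "deploy"},
    "cpu_pct_p95": 35.0,                       # normal 95th-percentile CPU load
    "config_hashes": {"/etc/ssh/sshd_config": "h1", "/etc/crontab": "h2"},
    "approved_changes": {"/etc/ssh/sshd_config"},   # a change ticket exists
}

# Constructed snapshot taken during the hunt.
SNAPSHOT = {
    "processes": {"sshd", "nginx", "php-fpm", "cron", "rsyslogd", "kworkerd"},
    "accounts": {"root", "www-data", "deploy", "support2"},
    "cpu_pct_now": 92.0,
    "config_hashes": {"/etc/ssh/sshd_config": "h9", "/etc/crontab": "h7"},
    "auth_log": [
        "Accepted password for deploy from 10.0.0.12 port 5000 ssh2",
        "Accepted password for support2 from 10.0.0.77 port 5100 ssh2",
    ],
}


def unexpected_processes(baseline, snapshot):
    """Indicator: processes that are not in the baseline inventory."""
    return sorted(snapshot["processes"] - baseline["processes"])


def unexpected_accounts(baseline, snapshot):
    """Indicator: accounts that the baseline does not know about."""
    return sorted(snapshot["accounts"] - baseline["accounts"])


def unusual_resource_use(baseline, snapshot, factor=2.0):
    """Indicator: CPU use well above the baseline p95 (factor is a hunt parameter)."""
    return snapshot["cpu_pct_now"] > baseline["cpu_pct_p95"] * factor


def unapproved_config_changes(baseline, snapshot):
    """Indicator: changed configuration files without an approved change record."""
    changed = [p for p, h in snapshot["config_hashes"].items()
               if baseline["config_hashes"].get(p) != h]
    return sorted(p for p in changed if p not in baseline["approved_changes"])


def unexplained_logins(baseline, snapshot):
    """Indicator: successful logins by accounts absent from the baseline."""
    hits = []
    for line in snapshot["auth_log"]:
        if line.startswith("Accepted "):
            user = line.split(" for ", 1)[1].split(" ", 1)[0]
            if user not in baseline["accounts"]:
                hits.append(line)
    return hits


def hunt(baseline, snapshot):
    """Run every indicator check for the persistence hypothesis.
    Only checks that produced a finding are returned."""
    findings = {
        "unexpected_processes": unexpected_processes(baseline, snapshot),
        "unexpected_accounts": unexpected_accounts(baseline, snapshot),
        "unusual_resource_use": unusual_resource_use(baseline, snapshot),
        "unapproved_config_changes": unapproved_config_changes(baseline, snapshot),
        "unexplained_logins": unexplained_logins(baseline, snapshot),
    }
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for name, value in hunt(BASELINE, SNAPSHOT).items():
        print(f"{name}: {value}")
```

Each finding on its own is ambiguous (a new account may be legitimate, a changed file may have a ticket the baseline missed), which is why the hunt is organized around a hypothesis: several independent indicators pointing at the same account and the same host are what turn a list of anomalies into a lead for incident response.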
