Cyber Threat Intelligence by Martin Lee - A Book Review
Posted on May 20, 2025 • 20 minutes • 4119 words
The Book and Author
Cyber Threat Intelligence was written by Martin Lee and published on April 25, 2023. It is available on Amazon. He is the head of EMEA at Talos Threat Intelligence, Cisco, and holds the CISSP certification.
The book is fundamental to the cyber threat intelligence profession. It starts with a historical background and explains why intelligence is needed in decision-making. The ethical considerations are valuable and applicable to all occupations. If you want to start a career in CTI, or already hold a CTI role or responsibilities, this is a must-read. It explains why nation-states need intelligence for military purposes and draws the parallel for private industry's need for cyber threat intelligence.
I want to mention specific points from his book.
The Citations
A military commander wishing to operate in any of these domains must collect intelligence to understand the threats that may be encountered. This intelligence should be expected to describe where a threat is located, the specific danger that the threat may pose, and how the threat is changing over time. In this respect, cyberspace is no different. Within this new domain hostile adversaries may be operating, physical features of the infrastructure may constrain operations, and software installations may change as frequently as the weather (Mavroeidis and Bromander 2017). (p.24)
One document reflecting the uncertainties of the time, succinctly defines intelligence as: Intelligence is the official, secret collection and processing of information on foreign countries to aid in formulating and implementing foreign policy, and the conduct of covert activities abroad to facilitate the implementation of foreign policy. (Bimfort 1958) (p.23)
Writing in the fifth century BCE, the Greek historian, Herodotus, described how messages could be tattooed on a slave’s scalp before allowing the hair to grow and hide the message. Herodotus also described writing hidden messages on wooden backing of the wax tablets used by scribes to record and send messages (Fabien et al. 1999). (p.26)
During the American Civil War, both the Confederacy and the Union used the telegraph to send signals, both used cryptography to encrypt the contents of their messages, and both intercepted each other’s communications. (p.32)
The attacker was using the Lawrence Berkeley Laboratory computer system not only to search for and collect potentially sensitive information from the laboratory itself, but also as a site to launch further attacks on computer systems within the US, many of which were hosted by, or closely associated with the military (Stoll 1988). (p.40)
…the term APT came to be used as an umbrella term to refer to any attackers who appeared to be conducting a state‐sponsored attack (Bejtlich 2010). (p.41)
As technology increasingly assists and enhances everything within our professional and personal lives, networked computer systems perform vital functions within our society. Cyber threat intelligence seeks to inform how we protect these vital systems against threats. (p.44)
Communicating information about these risks is a threat intelligence activity in itself, informing others so they can make appropriate decisions and modify behaviour if required. (p.45)
Organisations should have a clear idea of why intelligence is needed, exactly how the intelligence will be used, and how the success of the intelligence programme will be measured. (p.45)
An intelligence function cannot foresee the future or read the minds of adversaries. The unpredicted and unpredictable does happen. (p.46)
Strategic threat intelligence – Describing long term changes, and the long term objectives of adversaries. Intended to be read by senior executives to drive long term strategy and priorities. (p.46)
Operational threat intelligence – Describing short to medium term changes in the threat landscape, and the current techniques used by adversaries. Intended to be read by security teams to help manage short term priorities and the current situation. (p.46)
Tactical (or technical) threat intelligence – Describing what is happening at this moment in time within the threat landscape. Largely intended to be read by machine to manage the immediate situation. (p.46)
Security teams should be mindful of the words of Frederick the Great of Prussia, ‘he who defends everything, defends nothing’. It is fanciful to expect that every system within an organisation can be protected to a maximum extent. Resources are not infinite, and compromises must be made trading off security against usability. (p.46)
…some systems will constitute the ‘crown jewels’ of an organisation, to the point that if they were successfully attacked the organisation would suffer extreme consequences. (p.46)
Threat intelligence allows security teams to focus on what is likely to happen rather than what might happen, and to take a proactive approach in responding to a changing threat environment. (p.46)
Providing guidance on how accidental data loss occurs, or the likely impact of an approaching weather system are both examples of relevant cyber threat intelligence. (p.55)
When under scrutiny, users may become more diligent in their work and less prone to human error when they are aware that security teams are watching. (p.55)
…it is impossible for a threat intelligence programme or team to collect intelligence on a threat of which they are not aware. (p.57)
Threat intelligence professionals can help staff members with financial authority recognise and resist these scams by spreading awareness of how the scams work, and report any newly discovered variations in the scam. (p.60)
Threat intelligence professionals have a key role in identifying common misconfigurations, and informing system administrators of these. (p.61)
Rarely is a CVSS score on its own enough to convey the particular risk faced by an organisation to a significant vulnerability. (p.63)
Comprehensive lists of known threat actor groups are published by the MITRE Corporation® ATT&CK team and the Malware Information Sharing Platform (MISP) Galaxy Project who identify 122 and 364 active threat actor groups, respectively. (p.69)
Criminal entities may form and disband, blurring exactly which group was responsible for what attack. Or they may outsource components of an attack to a third party that links many different attacks from separate threat actors. (p.69)
Some criminal threat actors may act with various degrees of state sponsorship ranging from tacit tolerance of their activity through to state direction in the choice of their targets. In many ways, these primarily criminal threat actors acting under state direction and protection are analogous to privateers of the seventeenth and eighteenth centuries. Privateers were pirates who acted on behalf of a nation state as an adjunct to national armed forces, in return gaining respectability and protection for their otherwise criminal activities. (p.70)
…threat actors should not be thought of as monolithic entities whose motivations and modes of action are static and set in stone, but as fluid entities whose allegiances, associations, and motivations may change over time. (p.70)
Common Attack Pattern Enumeration and Classification (CAPEC™) is a separate initiative that seeks to enumerate the attack patterns used by attackers, listing the approaches used to exploit weaknesses within systems (US Department of Homeland Security and MITRE n.d.). (p.72)
Techniques used for defence evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. (p.73)
Native operating system tools are often used towards this post‐compromise information‐gathering objective. (p.74)
Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier. (p.74)
Threat intelligence professionals should be aware of the particular victimology of their own organisation. (p.77)
Decision makers within the organisation are unlikely to be aware of evolutions of the threat landscape and the consequences of these without input from the threat intelligence team. (p.78)
Spreading resources too thinly, especially when an intelligence function is being established, risks threat intelligence making little or no difference to the security goals of the organisation. (p.97)
Developing a threat intelligence team too quickly risks delivering more intelligence than other teams can process, or worse delivering intelligence that is of no use to the intended consumers. (p.98)
…even having a minimal threat intelligence function that is able to provide basic information enriching understanding of current threats and how these might be addressed is likely to provide benefit. (p.99)
ISO/IEC 27002 states that threat intelligence should be ‘relevant, perceptive, contextual, and actionable’ (ISO 2022). (p.99)
Timely – Intelligence is useless if delivered too late. Less than perfect outputs delivered on time are preferable to outdated material. (p.100)
Strategic metrics describing how the intelligence programme has helped the business achieve its goals. This may include measures such as how intelligence has reduced risk, or money saved through detecting or resolving threats faster due to the contributions of intelligence. (p.102)
Recorded Future, another commercial threat intelligence organisation, recommends using metrics as a method of illustrating the story of the threat intelligence team. (p.102)
They recommend focusing on metrics that are directly affected by the intelligence team, namely the inputs to the team, the analyses that the team performs, the output that the team creates, and the impact that the intelligence has on the cyber security function. (p.102)
The focus should be on delivering an intelligence product that meets the requirements of the end user. (p.102)
Analysis and Processing: This phase involves the transformation of raw data and information into intelligence through the application of the intelligence analyst’s skill in combining and synthesising the inputs into intelligence analysis that meets the customer’s requirements. (p.104)
The intelligence should be timely, ‘It is better to provide 80% of the intelligence on time rather than 100% of the intelligence too late’ (Development, Concepts and Doctrine Centre, UK MoD 2011). (p.105)
…intelligence reports need to clearly indicate restrictions on the distribution of reports and the importance of keeping the report confidential. (p.105)
…if our perception of reality diverges from the actual environment then our situational awareness may be poor. (p.106)
…human oversight is required to ensure the veracity of the tactical intelligence, and whether it contributes to improving the security posture. (p.108)
If strategic intelligence is concerned with the ‘who’ and ‘why’ of threats, operational intelligence is concerned with the ‘how’ and ‘when’ (INSA 2014b). (p.112)
…in the immediacy of a difficult and fast developing situation, not every intelligence report will be accurate. (p.114)
Data that is enriched with threat intelligence also helps defenders develop situational awareness and quickly identify malicious behaviour. (p.116)
Ultimately, attacks by sophisticated attackers are rare events. Security teams that have never considered or practised against such an attack are unlikely to be prepared to effectively counteract the attack. (p.118)
No threat intelligence data can provide a crystal ball to see into the future and predict with perfect precision the attacks that will occur. (p.123)
…an attacker may purposefully leave clues that lead investigators to an incorrect conclusion regarding the origin or nature of an attack. (p.123)
Analysts need to be aware of what is not being said within reports. Information and context may be redacted due to national security or client confidentiality reasons. (p.131)
Analysts should be mindful that even the most credible of intelligence reports is unlikely to paint the full picture. (p.131)
An error to be aware of within intelligence reports is that of circular reporting. One source reports something incorrect or as conjecture, a second source repeats the assertion as fact, which is then repeated by a third source, and so forth. (p.131)
National cyber security agencies and industry regulators are excellent sources of information regarding long term threats or specific threat actors. (p.136)
Unlike honeypots, canary systems are not designed to attract malicious activity but to disclose the presence of malicious activity within active systems. Canaries may be systems, users, or even files. The goal is to alert security teams to the presence of an attacker, rather than to engage with the attacker and to learn more information about them. (p.139)
Castles in mediaeval Japan were built with wooden floorboards that purposefully squeaked when walked upon. The emitted sounds resembled the song of the bush warbler bird, often translated into English as ‘nightingale’. The sound betrayed the presence of anyone creeping around the castle at night, no matter how stealthy they tried to be. To distinguish friend from foe, allies were taught to walk with a specific rhythm that could be detected by the ‘singing’ of the floor as they walked (Baseel 2015). (p.140)
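The canary idea in the two passages above, and the nightingale floor's allowed "rhythm", can be expressed as a small piece of detection logic. The code below is an added example, not from the book or the reviewer: the canary names, the allowlisted backup process and the audit events are all constructed for illustration. A canary account, file or API token has no legitimate consumer, so any event that touches one is an alert; the single scheduled process that is expected to read the canary file is the analogue of the allies who knew how to walk the floor.

```python
"""Canary (honeytoken) alerting over constructed audit events (hypothetical example).
Any event touching a canary account, file or token is an alert, except for the
one scheduled process allowed to 'walk the floor' with a known rhythm."""
from dataclasses import dataclass

# Constructed canaries: objects that look valuable but nothing real depends on.
CANARY_USERS = {"svc-backup-legacy"}
CANARY_FILES = {"/finance/q3-bonus-plan.xlsx"}
CANARY_TOKENS = {"CANARY-TOKEN-0001"}  # placeholder string, not a real key format

# The one expected touch: the nightly backup agent reads every file on the share.
# Any other process reading the canary file is a stranger on the nightingale floor.
ALLOWED_RHYTHM = {("/finance/q3-bonus-plan.xlsx", "backup-agent")}


@dataclass
class Alert:
    kind: str        # canary_user, canary_file or canary_token
    indicator: str   # which canary was touched
    event: dict      # the raw event that triggered the alert


# Constructed audit events in identity, file-server and API-gateway styles.
EVENTS = [
    {"ts": "2025-05-20T01:00:03Z", "type": "file_read", "user": "svc-backup",
     "process": "backup-agent", "path": "/finance/q3-bonus-plan.xlsx"},
    {"ts": "2025-05-20T08:12:44Z", "type": "login", "user": "alice", "src": "10.0.0.21"},
    {"ts": "2025-05-20T08:40:10Z", "type": "file_read", "user": "alice",
     "process": "excel.exe", "path": "/finance/report.xlsx"},
    {"ts": "2025-05-20T11:03:27Z", "type": "file_read", "user": "bob",
     "process": "explorer.exe", "path": "/finance/q3-bonus-plan.xlsx"},
    {"ts": "2025-05-20T11:05:02Z", "type": "login", "user": "svc-backup-legacy", "src": "10.0.0.77"},
    {"ts": "2025-05-20T11:09:55Z", "type": "api_call", "token": "CANARY-TOKEN-0001",
     "src": "198.51.100.23", "endpoint": "/v1/customers"},
]


def check_event(event: dict):
    """Return an Alert if the event touches a canary outside the allowed rhythm, else None."""
    user = event.get("user")
    if user in CANARY_USERS:
        return Alert("canary_user", user, event)
    path = event.get("path")
    if path in CANARY_FILES and (path, event.get("process")) not in ALLOWED_RHYTHM:
        return Alert("canary_file", path, event)
    token = event.get("token")
    if token in CANARY_TOKENS:
        return Alert("canary_token", token, event)
    return None


def detect(events) -> list[Alert]:
    """Run every event through the canary checks and collect the alerts in order."""
    return [a for a in (check_event(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"{alert.event['ts']} {alert.kind}: {alert.indicator}")
```

The point of the allowlist being keyed on (file, process) rather than on the user alone is that a stolen service account used from an unexpected process still trips the canary, which is exactly the "no matter how stealthy" property the floor was built for.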
Strategic intelligence reports are written for senior decision makers to help make long term decisions. (p.145)
Operational intelligence reports are written for operational decision makers, providing information regarding the current environment for the near to medium future. (p.145)
Tactical reports describe the current situation and are often written to be ingested and read by machine. (p.145)
The cyber threat landscape is complex, the world does not necessarily need another voice that will provide little more than noise in an already noisy situation. A clear voice that cuts through the hubbub, or that provides new observations that are urgently required is of great benefit. (p.145)
Constant feedback from consumers of intelligence allows intelligence teams to refine their intelligence production to ensure the quality of their reports. (p.147)
The mnemonic MoSCoW is used to describe and rank requirements according to the following criteria:
M – Must Have – absolutely necessary requirements for the system.
S – Should Have – important requirements that will add value to the system.
C – Could Have – useful requirements, but will have little impact if omitted.
W – Will Not Have – requirements that will not be implemented. (Hatton 2008) (p.150)
…analyst collecting the data must clearly record how the data was obtained. The steps necessary to obtain the data should be recorded so that the data collection is repeatable. A different analyst following the same steps should obtain the same set of data. Noting the exact query terms will be very useful if the same or similar requests are made in the future. (p.151)
There is no single format for writing intelligence reports. There is no right or wrong way, but there are good practices that will help the consumers of the report in making best use of the intelligence. (p.151)
Provide the summary first. Separate facts from analysis. Ensure traceability. Keep it brief. Be actionable. (p.152)
In writing intelligence reports, remember the adages: half as long is twice as good, and a picture paints a thousand words. (p.152)
In addition to any mention of IoCs in the text, include a separate section containing IoCs so that operational teams can readily extract this data. (p.152)
Poor quality or unreliable data invariably leads to poor analyses and conclusions. (p.154)
Searching within the logs for the presence of any IoCs described in the report would be a good first step. (p.155)
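The two quotations about a separate IoC section (p.152) and sweeping logs for those IoCs (p.155) describe one workflow, shown here as an added example that is neither the book's nor the reviewer's code. The report text, the defanging conventions it assumes (hxxp, [.]) and the log lines are all constructed; the function and variable names are the example's own.

```python
"""Pull the IoC section out of a constructed intelligence report, refang the
indicators, and sweep constructed log lines for them (hypothetical example)."""
import re

# Constructed sample report: summary first, separate IoC section at the end,
# with indicators defanged the way published reports usually present them.
SAMPLE_REPORT = """\
Summary
A phishing campaign delivered a loader through a lookalike domain.

Analysis
The loader beaconed to a hard-coded address every 30 minutes.

Indicators of Compromise
domain: invoice-portal[.]example
url: hxxp://invoice-portal[.]example/dl/update.bin
ip: 203.0.113.45
sha256: 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
"""

# Constructed sample log lines in proxy, DNS, firewall and EDR styles.
SAMPLE_LOGS = [
    "2025-05-20T09:01:12Z proxy src=10.0.0.12 url=http://invoice-portal.example/dl/update.bin status=200",
    "2025-05-20T09:02:40Z dns client=10.0.0.12 query=www.example.org rcode=NOERROR",
    "2025-05-20T09:31:05Z fw src=10.0.0.12 dst=203.0.113.45 dport=443 action=allow",
    "2025-05-20T09:31:06Z edr host=ws12 file=update.bin sha256=0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0",
    "2025-05-20T10:00:00Z fw src=10.0.0.40 dst=198.51.100.9 dport=443 action=allow",
]

IOC_TYPES = ("domain", "url", "ip", "sha256")


def refang(value: str) -> str:
    """Undo common defanging so the indicator matches what logs actually contain."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_ioc_section(report: str) -> list[tuple[str, str]]:
    """Return (type, indicator) pairs taken only from the dedicated IoC section.

    Restricting extraction to the lines after the 'Indicators of Compromise'
    heading is what makes the separate section useful to operational teams:
    nothing mentioned in the narrative is mistaken for a sweepable indicator.
    """
    iocs = []
    in_section = False
    for line in report.splitlines():
        if line.strip().lower() == "indicators of compromise":
            in_section = True
            continue
        if not in_section or not line.strip():
            continue
        match = re.match(r"(\w+):\s*(\S+)", line)
        if match and match.group(1) in IOC_TYPES:
            iocs.append((match.group(1), refang(match.group(2)).lower()))
    return iocs


def search_logs(iocs, logs) -> list[tuple[str, str, str]]:
    """Return (type, indicator, log_line) for every log line that contains an IoC.

    Indicators are matched as whole tokens, so 'portal.example' does not fire
    on 'notportal.example' or on a longer value that merely embeds it.
    """
    hits = []
    for ioc_type, ioc in iocs:
        pattern = re.compile(r"(?<![\w.-])" + re.escape(ioc) + r"(?![\w-])")
        for line in logs:
            if pattern.search(line.lower()):
                hits.append((ioc_type, ioc, line))
    return hits


def sweep(report: str, logs) -> dict[str, int]:
    """Map each indicator in the report's IoC section to its number of log hits."""
    iocs = parse_ioc_section(report)
    counts = {ioc: 0 for _, ioc in iocs}
    for _, ioc, _ in search_logs(iocs, logs):
        counts[ioc] += 1
    return counts


if __name__ == "__main__":
    for ioc_type, ioc, line in search_logs(parse_ioc_section(SAMPLE_REPORT), SAMPLE_LOGS):
        print(f"[{ioc_type}] {ioc} -> {line}")
```

A zero count in the sweep result is itself useful feedback to the report's author: it says the indicator is either not present in this environment or not present in the logs being searched, and the two cases call for different next steps.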
Hunting for threats is achieved through the application of an analyst’s professional knowledge, a sense of curiosity, awareness of the data and systems within the environment as well as data science. (p.156)
If current observations are different from what is expected, then it is time to investigate and find out why this is the case. (p.159)
Hypothesis generation is one of the key skills of the intelligence analyst. The human mind tends to see the patterns that it expects to see within data. Accordingly, conclusions tend to be drawn towards those that fit the experiences and cultural background of the analyst. (p.161)
The hypothesis that fits best is not necessarily the one with the most positive marks, but more likely to be the one with the fewest negatives, since this hypothesis is the least refuted by the evidence (Heuer 1999a). (p.162)
Reasoning by analogy – selecting options based solely on prior experience with other options. Seeking to replicate successes or avoid failures without fully evaluating the options. (p.162)
Organisations seeking to share intelligence should be aware of, and happy to accept, any legal risk associated with the dissemination and publication of their intelligence reports. (p.164)
If the nature of the victim is a vital part of the description of the attack, such as with a spear phishing campaign, refer to the victim using a description of the job role such as ‘a senior financial executive’ instead. (p.165)
However, not only must you be able to express the information that you wish to include in an intelligence report in a machine readable format, but everyone to whom you distribute the report must possess software to be able to parse and make use of the report. (p.166)
…the number of security improvements that were made due to the findings of a threat intelligence report would be a suitable metric to demonstrate the utility of the activity. (p.167)
…the adoption of the COE’s Convention on Cybercrime from November 2001 (COE 2001a). Signed by over 65 nation states including many non‐COE members, this is the first multilateral legally binding treaty to address cyber crime. (p.173)
…threat intelligence reports expect and embrace doubt and uncertainty without trying to remove these. (p.176)
In encouraging others to use their tools, or reuse the code in other malicious software it becomes more difficult to tie the malicious software to any single group. (p.181)
Threat intelligence analysts must accept and adapt to uncertainty. (p.186)
Devotion to well‐doing – professionals are not primarily motivated by financial gain but work towards an altruistic notion of improvement. (p.194)
The assistant secretary of the General Education Board of New York City in 1915 succinctly summarised six criteria for recognising if an activity constituted a profession. (p.193)
…a code of ethics governs decision making, and a code of conduct governs actions. (p.196)
…professionals must have an objective stance, and hold the integrity of their profession higher than the financial pressures of commercialism or the efficiency drives of managerialism. (p.199)
In a speech denouncing sexism and misogyny, Lt. Gen. David Morrison, then chief of the Australian Army, coined the phrase, ‘the standard you walk past is the standard you accept’ (Wikiquote 2022). That is to say, if you witness behaviour that falls below the standards of conduct that you expect, if you fail to act or speak out to stop that behaviour, then that is the level of behaviour you find acceptable. (p.200)
Shall be prepared to contribute to public debate on matters of technical understanding in fields in which they are competent to comment. (p.201)
Professionalism includes the notion of serving the wider interest, and of having the moral courage to stand for what is right. (p.202)
The EC‐Council’s code of ethics consists of 19 points, which consist of instructions to obey rather than principles of behaviour to follow. These instructions include requirements to respect confidentiality, protect intellectual property, disclose dangers, act within competence, not use illegally obtained software, not engage in improper financial practices, only use authorised systems, disclose conflicts of interest, manage projects well, share knowledge, behave ethically when soliciting services, act ethically, do not engage in illegal hacking or associate with malicious hackers, don’t abuse certificates or logos, not convicted of a felony (EC Council n.d.). (p.203)
The first two instructions to stop, calmly assess the situation, and consider what it is that we are trying to achieve are particularly important to remember in pressured, stressful situations where the importance of ethics may be overlooked. (p.207)
Threat intelligence products should bring benefit. This may be a benefit to a client or employer, to advance personal interests, or for the benefit of the wider community. (p.209)
As CTI professionals, we must remain objective and focus on our role of impartially gathering and analysing information in order to inform and assist decision making. Conflicts of interest, such as nationality, or feelings of kinship with third parties, which may affect judgement or impinge on objectivity should be declared within analyses, or better, if a conflict of interest is identified, the analyst should recuse themselves from the investigation. (p.210)
…researchers should take steps to report the vulnerability to an appropriate person within the affected organisation, and explain the vulnerability in a way that can be understood and replicated, while respecting the privacy of others, and without demanding payment. (p.210)
We should be prepared to justify our own work, show that we have considered ethics, and not be afraid to modify working practices or to deploy additional safeguards when necessary. (p.213)
The ramifications of a course of action that causes significant upset or harm to a partner may be severe, and the wider consequences may be unknown to the threat intelligence team. The ethical dimension of a course of action is likely to form part of the briefing that an intelligence team presents to decision makers, but it is for decision makers to make decisions. (p.216)
Although behaving ethically is a choice, occasionally there are no good outcomes to be found, and a decision maker must choose the least bad option and accept the consequences. (p.217)
Actively demonstrating to colleagues that ethics is a key part of intelligence activities and decision making helps promote moral development and develop moral courage so that when faced with a difficult decision, we do the right thing. (p.217)
…professionals are expected to have a higher purpose beyond commercial consideration in their activities. (p.217)
…this arena will resemble the sixteenth century model of conducting proxy naval conflict by privateers; self‐financing criminal gangs given state protection in return for some degree of state direction. (p.237)
Cyber threat intelligence professionals must be sure to advise decision makers on when it will be necessary to deprecate older encryption algorithms and move to modern alternatives. (p.238)
Defeating information warfare campaigns is not a simple matter. Free speech and open debate are hallmarks of a democracy. Identifying when the debate is not open, but being manipulated with opposing voices crowded out of the discussion is not an easy matter. Intervening to prevent such manipulation and holding perpetrators to account is even more complex. (p.240)
…criminal threat actors are responsible for the vast majority of cyber attacks. Nation state threat actors are the cause of far fewer attacks, but are responsible for the most sophisticated attacks. Other threat actors such as hacktivists or terrorists are much less active and less sophisticated than criminal or nation state threat actors. (p.240)
The European security agency, ENISA, sees training provided by employers as key to helping recruits gain the necessary skills. (p.242)
Employers need to be realistic regarding their hiring goals. Expecting to hire fully qualified and competent staff who will be able to hit the ground running in threat intelligence is unlikely. Hiring someone who has potential and is likely to gain the necessary skills with support and training is a feasible goal. (p.242)
…the skills and knowledge of the people within the threat intelligence team must also evolve. Some job roles will become more specialised over time, such as those that focus on specific facets of attacks or threat actor behaviour. Other job roles may become more prominent and important, such as communication skills including the ability to convey complex information succinctly. (p.242)
The NICE framework provides a mechanism by which employers can describe knowledge, skills, tasks, and competencies necessary for cyber security roles (NIST 2020). Those seeking to join the cyber security workforce can discover the skills and knowledge necessary for different job roles (NIST 2021). (p.242)
The Skills Framework for the Information Age (SFIA) is widely used to model skills, expertise, and requirements across digital industries. This framework defines 120 skills categorised into the seven high‐level categories. (p.242)
The US National Initiative for Cybersecurity Careers and Studies has already mapped many cyber security jobs to the NICE framework. (p.244)
Hiring someone who has a similar experience, training, and outlook to other members of the team may not be the best option. (p.246)
Technology will continue to develop, and threats will continue to evolve. If we are to put new technology to good use in benefitting our societies and enriching our lives, we must ensure that those who are developing these new applications are well informed about potential threats. (p.249)
Even the best cyber security teams do not reach the correct conclusion or react optimally or appropriately all of the time. (p.258)
Detecting malicious code integrated within legitimate software is fiendishly difficult. Supply chain attacks such as this require significant resources and know‐how. Microsoft estimates that the threat actor was likely to have deployed more than 1 000 engineers to work on the project. (p.282)
In anticipation of a potential breach, (Emmanuel Macron’s election campaign) workers had been briefed to expect any email they sent to be leaked, and to think of their communications this way. Emails were to be used for day‐to‐day communications, confidential information was only to be communicated over encrypted chat applications, and anything sensitive was reserved for face‐to‐face communication. (p.285)
Conclusion
In summary, it is a good and reputable reference for learning about threat intelligence and the profession, written by an author with years of practical experience. I want to thank Mr. Lee especially for sharing his working experience and knowledge in his book. It will serve as a guide for any defender working in cyberspace to protect societies.