Cyber Threat Intelligence
A strong cybersecurity program needs to stay informed. With this all-in-one guide, master cyber threat intelligence (CTI) techniques and understand its practical applications. Walk through the intelligence lifecycle, and then get up to speed on the latest tools and technologies for intelligence gathering, adversary profiling, network and host-based forensics, threat hunting, and more. Follow practical examples that showcase key CTI strategies in modern security operations.
- Understand the cyber intelligence lifecycle and get to know your sources: OSINT, HUMINT, and SIGINT
- Learn about threat models and walk through forensic analysis of network data and host systems to detect malicious behavior
- Integrate CTI into incident response, explore threat hunting, and see how automation can improve your CTI workflows
You'll learn about:
- Frameworks and Fundamentals:
See what cyber threat intelligence is and how it works in the real world. Understand the full intelligence lifecycle, from planning to feedback, and the different sources of intelligence, from OSINT to SIGINT.
- Threat Modeling, Analysis, and Response:
Learn about CTI tools and techniques. Apply the MITRE ATT&CK framework to model threats, turn network and host data into actionable intelligence, interpret threat detection outputs, assess your automation options including tools like MISP, and more.
- Best Practices and Case Studies:
Explore real-world workflows and practical examples. See how intelligence supports incident response, threat hunting, and automation, and learn proven methods for handling feed quality, enrichment, and operational integration.
Key Highlights:
- Cyber intelligence lifecycle
- Open-source intelligence (OSINT)
- Human intelligence (HUMINT)
- Signals intelligence (SIGINT)
- Intelligence gathering
- Adversary profiling
- Threat intelligence feed integrity
- Network forensics
- Host-based forensics
- Incident response
- Threat hunting
- Automation
- Preface
- Who This Book Is For
- How This Book Is Organized
- Acknowledgments
- Conclusion
- 1 Foundations of Cyber Threat Intelligence
- 1.1 What Is Cyber Threat Intelligence?
- 1.2 The Strategic Context and Importance of CTI
- 1.2.1 Strategic Value Dimensions
- 1.2.2 Considerations at the Strategic Level
- 1.2.3 Governance and Operating Models
- 1.2.4 Intelligence Requirement Management
- 1.3 The Evolution of Threat Intelligence
- 1.3.1 The Theoretical Foundations of Classical Military Intelligence
- 1.3.2 The Beginning of the Cyber Age and the APT Concept
- 1.3.3 The Threat Intelligence Cycle
- 1.3.4 Milestones Through Case Studies
- 1.4 Types of Intelligence in Cybersecurity
- 1.5 Core Concepts and Conceptual Models
- 1.5.1 Important Terminology
- 1.5.2 Threat Actors and Their Motivations
- 1.5.3 Threat Actors and the Intelligence Cycle
- 1.5.4 TTPs and Detection Engineering
- 1.6 Summary
- 2 Intelligence Lifecycle in Practice
- 2.1 Planning and Direction Phase
- 2.1.1 Components of the Planning Phase
- 2.1.2 Deepening the Conceptual Framework: PIRs, SIRs, and EEIs
- 2.1.3 References to Standards and Frameworks
- 2.1.4 Analytical Biases and Bias Management
- 2.1.5 Intelligence Governance Framework
- 2.1.6 Stakeholder Analysis and Communication
- 2.1.7 Threat Intelligence Sharing Ecosystem
- 2.1.8 Risk Tolerance and Corporate Business Objectives
- 2.2 Collection: Active and Passive Techniques
- 2.2.1 Strategic Importance of the Collection Phase
- 2.2.2 Passive Collection Techniques
- 2.2.3 Active Collection Techniques
- 2.3 Processing and Initial Analysis
- 2.3.1 Data Normalization
- 2.3.2 Tagging and Contextualization
- 2.3.3 Automated Analysis of Malware Samples
- 2.3.4 Enriching Indicators of Compromise
- 2.3.5 Output: A Processed and Reliable Dataset
- 2.4 Interpretation and Dissemination
- 2.4.1 Analysis and Interpretation
- 2.4.2 Dissemination
- 2.5 Feedback and the Sustainability of the Lifecycle
- 2.6 Summary
- 3 Intelligence Sources
- 3.1 Understanding Intelligence Source Classifications
- 3.1.1 The Role of Source Types in Cyber Intelligence
- 3.1.2 Comparative Model of OSINT, HUMINT, and SIGINT
- 3.1.3 Source Reliability Framework
- 3.2 Open-Source Intelligence
- 3.2.1 The Role of OSINT in Cyber Intelligence
- 3.2.2 Blogs, Security Reports, and Threat Intelligence Portals
- 3.2.3 Social Media and Community-Based Sources
- 3.2.4 DNS Data and Passive Internet Telemetry
- 3.3 Human Intelligence
- 3.3.1 The Role of HUMINT in Cyber Intelligence
- 3.3.2 Internal Source Interviews and Internal Information Flow
- 3.3.3 Informants, Researchers, and Dark Web Engagements
- 3.3.4 Social Engineering and the Analysis of Human Vulnerabilities
- 3.4 Signals Intelligence
- 3.4.1 The Role of SIGINT in Cyber Intelligence
- 3.4.2 Packet Inspection and Traffic Analysis
- 3.4.3 Radio Signals and Wireless Environment Intelligence
- 3.4.4 The Integrated Structure of SIGINT, Telemetry, and OSINT
- 3.5 Integrating and Correlating Multisource Intelligence
- 3.5.1 Multisource Fusion Centers
- 3.5.2 All-Source Analysis Framework
- 3.5.3 Source Reliability and Prioritization Methodologies
- 3.6 Summary
- 4 Applied OSINT: Tools, Methodologies, and Operational Discipline
- 4.1 Principles of Effective OSINT Collection
- 4.1.1 Intelligence Requirement: Focused Approach
- 4.1.2 Ethics, Legal Framework, and Authority Boundaries
- 4.1.3 Operational Security
- 4.1.4 Chain of Custody
- 4.2 Passive OSINT Collection Strategies
- 4.2.1 Advanced Use of Search Engine Operators
- 4.2.2 Using Google Dorks and Advanced Queries
- 4.2.3 Metadata Extraction
- 4.2.4 WHOIS, DNS, and SSL/TLS Passive Analysis
- 4.2.5 Social Media and Open User Profiles
- 4.3 Active OSINT Techniques
- 4.3.1 Port and Service Discovery
- 4.3.2 DNS Enumeration
- 4.3.3 Web Discovery and Scanning
- 4.4 OSINT Data Structuring and Storage
- 4.4.1 Technical Normalization of Intelligence Data
- 4.4.2 Correlation Architecture
- 4.4.3 Data Storage Options
- 4.4.4 Example: Automatic Normalization and Scoring of the DNS-WHOIS-SSL Chain for a Single Domain
- 4.5 Summary
- 5 Advanced Intelligence Collection from the Deep and Dark Web
- 5.1 The Invisible Architecture of the Dark Ecosystem
- 5.1.1 The Operational Differences of the Surface, Deep, and Dark Layers
- 5.1.2 Special Methods Used by Threat Actors
- 5.1.3 Techniques for Extracting Intelligence from Each Layer
- 5.1.4 Example Scenarios
- 5.1.5 Typology of Dark Web Ecosystems
- 5.2 Accessing Hidden Services and Managing Anonymity
- 5.2.1 Secure Use of the Tor Infrastructure
- 5.2.2 I2P and Alternative Privacy Networks
- 5.3 Summary
- 6 Threat Actor Profiling and Behavioral Mapping
- 6.1 Introduction to Threat Actor Profiling
- 6.1.1 Types of Threat Actors
- 6.1.2 Operational Psychodynamics
- 6.1.3 Indicators, Context, and the Right Question
- 6.2 Tactics, Techniques, and Procedures
- 6.2.1 What Are TTPs?
- 6.2.2 TTP Analysis
- 6.3 Applying the MITRE ATT&CK Framework
- 6.3.1 Techniques and Subtechniques
- 6.3.2 Applications of MITRE ATT&CK
- 6.4 Using the Diamond Model in Threat Profiling
- 6.4.1 Adversary: The Entity Conducting the Attack
- 6.4.2 Capability: The Tools, Techniques, and Knowledge in the Adversary’s Hands
- 6.4.3 Infrastructure: The Invisible Backbone Carrying the Attack
- 6.4.4 Victim: The Target of the Attack and the Reflection of the Profile
- 6.4.5 Diamond Model Relationships
- 6.5 Behavioral Indicators and Fingerprints
- 6.5.1 Code Reuse
- 6.5.2 Linguistic Patterns
- 6.5.3 OPSEC Errors
- 6.5.4 Correlation of Behavioral Traces
- 6.6 Summary
- 7 Integrity, Poisoning, and Enrichment in Threat Intelligence Feeds
- 7.1 The Anatomy of a Threat Intelligence Feed
- 7.1.1 Data Structures and Content Models
- 7.1.2 Standardized Protocols and Formats
- 7.1.3 Feed Distribution Models
- 7.2 Feed Poisoning and Manipulation Techniques
- 7.2.1 Objectives of Advanced Manipulation
- 7.2.2 Generation of Fake or Manipulated IOCs
- 7.2.3 Mirrored, Masked, or Deception-Oriented Infrastructures
- 7.3 Detecting Low-Quality or Malicious Threat Intelligence Feeds
- 7.3.1 Structural and Statistical Quality Analysis
- 7.3.2 Heuristic Validation Techniques
- 7.3.3 Source Reliability Modeling
- 7.4 Data Enrichment Techniques
- 7.4.1 IOC Contextual Enrichment
- 7.4.2 Correlating with the Threat Profile
- 7.4.3 Risk and Threat Scoring
- 7.5 Summary
- 8 Network-Centric Forensic Intelligence
- 8.1 Introduction to Network-Centric Digital Forensics
- 8.1.1 The Fundamental Objective of Network Digital Forensics
- 8.1.2 Defining the Scope
- 8.1.3 The Value of Forensic Analysis in CTI Scenarios
- 8.2 Traffic Capture and Protocol Analysis
- 8.2.1 The Power of Raw Traffic
- 8.2.2 Wireshark Techniques
- 8.2.3 Protocol Dissection
- 8.2.4 Example: IATI-Based DNS Tunneling and Multistage C2 Rhythm Analysis
- 8.3 Flow-Level Analysis
- 8.3.1 Introducing NetFlow and IPFIX
- 8.3.2 Flow Morphology
- 8.3.3 Rhythmic Deviation Analysis
- 8.3.4 Directional Asymmetry Analysis
- 8.3.5 Flow Entropy and Variance Analysis
- 8.3.6 Example: Deriving Attacker Behavior from Mathematical Flow Traces and Advanced Flow Entropy Analysis
- 8.4 Correlation of Logs and Network Metadata
- 8.4.1 Firewall Logs
- 8.4.2 Proxy Logs
- 8.4.3 DNS Metadata
- 8.4.4 The Power of Correlation
- 8.5 Monitoring Attacker Infrastructure and Lateral Movement
- 8.5.1 Intent-Based Monitoring
- 8.5.2 C2 Pulse Mapping
- 8.5.3 Pivot Point and East-West Traffic Monitoring
- 8.6 Summary
- 9 Host-Based Forensic Analysis and Windows Telemetry
- 9.1 Role of Host-Based Forensics in CTI
- 9.1.1 The Strategic Value of Endpoint Telemetry
- 9.1.2 The Limits of Endpoint Visibility
- 9.2 Advanced Configuration of Event Logs and Audit Policy
- 9.2.1 Depth of the Security Log
- 9.2.2 Design of an Advanced Audit Policy
- 9.2.3 Behavioral Monitoring with Event Tracing for Windows
- 9.3 Windows Registry Forensic Analysis
- 9.3.1 Understanding the Registry
- 9.3.2 Reconstructing User Behavior Through the Registry
- 9.3.3 Making Persistence Mechanisms Visible
- 9.3.4 Example: Behavioral Analysis of Registry-Based Startup Persistence Using Python
- 9.3.5 The Forensic Value of ShellBags, ShimCache, and AmCache
- 9.4 Memory Acquisition and Memory-Based Forensic Analysis
- 9.4.1 Why Is Memory Acquisition Critical?
- 9.4.2 Memory Acquisition Methods
- 9.4.3 Detecting Anti-Forensic Techniques in Memory
- 9.4.4 Memory Forensics Frameworks
- 9.5 Summary
- 10 Integrating CTI into Incident Response
- 10.1 The Role of CTI in Incident Response
- 10.1.1 CTI in the Complete Incident Response Cycle
- 10.1.2 Establishing an Intelligence-Driven Defense Architecture
- 10.1.3 Context-Oriented Alert Validation Mechanisms
- 10.1.4 Integrating Technical Findings with the Threat Model
- 10.2 Detection and Validation with IOCs and IOAs
- 10.2.1 The Lifecycle of IOCs and Their Operational Value
- 10.2.2 Strengthening IOA-Based Behavioral Detection Logic
- 10.2.3 Multilayer Correlation with Live Telemetry
- 10.2.4 Intelligence Enrichment Techniques for Reducing False Positives
- 10.3 Contextualization of Threats and Impact Analysis
- 10.3.1 Interpreting Adversary Intent
- 10.3.2 Impact Scope Analysis and Calculation of Propagation Potential
- 10.3.3 Determining Operational Priority According to CTI
- 10.3.4 Examples: Threat Contextualization in Practice
- 10.4 Summary
- 11 Intelligence-Driven Proactive Threat Hunting
- 11.1 What Is Threat Hunting?
- 11.1.1 Importance of Threat Hunting
- 11.1.2 The Limits of Reactive Security and Alert Fatigue
- 11.1.3 Core Components of Proactive Hunting
- 11.1.4 Hypothesis-Driven Approach
- 11.1.5 Filling Information Gaps: The Role of the Hunter
- 11.2 Intelligence-Driven Hunting Methodologies
- 11.2.1 Data Flow from CTI to the Operational Hunter
- 11.2.2 Adversary Modeling: APT, Ransomware, and Insider Threat Profiles
- 11.2.3 CTI Enrichment
- 11.2.4 Target Prioritization Through Threat Landscape Analysis
- 11.3 Summary
- 12 Automation and Threat Intelligence Platforms
- 12.1 Introduction to CTI Automation
- 12.1.1 The Limitations of Manual CTI Processes
- 12.1.2 The Role of Automation in the CTI Lifecycle
- 12.2 Overview of Threat Intelligence Platforms
- 12.2.1 What Is a TIP and What Does It Do?
- 12.2.2 Core Components and Architectural Structure
- 12.3 Using MISP for Community-Based Threat Sharing
- 12.3.1 Understanding the Role of MISP in CTI
- 12.3.2 The Fundamental Structure of the MISP Architecture
- 12.3.3 Feed and Event Management
- 12.3.4 Attributes, Tagging, and Taxonomies
- 12.4 Summary
- A Bibliography
- B The Author
- Index