
The Intelligence Handbook: A Roadmap for Building an Intelligence-Led Security Program, 4th Edition, CyberEdge Group

About Recorded Future
Recorded Future is the world’s largest intelligence company.
The Recorded Future Intelligence Platform provides the most
complete coverage across adversaries, infrastructure, and
targets. By combining persistent and pervasive automated
data collection and analytics with human analysis, Recorded
Future provides real-time visibility into the vast digital
landscape and empowers clients to take proactive action
to disrupt adversaries and keep their people, systems,
and infrastructure safe. Headquartered in Boston with
offices and employees around the world, Recorded Future
works with more than 1,400 businesses and government
organizations across 60 countries.
recordedfuture.com
The Intelligence Handbook
Fourth Edition

A Roadmap for Building an Intelligence-Led Security Program

Cover and Design by Lucas Clauser
Foreword by Christopher Ahlberg, Ph.D.
The Intelligence Handbook, Fourth Edition
Published by:
CyberEdge Group, LLC
1997 Annapolis Exchange Parkway
Suite 300
Annapolis, MD 21401
(800) 327-8711
www.cyber-edge.com
Copyright © 2022, CyberEdge Group, LLC. All rights reserved. Definitive Guide™ and
the CyberEdge Press logo are trademarks of CyberEdge Group, LLC in the United
States and other countries. All other trademarks and registered trademarks are the
property of their respective owners.
Except as permitted under the United States Copyright Act of 1976, no part of this
publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning
or otherwise, without the prior written permission of the publisher. Requests to the
publisher for permission should be addressed to Permissions Department, CyberEdge
Group, 1997 Annapolis Exchange Parkway, Suite 300, Annapolis, MD, 21401 or
transmitted via email to info@cyber-edge.com.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR
MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY
OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM
ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS
FOR A PARTICULAR PURPOSE. THE ADVICE AND STRATEGIES CONTAINED HEREIN
MAY NOT BE SUITABLE FOR EVERY SITUATION. NEITHER THE PUBLISHER NOR THE
AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN
ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/
OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE
AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR
WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS
SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE
CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN
IT IS READ.

For general information on CyberEdge Group research and marketing consulting
services, or to create a custom Definitive Guide™ book for your organization, contact
our sales department at 800-327-8711 or info@cyber-edge.com.
ISBN: 978-1-7371618-2-0 (paperback)
ISBN: 978-1-7371618-3-7 (eBook)
Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1

Publisher’s Acknowledgements
CyberEdge Group thanks the following individuals for their respective contributions:
Copy Editor: Susan Shuttleworth
Graphic Design: Debbi Stocco
Production Coordinator: Jon Friedman
Acknowledgements

This book’s publication was made possible by the Recorded
Future personnel who provided their insight and expertise
to this fourth edition. Contributors include: Stas Alforov,
Andrei Barysevich, Levi Gundert, Lindsay Kaye,
Jason Steer, Chris Ueland, John Wetzel, and Ellen
Wilson. Thanks to Lucas Clauser for developing the
distinctive cover art. We’d like to also thank those who contributed
to previous editions of this book.
Foreword by Dr. Christopher Ahlberg, co-founder and
CEO, Recorded Future.
Table of Contents
Acknowledgements
Foreword to the Fourth Edition
Introduction

Section 1: What Is Intelligence for Security Teams?
Chapter 1: What Is Intelligence for Security Teams?
Visibility Into Threats Before They Strike
Intelligence: Actionable Facts and Insights
Intelligence: The Process
Who Benefits From Intelligence?
Chapter 2: Types and Sources
Two Types of Intelligence
The Role of Threat Data Feeds
The Role of Private Channels and the Dark Web
Chapter 3: The Intelligence Life Cycle
The Six Phases of the Intelligence Life Cycle
Tools and People

Section 2: Applications of Intelligence for Security Teams
Chapter 4: SecOps Intelligence Part 1 – Triage
Responsibilities of the SecOps Team
The Overwhelming Volume of Alerts
Context Is King
Shortening the “Time to No”
Chapter 5: SecOps Intelligence Part 2 – Response
Continuing Challenges
The Reactivity Problem
Minimizing Reactivity in Incident Response
Strengthening Incident Response With Intelligence
SecOps Intelligence in Action
Essential Characteristics of SecOps Intelligence for Incident Response
Chapter 6: Vulnerability Intelligence
The Vulnerability Problem by the Numbers
Assess Risk Based on Exploitability
The Genesis of Intelligence for Security Teams: Vulnerability Databases
Vulnerability Intelligence and Real Risk
Sources of Intelligence
Use Cases for Cross-Referencing Intelligence
Bridging the Risk Gaps Among Security, Operations, and Business Leadership
Chapter 7: Threat Intelligence Part 1 – Knowing Attackers
Our Definition of “Threat Intelligence”
Understand Your Enemy
Criminal Communities and the Dark Web
Connecting the Dots
Use Case: More Comprehensive Incident Response
Use Case: Proactive Threat Hunting
Use Case: Advance Warning of Payment Fraud
Chapter 8: Threat Intelligence Part 2 – Risk Analysis
The FAIR Risk Model
Intelligence and Threat Probabilities
Intelligence and the Financial Cost of Attacks
Chapter 9: Third-Party Intelligence
Third-Party Risk Looms Large
Traditional Risk Assessments Fall Short
What to Look for in Third-Party Intelligence
Monitor Third Parties for These Five Critical Risks
Responding to High Third-Party Risk Scores
Chapter 10: Brand Intelligence
A Different Kind of Detection
Uncovering Evidence of Brand Impersonation and Abuse
Uncovering Evidence of Breaches on the Web
Critical Qualities for Brand Intelligence Solutions
Chapter 11: Geopolitical Intelligence
What Is Geopolitical Risk?
Geopolitical Intelligence
Who Uses Geopolitical Intelligence?
Data Collection With Geofencing
Data and Information Sources
Automation, Analytics, and Expertise
Interacting With Geopolitical Intelligence
Geopolitics and Cyber Threats
Chapter 12: Fraud Intelligence
Fraud Intelligence and Risk Assessment
Monitor Card Portfolio Exposure and Leaked Credentials
Identify Compromised Common Points of Purchase
Monitor Websites for Magecart and Other Attacks
Identify Signals
The ROI of Fraud Intelligence
Chapter 13: Identity Intelligence
Protecting Authentication
A Plan to Protect Identities
Sources for Stolen Identities
High-Volume Triage
Using Identity Information
Chapter 14: Attack Surface Intelligence
Your Digital Attack Surface Is Bigger Than You Think
Discovering Internet-Facing Assets
Analyzing the Exposed Assets
Continuously Monitoring the Attack Surface
Who Uses Attack Surface Intelligence?
Chapter 15: Intelligence for Security Leaders
Risk Management
Mitigation: People, Processes, and Tools
Investment
Communication
Supporting Security Leaders
The Security Skills Gap
Chapter 16: Intelligence for Prioritizing Emerging Threats
Planning for Next Year Today
Using Attack Life Cycles to Assess Risks
Deepfakes: Fraud’s Next Frontier
Insider Recruitment for Fraud
Databases and Network Access for Sale

Section 3: Creating and Scaling Your Intelligence Program
Chapter 17: Analytical Frameworks for Intelligence
The Lockheed Martin Cyber Kill Chain®
The Diamond Model
The MITRE ATT&CK™ Framework
Chapter 18: Intelligence Data Sources and Types: A Framework
A Framework for Intelligence Data
Initial Access
Lateral Movement, Escalation, and Reconnaissance
Data Exfiltration
Ransomware Payload Drop
A Flexible Framework
Chapter 19: Your Intelligence Journey
Don’t Start With Threat Feeds
Clarify Your Intelligence Needs and Goals
Key Success Factors
Start Simple and Scale Up
Chapter 20: Developing Your Core Intelligence Team
Dedicated, but Not Necessarily Separate
Core Competencies
Collecting and Enriching Threat Data
Engaging With Intelligence Communities
Conclusion: Using Intelligence to Disrupt Adversaries
Key Takeaways From the Book
Foreword to the Fourth Edition

The global pandemic has accelerated the digitalization of
internal, customer, and supply chain operations. Today,
everything and everyone is connected, and cybercriminals are
taking advantage. Security practitioners, already stretched
thin, must now defend a virtually infinite attack surface.
Over the past year, we saw escalating attacks and responses in
the form of ransomware gangs halting oil pipelines and food
supply chains; civil unrest unfolding around the world and
internet use censored and monitored; critical infrastructure
being hacked in state-sponsored cyberespionage campaigns;
and disinformation campaigns targeting governments and
COVID-19 vaccine efforts – to name a few.
Current defense strategies are not working. Defenders must
switch to offense. Organizations must move to intelligence-led
security programs that anticipate adversaries and their
intent, monitor the infrastructure they build, and learn from
breached organizations.
At Recorded Future, we believe that intelligence is for
everyone. No matter what security role you play, intelligence
enables smarter, faster decisions. It’s not a separate domain of
security. It’s the context that empowers you to work smarter,
whether you’re staffing a SOC, managing vulnerabilities, or
making high-level business decisions. To be most effective,
intelligence must integrate with the solutions and workflows
that you already rely on – and it has to be easy to implement.
In 2020, Recorded Future introduced intelligence modules,
tailored to inform specific use cases and outcomes enterprise-wide.
In 2021 and early 2022 we extended our enterprise use
case coverage by adding three new modules to our Intelligence
Platform - Identity Intelligence, Fraud Intelligence, and Attack
Surface Intelligence.
Identity is the new perimeter to be validated and defended.
We introduced Identity Intelligence to help defenders control
access to sensitive data by protecting and verifying user
identities, detecting customer identity fraud, and preventing
account takeover.
Similarly, it has become increasingly difficult for organizations
to identify and prevent payment card fraud before it occurs.
Fraud Intelligence helps defenders monitor card portfolio
exposure in real-time, identify compromised common points
of purchase, and monitor a real-time stream of infected
e-commerce domains.
Also, organizations have hundreds or thousands of internet-facing
assets that are susceptible to attack, but no visibility
into many of them. Attack Surface Intelligence helps them
find and protect shadow IT systems, cloud workloads, mobile
devices, "forgotten domains," web servers, and IoT devices
with IP addresses.
This fourth edition of The Intelligence Handbook provides
practical information for developing an intelligence-led security
program. We hope you find it to be an informative and
useful companion as you integrate intelligence across your
security ecosystem.
I am grateful to everyone who has contributed to the development
of this Handbook – the users of our platform, our
clients, industry experts, and the Recorded Future team.
Christopher Ahlberg, Ph.D.
Co-Founder and CEO
Recorded Future
Introduction

A Complete Picture of Intelligence for Security Teams
You might have heard that intelligence involves collecting data
from a wide variety of sources, including the dark web. You
may know that it combines that data with insights from security
experts, and distills the data and insights into intelligence
for IT security professionals. You might work with threat feeds
or weekly reports about attacks on the network, or even expert
analysis of cyber risks. However, you probably don’t know
about all the roles and functions that intelligence supports, the
number of ways it protects organizations and their assets, and
its full potential for reducing risk.
This handbook will give you a complete picture of intelligence
and the role it plays in protecting your organization. Section
1 provides an overview of intelligence for security teams and
the phases of the intelligence life cycle. Section 2 examines
the specific ways that intelligence strengthens several critical
security functions and their workflows. Section 3 deals with
management and implementation issues, like using intelligence
to evaluate risk and justify investments, and how to
build an intelligence team.
By the end, you will understand how intelligence amplifies
the effectiveness of security teams and security leaders by
exposing unknown threats, clarifying priorities, providing data
to make better, faster decisions, and driving a common understanding
of risk reduction across the organization.

No Longer Just “Threat Intelligence” or “Security Intelligence”
Until recently, the topics discussed in this book were commonly
known as “threat intelligence” or “security intelligence.”
However, those terms are generally associated with information
about threats to traditional IT systems controlled by the
organization. This conception of the field is far too narrow.
Innovative threat actors continuously probe for weak points
and develop new ways to penetrate or circumvent traditional
IT defenses. They steal credentials from trusted third parties
and use those to burrow into corporate systems. They harvest
personal information from social media platforms to produce
convincing phishing campaigns, and create typosquatting
websites to impersonate brands and defraud customers. They
plot cyberattacks and leverage physical events against remote
facilities around the world. They devise attacks that, without
prior warning, are undetectable by conventional IT security
solutions.
Forward-thinking security experts and IT groups have realized
that they need to take the battle to the threat actors by uncovering
their methods and disrupting their activities before they
attack. This realization has prompted them to expand their
intelligence programs to include areas such as third-party risk
(exposure through vendors, suppliers, and business partners),
brand protection (the ability to detect and resolve security
issues that threaten an organization’s reputation), geopolitical
risk (threats associated with the locations of physical assets
and events), fraud intelligence (solutions addressing credit
card payment fraud and other fraud related to online transactions),
identity intelligence (real-time intelligence about
compromised credentials), and more.
Now, we can use “intelligence” to encompass everything that
was previously called “threat intelligence” or “security intelligence,”
as well as the newer areas of the field. That is why
the book you’re reading right now is titled The Intelligence
Handbook.
We hope this handbook will empower you to disrupt adversaries,
reduce your organization’s risk, and serve as a roadmap to
help you build an efficient and effective security posture.

Chapters at a Glance
Section 1: What Is Intelligence for Security Teams?
Chapter 1, “What Is Intelligence for Security Teams,”
outlines the value of intelligence and the characteristics of
successful intelligence programs.
Chapter 2, “Types and Sources,” discusses the differences
between operational and strategic intelligence, as well as the
roles of data feeds and the dark web.
Chapter 3, “The Intelligence Life Cycle,” examines
the phases of the intelligence life cycle and the relationship
between tools and human analysts.
Section 2: Applications of Intelligence for Security Teams
Chapter 4, “SecOps Intelligence Part 1: Triage,”
explores how intelligence provides context for triage and
enables security operations teams to make better, faster
decisions.
Chapter 5, “SecOps Intelligence Part 2: Response,”
discusses how intelligence minimizes reactivity in incident
response and presents four use cases.
Chapter 6, “Vulnerability Intelligence,” examines how
intelligence enables practitioners to prioritize vulnerabilities
based on true risk to the organization.
Chapter 7, “Threat Intelligence Part 1: Understanding
Attackers,” explains the value of researching attacker tactics,
techniques, and procedures (TTPs).
Chapter 8, “Threat Intelligence Part 2: Risk
Analysis,” analyzes the value of risk models and how intelligence
provides hard data about attack probabilities and costs.
Chapter 9, “Third-Party Intelligence,” explores how
intelligence is used to assess supply-chain partners and reduce
third-party risk.
Chapter 10, “Brand Intelligence,” reviews different forms
of digital risks to brands and how intelligence empowers security
teams to defend their organization’s reputation.
Chapter 11, “Geopolitical Intelligence,” describes how
intelligence provides advanced warning of threats to facilities
and physical assets around the world.
Chapter 12, “Fraud Intelligence,” provides overviews of
several ways intelligence can thwart payment card fraud and
other types of fraud related to online transactions.
Chapter 13, “Identity Intelligence,” outlines methods for
protecting user identities, detecting customer identity fraud,
and preventing account takeover.
Chapter 14, “Attack Surface Intelligence,” investigates
how organizations can discover and protect unknown
domains and exposed internet-facing assets.
Chapter 15, “Intelligence for Security Leaders,” examines
how intelligence enables CISOs, CIOs, and other leaders
to obtain a holistic view of the cyber risk landscape and make
better business decisions.
Chapter 16, “Intelligence for Prioritizing Emerging
Threats,” highlights three emerging threats every organization
should plan for, and how to prioritize them.
Section 3: Creating and Scaling Your Intelligence Program
Chapter 17, “Analytical Frameworks for Intelligence,”
explains how three leading threat frameworks provide useful
structures for thinking about attacks.
Chapter 18, “Intelligence Data Sources and Types:
A Framework,” presents a framework of intelligence data
sources and types that can help organizations anticipate,
detect, and respond to a threat.
Chapter 19, “Your Intelligence Journey,” provides suggestions
on how to start simple and scale up an intelligence
program.
Chapter 20, “Developing Your Core Intelligence
Team,” describes how building a dedicated team takes intelligence
to a new level.

Icon Glossary
TIP
Tips provide practical advice you may want to apply in your
own organization.

DON’T FORGET
When you see this icon, take note, as the related content contains
key information that you’ll want to remember.

CAUTION
Proceed with caution, because it may prove costly to you and
your organization if you don’t.

TECH TALK
Content associated with this icon is more technical in nature
and is intended for IT and security practitioners.

ON THE WEB
Want to learn more? Follow the corresponding URL to discover
additional content online.
Section 1: What Is Intelligence for Security Teams?
Chapter 1

What Is Intelligence for Security Teams?
In this chapter
• Understand why intelligence is important for security teams
• Review characteristics of successful intelligence programs
• Learn who benefits from using intelligence

Visibility Into Threats Before They Strike

Cyber threats come in many forms. Certainly some of
them are cybercriminals who attack your network at the
firewall. However, they also include threat actors operating on
the open and dark web who are trying to gain unauthorized
access through your employees and your business partners.
Some devastate your brand through social media and external
websites without ever touching your network. Malicious or
merely careless insiders may also wreak havoc with your data
and your reputation.
By the time you see indicators of these threats on your
network, it is probably too late. To prevent damage, you need
advance warning of threats, accompanied by actionable facts
in order to:

• Prioritize patching for your most serious vulnerabilities
  before they are exploited
• Detect probes and attacks at the earliest possible
  moment and with high confidence
• Understand the tactics, techniques, and procedures
  (TTPs) of likely attackers and put effective defenses
  in place
• Identify and correct your business partners’ security
  weaknesses
• Detect data leaks and impersonations of your corporate
  brand
• Make wise investments in security to maximize
  return and minimize risk

Many IT organizations have created intelligence programs
to obtain the advance warning and actionable data they need
to protect their enterprises and their brands. Figure 1-1 lists
metrics that show the dramatic improvement in security and
efficiency that an intelligence program provides.

Figure 1-1: An intelligence program can produce dramatic
improvements in security, efficiency, and scale. (Source: IDC)

Intelligence: Actionable Facts and Insights
When people speak of intelligence, sometimes they are referring
to certain types of facts and insights, and other times to
the process that produces them. Let’s look at the first case.

More than data or information
Even security professionals sometimes use the words “data,”
“information,” and “intelligence” interchangeably, but
the distinctions are important. Figure 1-2 highlights these
differences.

Data consists of discrete facts and statistics
gathered as the basis for further analysis.

Information is comprised of multiple data
points that are combined to answer specific
questions.

Intelligence is the output of an analysis of data
and information that uncovers patterns and provides
vital context to inform decision-making.

Figure 1-2: Distinctions between data, information, and
intelligence.

Of course, the details of the data, information, and intelligence
differ across political, military, economic, business, and other
types of intelligence programs. In the context of intelligence
for security teams:

• Data is usually just indicators such as IP addresses,
  URLs, or hashes. Data doesn’t tell us much without
  analysis.
• Information answers questions like, “How many
  times has my organization been mentioned on social
  media this month?” Although this is a far more useful
  output than the raw data, it still doesn’t directly
  inform a specific action.
• Intelligence is factual insight based on analysis that
  correlates data and information from across different
  sources to uncover patterns and add insights. It
  enables people and systems to make informed decisions
  and take effective action to prevent breaches,
  remediate vulnerabilities, improve the organization’s
  security posture, and reduce risk.

Figure 1-3 shows the relationship between data, information,
and intelligence.

Figure 1-3: The relationship between data, information, and
intelligence. (Source: U.S. Joint Chiefs of Staff, Joint Publication 2.0,
Joint Intelligence)

Implicit in this definition of “intelligence” is the idea that
every instance of intelligence is actionable for a specific audience.
That is, intelligence must do two things:

1. Point toward specific decisions or actions
2. Be tailored for easy use by a specific person, group, or
   system that will use it to make a decision or take an
   action

Data feeds that are never used and reports that are never read
are not intelligence. Neither is information, no matter how
accurate or insightful, if it is provided to someone who can’t
interpret it correctly or isn’t in a position to act on it.
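
The data, information, and intelligence distinction described above, as an added Python example that is not part of the handbook: raw proxy events (data) are counted against a feed (information), then correlated with an asset inventory to produce findings that name an audience and a decision (intelligence). The log format, feed entries, asset inventory, confidence cutoff of 70, and recommended steps are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample inputs; all addresses come from documentation ranges.
PROXY_LOG = """\
2022-03-01T09:14:02Z src=10.0.4.17 dst=203.0.113.50 action=allowed
2022-03-01T09:14:09Z src=10.0.4.17 dst=203.0.113.50 action=allowed
2022-03-01T09:20:41Z src=10.0.7.3 dst=198.51.100.23 action=blocked
2022-03-01T09:31:55Z src=10.0.9.8 dst=192.0.2.10 action=allowed
2022-03-01T10:02:13Z src=10.0.4.17 dst=203.0.113.50 action=allowed
truncated line without fields
"""

# Constructed feed: indicator -> context attached by an analyst or platform.
THREAT_FEED = {
    "203.0.113.50": {"label": "credential-stealer C2", "confidence": 90},
    "198.51.100.23": {"label": "mass scanner", "confidence": 40},
}

# Constructed asset inventory: internal host -> owner and business role.
ASSETS = {
    "10.0.4.17": {"owner": "finance-it", "role": "payment workstation", "critical": True},
    "10.0.7.3": {"owner": "dev", "role": "build agent", "critical": False},
    "10.0.9.8": {"owner": "hr", "role": "laptop", "critical": False},
}


@dataclass(frozen=True)
class Finding:
    audience: str   # who is in a position to act
    host: str
    indicator: str
    action: str     # the decision the finding points toward
    evidence: str


def parse_events(log_text):
    """Data: discrete facts pulled from raw log lines."""
    events = []
    for line in log_text.splitlines():
        stamp, *pairs = line.split() or [""]
        fields = dict(p.split("=", 1) for p in pairs if "=" in p)
        # Skip malformed lines instead of guessing at missing fields.
        if {"src", "dst", "action"} <= fields.keys():
            events.append({"time": stamp, **fields})
    return events


def indicator_hits(events, feed):
    """Information: how often did each host contact a listed indicator?"""
    return Counter(
        (e["src"], e["dst"], e["action"]) for e in events if e["dst"] in feed
    )


def build_intelligence(hits, feed, assets, min_confidence=70):
    """Intelligence: correlate sources, keep only what drives a decision."""
    findings = []
    for (src, dst, action), count in sorted(hits.items()):
        context = feed[dst]
        # Blocked traffic and low-confidence indicators lead to no decision
        # here, so they stay information and are not reported.
        if action != "allowed" or context["confidence"] < min_confidence:
            continue
        asset = assets.get(src)
        if asset is None:
            audience = "secops"
            step = "identify the unmanaged host before triage continues"
        elif asset["critical"]:
            audience = "incident-response"
            step = f"isolate the {asset['role']} and reset credentials used on it"
        else:
            audience = asset["owner"]
            step = "re-image the host at the next maintenance window"
        evidence = f"{count} allowed connections to {context['label']}"
        findings.append(Finding(audience, src, dst, step, evidence))
    return findings


if __name__ == "__main__":
    events = parse_events(PROXY_LOG)
    hits = indicator_hits(events, THREAT_FEED)
    for finding in build_intelligence(hits, THREAT_FEED, ASSETS):
        print(finding)
```
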

Intelligence: The Process
Intelligence also refers to the process by which data and information
are collected, analyzed, and disseminated throughout
the organization. In industry parlance, this is called tradecraft.
The steps in such a process will be discussed in Chapter 3,
where we describe the intelligence life cycle. However, it is
important to note at the outset that successful intelligence
processes have four characteristics.

1. A collaborative process and framework
In many organizations, intelligence efforts are siloed. For
example, the security operations (SecOps), fraud prevention,
and third-party risk teams may have their own analysts and
tools for gathering and analyzing intelligence. They may
answer to completely independent reporting chains. This
leads to waste, duplication, and an inability to share analysis
and intelligence. Silos also make it impossible to assess risk
across the organization and to direct security resources where
they will have the greatest impact. Intelligence programs need
to share a common process and framework, enable broad
access to insights and operational workflows, encourage a
“big picture” view of risk, and account for the allocation of
resources.

2. 360-degree visibility
Because cyber threats may come from anywhere, intelligence
programs need visibility within and outside the enterprise,
including:

• Security logs and events from endpoints and network
  devices
• External lists from security vendors
• Community tools such as threat intelligence feeds
• Community web forums where security researchers
  share and discuss observations and new findings
• Open and closed web forums where attackers
  advertise new malware and patches and discuss and
  demonstrate methods for exploiting vulnerabilities
• Dark web marketplaces where threat actors advertise
  exploited machines, bots, and leaked credential
  databases
• Social media accounts where threat actors intimidate
  and harass victims through open channels

Today, many organizations focus on free or pre-packaged
threat data feeds, and are only now becoming aware of the
need to scan a broader variety and greater quantity and quality
of sources on a regular basis.

3. Extensive automation and integration
Because there is so much data and information to capture,
correlate, and process, an intelligence program needs a high
degree of automation to reduce manual efforts and produce
meaningful results quickly. To add context to initial findings
and effectively disseminate intelligence, successful intelligence
programs must also integrate with many types of security
solutions, such as security dashboards, security information
and event management solutions (SIEMs), vulnerability
management systems, endpoint and XDR products, firewalls,
and security orchestration, automation and response (SOAR)
tools.

4. Alignment with the organization and security use cases
Organizations often waste enormous resources capturing and
analyzing information that isn’t relevant to them. A successful
intelligence program needs to determine and document its
intelligence needs to ensure that collection and processing
activities align with the organization’s actual priorities.
Alignment also means tailoring the content and format of
intelligence to make it easy for people and systems to use.

Who Benefits From Intelligence?
Intelligence is sometimes imagined to be simply a research
service for the security operations and incident response
teams, or the domain of elite researchers. In reality, it adds
value to every security function and to several other teams in
an organization.
The middle section of this handbook examines the primary
use cases:

• Security operations and incident response
teams are routinely overwhelmed by alerts.
Intelligence accelerates their alert triage, minimizes
false positives, provides context for better
decision-making, and empowers them to respond faster.
• Vulnerability management teams often
struggle to differentiate between relevant, critical
vulnerabilities and those that are less critical to their
organization’s defense posture. Intelligence delivers
context and risk scoring that enables them to reduce
downtime while patching the vulnerabilities that
really matter first.
• Threat analysts need to understand the motivations
and TTPs of threat actors and track security
trends for industries, technologies, and regions.
Intelligence provides them with deeper and
more-expansive knowledge to generate more valuable
insights.
• Third-party risk programs need up-to-date
information on the security postures of vendors,
suppliers, and other third parties that access the
organization’s systems. Intelligence arms them with
an ongoing flow of objective, detailed information
about business partners that static vendor
questionnaires and traditional procurement methods can’t
offer.
• Brand protection teams need continuous
visibility into unsanctioned web and social media
mentions, data leaks, employee impersonations,
counterfeit products, typosquatting websites,
phishing attacks, and more. Intelligence tools monitor
for these across the internet at scale, and streamline
takedown and remediation processes.

• Geopolitical risk and physical security teams
rely on advanced warning of attacks, protests, and
other threats to assets in locations around the globe.
Intelligence programs capture data and “chatter”
from multiple sources and filter it to deliver precise
intelligence about what’s happening in the cities,
countries, and regions of interest.
• Fraud prevention teams use intelligence about
online attacks and leaked credentials to detect fraud
campaigns, strengthen risk-based authentication,
and improve defenses against online fraud.
• Identity and access management teams can
employ intelligence from the dark web to identify
compromised credentials of employees and business
partners and to prevent people from reusing
exposed passwords.
• Security leaders use intelligence about likely
threats and their potential business impact to assess
security requirements, quantify risks (ideally in
monetary terms), develop mitigation strategies, and
prioritize and defend cybersecurity investments to
CEOs, CFOs, and board members.

For a concise introduction to intelligence and six critical
solution areas, read the Recorded Future white paper, “Security
Intelligence: Driving Security From Analytics to Action.”
Chapter 2

Types and Sources


In this chapter
• Differentiate between operational and strategic intelligence
• Appreciate the roles of data feeds, private channels, and the
dark web

Two Types of Intelligence

For security teams, there are two types of intelligence:
operational and strategic. These vary in their sources,
the audiences they serve, and the formats in which they
appear.
The purpose in making this distinction is recognizing that
various security teams have different goals and degrees of
technical knowledge. As we said earlier, intelligence needs to
be actionable — but because the responsibilities of a
vulnerability management team differ significantly from those of a
CISO, “actionability” has distinct implications for each, and
the form and content of the intelligence they’ll benefit from
the most will vary.

Operational intelligence
Operational intelligence is knowledge about ongoing
cyberattacks, events, and campaigns. It provides specialized
insights that enable the individuals that use it to understand
the nature, intent, and timing of specific attacks as they are
occurring.
Operational intelligence is sometimes referred to as
technical security intelligence or technical threat
intelligence, because it usually includes technical information
about attacks, such as which attack vectors are being used,
what vulnerabilities are being exploited, and what command
and control domains are being employed by attackers. This
kind of intelligence is often most useful to personnel directly
involved in the defense of an organization, such as system
architects, administrators, and security staff.
Threat data feeds are often used to provide context to internal
information, such as internal network telemetry events or
endpoint detection and response (EDR) events. These feeds usually
focus on a single type of threat indicator, such as malware
hashes or suspicious domains. As we discuss below, threat data
feeds provide data, but that data is not intelligence. It lacks
contextual information, such as the fact that an external IP address
is a ransomware command and control server.
TIP: Operational intelligence is commonly used to guide
improvements to existing security controls, generate or improve new
rules in a SIEM, improve security processes and playbooks,
and speed up incident response. An operational intelligence
solution that integrates with data from your network is crucial
because it answers urgent questions unique to your
organization, such as, “Should this critical vulnerability, which is being
actively exploited by threat actors against my industry, be
prioritized for patching?”

Strategic intelligence
Strategic intelligence provides a broad overview of an
organization’s present and future threat landscape. It informs
resource decisions by security leadership and within security
architecture, application security, and other security
development projects. The content is generally risk oriented and
presented through reports or briefings.
This kind of intelligence requires human interaction because
it takes analytical thought and creativity to forecast future
trends, for example to evaluate and test new and emerging
adversary TTPs against existing security controls. Pieces of
this process may be automated, but a human mind is required
to complete the exercise.
Good strategic intelligence must provide insight into the risks
associated with certain actions, broad patterns in threat actor
tactics and targets, geopolitical events and trends, and similar
topics.

Common strategic intelligence sources include:

• Trends and research reports from security
companies
• Policy documents from nation-states or
non-governmental organizations
• News from local and national media, articles in
industry- and subject-specific publications, and
input from subject-matter experts

Organizations must set strategic intelligence requirements
by asking focused, specific questions. Analysts with expertise
outside of typical cybersecurity skills — in particular, a strong
understanding of policy, sociopolitical, and business concepts
— are needed to gather and interpret strategic intelligence.
Some aspects of the production of strategic intelligence are
dramatically sped up by automated collection. Producing
effective strategic intelligence takes deep research on massive
volumes of data, often across multiple languages. These
challenges make initial data collection and processing too difficult
to perform manually, even for those rare analysts who possess
the right language skills, technical background, and tradecraft.
An intelligence solution that automates data collection and
processing reduces this burden and enables analysts with
various levels of expertise to work more effectively.

The Role of Threat Data Feeds


We mentioned earlier that data is not intelligence, and that
threat data feeds often overwhelm analysts already burdened
with countless daily alerts and notifications. However, when
used correctly, threat data feeds provide valuable raw material
for intelligence.
Threat data feeds are real-time streams of data that provide
information on potential cyber threats and risks. They’re
usually lists of simple indicators or artifacts focused on a single
area of interest, like suspicious domains, hashes, bad IPs, or
malicious code. They provide a quick, real-time look at the
threat landscape.

Many feeds are filled with stale data, errors, redundancies,
and false positives. The data lacks context. Many
organizations find they have pulled in so many feeds that they need
additional steps to process the information, usually manual
curation in another tool such as a threat intelligence platform
(TIP), before they can push the data into production in a
SIEM. This problem is compounded when security managers
attempt to widen coverage by investing in a staggering
number of data feeds, ultimately creating more noise in their
environment.

Evaluating Threat Data Feeds


Use these criteria to assess threat data feeds for your organization:

• Data sources: Feeds pull their data from all kinds of sources.
You should select sources with care and take the time to evaluate
the usefulness and noise of each prior to implementing in
your environment.

• Transparency of sources: Knowing where your data is
coming from empowers you to evaluate its relevance and
usefulness. Some sources aggregate from other places, so
duplication can be an issue if pulling from multiple sources.
You should understand how sources process and update
this information and how they purge stale data.

• Percentage of unique data: Some paid feeds just aggregate
data from other feeds, while others do not take care to place
common sources of noise, such as RFC 1918 addresses, on their
allow list.

• Periodicity of data: Data should be collected frequently,
and should cover the time period relevant to your organization.
Also, it should cover a long enough timespan to support
strategic intelligence on long-term trends. Understanding
when data ages off the feed is also important.

• Measurable outcomes: Being able to track the correlation
rate — the percentage of alerts that correspond with
your internal telemetry in a given week, month, or quarter
— is critical to calculating the measurable outcomes of a
particular feed.
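
The criteria in this sidebar can be measured instead of judged by eye. The following Python example is added here and is not code from the handbook: it scores two constructed IP feeds for duplicates, RFC 1918 noise, stale entries, percentage of unique data, and correlation rate. The feed names, the 30-day age-off threshold, and the reading of correlation rate as the share of a feed's usable indicators seen in internal telemetry are assumptions.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_AGE = timedelta(days=30)                     # assumed age-off threshold
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def seen(days_ago):
    """Timestamp helper for the constructed sample data."""
    return NOW - timedelta(days=days_ago)


# Constructed sample feeds: name -> list of (indicator IP, last-seen timestamp).
FEEDS = {
    "feed_a": [("203.0.113.10", seen(1)), ("203.0.113.11", seen(2)),
               ("198.51.100.7", seen(45)),             # older than MAX_AGE
               ("10.0.0.5", seen(1)), ("192.168.1.1", seen(3)),  # RFC 1918 noise
               ("203.0.113.10", seen(1))],             # duplicate entry
    "feed_b": [("203.0.113.10", seen(1)), ("203.0.113.11", seen(5)),
               ("198.51.100.99", seen(4))],
}

# Constructed internal telemetry: external IPs observed in the reporting period.
TELEMETRY = {"203.0.113.10", "198.51.100.99", "192.0.2.44"}


def is_rfc1918(ip):
    """True if the address falls in one of the three RFC 1918 private ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def usable_indicators(entries):
    """Deduplicate a feed, then drop RFC 1918 noise and stale entries.

    Returns (usable_set, counts), where counts records what was discarded.
    """
    latest = {}
    for ip, last_seen in entries:
        if ip not in latest or last_seen > latest[ip]:
            latest[ip] = last_seen
    private = {ip for ip in latest if is_rfc1918(ip)}
    stale = {ip for ip, ts in latest.items()
             if ip not in private and NOW - ts > MAX_AGE}
    counts = {"entries": len(entries), "duplicates": len(entries) - len(latest),
              "rfc1918": len(private), "stale": len(stale)}
    return set(latest) - private - stale, counts


def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0


def evaluate(feeds, telemetry):
    """Score every feed against the other feeds and against internal telemetry."""
    usable, report = {}, {}
    for name, entries in feeds.items():
        usable[name], report[name] = usable_indicators(entries)
    for name, mine in usable.items():
        others = set().union(*(s for n, s in usable.items() if n != name))
        report[name]["usable"] = len(mine)
        # Share of this feed's usable indicators that no other feed supplies.
        report[name]["unique_pct"] = pct(len(mine - others), len(mine))
        # Share of this feed's usable indicators that matched internal telemetry.
        report[name]["correlation_pct"] = pct(len(mine & telemetry), len(mine))
    return report


if __name__ == "__main__":
    for name, row in evaluate(FEEDS, TELEMETRY).items():
        print(name, row)
```

In this sample the larger feed contributes nothing unique once duplicates, private addresses, and aged-out entries are removed, which is the pattern the sidebar warns about when feeds are added only to widen coverage.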