CTI Fundamentals
A collection of essential resources related to cyber threat intelligence theory.
CTI Theory
| Author | Description | Resource URL |
|---|---|---|
| The US Central Intelligence Agency | The traditional Intelligence cycle describes how intelligence is ideally processed in civilian and military intelligence agencies, and law enforcement organizations. | the-intelligence-cycle.html |
| The US Central Intelligence Agency | This primer highlights structured analytic techniques — some widely used in the private sector and academia, some unique to the intelligence profession | Tradecraft-Primer-apr09.pdf |
| The US Central Intelligence Agency | The psychology of intelligence analysis by the CIA’s Center for the Study of Intelligence | Psychology_of_Intelligence_Analysis.pdf |
| iSIGHT Partners | The first definitive guide to cyber threat intelligence ever produced | cti-guide.pdf |
| Recorded Future | The traditional intelligence life cycle tailored to threat intelligence embedded in modern security operations | What the 6 Phases of the Threat Intelligence Lifecycle Mean for Your Team |
| SANS | SANS shared a Cyber Kill Chain tailored to Industrial Control Systems (ICS), written by Michael J. Assante and Robert M. Lee. | The Industrial Control System Cyber Kill Chain |
| Mercyhurst University Institute for Intelligence Studies | The Analyst’s Style Manual is a product intended to assist student analysts with the many perplexing and complex rules they should follow in producing written intelligence products | analysts_style_manual.pdf |
| Freddy M | The Intelligence Architecture Map is based on interviews of industry experts, former intelligence practitioners, and Freddy's personal views. It represents a logical and meaningful way of how different aspects of producing intelligence should be put together. | intelligence-architecture-map-freddy-m |
| Grace Chi | IS SHARING CARING? A comprehensive study on the current cyber threat intelligence inter-personal and social networking practices, results, and attitudes | ctinetworkingreport2022.pdf |
| Institute for Software Research School of Computer Science Carnegie Mellon University | A paper from the Carnegie Mellon ISR on the life-cycle of an advanced persistent threat group attack, from reconnaissance to data exfiltration | CMU-ISR-17-100.pdf |
| RAND Corporation | RAND’s Four-Step Scalable Warning and Resilience Model | RAND_RRA382-1.pdf |
| UK National Anti Fraud Network | Basics of Intelligence Management, including classification, evaluation, dissemination, and the intelligence confidence matrix | Intelligence%20Management%20Training.pdf |
| International Journal of Intelligence and CounterIntelligence | An argument that CTI is a product without a process, which has several underlying causes and consequences for the CTI practice. It is also argues that the field needs to implement traditional intelligence analysis and methodology, rather than add more technology | Cyber Threat Intelligence: A Product Without a Process? |
| mxm0z | This is a collection of useful resources concerning intelligence writing such as manuals/guides, standards, books, and articles | Awesome Intelligence Writing |
| threat-intelligence.eu | Technical standards related to threat intelligence | Standards related to Threat Intelligence |
| Joe Slowik | Threat Intelligence and the Limitations of Malware Analysis | dragos.com |
| Joe Slowik | Analyzing Network Infrastructure as Composite Objects: While network infrastructure indicators and observables are typically viewed as atomic objects, seeing these items as composites enables powerful analysis able to keep pace with adversary evolution | domaintools.com |
| US Government | Analytic Tradecraft Primer on Structured Analytic Techniques | stat.berkeley.edu |
| Juan Andrés Guerrero-Saade | The ethics and perils of APT research: An unpected transition into intelligence brokerage. In the face of investigations with geopolitical weight and consequences, whose final attributions entail unmasking nation-state operations, even the most capable security researcher among us will need drastic preparations, not only to excel but to survive. | Guerrero-Saade-VB2015.pdf |
| Matt Richard | Common Cyber Threat Intel Biases: how to convey biases, blind spots, and systematic weaknesses in how teams evaluate and write about threat intelligence | medium.com/@mrichard91 |
CTI Frameworks
| Author | Description | Resource URL |
|---|---|---|
| John Boyd | The OODA loop - is the cycle of observe–orient–decide–act. The approach explains how agility can overcome raw power in dealing with human opponents. It is especially applicable to cyber security and cyberwarfare. |
OODA_Loop.html |
| David J. Bianco | The Pyramid of Pain - Analysing relationships between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them |
the-pyramid-of-pain.html |
| Center for Cyber Intelligence Analysis and Threat Research | The Diamond Model - a novel model of intrusion analysis built by analysts, derived from years of experience |
diamond.pdf |
| Lockheed Martin | The Cyber Kill Chain® framework - is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective |
Cyber_Kill_Chain.pdf |
| Lockheed Martin | The Courses of Action matrix - using the 7 Action Ds of detect, deny, disrupt, degrade, deceive, and destroy to counter cyber intrusions |
LM-White-Paper-Intel-Driven-Defense.pdf |
| MITRE | The MITRE ATT&CK® framework - is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. |
attack.mitre.org |
| Mandiant | The Targeted Attack Lifecycle - Mandiant’s depiction of the targeted attack lifecycle illustrates the major phases of a typical intrusion. |
mandiant.com |
| Paul Pols | The Unified Kill Chain - was developed through a hybrid research approach, combining design science with qualitative research methods. The Unified Kill Chain extends and combines existing models, such as Lockheed Martin's Cyber Kill Chain® and MITRE's ATT&CK® |
unifiedkillchain.com |
| Verizon | The VERIS framework - uses a common language and a structured, repeatable process, both of which allow organizations to objectively classify security incidents. Used for Verizon's DBIR. |
verizon.com |
| IBM X-Force | The Cyberattack Preparation Framework and The Cyberattack Execution Framework - provide a logical flow representative of attacks today and they also incorporate phases not typically included in other frameworks |
ibm.com |
Practical Threat Intelligence
| Author | Description | Resource URL |
|---|---|---|
| Mandiant | Mandiant's unprecedented report linking APT1 to China's 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department (Military Cover Designator 61398). | mandiant-apt1-report.pdf |
| CrowdStrike | CrowdStrike's "breakout time" report provided an illuminating look at which actors operate the fastest within networks they have gained access to, and how effective and rapid the defenders have to be to defeat some of the most capable adversaries | crowdstrike.com |
| Trevor Giffen | The Initial Access Broker Landscape | curatedintel.org |
| Trevor Giffen | Assessing the State of Breached Data Search Services | curatedintel.org |
| William Thomas | Threat Group Naming Schemes In Cyber Threat Intelligence | curatedintel.org |
| William Thomas | CTI lexicon guide to some of the jargon and acronyms used in threat intelligence | CTI Lexicon |
| Sarah Jones | A Brief History of Attribution Mistakes - analyse the mistakes made by others so that you do not repeat them | securityandtechnology.org |
| Anastasios Pingios | Intelligence Agency and Security Services Internal Structuring | xorl.wordpress.com |
| RAND Corporation | This report describes the fundamental characteristics of cybercriminal black markets and how they have grown into their current state in order to give insight into how their existence can harm the information security environment | RAND_RR610.pdf |
| @Bank_Security | HUMINT activities during undercover operations are fundamental as a part of Cyber Intelligence activities. This guide shares insights how someone could engage Threat Actors during undercover operations in the cybercriminal underground | cyber-intelligence-humint-operations |
| MSTIC | The "cybercrime gig economy" describes the intricacies of Ransomware-as-a-Service (RaaS) and RaaS affiliate operations | microsoft.com |
| Google Project Zero | GP0 has compiled a spreadsheet of 0day vulnerabilities leveraged in the wild by threat actors before the vendors were aware of them | 0days "In the Wild" |
| Katie Nickels | Analysts have compiled a list of court documents issued by the Department of Justice (DOJ) specifically regarding various threat actor charges and indictments, from APT group members to ransomware operators | Legal Documents of Interest to CTI Analysts |
| Intel 471 | The CU-GIRH is a baseline tool to assist security professionals and teams in organizing, prioritizing, and producing cyber underground intelligence based on General Intelligence Requirements (GIRs) — a compilation of frequently asked intelligence requirements applicable to the cybercrime underground such as: forums, marketplaces, products, services, and threat actors. Access to the GIR Handbook includes an intelligence planning workbook (templates, samples) | Cybercrime Underground General Intelligence Requirements Handbook (CU-GIRH) |
Enterprise Threat Intelligence
| Author | Description | Resource URL |
|---|---|---|
| CREST | CREST released their CTI Maturity Model Assessment Tool (MMAT) in 2020, a customizable and modular tool for assessing the maturity of a threat intelligence program for free. This tool has three types: Summary, Intermediate, Detailed. In 2022, the tool vanished from CREST's website, but is archived by Curated Intelligence | CREST CTI Maturity Model Assessment Tool (MMAT) |
| Recorded Future | Recorded Future periodically updates a handbook detailing their vendor-biased roadmap for building an intelligence-led security program. This is useful for understanding what threat intelligence capabilities may need to be integrated with an enterprise CTI program | The Intelligence Handbook: Fourth Edition |
| Recorded Future | Recorded Future maintains a handbook detailing their vendor-biased playbooks for responding to typical CTI-type detections within an enterprise CTI program. This is useful for understanding what threat intelligence response cases may look like in an enterprise CTI program | The Intelligence Playbook: Practical Applications Across the Enterprise |
| CERT-BI | This whitepaper details an enterprise-friendly service architecture for offering an enhanced CTI capability | A service architecture for an enhanced CTI capability |
| NCSC | This guide is aimed at individuals who oversee or deliver threat intelligence capability to a department. This document provides a roadmap to delivering a CTI capability and an overview of the activities, deliverables and technologies required. | Cyber Threat Intelligence in Government: A Guide for Decision Makers & Analysts |
| Mandiant | The core skills framework provides enterprises and individuals guidance with three things: 1. determine appropriate development roadmaps to ensure CTI skills progression; 2. provide a guidepost for aspirant CTI analysts to tailor their studies; 3. assist network defenders in understanding the roles and responsibilities of a CTI analyst | The Mandiant Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework |
| ENISA | ENISA report on evaluating Threat Intelligence Platform (TIPs) | Exploring the opportunities and limitations of current Threat Intelligence Platforms |
| sfakiana | This is the TLP WHITE version of the Excel document related to Threat Intelligence Platform requirements. This Excel document was first released during SANS CTI Summit 2021 presentation of Andreas Sfakianakis titled "Still thinking your Ex(cel)? Here are some TIPs". The contents of this document are related to the 2017 ENISA report on "The limitations and opportunities of current Threat Intelligence Platforms" (authors are Andreas Sfakianakis and Razvan Gavrila). | Threat Intelligence Platform (TIP) Functional Requirements |