8.0 KiB
8.0 KiB
CTI Fundamentals
A collection of essential resources related cyber threat intelligence theory
CTI Theory
| Authour | Description | Resource URL |
|---|---|---|
| The US Central Intelligence Agency | The traditional Intelligence cycle describes how intelligence is ideally processed in civilian and military intelligence agencies, and law enforcement organizations. | the-intelligence-cycle.html |
| The US Central Intelligence Agency | This primer highlights structured analytic techniques—some widely used in the private sector and academia, some unique to the intelligence profession | Tradecraft-Primer-apr09.pdf |
| iSIGHT Partners | The first definitive guide to cyber threat intelligence ever produced | cti-guide.pdf |
| David J. Bianco | Analysing relationships between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them | the-pyramid-of-pain.html |
| Lockheed Martin | The Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective | Cyber_Kill_Chain.pdf |
| Mercyhurst University Institute for Intelligence Studies | The Analyst’s Style Manual is a product intended to assist student analysts with the many perplexing and complex rules they should follow in producing written intelligence products | analysts_style_manual.pdf |
| Freddy M | The Intelligence Architecture Map is based on interviews of industry experts, former intelligence practitioners, and Freddy's personal views. It represents a logical and meaningful way of how different aspects of producing intelligence should be put together. | intelligence-architecture-map-freddy-m |
| Grace Chi | IS SHARING CARING? A comprehensive study on the current cyber threat intelligence inter-personal and social networking practices, results, and attitudes | ctinetworkingreport2022.pdf |
| Institute for Software Research School of Computer Science Carnegie Mellon University | A paper from the Carnegie Mellon ISR on the life-cycle of an advanced persistent threat group attack, from reconnaissance to data exfiltration | CMU-ISR-17-100.pdf |
| John Boyd | The OODA loop is the cycle observe–orient–decide–act. The approach explains how agility can overcome raw power in dealing with human opponents. It is especially applicable to cyber security and cyberwarfare. | OODA_Loop.html |
| RAND Corporation | RAND’s Four-Step Scalable Warning and Resilience Model | RAND_RRA382-1.pdf |
Adversary Intelligence
| Authour | Description | Resource URL |
|---|---|---|
| Mandiant | Mandiant's unprecedented report linking APT1 to China's 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department (Military Cover Designator 61398). | mandiant-apt1-report.pdf |
| CrowdStrike | CrowdStrike's "breakout time" report provided an illuminating look at which actors operate the fastest within networks they have gained access to, and how effective and rapid the defenders have to be to defeat some of the most capable adversaries | crowdstrike.com |
| Katie Nickels | Analysts have compiled a list of court documents issued by the Department of Justice (DOJ) specifically regarding various threat actor charges and indictments, from APT group members to ransomware operators | Legal Documents of Interest to CTI Analysts |
| Sarah Jones | A Brief History of Attribution Mistakes - analyse the mistakes made by others so that you do not repeat them | securityandtechnology.org |
| RAND Corporation | Case Study: Applying SWARM to Predict Phishing Campaigns from the North Korea–Nexus Kimsuky Threat Actor | RAND_RRA382-1.pdf |
| Anastasios Pingios | Intelligence Agency and Security Services Internal Structuring | xorl.wordpress.com |
The Cyber Underground
| Authour | Description | Resource URL |
|---|---|---|
| RAND Corporation | This report describes the fundamental characteristics of cybercriminal black markets and how they have grown into their current state in order to give insight into how their existence can harm the information security environment | RAND_RR610.pdf |
| @Bank_Security | HUMINT activities during undercover operations are fundamental as a part of Cyber Intelligence activities. This guide shares insights how someone could engage Threat Actors during undercover operations in the cybercriminal underground | cyber-intelligence-humint-operations |
| MSTIC | Microsoft's blog on the "cybercrime gig economy" describes the intricacies of Ransomware-as-a-Service (RaaS) and RaaS affiliate operations | microsoft.com |
Vulnerability Intelligence
| Authour | Description | Resource URL |
|---|---|---|
| Google Project Zero | GP0 has compiled a spreadsheet of 0day vulnerabilities leveraged in the wild by threat actors before the vendors were aware of them | 0days "In the Wild" |