| The US Central Intelligence Agency |
The traditional intelligence cycle describes how intelligence is ideally processed in civilian and military intelligence agencies, and law enforcement organizations. |
the-intelligence-cycle.html |
| Recorded Future |
The traditional intelligence life cycle tailored to threat intelligence embedded in modern security operations |
What the 6 Phases of the Threat Intelligence Lifecycle Mean for Your Team |
| The US Central Intelligence Agency |
This primer highlights structured analytic techniques—some widely used in the private sector and academia, some unique to the intelligence profession |
Tradecraft-Primer-apr09.pdf |
| iSIGHT Partners |
The first definitive guide to cyber threat intelligence ever produced |
cti-guide.pdf |
| David J. Bianco |
Analysing relationships between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them |
the-pyramid-of-pain.html |
| Center for Cyber Intelligence Analysis and Threat Research |
The Diamond Model: a novel model of intrusion analysis built by analysts, derived from years of experience |
diamond.pdf |
| Lockheed Martin |
The Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective |
Cyber_Kill_Chain.pdf |
| SANS |
SANS shared a Cyber Kill Chain tailored to Industrial Control Systems (ICS), written by Michael J. Assante and Robert M. Lee. |
The Industrial Control System Cyber Kill Chain |
| Mercyhurst University Institute for Intelligence Studies |
The Analyst’s Style Manual is a product intended to assist student analysts with the many perplexing and complex rules they should follow in producing written intelligence products |
analysts_style_manual.pdf |
| Freddy M |
The Intelligence Architecture Map is based on interviews of industry experts, former intelligence practitioners, and Freddy's personal views. It represents a logical and meaningful way of putting together the different aspects of producing intelligence. |
intelligence-architecture-map-freddy-m |
| Grace Chi |
IS SHARING CARING? A comprehensive study on the current cyber threat intelligence inter-personal and social networking practices, results, and attitudes |
ctinetworkingreport2022.pdf |
| Institute for Software Research School of Computer Science Carnegie Mellon University |
A paper from the Carnegie Mellon ISR on the life-cycle of an advanced persistent threat group attack, from reconnaissance to data exfiltration |
CMU-ISR-17-100.pdf |
| John Boyd |
The OODA loop is the cycle observe–orient–decide–act. The approach explains how agility can overcome raw power in dealing with human opponents. It is especially applicable to cyber security and cyberwarfare. |
OODA_Loop.html |
| RAND Corporation |
RAND’s Four-Step Scalable Warning and Resilience Model |
RAND_RRA382-1.pdf |
| UK National Anti Fraud Network |
Basics of Intelligence Management, including classification, evaluation, dissemination, and the intelligence confidence matrix |
Intelligence%20Management%20Training.pdf |
| International Journal of Intelligence and CounterIntelligence |
An argument that CTI is a product without a process, which has several underlying causes and consequences for the CTI practice. It also argues that the field needs to implement traditional intelligence analysis and methodology, rather than add more technology |
Cyber Threat Intelligence: A Product Without a Process? |
| mxm0z |
This is a collection of great and very useful resources concerning intelligence writing such as manuals/guides, standards, books, and articles |
Awesome Intelligence Writing |
| threat-intelligence.eu |
Technical standards related to threat intelligence |
Standards related to Threat Intelligence |