CTI-fundamentals

A collection of papers, blogs, and resources that make up the quintessential aspects of cyber threat intelligence

CTI Theory

Authour	Description	Resource URL
The US Central Intelligence Agency	The traditional Intelligence cycle describes how intelligence is ideally processed in civilian and military intelligence agencies, and law enforcement organizations.	the-intelligence-cycle.html
The US Central Intelligence Agency	This primer highlights structured analytic techniques—some widely used in the private sector and academia, some unique to the intelligence profession	Tradecraft-Primer-apr09.pdf
iSIGHT Partners	The first definitive guide to cyber threat intelligence ever produced	cti-guide.pdf
David J. Bianco	Analysing relationships between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them	the-pyramid-of-pain.html
Lockheed Martin	The Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective	Cyber_Kill_Chain.pdf
Mercyhurst University Institute for Intelligence Studies	The Analyst’s Style Manual is a product intended to assist student analysts with the many perplexing and complex rules they should follow in producing written intelligence products	analysts_style_manual.pdf
Freddy M	The Intelligence Architecture Map is based on interviews of industry experts, former intelligence practitioners, and Freddy's personal views. It represents a logical and meaningful way of how different aspects of producing intelligence should be put together.	intelligence-architecture-map-freddy-m
Grace Chi	IS SHARING CARING? A comprehensive study on the current cyber threat intelligence inter-personal and social networking practices, results, and attitudes	ctinetworkingreport2022.pdf
Institute for Software Research School of Computer Science Carnegie Mellon University	A paper from the Carnegie Mellon ISR on the life-cycle of an advanced persistent threat group attack, from reconnaissance to data exfiltration	CMU-ISR-17-100.pdf
John Boyd	The OODA loop is the cycle observe–orient–decide–act. The approach explains how agility can overcome raw power in dealing with human opponents. It is especially applicable to cyber security and cyberwarfare.	OODA_Loop.html

Adversary Intelligence

Authour	Description	Resource URL
Mandiant	Mandiant's unprecedented report linking APT1 to China's 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department (Military Cover Designator 61398).	mandiant-apt1-report.pdf
Katie Nickels	Analysts have compiled a list of court documents issued by the Department of Justice (DOJ) specifically regarding various threat actor charges and indictments, from APT group members to ransomware operators	Legal Documents of Interest to CTI Analysts
Sarah Jones	A Brief History of Attribution Mistakes - analyse the mistakes made by others so that you do not repeat them	securityandtechnology.org

The Cyber Underground

Authour	Description	Resource URL
RAND Corporation	This report describes the fundamental characteristics of cybercriminal black markets and how they have grown into their current state in order to give insight into how their existence can harm the information security environment	RAND_RR610.pdf
@Bank_Security	HUMINT activities during undercover operations are fundamental as a part of Cyber Intelligence activities. This guide shares insights how someone could engage Threat Actors during undercover operations in the cybercriminal underground	cyber-intelligence-humint-operations

Vulnerability Intelligence

Authour	Description	Resource URL
Google Project Zero	GP0 has compiled a spreadsheet of 0day vulnerabilities leveraged in the wild by threat actors before the vendors were aware of them	0days "In the Wild"