CTI Reading List

A few weeks ago while teaching SANS FOR578 one of my students asked a great question by a student: What books or papers should a new cyber threat intelligence analyst read first? It’s a question I’d meant to answer before so instead of just sending back an email (I mean, I emailed back, HI MATT, but along with that) I figured I’d write up my list and have something to reference next time I get asked. So here’s my list of things you should read when getting started in cyber threat intelligence:

Books

Get that library card or Amazon account ready, here are my favorite books on CTI.

The best narrative version of the DFIR & CTI world I can imagine The Cuckoo’s Egg reads better than Tom Clancy and tells the true story of an astronomers year hunting cyber espionage in the early 1980s. A must read (and great for non-technical folks as well). Also a great gauge of interest for people thinking about dipping their toe into DFIR or CTI.

Written in 2000 Secrets and Lies was my introduction to many of the technical problems in security and has been my go to First Technical Security Book ever since. I’m reevaluating it now (against the Defensive Security Handbook: Best Practices for Securing Infrastructure by Lee Brotherston & Amanda Berlin) but Secrets and Lies is a classic.

Ultimately CTI collection is the output of incident response. Doing CTI well requires a deep understanding of all aspects of Incident Response and Incident Response & Computer Forensics is the best book to learn the overall process from some folks who’ve been there and done that.

A huge amount of CTI comes down to malware analysis. Malware reverse engineering is a big part of understanding the capabilities of an adversary. This is the best introduction text I know. In fact it’s on my current reread list.

SHOCKER: You’re not an intelligence analyst if you’re doing CTI. You’re a counter intelligence analyst. Many of the same techniques, but a totally different application. Understanding traditional counterintelligence tradecraft is essential and this is my favorite book to learn it.

Analysis is often the least understood (and honestly least undertaken) piece of CTI. We, all of us in the CTI arena, need to get better at it. Richards Heuer literally wrote the book on this.

Like The Cukoo’s Egg Fred Kaplan’s Dark Territory is a story centric a history of the development of America’s cyber warfare capability and provides a detailed look into what developing a cyber warfare capability looks like at a policy level.

Papers

Plenty of key concepts don’t merit a full book but are more in the 10–30 page range which are perfect for academic style papers. These are good ones to start with:

Adversaries

Most CTI programs are focused on four major sets of adversaries: China, Russia, the United States, & everyone else (I’ll write another post about that bias later on). Who’s important will depend on your threat model including geographic location and industry, but passing familiarity with the big players is important for everyone. Here’s are my favorites introductions:

Non-Computer Network Defense Specific Reading

While the books above are very technically focused on computer network defense (CND) but there are a wide variety of subjects useful to a CTI analyst that go beyond CND & intelligence. Here’s my starting list:

An exploration of the formation of the modern Russian intelligence apparatus. Studying those evolutions is interesting.

Judge if you want, it’s a solid read detailing the meta nature of conflict and espionage. Yes it’s overdone, yes it was over quoted, but it’s still valuable. Ignore it at your own peril. (Want a more modern take? I’ve been meaning to read On War by Carl von Clausewitz.)

So I haven’t read this one (yet)… but I’ve been meaning too. From podcasts and discussions with friends it’s a perfect for this list so I’ll add it, even if it is still aspirational to me. Very metacognitive.

One Last Reading Idea

Rebekah Brown and I have been working very hard and are excited to share our own addition to this list:

Intelligence Driven Incident Response

Our book is meant to cover both the network defense process and the intelligence process but more importantly how they can be integrated. Ultimately computer networks defense takes intrusion detection, incident response, & intelligence.

Bonus! Jiro Dreams of Sushi & Sour Grapes

As I was originally thinking about this post I thought it would be nothing but Intelligence & Incident Response books, but as I kept considering the topic it kept expanding and I wanted to be encompassing. So in addition to some reading here are two movies I watched and couldn’t stop thinking of parallels to CTI.

Photo from The Gumroad

Jiro Dreams of Sushi is a beautiful documentary about food, but more than that about the depth of effort and dedication it takes to really be the best at a craft. This is all the more important in an adversarial vocation like CTI, where in many cases it matters who’s better, you or the adversary. For me I would like to be known as having the kind of tenacity as Jiro and those who work with him.

Photo from The Pool

Sour Grapes touches on a different but no less important, borderline unteachable, aspect of CTI/IR. I won’t spoil the surprise, but Sour Grapes is a wonderful lesson in the investigative desire, that need to track down the adversary and figure out their techniques and goals.

I recommend both highly and they’re both excellent to watch even with non-CND people. They also pair with tuna nigiri and an off-dry Riesling.

Show your support

Clapping shows how much you appreciated Scott J Roberts’s story.