Cyber Threat Intelligence Self-Study Guide

VEEXH
Published in The Sleuth Sheet
14 min read · Jan 3, 2023

I must state for the record that this study guide would not be possible without adapting pieces of information from Katie Nickels & Andy Piazza. They’ve done a tremendous job of educating individuals on Cyber Threat Intelligence.

WHAT IS CTI?

Cyber threat intelligence (CTI) is information about the capabilities, intentions, and activities of adversaries in cyberspace, specifically their ability to compromise, disrupt, or exploit information systems. CTI helps organizations understand the potential risks and impacts of cyber threats, and can be used to inform decision-making, prioritize investments in cybersecurity, and develop effective defensive strategies.

CTI can be gathered from a variety of sources, including open-source information, industry reporting, and intelligence agencies. It can be delivered in various formats, such as reports, alerts, and briefings. CTI can be used by organizations of all sizes and in all sectors, including government, military, financial, healthcare, and critical infrastructure.

Effective CTI requires the ability to analyze and interpret large amounts of data from multiple sources, and to accurately assess the credibility and relevance of that information. It also requires the ability to communicate findings clearly and concisely to decision-makers, and to update and refresh CTI as new information becomes available.

DUTIES A CTI ANALYST MIGHT PERFORM

The specific duties of a CTI analyst may vary depending on the size and needs of the organization, but some common tasks include:

  • Monitoring open-source and industry intelligence feeds for information about potential threats
  • Identifying and analyzing patterns and trends in cyber attacks and adversaries
  • Conducting in-depth research on specific threats or groups of adversaries
  • Collaborating with other members of the organization’s security team to understand their needs and priorities for CTI
  • Providing timely and actionable intelligence to decision-makers and other stakeholders
  • Updating and maintaining a knowledge base of CTI
  • Participating in tabletop exercises and other simulations to test the organization’s CTI processes and response plans

To perform these tasks effectively, a CTI analyst should have strong analytical and research skills, as well as an in-depth understanding of the current threat landscape in cyberspace. They should also be able to communicate their findings clearly and concisely to both technical and non-technical audiences.

TOPICS

  • Intelligence Analysis Fundamentals
  • Security & Networking Fundamentals
  • Writing & Editing
  • Importance of Studying APT Reports
  • Training Frameworks to Learn
  • OSINT (Open Source Intelligence)
  • Extra

INTELLIGENCE ANALYSIS FUNDAMENTALS

The “intelligence” part of cyber threat intelligence (CTI) is important because it involves the analysis and interpretation of information about potential threats, rather than just the raw data itself. Without this step, the raw data may not be actionable or may be misunderstood, leading to ineffective or inefficient use of resources.

READING LIST IN ORDER

  • Psychology of Intelligence Analysis | ←Starting Point
    CTI analysts may find the book useful because it can help them understand the psychological factors that can influence their own thinking and decision-making, as well as the thinking and decision-making of others. This can be especially important in the fast-paced and high-stakes environment of CTI, where it is critical to make accurate and timely decisions based on incomplete or potentially biased information. By reading “Psychology of Intelligence Analysis,” CTI analysts may be better equipped to identify and overcome their own biases, as well as to recognize and manage the biases of others. This can ultimately lead to more accurate and effective intelligence analysis.
  • Structured Analytic Techniques for Intelligence Analysis
    CTI analysts may benefit from reading this book because it can help them develop more effective and efficient ways of analyzing and interpreting information about cyber threats. By using structured analytic techniques, CTI analysts can better identify patterns and trends, test hypotheses, and draw conclusions based on the available data. This can ultimately lead to more accurate and actionable intelligence that is better suited to inform decision-making and guide the development of effective defensive strategies. | PRACTICE & APPLY SATs ON REAL-WORLD EXAMPLES BEFORE MOVING ON TO THE NEXT BOOK
  • Critical Thinking for Strategic Intelligence
    Today’s organizations are under constant pressure to make quick, informed decisions in the face of rapidly changing conditions. To meet this challenge, decision-makers need a clear understanding of the role of critical thinking in the intelligence process. Critical Thinking for Strategic Intelligence is designed to help readers develop the necessary thinking skills to succeed in today’s fast-paced, information-rich environment. The book introduces a robust framework for thinking strategically about complex problems and opportunities and provides readers with practical tools and techniques for putting this framework into action. With its focus on real-world applications, Critical Thinking for Strategic Intelligence is an essential resource for anyone who needs to make better decisions in a constantly changing world.

OPTIONAL CONTINUED READING

SECURITY & NETWORKING FUNDAMENTALS

Networking and security fundamentals are important to learn before studying cyber threat intelligence (CTI) for several reasons:

  1. Understanding the basics of networking and security can help CTI analysts better understand how cyber threats work and how they can be detected and mitigated. For example, a CTI analyst who is familiar with networking protocols and security controls will be better equipped to analyze and interpret information about network-based threats or vulnerabilities.
  2. CTI analysts often work closely with other members of an organization’s security team, who may have a more technical background. Having a strong foundation in networking and security can help CTI analysts communicate more effectively with these team members and understand their perspectives and needs.
  3. Many CTI tools and resources, such as intrusion detection systems and vulnerability scanners, rely on a basic understanding of networking and security concepts. Without this foundation, it may be difficult for CTI analysts to effectively use these tools or to interpret their results.

PREREQUISITES

TryHackMe is a platform that offers a variety of interactive hacking challenges and virtual environments where users can learn and practice cybersecurity skills. It is designed to provide a hands-on learning experience for people interested in learning about cyber security, and it covers a wide range of topics including ethical hacking, penetration testing, and cyber security defense. The challenges are based on real-world scenarios and are intended to help users build and reinforce their skills in a safe and controlled environment.

TryHackMe.com
Malware Analysis In 5+ Hours — Full Course — Learn Practical Malware Analysis!

THE BEST MALWARE ANALYSIS COURSE

PRACTICAL TRAINING PLATFORMS

MAIN RESOURCES

“Intelligence-Driven Incident Response” is a book that provides guidance on how to use intelligence-gathering techniques to inform and improve the effectiveness of an organization’s incident response efforts. Some key points about the book include:

  • The importance of intelligence in incident response: The book emphasizes the value of using intelligence to understand the motivations, tactics, and capabilities of adversaries, and to anticipate and prepare for potential incidents.
  • The role of intelligence in the incident response process: The book discusses how intelligence can be used at each stage of the incident response process, from preparation and planning to detection and analysis, containment and eradication, and recovery and lessons learned.
  • The challenges and best practices of intelligence-driven incident response: The book identifies common challenges and pitfalls in using intelligence in incident response, and provides recommendations for overcoming these challenges and implementing best practices.

Domain Knowledge:

  • Security Fundamentals
  • Phishing Analysis
  • Threat Intelligence
  • Digital Forensics
  • SIEM
  • Incident Response

The BTL-1 certification is highly practical and a strong training ground for security and incident response staff, and for anyone looking to obtain the skills needed for cyber threat intelligence, because it covers a wide range of topics that are directly applicable to the work of blue team members, including threat intelligence and incident response. The certification is designed to provide a solid foundation in these areas and to help individuals develop the skills and knowledge needed to effectively defend against cyber threats.

This course introduces students to the real-world threats defenders experience in their networks and the tools used to defend against those threats. It provides the essential foundation of modern cyber defense operations. Students will learn the inner workings of the three core pillars of cyber defense: prevention, detection, and response. They will also learn how to defend an enterprise using essential blue team incident response tools and techniques.

ALTHOUGH THESE RESOURCES ARE PAID, THEY WILL GIVE YOU THE BEST HANDS-ON, PRACTICAL TRAINING NECESSARY FOR CYBER THREAT INTELLIGENCE

WRITING & EDITING

Effective writing and editing are important in the intelligence community for several reasons:

  1. Clear and concise communication: Intelligence professionals often need to communicate complex and sensitive information to a variety of audiences, including decision-makers, analysts, and operational personnel. Effective writing and editing can help ensure that this information is presented in a clear and concise manner, which can improve understanding and facilitate decision-making.
  2. Professionalism: Intelligence reports and briefings are often used to inform important decisions, and as such, they need to be professional and credible. Poorly written or edited documents can undermine the credibility of the intelligence and create confusion or misunderstandings.
  3. Efficiency: The intelligence community often operates under tight deadlines and with limited resources. Effective writing and editing can help ensure that documents are produced quickly and efficiently, without sacrificing quality.

RESOURCES

It is important that threat reports are short, concise, and understandable, especially when they are being used to inform decision-making or guide the development of defensive strategies. Lengthy or complex reports can be difficult to digest and may not be effective in conveying the most important information.

In general, it is best to focus on the key points and to present the information in a clear and logical manner. This may involve breaking the report into sections or using visual aids to help illustrate key points. It is also important to use language that is appropriate for the audience and to avoid technical jargon or overly complex terms.

Overall, the goal of a threat report should be to present the most relevant and important information in a way that is easy for the reader to understand and use.

STUDY APT REPORTS

An in-depth study of Advanced Persistent Threat (APT) reports can be highly valuable for cyber threat intelligence (CTI) professionals. APTs are a type of cyber attack in which an adversary gains access to a network or system and establishes a foothold for long-term, covert operations. These attacks can be difficult to detect and mitigate, and can have significant impacts on an organization.

Hence, APT reports should be monitored closely by CTI professionals, as they provide detailed information about an attacker's persistence and capabilities. Such information can be used to plan and implement security measures to protect the targeted organization. In addition, APT reports can provide valuable insights that can be used to fine-tune existing cyber security strategies or develop new ones. Studying APT reports in depth is therefore essential for CTI professionals who want to better protect their organizations from such attacks.

When reading Advanced Persistent Threat (APT) reports, some key questions to consider include:

  • Who is behind the APT? What is known about the group or individual responsible for the attack, including their motivations, goals, and capabilities?
  • How did the APT gain access to the network or system? What tactics, techniques, and procedures (TTPs) were used to compromise the target?
  • What was the APT’s objective? What actions did the APT take once it gained access, and what was the intended outcome of the attack?
  • What was the impact of the APT? What damage was done to the target, and what was the extent of the data breach or compromise?
  • How was the APT detected and mitigated? What indicators of compromise (IOCs) were used to identify the APT, and what steps were taken to contain and eradicate it?
  • What can be learned from the APT? What lessons can be drawn from the attack, and what can be done to prevent similar attacks in the future?

SPEND QUALITY TIME RESEARCHING

It is definitely beneficial to spend a significant amount of time studying a particular APT (advanced persistent threat) group, as this can help you understand their tactics, techniques, and procedures (TTPs) and become better equipped to defend against them. By learning as much as possible about an APT group, you can gain insights into their motivations, the tools and infrastructure they use, and their methods for compromising and maintaining access to victim systems. This knowledge can be critical for developing effective countermeasures and mitigating the risk posed by these groups.

In addition to studying the group itself, it can also be helpful to understand the broader context in which the group operates, including the geopolitical and economic factors that may influence their activities. This can help you better anticipate the group’s future actions and understand the motivations behind their attacks.

Overall, the more you can learn about an APT group, the better equipped you will be to defend against them and mitigate the risks they pose to your organization.

SOME APT REPORTS

RESOURCES

This is a repository for various publicly-available documents and notes related to APT, sorted by year. For malware sample hashes, please see the individual reports.

TRAINING FRAMEWORKS

The ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a useful resource for cybersecurity professionals, particularly those working in the field of cyber threat intelligence (CTI). It is a comprehensive, open-source database of known tactics and techniques used by cyber adversaries, which can be used to understand how different groups operate and how they might target a particular organization.

The Diamond Model is a framework used in cyber threat intelligence (CTI) to help analysts understand and analyze the motivations, capabilities, and intentions of cyber adversaries. It was developed by the Defense Advanced Research Projects Agency (DARPA) in the early 2010s as a way to better understand and predict the behavior of advanced persistent threat (APT) groups.

DEEP DIVE INTO CTI

Deep-dive into CTI by focusing on a single APT for at least three months. The time spent researching will be pivotal, and here are some reasons why this should be done:

  1. To gain a more comprehensive understanding of the threat landscape: By spending a significant amount of time studying CTI, analysts can gain a more thorough understanding of the various threats that organizations face, including the tactics, techniques, and procedures (TTPs) used by adversaries. This can help them better anticipate and prepare for future attacks.
  2. To identify trends and patterns: By studying CTI over a longer period of time, analysts may be able to identify trends and patterns in the types of attacks that organizations face, as well as the tools and infrastructure used by adversaries. This can help them better understand the motivations and intentions of cyber adversaries and develop strategies to defend against them.
  3. To stay up to date: The cyber threat landscape is constantly evolving, and analysts need to stay up to date on the latest threats and vulnerabilities. By deep diving into CTI, analysts can ensure that they are aware of the latest developments and trends in the field.

RESOURCES

FOLLOW PART 2 OF KATIE'S BLOG

NOTE

THIS SECTION CAN BE USED TO FURTHER ENHANCE KATIE'S OSINT SECTION IN PART 2

OSINT

Getting started in open source research can be daunting, especially if the field is completely new to you. But there’s no reason to fear: this guide will cover concrete steps that you can take to develop skills, discover communities based on your interests, and eventually lend a helping hand to important research.

Perhaps one of the most influential books on the topic of open-source intelligence gathering, “Open Source Intelligence Techniques” by Michael Bazzell, is a great starting point for those interested in learning more about this field. In his book, Bazzell covers a wide range of topics related to OSINT, from online search techniques to social media analysis. One thing that makes “Open Source Intelligence Techniques” so valuable is that it was written by someone with real-world experience in the field. Bazzell spent many years working as an FBI computer forensics examiner, and he draws on this experience throughout the book. As a result, the book is packed with practical tips and advice that you can use immediately. If you’re serious about learning more about OSINT, “Open Source Intelligence Techniques” is an essential read.

  • OSINT & The Intelligence Cycle Part I
  • OSINT & The Intelligence Cycle Part II
  • OSINT & The Intelligence Cycle Part III
  • OSINT & The Intelligence Cycle Part IV
  • OSINT & The Intelligence Cycle Part V

PRACTICAL OSINT TRAINING

This Module covers the OSINT phase of a security assessment. Strong OSINT skills are essential for penetration testers and red teamers. They can often lead to information crucial to the success of the engagement, such as a foothold into the target network.

https://ozint.eu/

OZINT provides some of the best material and challenges for learning open source intelligence. I will always recommend them if you truly want to challenge yourself and go above and beyond in the field of OSINT.

EXTRA

If you want to go above and beyond the call of duty there is no greater way to prepare for the field of Cyber Threat Intelligence than the FOR578: Cyber Threat Intelligence course offered by SANS Institute.
