/CTI-fundamentals

A collection of papers, blogs, and resources that make up the quintessential aspects of cyber threat intelligence

logo

CTI Fundamentals

A collection of essential resources related to cyber threat intelligence theory.

CTI Theory

Author Description Resource URL
The US Central Intelligence Agency The traditional Intelligence cycle describes how intelligence is ideally processed in civilian and military intelligence agencies, and law enforcement organizations. the-intelligence-cycle.html
The US Central Intelligence Agency This primer highlights structured analytic techniques — some widely used in the private sector and academia, some unique to the intelligence profession Tradecraft-Primer-apr09.pdf
The US Central Intelligence Agency The psychology of intelligence analysis by the CIA’s Center for the Study of Intelligence Psychology_of_Intelligence_Analysis.pdf
iSIGHT Partners The first definitive guide to cyber threat intelligence ever produced cti-guide.pdf
Recorded Future The traditional intelligence life cycle tailored to threat intelligence embedded in modern security operations What the 6 Phases of the Threat Intelligence Lifecycle Mean for Your Team
SANS SANS shared a Cyber Kill Chain tailored to Industrial Control Systems (ICS), written by Michael J. Assante and Robert M. Lee. The Industrial Control System Cyber Kill Chain
Mercyhurst University Institute for Intelligence Studies The Analyst’s Style Manual is a product intended to assist student analysts with the many perplexing and complex rules they should follow in producing written intelligence products analysts_style_manual.pdf
Freddy M The Intelligence Architecture Map is based on interviews of industry experts, former intelligence practitioners, and Freddy's personal views. It represents a logical and meaningful way of how different aspects of producing intelligence should be put together. intelligence-architecture-map-freddy-m
Grace Chi IS SHARING CARING? A comprehensive study on the current cyber threat intelligence inter-personal and social networking practices, results, and attitudes ctinetworkingreport2022.pdf
Institute for Software Research School of Computer Science Carnegie Mellon University A paper from the Carnegie Mellon ISR on the life-cycle of an advanced persistent threat group attack, from reconnaissance to data exfiltration CMU-ISR-17-100.pdf
RAND Corporation RAND’s Four-Step Scalable Warning and Resilience Model RAND_RRA382-1.pdf
UK National Anti Fraud Network Basics of Intelligence Management, including classification, evaluation, dissemination, and the intelligence confidence matrix Intelligence%20Management%20Training.pdf
International Journal of Intelligence and CounterIntelligence An argument that CTI is a product without a process, which has several underlying causes and consequences for the CTI practice. It is also argues that the field needs to implement traditional intelligence analysis and methodology, rather than add more technology Cyber Threat Intelligence: A Product Without a Process?
mxm0z This is a collection of useful resources concerning intelligence writing such as manuals/guides, standards, books, and articles Awesome Intelligence Writing
threat-intelligence.eu Technical standards related to threat intelligence Standards related to Threat Intelligence
Joe Slowik Threat Intelligence and the Limitations of Malware Analysis dragos.com
Joe Slowik Analyzing Network Infrastructure as Composite Objects: While network infrastructure indicators and observables are typically viewed as atomic objects, seeing these items as composites enables powerful analysis able to keep pace with adversary evolution domaintools.com
US Government Analytic Tradecraft Primer on Structured Analytic Techniques stat.berkeley.edu
Juan Andrés Guerrero-Saade The ethics and perils of APT research: An unpected transition into intelligence brokerage. In the face of investigations with geopolitical weight and consequences, whose final attributions entail unmasking nation-state operations, even the most capable security researcher among us will need drastic preparations, not only to excel but to survive. Guerrero-Saade-VB2015.pdf
Juan Andrés Guerrero-Saade Expanding our descriptive palette for cyber threat actors VB2018-Guerrero-Saade.pdf
Matt Richard Common Cyber Threat Intel Biases: how to convey biases, blind spots, and systematic weaknesses in how teams evaluate and write about threat intelligence medium.com/@mrichard91

CTI Frameworks

Author Description Resource URL
John Boyd The OODA loop - is the cycle of observe–orient–decide–act. The approach explains how agility can overcome raw power in dealing with human opponents. It is especially applicable to cyber security and cyberwarfare. OODA_Loop.html
David J. Bianco The Pyramid of Pain - Analysing relationships between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them the-pyramid-of-pain.html
Center for Cyber Intelligence Analysis and Threat Research The Diamond Model - a novel model of intrusion analysis built by analysts, derived from years of experience diamond.pdf
Lockheed Martin The Cyber Kill Chain® framework - is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective Cyber_Kill_Chain.pdf
Lockheed Martin The Courses of Action matrix - using the 7 Action Ds of detect, deny, disrupt, degrade, deceive, and destroy to counter cyber intrusions LM-White-Paper-Intel-Driven-Defense.pdf
MITRE The MITRE ATT&CK® framework - is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. attack.mitre.org
Mandiant The Targeted Attack Lifecycle - Mandiant’s depiction of the targeted attack lifecycle illustrates the major phases of a typical intrusion. mandiant.com
Paul Pols The Unified Kill Chain - was developed through a hybrid research approach, combining design science with qualitative research methods. The Unified Kill Chain extends and combines existing models, such as Lockheed Martin's Cyber Kill Chain® and MITRE's ATT&CK® unifiedkillchain.com
Verizon The VERIS framework - uses a common language and a structured, repeatable process, both of which allow organizations to objectively classify security incidents. Used for Verizon's DBIR. verizon.com
IBM X-Force The Cyberattack Preparation Framework and The Cyberattack Execution Framework - provide a logical flow representative of attacks today and they also incorporate phases not typically included in other frameworks ibm.com

Threat Intelligence Seminal Research

Author Description Resource URL
Scott J. Henderson The Dark Visitor: Inside the World of Chinese Hackers - analysis of the history, ideology, organization, exploits, and political motivations of the Chinese hacker network the-dark-visitor-inside-the-world-of-chinese-hackers.pdf
Mandiant Mandiant's unprecedented report linking APT1 to China's 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department (Military Cover Designator 61398). mandiant-apt1-report.pdf
CrowdStrike CrowdStrike's "breakout time" report provided an illuminating look at which actors operate the fastest within networks they have gained access to, and how effective and rapid the defenders have to be to defeat some of the most capable adversaries crowdstrike.com
Trevor Giffen The Initial Access Broker Landscape curatedintel.org
Trevor Giffen Assessing the State of Breached Data Search Services curatedintel.org
William Thomas Threat Group Naming Schemes In Cyber Threat Intelligence curatedintel.org
William Thomas CTI lexicon guide to some of the jargon and acronyms used in threat intelligence CTI Lexicon
William Thomas The Threat Actor Profile Guide for CTI Analysts Curated Intel Threat Actor Profile Guide
Sarah Jones A Brief History of Attribution Mistakes - analyse the mistakes made by others so that you do not repeat them securityandtechnology.org
Anastasios Pingios Intelligence Agency and Security Services Internal Structuring xorl.wordpress.com
RAND Corporation This report describes the fundamental characteristics of cybercriminal black markets and how they have grown into their current state in order to give insight into how their existence can harm the information security environment RAND_RR610.pdf
@Bank_Security HUMINT activities during undercover operations are fundamental as a part of Cyber Intelligence activities. This guide shares insights how someone could engage Threat Actors during undercover operations in the cybercriminal underground cyber-intelligence-humint-operations
MSTIC The "cybercrime gig economy" describes the intricacies of Ransomware-as-a-Service (RaaS) and RaaS affiliate operations microsoft.com
Google Project Zero GP0 has compiled a spreadsheet of 0day vulnerabilities leveraged in the wild by threat actors before the vendors were aware of them 0days "In the Wild"
Katie Nickels Analysts have compiled a list of court documents issued by the Department of Justice (DOJ) specifically regarding various threat actor charges and indictments, from APT group members to ransomware operators Legal Documents of Interest to CTI Analysts
Intel 471 The CU-GIRH is a baseline tool to assist security professionals and teams in organizing, prioritizing, and producing cyber underground intelligence based on General Intelligence Requirements (GIRs) — a compilation of frequently asked intelligence requirements applicable to the cybercrime underground such as: forums, marketplaces, products, services, and threat actors. Access to the GIR Handbook includes an intelligence planning workbook (templates, samples) Cybercrime Underground General Intelligence Requirements Handbook (CU-GIRH)
InfoStealers by Hudson Rock The all-around Infostealers hub with reports and recent news InfoStealers.com
Scott Small The Ultimate Guide To Cyber Threat Profiling Cyber_Threat_Profiling_Ebook.pdf

Running Enterprise Threat Intelligence Programs

Author Description Resource URL
CREST CREST released their CTI Maturity Model Assessment Tool (MMAT) in 2020, a customizable and modular tool for assessing the maturity of a threat intelligence program for free. This tool has three types: Summary, Intermediate, Detailed. In 2022, the tool vanished from CREST's website, but is archived by Curated Intelligence CREST CTI Maturity Model Assessment Tool (MMAT)
Recorded Future Recorded Future periodically updates a handbook detailing their vendor-biased roadmap for building an intelligence-led security program. This is useful for understanding what threat intelligence capabilities may need to be integrated with an enterprise CTI program The Intelligence Handbook: Fourth Edition
Recorded Future Recorded Future maintains a handbook detailing their vendor-biased playbooks for responding to typical CTI-type detections within an enterprise CTI program. This is useful for understanding what threat intelligence response cases may look like in an enterprise CTI program The Intelligence Playbook: Practical Applications Across the Enterprise
CERT-BI This whitepaper details an enterprise-friendly service architecture for offering an enhanced CTI capability A service architecture for an enhanced CTI capability
NCSC (UK) This guide is aimed at individuals who oversee or deliver threat intelligence capability to a department. This document provides a roadmap to delivering a CTI capability and an overview of the activities, deliverables and technologies required. Cyber Threat Intelligence in Government: A Guide for Decision Makers & Analysts
Mandiant The core skills framework provides enterprises and individuals guidance with three things: 1. determine appropriate development roadmaps to ensure CTI skills progression; 2. provide a guidepost for aspirant CTI analysts to tailor their studies; 3. assist network defenders in understanding the roles and responsibilities of a CTI analyst The Mandiant Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework
ENISA ENISA report on evaluating Threat Intelligence Platform (TIPs) Exploring the opportunities and limitations of current Threat Intelligence Platforms
sfakiana This is the TLP WHITE version of the Excel document related to Threat Intelligence Platform requirements. This Excel document was first released during SANS CTI Summit 2021 presentation of Andreas Sfakianakis titled "Still thinking your Ex(cel)? Here are some TIPs". The contents of this document are related to the 2017 ENISA report on "The limitations and opportunities of current Threat Intelligence Platforms" (authors are Andreas Sfakianakis and Razvan Gavrila). Threat Intelligence Platform (TIP) Functional Requirements
Mandiant Mandiant publicly released a web-based Intelligence Capability Discovery (ICD) to help commercial and governmental organizations evaluate the maturity of their cyber threat intelligence (CTI) program. Cyber Threat Intelligence Program Maturity Assessment