CTI 101 Student Handout

Andy Piazza
4 min readJun 15, 2021

--

Admin note: I teach a CTI 101 workshop at BSidesNOVA and randomly at other locations throughout the year, and this is my list of resources and references mentioned in my training class. If you’re just a casual reader that reached this page outside of my workshop… welcome! There are lots of goodies in here.

Hi! You found the Resource Taco, your guide to the Cyber Threat Intelligence 101 course material. Why a taco, duh, they are delicious, and they are always there to help you out when you need it. The perfect way to reference Student Handouts. Right? RIGHT?

Resource Taco to the Rescue!

Books!

CTI analysts tend to read a lot: from threat reports to Twitter, we spend a lot of time reading. Here’s a list of books I mention in the CTI 101 workshop as required reading and/or good reads for CTI analysts.

Must Read — Intelligence Books

Good Reads

  • Relentless Strike: The Secret History of Joint Special Operations Command by Sean Naylor
  • Betrayal in Berlin by Steve Vogel

Must Read — CTI / Infosec/ Tech

  • The Art of Cyberwarfare: An Investigator’s Guide to Espionage, Ransomware, And Organized Cybercrime by Jon DiMaggio
  • Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers by Andy Greenberg
  • The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage by Cliff Stoll
  • Dark Territory: The Secret History of Cyber War by Fred Kaplan
  • Incident Response & Computer Forensics by Jason T. Luttgens, Matthew Pepe, and Kevin Mandia
  • Mandiant’s “APT1: Exposing One of China’s Cyber Espionage Units” https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Good Reads

  • The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win by Gene Kim, Kevin Behr, et. al.
  • Countdown to Zero Day by Kim Zetter

Cool Tools

Here’s a handful of tools that CTI analysts should be familiar with… there are soooo many tools to track and this definitely doesn’t come close to covering them all, but here you go:

Part I References

“Gentlemen do not read each other’s mail”

Secretary of State Harry Stimson, in 1929, https://www.nsa.gov/Portals/70/documents/news-features/declassified-documents/nsa-60th-timeline/pre-nsa/19510319_PreNSA_Doc_3978470_BlackChamber.pdf

US-CERT’s NICE Framework Tool

https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/threat-analysis

Psychology of Intelligence Analysis

https://www.cia.gov/static/9a5f1162fd0932c29bfed1c030edf4ae/Pyschology-of-Intelligence-Analysis.pdf

Mandiant’s APT1 Report

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

CIA’s Definition of Intelligence

https://www.cia.gov/static/554d7d05a62d7d6de84b5b84ae6702ae/A-Definition-Of-Intelligence.pdf

CIA Tradecraft Primer

https://www.cia.gov/static/955180a45afe3f5013772c313b16face/Tradecraft-Primer-apr09.pdf

Traffic Light Protocol

https://www.first.org/tlp/

Pyramid of Pain

http://4.bp.blogspot.com/-EDLbyYipz_E/UtnWN7fdGcI/AAAAAAAANno/b4UX5wjNdh0/s1600/Pyramid+of+Pain+v2.png

Words of Estimative Probability

https://www.cia.gov/static/0aae8f84700a256abf63f7aad73b0a7d/Words-of-Estimative-Probability.pdf

Confidence Assessment Definitions

https://www.dni.gov/files/documents/Newsroom/Reports%20and%20Pubs/20071203_release.pdf

Cloud Snooper References

https://news.sophos.com/en-us/2020/02/25/cloud-snooper-attack-bypasses-firewall-security-measures/

https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf

The Mandiant Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework

–https://www.sans.org/white-papers/mandiant-cyber-threat-intelligence-cti-analyst-core-competencies-framework/

SANS Intelligently Developing a Cyber Threat Analyst Workforce

https://www.sans.org/webcasts/intelligently-developing-a-cyber-threat-analyst-workforce/

Goldilocks CTI: Building a Program That’s Just Right

https://klrgrz.medium.com/goldilocks-cti-building-a-program-thats-just-right-68dafdb7ca56

Critical Thinking Video

https://youtu.be/vJG698U2Mvo?t=7

False flag example: Olympic Destroyer

https://threatpost.com/olympic-destroyer-a-false-flag-confusion-bomb/130262/

NIST Definitions of indicator

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Automated Indicator Sharing by Preston Werntz

http://csrc.nist.gov/news_events/cif_2015/information-sharing/day2_info-sharing_330-420.pdf

STIX Standards

http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd

Formulating a Robust Pivoting Methodology

https://www.domaintools.com/content/formulating-a-robust-pivoting-methodology.pdf

Part II References

APT Groups and Operations

https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview#gid=1905351590

Malpedia — Actors & Families

https://malpedia.caad.fkie.fraunhofer.de/actors

Campaign definition

https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_pcpvfz4ik6d6

Infrastructure Analysis example: What’s in a Name Server

https://threatconnect.com/blog/whats-in-a-name-server/

Infrastructure Analysis example: Operation Pawn Storm

https://documents.trendmicro.com/assets/wp/wp-operation-pawn-storm.pdf

Cyber Kill Chain

https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf

MITRE ATT&CK

https://attack.mitre.org

MITRE ATT&CK report example: Winnti Group

https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/

ATT&CKing Threat Management: A Structured Methodology for Cyber Threat Analysis

https://www.sans.org/reading-room/whitepapers/threatintelligence/att-cking-threat-management-structured-methodology-cyber-threat-analysis-39090

Unit42 Playbook Viewer

https://pan-unit42.github.io/playbook_viewer/

Diamond Model of Intrusion Analysis

https://apps.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf

Diamond Model example: Luke in the Sky with Diamonds

https://threatconnect.com/blog/diamond-model-threat-intelligence-star-wars/

The Cycle of Cyber Threat Intelligence — Webcast

https://www.sans.org/webcasts/111570

“Still Thinking about your Ex(cel)? Here are some TIPs” by Andreas Sfakianakis

https://www.youtube.com/watch?v=U7kuu7OFgYk

Part III References

Threat Box

https://www.youtube.com/watch?v=tcroXAcjdzU

https://klrgrz.medium.com/quantifying-threat-actors-with-threat-box-e6b641109b11

https://www.sans.org/reading-room/whitepapers/threatintelligence/paper/39585

“Top 10 Writing Mistakes in Cybersecurity and How You Can Avoid Them” by @lennyzeltser

https://www.sans.org/webcasts/110220

SANS Webcast “Analyzing the Enhanced Analysis of GRIZZLY STEPPE Report” by Robert M. Lee @RobertMLee

https://www.sans.org/webcasts/104402

“Operation Pawn Storm”

https://documents.trendmicro.com/assets/wp/wp-operation-pawn-storm.pdf

“Cloud Snooper Attack Bypasses AWS Security Measures”

https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf

“Cyber threat intelligence requirements: What are they, what are they for and how they fit in the…” by intel471’s Mark Arena @markarenaau

https://blog.intel471.com/2016/05/18/cyber-threat-intelligence-requirements-what-are-they-what-are-they-for-and-how-do-they-fit-in-the/

Eclectic IQ Maturity Model

https://go.eclecticiq.com/resources/white-paper-threat-intelligence-maturity-model

Woah… are you still here? This is a long list to make it through! HIGH FIVE!

--

--

Andy Piazza
Andy Piazza

Written by Andy Piazza

I enjoy writing, mentoring, and sharing knowledge. I’m klrgrz (killer grizz) on Twitter. I do stuff n things with cyber threat intel.

No responses yet