Cyber Threat Intelligence Study Plan
A recent(ish) rant about mentoring on Twitter led to an awesome thread of Cyber Threat Intelligence (CTI) resources and reading plans. That discussion was the nudge I needed to finally write this article, which I have been putting off for way too long (ADHD? Imposter Syndrome? WHY NOT BOTH!)
It is safe to say that cybersecurity is a very complex field. It requires a wide range of knowledge, skills, and personalities. If you are trying to transition into cybersecurity, please understand that it will take real work on your part — reading, tinkering in labs, and networking with professionals — but there is room for you here. If you are looking for general infosec career advice, check out my two articles below.
Mind the Gap: Leveraging mind maps & self-assessments to develop a personal training plan
This blog is a written version of a talk I was blessed to give at The Diana Initiative (TDI2021) conference.
Career Hacking: Tips and Tricks to Making the Most of your Career
One of the best ways that ensure that you have an amazing career that is filled with challenges, enjoyment, and growth…
Now that general infosec career advice was introduced — and we can see there are many paths & skills to learn for infosec — this article will focus on the Cyber Threat Intelligence (CTI) career field.
CTI brings together two very LARGE disciplines: information security and intelligence studies, which means there is a lot we could cover in a CTI study plan. To keep things simple and logically grouped, we’ll break things out into five broad categories of study:
- Sec+ level of knowledge
- Practice clear & concise writing
- Study APT reports
- Practice critical thinking (so what?!)
- Study intelligence analysis fundamentals
Before getting into my suggestions, I have to point out that the amazing, smartful, and way too humble Katie Nickels already produced an amazing self-study plan and a separate CTI reading list. Both are must-reads for anyone I mentor into CTI and some of the resources I mention below are also found in her articles.
PRO TIP: Just go ahead and follow Katie on Medium and Twitter. Also subscribe to the SANS Threat Analysis Rundown she hosts on YouTube.
Wait, What is a CTI Analyst?
I sat down to write this section and nearly wrote an entire article’s worth of information — so I cut it all out and pasted it into a draft I may publish someday. The short version: CTI teams often consist of many backgrounds, skillsets, and individual roles. Some organizations have CTI teams with separate roles or cells of analysts for All-Source Analysts, Threat Analysts, Threat Hunters, Malware Analysts, Linguists, etc. In other organizations, those roles might be all rolled into the expectations of 3–4 analysts supporting a billion-dollar enterprise with hundreds of thousands of users (yep, I’ve seen it). In my experience, the primary responsibility of a CTI team is to understand the Intentions & Capabilities of cyber threat actors.
We assess the intentions of cyber threat actors by understanding their past campaigns, their perspective of the geopolitical climate they find themselves in, and how they perceive the relationship between their interests and your organization. Intelligence assessments are evidence-based and threat actor reports make up the bulk of our evidence.
PRO-TIP: When writing the word “assess”, always make sure you didn’t write “asses”; that’s not a fun typo to explain to stakeholders.
We assess the capabilities of cyber threat actors through their past campaigns too. As I said, intelligence assessments are evidence-based. CTI analysts read a LOT. Seriously, it is not all Twitter and sweet, sweet memes in CTI.
We read threat reports to consider if country X attacks us, what is the most likely type of attack or malware will we experience? Destructive malware? Espionage concerning trade deals, business negotiations, or other intellectual property theft? Is their malware custom written for specific campaigns or specific targets? Are they known to use publicly available malware? Do they tend to drop their own toolsets into compromised networks or use Living off the Land Binaries, Scripts, and Libraries? (LOLBins or LOLBAS).
As an enterprise CTI analyst, my role is to understand threat actor intentions and capabilities, and where they intersect with the organization I am defending. The role involves:
- Reading a lot of threat reporting
- Monitoring for breaking information concerning new threat actor TTPs, critical vulnerabilities, campaigns, etc.
- Understanding my organization’s defensive capabilities (sensor placement, network visibility through log collection, maturity of the SOC, vulnerability management processes & timelines, etc.)
- Intelligence requirements of my stakeholders (what type of information does the CISO need to know to make effective decisions? what does the SOC need to know to detect and respond to TTPs?)
Sec+ Level of Knowledge
When I say that new CTI analysts should have a “Security+ level of knowledge,” I want to STRESS the knowledge part of that statement. The CompTIA Security+ certificate is a really great cert for analysts and I don’t want to discourage anyone from pursuing it. In fact, that is a great certificate for most roles in infosec. But my reason for mentioning it here is to focus on building a foundation of technical knowledge so you know what the SOC analysts, security engineers, and IT folks are talking about when they ask you questions or brief you on an incident. You will need a basic understanding of how computers work, networking fundamentals, security architecture and best practices, encryption standards, and common attack types.
Security+ (Plus) Certification | CompTIA IT Certifications
Security+ validates the core skills required for a career in IT security and cybersecurity. Learn about the…
CTI isn’t all about nation-state actors and the strategic landscape. If you want to be a CTI analyst, you will have to learn how those nation-states (and a host of other actors) identify, enumerate, and compromise computer systems. CompTIA’s Sec+ material is a great place to start learning that information. I recommend going through Professor Messer’s YouTube course and then follow-up the videos by going through 6–9 months of his monthly study session videos.
I will expand this recommendation beyond just Sec+ material. Fire up any entry-level or 101 videos you can find on Cybrary, Udemy, and other platforms to get a light introduction to as many infosec disciplines as you can. You aren’t trying to become a pro in any of those areas, so feel free to run them in the background while working on other things.
I also recommend checking out the following books to understand how computer investigations work:
- “The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage” by Cliff Stoll
- “Incident Response & Computer Forensics”, Third Edition by Jason T. Luttgens, Matthew Pepe, Kevin Mandia
Obviously, there are a lot of great books I could have recommended above. I kept the list limited to these two books that help with the technical investigations mindset. With the same considerations in mind, I will limit my next suggestion — which websites to read to understand technical reporting — to one site, The DFIR Report. While there are a bunch of great APT reports and sites (we’ll get to those later), I include The DFIR Report in this section because it is a great technical reference to demonstrate how important the Sec+ level of knowledge is for CTI analysts.
As you read through the articles on this site, you will likely see technical information that makes zero sense to you. THAT IS COMPLETELY NORMAL. Here is how I approach reading forensics reports, malware reports, and other tech documents:
- I read until the information is over my head.
- When the confusion kicks in, I start skimming the report for any additional nuggets that jump out at me.
- I then re-read the sections that made sense to me.
- Lastly, I write down any keywords and concepts that I need to research further to better understand the subject material.
PRO-TIP: if you are reading a technical report, such as a malware report, and you get stuck, reach out to the malware analysts in your organization and ask to speak with them about the material.
The DFIR Report
Our previous report on Cobalt Strike focused on the most frequently used capabilities that we had observed. In this…
As a CTI analyst, you will read a lot of technical reports. Depending on your role, you may write a lot of these reports too. You will likely review logs, PCAP, and other forensics data yourself, or work alongside technical analysts performing this work. Learn the underlying technology and technical concepts to ensure your threat assessments are accurate and complete.
Practice Clear and Concise Writing
CTI analysts tend to write A LOT. From emails to written intelligence reports, writing is a critical skill that we must work on constantly. There is a lot I can say about writing, but I am trying to keep this article from being a full book, so I will keep it short.
When it comes to intel writing, I have a few ground rules:
- Not everything has to be a written product. CTI teams often get Requests for Information (RFI) from their stakeholders (usually someone in leadership) and hungry analysts will get to cranking on deep research and intense writing sessions… when all the stakeholder really needed was a “yeah we’re tracking this, here’s what we know so far” kind of response. I have seen analysts waste weeks — like actual 40+ hours — to answer questions that could have been a quick paragraph in an email response. Instead of jumping to a product right away, try a high-level summary via email on the same day or the next day after you are asked the question. End the response with something like “please let us know if you would like to more about this topic and we can dig in some more.” You might be amazed at how many times you don’t get asked for more information.
- Do not produce for the sake of production! You will lose the trust or the attention of your audience if you are constantly sending them more things to read. You don’t want to end up with a bad nickname, like “DDoS.” Before publishing something, ask yourself a few questions like “does this topic impact my organization?”, “am I providing actionable recommendations, guidance, or a request for action?”, or “am I publishing this because I like to say how many things I’ve published and it makes me feel smartful?”
- Executive Summaries are NOT introductions, they are summaries of the entire report. Your Exec Sum should cover a high-level overview of the topic, your analytical findings, and your recommendations to address the topic. Ideally, it should be about a page of writing. Using bullets to summarize your key findings and/or your key recommendations can also help ensure your audience reads the important stuff you want to convey.
- Analytical reports should be limited to 4–5 pages of text. Anything over ten pages of text, you will likely lose your reader or you’ll only be writing for other intel analysts at that point. So one page for your executive summary and 3 to 5 pages of analysis seem to be the sweet spot before you lose readers. This page count does not include any supporting appendixes. Go wild back there in the appendix with screenshots of your technical approach, but do not overwhelm your readers with too many details in the written report.
- FW: != CTI. Seriously, forwarding emails does not equal cyber threat intelligence. A basic rule to consider: intelligence reporting must have an assessment statement (Assessment= Confidence + Analysis + Evidence + Sources). Without adding your own assessment to the reports you’re sending forward, you are acting as a human RSS feed. See Rule #2 and stop DDoS’ing your stakeholders. A simple statement like “Based on the attached reporting, our team assesses with moderate confidence that our EDR and IPS are able to detect and respond to this threat actor’s capabilities.”
For writing resources, I am a big fan of SANS and Lenny Zeltser might be my favorite instructor (SORRY KATIE!). He produced a great checklist for reviewing threat reports which he included in “How You Can Write Better Threat Reports”, and his “Top 10 Cybersecurity Writing Mistakes” video should be required viewing for everyone.
PRO TIP: Do not fear the red ink! Feedback and peer-reviews are a critical part of the writing and learning processes. When you first see the feedback, it’ll sting a bit, that’s natural. Take a deep breath, realize it is an opportunity to learn, and then read through the edits.
Study APT Reports
While writing this article, I took to Twitter to ask the world which APT reports they consider foundational or “must-read” reporting for new analysts. That thread turned out to be an awesome list of great CTI resources.
Thank you to everyone that contributed to the thread!
When I have new analysts or mentees read threat reports, I usually ask them to read through the reports a few times and I present a different question for them to focus on each time they pass through the report. As you progress in your career, you may be able to focus on multiple questions at the same time while reading through a report, but I would encourage you to make it your practice to read through threat reports at least two times before acting on them.
PRO TIP: Read the FULL report before starting any actions or notifying stakeholders. I’ve seen it (and done it myself too many times) where analysts get the organization spun up about a major new report, then when managers and stakeholders start asking questions, it becomes clear that the analysts (cough, ME, cough) didn’t finish reading the report. It is embarrassing, trust me.
Here are a series of questions to consider when reading through threat reports:
- CONFIDENCE. What is my confidence in the source? Are they reputable? Do they have a history of accuracy or FUD? Is this a sales pitch under the veil of threat reporting? Do they have the access necessary for them to understand the threat?
- ACCURACY. Based on the evidence provided in the report, and what can be found through other sources, is the reporting accurate? Are there major gaps in their analysis? Did they acknowledge these gaps?
- COLLECTION. What type of collection was necessary to write this report? What type of collection does my team have to detect this type of activity?
- THREAT ASSESSMENT. If attribution is provided, how do we assess this actor’s intent and capabilities using the Threat Box methodology?
- RISK. How is my network similar to the target/victim’s network discussed in this report? Do we have the same hardware, software, or configuration? Is my environment vulnerable to this exploit or technique?
- DETECTION. Can we detect the malware and/or techniques discussed in this report? Do we need to deploy the rules they provided? Do we need to write new detection rules?
- HUNTING. How can we hunt the techniques used by this threat actor? Have we hunted these techniques previously?
- STAKEHOLDER INTEREST. Do my stakeholders need to know about this report? What is the “so what” factor for them? Does senior management need to be notified?
There are probably a dozen more questions you can ask yourself while reading threat reports. You should also consider these questions while writing your own threat reports for others to read.
I want to call attention to the fact that I put the stakeholder question last in my series of questions. I did this to set a cultural standard. I have seen WAY TOO MANY analysts and managers that focus all of their time and attention on things that they can send up the chain — while completely ignoring what they can actually do at their level to make their environments more secure. I have very little tolerance for this glory-seeking behavior, but stakeholder interest is also very important. You should consider ALL of your potential stakeholders (the SOC, end-users, the risk team, security engineers, IT Ops, and yes, even leadership interest). If someone says “stakeholders” and your immediate thought is the leadership team, I challenge you to check your biases. I would argue that your users and especially your tier 1 SOC analysts are the most important stakeholders and decision-makers when it comes to the security of an enterprise. It is the user that decides to click a link or open an attachment. It is the tier 1 SOC analyst that decides if the alert is a false-positive or worth more attention. If your CTI program does not focus on educating them about the current threat landscape, you are doing CTI wrong.
Mandiant’s APT1 Report
I believe that every CTI analyst should read Mandiant’s “APT1: Exposing One of China’s Cyber Espionage Units” report. Keep in mind that this was one of the first major threat reports produced by a vendor that included the real names of actors, pictures of their buildings, and organizational structures of the cyber units. Mandiant even included a video of the APT1 actors' activity on their devices.
While reading this report, consider the following questions:
- What type of enterprise collection is required to support this type of analysis?
- What type of external collection is required?
- Who is the audience of this report?
- How can an enterprise CTI team use this report to better defend their network?
A Deep-Dive Approach to Threat Reports
If you want to take a deep-dive approach to learning about CTI threat reporting, I recommend spending 1–2 months focused solely on a specific group or a nation while reading as many different sources as possible. Malpedia and Thai CERT are both great resources for this research since they link to thousands of resources across the infosec community. Pick a country, take notes as you read, focusing on mapping out their traditional targets (Intent), their attack types (Capabilities- e.g. espionage, crime, destructive, disruptive), their toolsets (Capabilities, and attack infrastructure (Capabilities — e.g. GoDaddy, stolen signing certs, supply chain?). While reading, consider what makes a good report. Level of technical detail? How do they do attribution? Flow of reporting (e.g. exec summary, followed by detailed analysis, followed by detections and mitigations?).
The best way to learn is to dig in. I would start here:
Side note: you may have noticed that this is a lot of really great info that should be cataloged and tracked. Theoretically, this is what Threat Intelligence Platforms (TIPs) are supposed to do for us, but most fall way short of being useful for tracking and linking intelligence reporting. Most vendors are overly focused on IOCs, integration, and handling high volumes of threat feeds. They completely fail to be useful for actual intelligence analysis. There are one or two good analyst platforms out there. Send me a DM on Twitter if you would like my input on specific platforms. Also, I wrote about intelligence platforms here:
An Analyst’s Need for a Threat Intelligence Platform
A lot of organizations are rushing out to get Threat Intelligence Platforms (TIPs) for their analysts- and rightfully…
Practice Critical Thinking
Important note: I am not a doctor and I don’t have a degree in psychology. My definitions below are how I make sense of the material I’ve read. I hope I am not misrepresenting any of the topics, but I’ll gladly adjust my thinking if anyone has feedback on how I present these ideas.
Intelligence is a lot more than just knowing things or being “smart”. Great analysts aren’t just encyclopedias of what’s happened in the past. Great analysts are critical thinkers — they think about the “so what” when they evaluate information, they are critical of their sources, and they challenge everything they know and think.
So What?! And What Else?
In the section “Study Threat Reports” above, I talked about the questions I consider while reading threat reports. They are great questions to assess the value of the reports for your organization, they help you consider how to operationalize the intelligence for defensive efforts, and they have you assess the value to your stakeholders. We often refer to this as the “so what?” of intelligence reporting.
There is a second part of the “so what?” question that great analysts consider, which is the “what else?” question. Based on everything I already know, and what I have read here in this new report, what am I missing? What else do I need to know about this information? Where are the gaps in my collection and analysis? What can we do to protect our organization from what is known and how can we get visibility on the unknown? Great analysts never assume they know everything, they assess their intelligence gaps, and they challenge their assumptions.
What’s the Angle Here?
Great intelligence analysts also consider their sources' intent. Some reports are pretty clear with their intent — they are an infosec vendor and they are writing about the awesome stuff their folks see because it is good for business and recruiting. Okay sure, it’s also good community stewardship to share what they are seeing so we can all defend against the techniques.
But some vendors send out threat reporting for the sole purpose of drumming up business — which is really gross. In fact, there is (at least) one vendor that has repeatedly reached out to my clients to vaguely say they saw a thing about our network, but the info is in a commercial feed from a partner of theirs so we’d have to pay their partner to access the info. This tactic comes off as a pyramid scheme and it is lamesauce.
PRO TIP for Vendors: Stop sending threat-vertisements. You know, “hey CISO I met once but I’ll pretend we’re besties, here’s the new report my awesome team wrote. We should set up a time to talk about how we can help your organization if you pay us enough.” STOP SELLING THREATS AND FUD.
PRO TIP for CISOs/Managers: Good CISOs send reports to their teams with a very clear message that it's an FYSA and not a tasking — inexperienced CISO’s don’t clarify this and their teams spend way too many hours processing the FUD and writing a response to the CISO. In the end, cycles are wasted because expectations weren’t set up front.
There are a number of other reasons organizations share information that can be considered. If you’re a CTI analyst and you’ve ever been confused about why the USG shared old threat actor campaign information and IOCs? Guess what, we weren’t the audience for those “threat” reports. The audience was political and the message was international signaling. If you know how to identify that type of messaging, you can spend fewer cycles burning through old data. I wouldn’t dismiss the information completely though. Sometimes, the USG shares old campaign information with new details, or confirms attribution, which can fill in gaps in the bigger intelligence puzzle. These reports can still have value, but they may be less “actionable” for computer network defense.
Anonymous and unverified sources can also provide valuable intelligence, but they are difficult to assess for confidence and intent. Intelligence analysts should be wary of spending too many cycles on unconfirmed sources and they need to be very clear when sharing unconfirmed sources with their stakeholders. Anonymous and unverified accounts can be great sources of vulnerability details or breach info on Twitter and GitHub — but analysts have a responsibility to account for the validity of their sources.
Note: when I say “unverified accounts”, I don’t mean they are missing Twitter verification. I mean, the account/site is brand new, likely established solely to share the sensitive info they are releasing, and there are very few records of other trusted sources referencing their information.
A great example of unverified accounts and questionable motives are the hacktivist site “DCLeaks” and the “Guccifer 2.0” persona that emerged during the 2016 elections. These accounts reportedly breached the DNC and had juicy political details to sell. The existence of these accounts and the information they released was valuable for threat intelligence analysts to understand the intent and capabilities of threat actors targeting US elections. It just happens that the “hacktivists” were unmasked as a Russian intelligence operation that would eventually lead to DoJ indictments. Attribution matters.
Does a BEAR Leak in the Woods?
ThreatConnect Identifies DCLeaks As Another Russian-backed Influence Outlet Read the full series of ThreatConnect posts…
Logical Fallacies, Biases, and Mental Models
The best way to begin practicing critical thinking is to learn about biases and mental models. If we have to think for a living, we should understand how we think.
Our brains use mental models and biases to shortcut the thinking process so we can process a lot of information very quickly and conserve our mental energy for more important tasks. Our biases can also impact the type of tasks we prioritize, how we react to challenges in our lives, and debate with our team. Here is a good resource about biases:
Understanding your biases
If there is one thing you need to know about biases, it is that you have them. When we see the word "bias" in the news…
I normally introduce mental models as the opposite of biases. If biases are normally subconscious — hey I said I’m not a doctor already! — then mental models are often conscious efforts to put information into buckets to make sense of it faster. There are plenty of mental models that are implemented subconsciously and become biases, so conscious vs. subconscious isn’t the best way to separate mental models from biases, but here we are. Thoroughly confused yet? Cool.
Here’s what is important to consider about mental models, we can use them to group data so we can quickly make sense of them. Intelligence frameworks like the kill chain and MITRE ATT&CK are mental models that help us summarize and visualize the activity of threat actors.
We can also use mental models to keep our thoughts organized and discussion on track — I call it preventing Mr. Tin Foil from throwing out too many crazy ideas. If you’ve ever heard, “well if I was a bad guy”, you’re hearing an individual’s biases (and inflated ego), and you can use Occam’s Razor to cut through the craziness and get the conversation back on track. Occam’s Razor basically states that the simplest explanation is often the right one. How does this help the debate? Simple, by reiterating the Occam’s Razor, we may get the conversation back on track to look for the most likely explanation for a situation or the most likely techniques that threat actors will use against our organization. So while Mr. Tin Foil is talking about writing AI supercomputers to identify and exploit zero-days in your architecture, the rest of the team can focus on discussing how the organization handles spear-phishing, patching, and other defensive realities.
One final thought about Occam’s Razor — I am a big fan of Sherlock Holmes and I love the quote below which is often considered a play on Occam’s Razor. My only concern is about our interpretation of “eliminate the impossible”. I prefer to eliminate the impossible by calling BS on it upfront. Others prefer to eliminate it by exploring it and proving it is impossible. In a world of limited time and resources, I’ll stick with eliminating it by calling it BS and moving on. You should find the method that’s best for you.
“If you eliminate the impossible, whatever remains, however improbable, must be the truth.” — Sherlock Holmes
Here is a great resource about mental models… that also lists out a bunch of biases, so enjoy the added confusion — see! it's not my fault!
Mental Models: The Best Way to Make Intelligent Decisions (~100 Models Explained) — Farnam Street
This guide explores everything you need to know about mental models. By the time you’re done, you’ll think better, make…
Another fun area to study is logical fallacies. If you’ve ever discussed anything with an intelligence analyst — or debated anything on the internet — you’ve probably heard someone say the name of one of these fallacies. The Straw Man Fallacy is a popular one that gets called out during debate because it is often used to attack an opponent's idea. The Straw Man Fallacy occurs when someone oversimplifies or misrepresents an argument to make it easier for them to attack. If you feel like you’re getting off track in an argument or the other person isn’t responding to the solid point you just made, look for the Straw Man.
15 Common Logical Fallacies and How to Spot Them
Logical fallacies -- those logical gaps that invalidate arguments -- aren't always easy to spot. While some come in the…
Additionally, it is important for us to understand how our stakeholders perceive the world so we can better communicate with them. When we make assumptions about what our stakeholders know or how they think, we can easily miscommunicate the importance of the information we are passing on to them. In fact, I’ve heard decision-makers exclaim “you didn’t tell me it was that important!” after a situation backfired. I had made the assumption that they understood the seriousness of our situation because I had spent a lot of time studying it and I didn’t appreciate that they didn’t have all of the same information I had read.
On the flip side, we can over-report to our stakeholders and make them overreact to situations, or worse, we can make them think the intel shop is “the boy who cried wolf” and they’ll stop reading our reports. Challenge your assumptions about what you know, what you think your audience knows, and what you think your audience needs to know.
As an intelligence analyst, you may not see the fallacies, mental models, and biases directly in the threat reports you consume, but they were likely involved in the writing of the reports and you will experience them while discussing analysis within your team. Being able to identify these models in yourself and in your teammates is important for healthy debate and accurate intelligence analysis. While I always recommend self-study, I encourage you to consider discussing these with your team. You need to build trust within your team to safely call each other out when a teammate defaults to a logical fallacy. Debate is a healthy part of intelligence analysis and it can help us lead to better decision-making. Please just ensure that you build the necessary relationships and structure within your team to encourage healthy debates.
PRO TIP: Careful with your newfound knowledge of biases and fallacies. While it can be fun to exercise our brains to identify others’ biases and fallacies, it is far less fun to call them out publicly — or worse — to call them out to a loved one during an argument. Don’t be a pedantic asshat.
Here’s one last resource for critical thinking, can you count the number of times the ball was passed?
Study Intelligence Analysis Fundamentals
We’ve made it to the final study area! Congrats if you’re still reading this… or I’m sorry, whichever seems appropriate to you.
The world of intelligence is an amazing discipline to study with a really crazy history. While I could recommend way too many books to read, I want to focus on learning the fundamentals of intelligence analysis. For that, we look no further than the CIA. Yes, that CIA. They have two great resources that are considered required reading for analysts
- (PDF LINK) Psychology of Intelligence Analysis by Richards J. Heuer, Jr.
- (PDF LINK) Sherman Kent and the Profession of Intelligence Analysis by Jack Davis
Another topic to study is Structured Analytical Techniques (SAT). The awesome folks at Penn Statue University published A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis (PDF LINK), which covers a lot of great techniques. This primer also discusses how SATs can help overcome biases and mindsets. I highly recommend reading through the whole PDF and considering how you can implement some of the techniques in your day-to-day work.
If you’re serious about intelligence analysis, I highly recommend spending money on the book “Structured Analytical Techniques for Intelligence Analysis” (linked below). This is an amazing reference to have on hand to quickly lookup different techniques.
Structured Analytic Techniques for Intelligence Analysis
Structured Analytic Techniques for Intelligence Analysis [Pherson, Randolph H., Heuer, Richards J.] on Amazon.com…
Okay, there is a lot more to learn about intelligence analysis, but my intention isn’t to write an entire book here. Instead, I hope the above material got you interested in learning more about the intelligence discipline. The last resource I will include is yet again from Katie Nickels and SANS — The Cycle of Cyber Threat Intelligence. This video is an awesome look at a lot of CTI topics and it does an amazing job introducing the Intelligence Cycle.
A Closing Note about Mentoring
I struggle to consider CTI roles as entry-level — experience in intelligence analysis, IT, or journalism is quite helpful (I really want to say REQUIRED, but that’s a bridge too far). It is worth noting that mentoring is a lot more than just saying “hey go read this or watch this video.” These are resources I normally send to my mentees with a follow-up discussion 1 to 2 weeks later to hear what they have learned and answer any questions they may have from the material. If you’re interested in being mentored for anything in life, be prepared to put in some work to get what you want.
If you are looking for mentorship — specifically for CTI roles, I will offer my assistance under a few conditions:
- Read this entire article and the resources I included.
- You are currently in IT or an infosec role.
- You are willing to put in the work, including reading and writing assignments.
I have a full-time job, a family, and a lot of other commitments, but I will commit to responding with a few steps I would take in your situation to everyone that reaches out (DM on Twitter is best) with the below information:
- Short introduction about you and your career
- Why you are interested in CTI (general curiosity or want to move into a full-time CTI role)?
- 5–10 sentences discussing at least one of the resources I linked to in this article.
Wrapping It Up
Cyber Threat Intelligence (CTI) is an awesome career field with a wide range of opportunities. In CTI, you can work in the fast-paced environment of a SOC, helping Incident Response analysts understand the activity they are observing, providing context to the organization’s vulnerability management program, and helping management understand the intentions and capabilities of threat actors targeting their network. Alternatively, there are CTI roles that require deep research into nation-states, their histories and cultures, their technical capabilities, and their infrastructure. You can be a strategic analyst focused on geo-politics or a technical analyst digging into malware characteristics. We have threat hunters, journalists, and librarians. Bottom line, if you are curious and willing to put in the work to learn a broad set of skills, CTI is a great career field to consider. It is time to start studying.