CTI 101 Student Handout
Admin note: I teach a CTI 101 workshop at BSidesNOVA and randomly at other locations throughout the year, and this is my list of resources and references mentioned in my training class. If you’re just a casual reader that reached this page outside of my workshop… welcome! There are lots of goodies in here.
Hi! You found the Resource Taco, your guide to the Cyber Threat Intelligence 101 course material. Why a taco? Duh, they are delicious, and they are always there to help you out when you need them. The perfect way to reference Student Handouts. Right? RIGHT?
Books!
CTI analysts tend to read a lot: from threat reports to Twitter, we spend a lot of time reading. Here’s a list of books I mention in the CTI 101 workshop as required reading and/or good reads for CTI analysts.
Must Read — Intelligence Books
- Psychology of Intelligence Analysis by Richards J. Heuer (Hosted for FREE by the CIA, yes that CIA) https://www.cia.gov/static/9a5f1162fd0932c29bfed1c030edf4ae/Pyschology-of-Intelligence-Analysis.pdf
- Structured Analytic Techniques for Intelligence Analysis by Richards J. Heuer
- The Craft of Intelligence, by Allen Dulles
- Active Measures by Thomas Rid
Good Reads
- Relentless Strike: The Secret History of Joint Special Operations Command by Sean Naylor
- Betrayal in Berlin by Steve Vogel
Must Read — CTI / Infosec / Tech
- The Art of Cyberwarfare: An Investigator’s Guide to Espionage, Ransomware, And Organized Cybercrime by Jon DiMaggio
- Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers by Andy Greenberg
- The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage by Cliff Stoll
- Dark Territory: The Secret History of Cyber War by Fred Kaplan
- Incident Response & Computer Forensics by Jason T. Luttgens, Matthew Pepe, and Kevin Mandia
- Mandiant’s “APT1: Exposing One of China’s Cyber Espionage Units” https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
Good Reads
- The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win by Gene Kim, Kevin Behr, et al.
- Countdown to Zero Day by Kim Zetter
Cool Tools
Here’s a handful of tools that CTI analysts should be familiar with… there are soooo many tools to track and this definitely doesn’t come close to covering them all, but here you go:
- https://www.virustotal.com/gui/
- https://malpedia.caad.fkie.fraunhofer.de/actors
- https://crt.sh/
- https://www.hackread.com/
- https://publicwww.com/
- https://censys.io/
- https://talosintelligence.com/
- https://gchq.github.io/CyberChef/
- https://www.hybrid-analysis.com/
- https://www.joesandbox.com/#windows
- https://mxtoolbox.com/SuperTool.aspx
- https://regex101.com/
- https://regexr.com/
- https://www.shodan.io/
- https://www.spamhaus.org/lookup/
- https://sitecheck.sucuri.net/
- https://www.threatcrowd.org/
- https://viewdns.info/
- https://virusshare.com/
- https://urlscan.io/
Part I References
“Gentlemen do not read each other’s mail”
Secretary of State Henry Stimson, in 1929, https://www.nsa.gov/Portals/70/documents/news-features/declassified-documents/nsa-60th-timeline/pre-nsa/19510319_PreNSA_Doc_3978470_BlackChamber.pdf
US-CERT’s NICE Framework Tool
https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/threat-analysis
Psychology of Intelligence Analysis
https://www.cia.gov/static/9a5f1162fd0932c29bfed1c030edf4ae/Pyschology-of-Intelligence-Analysis.pdf
Mandiant’s APT1 Report
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
CIA’s Definition of Intelligence
https://www.cia.gov/static/554d7d05a62d7d6de84b5b84ae6702ae/A-Definition-Of-Intelligence.pdf
CIA Tradecraft Primer
https://www.cia.gov/static/955180a45afe3f5013772c313b16face/Tradecraft-Primer-apr09.pdf
Traffic Light Protocol
Pyramid of Pain
Words of Estimative Probability
https://www.cia.gov/static/0aae8f84700a256abf63f7aad73b0a7d/Words-of-Estimative-Probability.pdf
Confidence Assessment Definitions
https://www.dni.gov/files/documents/Newsroom/Reports%20and%20Pubs/20071203_release.pdf
Cloud Snooper References
https://news.sophos.com/en-us/2020/02/25/cloud-snooper-attack-bypasses-firewall-security-measures/
https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf
The Mandiant Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework
SANS Intelligently Developing a Cyber Threat Analyst Workforce
https://www.sans.org/webcasts/intelligently-developing-a-cyber-threat-analyst-workforce/
Goldilocks CTI: Building a Program That’s Just Right
https://klrgrz.medium.com/goldilocks-cti-building-a-program-thats-just-right-68dafdb7ca56
Critical Thinking Video
https://youtu.be/vJG698U2Mvo?t=7
False flag example: Olympic Destroyer
https://threatpost.com/olympic-destroyer-a-false-flag-confusion-bomb/130262/
NIST Definitions of indicator
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Automated Indicator Sharing by Preston Werntz
http://csrc.nist.gov/news_events/cif_2015/information-sharing/day2_info-sharing_330-420.pdf
STIX Standards
http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd
Formulating a Robust Pivoting Methodology
https://www.domaintools.com/content/formulating-a-robust-pivoting-methodology.pdf
Part II References
APT Groups and Operations
Malpedia — Actors & Families
https://malpedia.caad.fkie.fraunhofer.de/actors
Campaign definition
https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_pcpvfz4ik6d6
Infrastructure Analysis example: What’s in a Name Server
https://threatconnect.com/blog/whats-in-a-name-server/
Infrastructure Analysis example: Operation Pawn Storm
https://documents.trendmicro.com/assets/wp/wp-operation-pawn-storm.pdf
Cyber Kill Chain
MITRE ATT&CK
MITRE ATT&CK report example: Winnti Group
https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/
ATT&CKing Threat Management: A Structured Methodology for Cyber Threat Analysis
Unit42 Playbook Viewer
https://pan-unit42.github.io/playbook_viewer/
Diamond Model of Intrusion Analysis
https://apps.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf
Diamond Model example: Luke in the Sky with Diamonds
https://threatconnect.com/blog/diamond-model-threat-intelligence-star-wars/
The Cycle of Cyber Threat Intelligence — Webcast
https://www.sans.org/webcasts/111570
“Still Thinking about your Ex(cel)? Here are some TIPs” by Andreas Sfakianakis
https://www.youtube.com/watch?v=U7kuu7OFgYk
Part III References
Threat Box
https://www.youtube.com/watch?v=tcroXAcjdzU
https://klrgrz.medium.com/quantifying-threat-actors-with-threat-box-e6b641109b11
https://www.sans.org/reading-room/whitepapers/threatintelligence/paper/39585
“Top 10 Writing Mistakes in Cybersecurity and How You Can Avoid Them” by @lennyzeltser
https://www.sans.org/webcasts/110220
SANS Webcast “Analyzing the Enhanced Analysis of GRIZZLY STEPPE Report” by Robert M. Lee @RobertMLee
https://www.sans.org/webcasts/104402
“Operation Pawn Storm”
https://documents.trendmicro.com/assets/wp/wp-operation-pawn-storm.pdf
“Cloud Snooper Attack Bypasses AWS Security Measures”
https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf
“Cyber threat intelligence requirements: What are they, what are they for and how they fit in the…” by intel471’s Mark Arena @markarenaau
Eclectic IQ Maturity Model
https://go.eclecticiq.com/resources/white-paper-threat-intelligence-maturity-model
Woah… are you still here? This is a long list to make it through! HIGH FIVE!