I’ve been thinking about writing this blog post for a while, but I felt like there are versions of this out there already, so didn’t bother. But then I realized I was falling into a trap I warn people about all too often…just because your content is entirely new doesn’t mean it won’t be useful to someone! With that, inspired by this thread from Courtney and fully admitting I have a lot of overlap with Scott Roberts’ excellent CTI Reading List, here are 10 recommendations for what you should read (and sometimes watch) if you’re starting out in Cyber Threat Intelligence (CTI). Plus, they’re all free because I realize those starting out may not have a ton of extra $ to spend on books or classes.
1. Industrial Control Threat Intelligence by Sergio Caltagirone This isn’t just about Industrial Control Systems (ICS). This is a beautifully-written, concise paper that provides the fundamentals of what you need to know about CTI: a definition of it (which I use in my CTI presentations), indicators vs. analytics, tactical/operational/strategic levels, and the “CART” approach to measuring threat intelligence quality. If you’re not familiar with ICS, no worries — consider the ICS parts as examples of the points he makes in the paper. I try not to fangirl too much, but I fully embrace being a Sergio fangirl, and I feel that this paper justifies my feelings. I also recommend reading Sergio’s blog, including posts that are a couple years old —good CTI blog posts are like fine wine, they get better with age.
2. Psychology of Intelligence Analysis by Richards Heuer This book breaks down how to think about how we think. Very meta, I know, but being aware of your own cognitive limitations and biases is key if you want to be a good CTI analyst. Richards Heuer is the OG when it comes to cognitive biases, and this is an excellent, approachable read that’s full of examples, fun diagrams, and clear explanations. Use caution, though…if you read this, you might start hyper-analyzing biases you see in yourself and others! (And you’ll be a breath of fresh air, especially if you’re on Twitter!)
3. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains by Eric Hutchins, Michael Cloppert, and Rohan Amin Also known as “the Kill Chain paper,” this represents the first in the “CTI framework triumvirate” that I consider required reading for any analyst. Even if you feel like the Kill Chain is old news, I encourage you to take some time to thoughtfully read this paper. Check out the different definitions of indicators (since this is a topic of hot debate in this community) as well as the courses of action, which are often overlooked. The intrusion attempt examples in the paper can also be helpful to new analysts who have never worked an intrusion themselves.
4. The Diamond Model of Intrusion Analysis by Sergio Caltagirone, Andrew Pendergast, and Chris Betz The Diamond Model is a simple but powerful model every analyst should understand, and it’s the second of the “big three” CTI frameworks. Even if you don’t use it on your team, it’s helpful to understand the parts of an intrusion. This paper also has a lot of useful CTI fundamentals that we need to understand about adversaries — check out the axioms for many of those (like Axiom 7, which gives a nice definition of Advanced Persistent Threat). Yes, this is a long, academic paper, so I recommend breaking it up into a few sittings, but I promise that the time you devote to reading it will pay off in the end.
5. MITRE ATT&CK™: Design and Philosophy by Blake Strom, et al I was a co-author of this paper, so I’m biased (how could I mention Heuer in this post and not call out my own biases??!?), but I think the community has bought into the idea that this whole ATT&CK thing can be pretty useful. I consider ATT&CK to be the third framework that all CTI analysts should be familiar with, and this paper explains the philosophy behind ATT&CK and how it’s structured. After reading this paper, I suggest heading over to the Groups page and skimming some examples of techniques to give you a feel for ATT&CK. You also might find the Getting Started page or my recent Sp4rkcon presentation to be helpful in learning more.
If you don’t trust me on the importance of knowing the “framework triumvirate,” trust John Lambert!
6. A Brief History of Attribution Mistakes by Sarah Jones This is an important presentation for newer analysts to read and heed. True attribution back to a person is extremely difficult, and even attribution to a group can be tough. Sarah explains some common mistakes to watch out for when you’re trying to do attribution. After you check out Sarah’s presentation (you can also watch the video here), I highly recommend scrolling through more CTI Summit presentations. I was a fan of the CTI Summit long before I joined the advisory board because it’s one of the few non-CTI-vendor-specific conferences that focuses solely on this field (the FIRST CTI Symposium is another), and there are many excellent presentations from it.
7. CTI SquadGoals — Setting Requirements by Scott J. Roberts A common issue among CTI teams is that they completely miss the point of it — CTI is supposed to help someone outside the CTI team itself. One way you can ensure your CTI team is trying to help support decision-making is by creating requirements. I love this blog post by Scott because it not only explains what requirements are but also provides practical examples of them to help get you started. Requirements don’t have to be scary! (Of course, you should then read more of Scott’s blog posts, because he has many great ones.)
8. Threat Intelligence Naming Conventions: Threat Actors, & Other Ways of Tracking Threats by Robert M. Lee Like struggling with attribution, the issue of naming actors is almost a rite of passage for analysts to figure out. I went through this mental struggle myself a couple years ago and came out of it with an understanding of why we can’t say that different names from different companies are “the same” actors. I’m cheating because this is a video, but I think Rob does an awesome job of clearly explaining why naming is so challenging and why we’ll never be able to “just agree on one name.” If you can understand this early on in your CTI career, you’ll be ahead of the game and save yourself a lot of torment.
9. Does a BEAR Leak in the Woods? by Toni Gidwani There are so many blog posts, reports, and presentations on adversary activity out there, but I like this one because it covers many key things a CTI analyst should know — who Fancy Bear and Cozy Bear are, what happened in the DNC breach, how to apply the Diamond Model, how to pivot, and how to wade through a lot of conflicting information to try to make sense of what adversaries did. You can also view the video of Toni’s Shmoocon 2017 presentation here. This was the first time I saw Toni speak (she’s awesome, so go see her if you get a chance), and it remains one of my all-time favorite conference presentations (along with No Easy Breach by Nick Carr and Matt Dunwoody, which you should also watch).
10. Cyber Intelligence Tradecraft Report — The State of Cyber Intelligence Practices in the United States by Jared Ettinger This is a carefully-written and well-researched report by Jared and the team at the Carnegie Mellon Software Engineering Institute. Though it has a US focus, I think it’s a good primer for best practices to look for on a CTI team. Yes, it’s a long read, but if you take the time to dive into it (or even just skim the headings and read parts that interest you), you can learn a lot about common issues to avoid on a CTI team and best practices to strive for.
In addition to those resources, I also wanted to mention two repos you can check out for much more reading:
- APTNotes hasn’t been updated in a bit, but it’s a nice repo of a lot of reports on APT actors. I suggest skimming through some of them to get a sense of historical reporting, then making your own RSS feed so you can read current reports that come out. I use Feedly and suggest searching around for key terms to find sources you like, then making your own feed and tailoring it as you go. Twitter is also a great way to learn about new reports. Here’s a massive sampling of sources I follow on Feedly and/or Twitter that you could use to start from for CTI and cybersecurity content (with my apologies because I’m sure I’m forgetting many great ones — I don’t endorse any particular company): ESET, AlienVault, Anomali, Ars Technica, bellingcat, Bitdefender Labs, Cybereason, Carbon Black, DHS CISA, Dark Reading, Forcepoint, Intezer, Krebs on Security, Dragos, Malwarebytes Labs, McAfee, Microsoft Security, The Citizen Lab, SpecterOps, Proofpoint, SANS Internet Storm Center, Schneier on Security, Securelist, Dell Secureworks, Sophos, Symantec, Cisco Talos, TaoSecurity, TrendLabs Security Intelligence Blog, WeLiveSecurity, CrowdStrike, F-Secure, Endgame, FireEye, Fortinet, Fidelis, LookingGlass, Morphisec, Threatpost, CyberScoop, Unit 42, Project Zero, RiskIQ, Recorded Future.
- Awesome Threat Intelligence pulls together a wealth of CTI resources.
Scott covers books very well in his post, but I’d like to highlight three books that I find particularly worthwhile:
- Intelligence-Driven Incident Response by Scott Roberts, Kyle Maxwell, and Rebekah Brown — I think this is as close to a CTI textbook as there is right now. If you buy one CTI book, I suggest it be this. I constantly loan mine out to people who are looking to get started in this field.
- Structured Analytic Techniques for Intelligence Analysis by Richards Heuer and Randolph Pherson — It’s not cheap, but if you like Psychology of Intelligence Analysis and structured analytic techniques, this is a worthy investment for your bookshelf. It’s divided by types of techniques, so you can easily flip through to choose a technique depending on the challenge you have.
- The Cuckoo’s Egg by Cliff Stoll — Cliff is considered one of the earliest CTI analysts, and this is a fun read that also helps you learn about the process of investigating an incident and thinking through what you see. You can probably find this at a local library, and in the meantime, you can watch his extremely entertaining CTI Summit keynote from a few years ago.
There are many, many more CTI resources out there if you look, but those are some of my recommendations to get you started. Happy reading!
***
The author’s affiliation with The MITRE Corporation is provided for identification purposes only and is not intended to convey or imply MITRE’s concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.