Cyber Threat Intelligence for Autodidacts
Introduction
Cyber Threat Intelligence (CTI) analysts come from diverse
backgrounds, and their roles can vary a lot depending on the type of
organisation they work for. The path to becoming a CTI analyst can follow one
of several routes, such as moving from Security Operations Center (SOC) and
other information security roles, joining from university, or from law
enforcement or military backgrounds. I’ve also met many who have radically changed
trades and reskilled from jobs such as secondary school teachers to bar and hotel
staff with great success.
CTI teams can also vary significantly in their structure and focus. Some analysts work for vendors, providing intelligence to multiple clients across industries (for example, Recorded Future’s Insikt Group). Others serve as defenders within a single company, working to protect that organisation’s assets (for example, Equinix’s ETAC team). There are analysts who operate within government agencies as well, such as intelligence, security, or law enforcement bodies, often focusing on national security or large-scale cyber threats.
I should also highlight that all these resources have either
been created by myself or with the help of colleagues from Curated Intel, or
are collections created by me that I personally vouch for as I saved them to be used for my
job over the last five years.
Also, if you’re short on time, you can now listen to this blog as a podcast via YouTube, which I generated using Google’s NotebookLM.
Starting Out
When starting out in CTI, it’s essential to become familiar with the key frameworks and resources that shape the field. At the core is the Intelligence Lifecycle, a process that involves planning, data collection, processing, analysis, dissemination, and feedback. Another core concept is the three levels of intelligence: strategic, operational, and tactical. Understanding analysis frameworks like the Diamond Model, MITRE ATT&CK, the Cyber Kill Chain, and the Pyramid of Pain, as well as landmark case studies like the APT1 report, is critical for grasping how adversaries operate and how CTI can counter their tactics.
Resources:
- CTI Fundamentals: a project containing various important resources to help CTI analysts learn more about the theory and frameworks related to the field of CTI.
- A project containing a collection of acronyms often used by CTI analysts.
Adversaries
Understanding the broad array of adversaries may seem like a daunting challenge for new CTI analysts. This is due to the plethora of threat groups and campaigns, from state-sponsored adversaries belonging to “The Big 4” (Russia, China, North Korea, Iran), to thousands of hacktivist groups, to hundreds of ransomware gangs, and the broader cybercrime underground. Getting a handle on all of these types of cyber threats is a huge undertaking. Hopefully some of the resources below will help new analysts get started on this mammoth task, but it also highlights why CTI analysts are constantly learning.
Resources:
- A project containing a large list of threat group names and their AKAs.
- A project containing information about ransomware groups and their tools.
- A similar project containing all the vulnerabilities exploited by ransomware gangs.
- A project containing a collection of reports by companies who have been breached.
- A blog about various types of APT groups.
- A blog about hacktivist groups and how they often lie about and overhype their claims.
Requests For Information (RFIs)
Responding to Requests for Information (RFIs) is a crucial aspect of a CTI team’s function. RFIs typically come from internal stakeholders, such as security or executive teams, or from external partners, who need in-depth analysis on specific threats or incidents. CTI analysts should answer RFIs by conducting their own research and producing clear, actionable reports that detail their findings and their assessment of the potential impact on the organisation.
Resources:
- The CTI Analyst Challenge: a project to help CTI analysts practice answering RFIs.
- A blog on strengthening proactive CTI through collaboration, to help CTI analysts answer executive requests.
Threat Actor Profiles
Creating detailed threat actor profiles is a key part of a CTI analyst’s job. These profiles help organisations understand an adversary’s tactics, techniques, and procedures (TTPs) as well as who their victims are, their motivations, and their potential origin. By compiling data on malicious cyber adversaries, such as their preferred tools, infrastructure, and methods, CTI analysts can provide valuable insights that enable proactive defenses against future threats. Threat actor profiles can also serve as a valuable resource for internal teams and leadership to prioritise risk management.
Resources:
- The Threat Actor Profiling Guide: a project to help CTI analysts create their own threat actor profiles.
- A collection of various useful resources containing information about threat groups and adversaries.
- Examples of Threat Actor Profiles and Campaign Summaries.
Threat Landscape
Another type of intelligence product that CTI analysts are likely to create is the threat landscape report, which offers a high-level view of the current threat environment. These reports are often produced on a periodic basis (monthly or quarterly) and provide insights on emerging threats, trends in adversary behaviour, or significant incidents affecting the industry.
Resources:
- A collection of monthly threat landscape reports produced by CTI vendors.
- The CTI Research Guide: a project to help CTI analysts create their own threat landscape reports.
Threat Hunting & Malware Analysis
Supporting threat hunting operations and malware analysis services are also standard responsibilities for CTI teams in the industry. The main prerequisite for this is having security operations teams, such as SOCs and CERTs, as stakeholders. CTI teams can then provide detection rules based on behavioural signatures, derived from intelligence gathered through proactive research or in response to an incident. These detection rules enhance security measures, enabling teams to detect and mitigate attacks more effectively.
Resources:
- A collection of various resources to help with threat hunting operations.
- A collection of various resources to help with malware analysis services.
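To make the idea of a behavioural signature concrete, here is an added example (written for this post, not code from the blog’s own projects or from Curated Intel) of the kind of rule a CTI team might hand to a SOC or CERT: two parent/child process relationships that are rarely legitimate, run over a handful of constructed process-creation events. The host names, paths, command lines, rule names and severity markers are all made up for the illustration.

```python
from dataclasses import dataclass

# Constructed sample process-creation events (hypothetical hosts and paths,
# not real telemetry). Each event names the parent image, the child image and
# the child's command line, which is what EDR and Sysmon feeds usually carry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "srv01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"host": "ws03", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c Start-Sleep 1"},
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},
]


@dataclass(frozen=True)
class BehaviourRule:
    """A parent/child process relationship that is rarely legitimate."""
    name: str
    parents: frozenset          # lower-case parent image names
    children: frozenset         # lower-case child image names
    high_severity_markers: tuple = ()   # command-line fragments that raise severity


SHELLS = frozenset({"cmd.exe", "powershell.exe", "pwsh.exe"})

# Hypothetical rule set; the markers are illustrative, not a tuned production list.
RULES = [
    BehaviourRule(
        name="office_app_spawns_shell",
        parents=frozenset({"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}),
        children=SHELLS,
        high_severity_markers=("-enc", "hidden", "bypass"),
    ),
    BehaviourRule(
        name="script_host_spawns_shell",
        parents=frozenset({"wscript.exe", "cscript.exe", "mshta.exe"}),
        children=SHELLS,
        high_severity_markers=("hidden", "bypass", "downloadstring"),
    ),
]


def image_name(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(rule: BehaviourRule, event: dict):
    """Return an alert dict if the event matches the rule, otherwise None."""
    if image_name(event["parent"]) not in rule.parents:
        return None
    if image_name(event["image"]) not in rule.children:
        return None
    cmdline = event.get("cmdline", "")
    lowered = cmdline.lower()
    severity = "high" if any(m in lowered for m in rule.high_severity_markers) else "medium"
    return {"rule": rule.name, "host": event["host"], "severity": severity, "cmdline": cmdline}


def hunt(events, rules=RULES):
    """Run every rule over every event and collect alerts in event order."""
    alerts = []
    for event in events:
        for rule in rules:
            alert = evaluate(rule, event)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']} on {alert['host']}: {alert['cmdline']}")
```

The point of the behavioural form is visible in the benign events: a shell launched by Explorer and a scheduled backup script under svchost are untouched, while the same binaries under an Office application or a script host are flagged regardless of which file hash or IP address the adversary used that week.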
Brand Monitoring
CTI analysts will often play a role in brand monitoring,
keeping a close eye on mentions of the organisation in the news and cybercrime
underground. This involves tracking chatter on news sites, social media,
underground forums, dark web marketplaces, or Telegram channels to detect any
references to the company, its assets, or its personnel to identify potential
incidents. Early detection of these mentions can help respond to potential
attacks, data breaches, or fraud attempts. This can also include monitoring for
breaches impacting your organisation’s supply chain, partners, or large
customer organisations.
Resources:
- A collection of sources that CTI analysts can leverage to follow the various news outlets.
- A project created to help CTI analysts turn a free Discord server into a CTI dashboard using RSS feeds: "Using a Discord as a Threat Intelligence Dashboard" (BushidoToken Blog).
- A collection of Darknet-related resources.
- A project containing lists of Underground Forums, Darknet Sites, and Telegram Channels.
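The RSS-driven dashboard idea above boils down to scanning each feed item for a watch-list of terms. As an added example (my own code for this post, not the Discord dashboard project itself), the following parses a constructed RSS feed with the standard library, matches whole terms case-insensitively so that “ExampleCorp” does not fire on unrelated words, de-duplicates re-published items by GUID, and tags each hit with the watch-list category (brand, domain, supplier). The organisation, supplier and URLs are invented.

```python
import re
import xml.etree.ElementTree as ET

# Constructed RSS feed: hypothetical organisation "ExampleCorp", supplier
# "Acme Logistics" and news.example URLs. The last item is a deliberate
# duplicate of the first, as aggregators often re-publish entries.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed news feed</title>
<item><title>ExampleCorp customer data allegedly listed on a leak site</title>
<link>https://news.example/1</link><guid>1</guid>
<description>A ransomware group claims to have breached ExampleCorp.</description></item>
<item><title>Weekly patch roundup</title><link>https://news.example/2</link><guid>2</guid>
<description>Vendors shipped fixes this week.</description></item>
<item><title>Phishing kit impersonating login.examplecorp.com spotted</title>
<link>https://news.example/3</link><guid>3</guid>
<description>Researchers observed credential harvesting pages.</description></item>
<item><title>Acme Logistics confirms ransomware incident</title>
<link>https://news.example/4</link><guid>4</guid>
<description>The supplier's systems were encrypted over the weekend.</description></item>
<item><title>ExampleCorp customer data allegedly listed on a leak site</title>
<link>https://news.example/1</link><guid>1</guid>
<description>Duplicate entry the aggregator re-published.</description></item>
</channel></rss>"""

# Watch-list: term -> category. Constructed for this example; a real list would
# hold the organisation's names, domains, executives, products and key suppliers.
WATCHLIST = {
    "ExampleCorp": "brand",
    "examplecorp.com": "domain",
    "Acme Logistics": "supplier",
}


def compile_watchlist(watchlist):
    """Case-insensitive patterns that only match whole terms (no 'ExampleCorpse')."""
    return {
        term: re.compile(r"(?<!\w)" + re.escape(term) + r"(?!\w)", re.IGNORECASE)
        for term in watchlist
    }


def scan_feed(xml_text, watchlist=WATCHLIST):
    """Return one hit per unique feed item that mentions a watch-list term."""
    patterns = compile_watchlist(watchlist)
    root = ET.fromstring(xml_text)
    seen, hits = set(), []
    for item in root.iter("item"):
        guid = item.findtext("guid") or item.findtext("link") or ""
        if guid in seen:            # skip re-published duplicates
            continue
        seen.add(guid)
        text = " ".join(filter(None, (item.findtext("title"), item.findtext("description"))))
        matched = sorted(term for term, pat in patterns.items() if pat.search(text))
        if matched:
            hits.append({
                "title": item.findtext("title") or "",
                "link": item.findtext("link") or "",
                "terms": matched,
                "categories": sorted({watchlist[t] for t in matched}),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_feed(SAMPLE_FEED):
        print(f"{hit['categories']} {hit['title']} -> {hit['link']}")
```

Note that the phishing-kit item matches both the brand term and the domain term, because the domain contains the brand name; surfacing every matched term, rather than stopping at the first, is what lets a reviewer route the item to the right owner (fraud team for a look-alike domain, incident response for an alleged breach).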
Indicators of Compromise (IOCs)
CTI analysts will often be handling indicators of compromise (IOCs) during daily operations. Triaging IOCs received from various sources is a big part of the role. Understanding what makes an indicator useful is vital to be able to provide context about attacks. Collecting IOCs in threat intelligence platforms (TIPs) and vetting them to support their implementation into security controls is another duty that is often split between a CTI team and a security engineering program. However, it is important for CTI analysts to know how to research, pivot on, vet, and disseminate IOCs. Because CTI teams often have access to commercial TIPs or are able to conduct open source intelligence (OSINT) research on IOCs, this duty often falls to them.
Resources:
- A collection of IOC feeds that could be used for ingestion into a TIP.
- A collection of tools that can be used for triaging and vetting IOCs.
- The CTI Quiz: another project I created to help train CTI analysts on triaging IOCs.
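The vetting step described above can be partly automated before an analyst ever looks at a feed. Here is an added example (written for this post; it is not The CTI Quiz or any of the linked tools) that takes raw, possibly defanged IOC lines, refangs them, classifies each by type, assigns its Pyramid of Pain level, and rejects the usual noise: internal addresses, hashes of the empty file, and allow-listed domains. Every sample indicator is constructed; the IP address is from the TEST-NET-3 documentation range, and the benign-domain allow-list is a placeholder for whatever an organisation maintains.

```python
import ipaddress
import re

# Constructed IOC feed lines, as they might arrive in an email or PDF report.
# Defanged forms (hxxp, [.]) are deliberately mixed in. None of these values
# are real indicators; 203.0.113.77 is from the TEST-NET-3 documentation range.
SAMPLE_FEED = [
    "hxxp://malicious-update[.]example/payload.exe",
    "203.0.113.77",
    "10.0.0.5",
    "d41d8cd98f00b204e9800998ecf8427e",
    "microsoft[.]com",
    "evil-c2[.]example",
    "0123456789ABCDEF0123456789abcdef",
    "not an indicator",
]

# Hashes of the empty file turn up in feeds constantly and match nothing useful.
EMPTY_FILE_HASHES = {
    "d41d8cd98f00b204e9800998ecf8427e",                                   # MD5
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",                           # SHA-1
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",   # SHA-256
}

# Constructed allow-list: high-traffic domains that must never be blocked outright.
BENIGN_DOMAINS = {"microsoft.com", "google.com", "cloudflare.com"}

# RFC 1918, loopback and link-local: addresses that cannot be an external C2.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Pyramid of Pain: how much effort the adversary needs to replace the indicator.
PAIN_LEVEL = {
    "md5": "trivial", "sha1": "trivial", "sha256": "trivial",
    "ipv4": "easy", "domain": "simple", "url": "annoying (network artifact)",
}

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.[a-z0-9-]{1,63})+$")


def refang(raw: str) -> str:
    """Undo common defanging so the value can be looked up or matched."""
    value = raw.strip().lower()
    for old, new in (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        value = value.replace(old, new)
    return value


def classify(value: str) -> str:
    """Identify the indicator type of an already refanged, lower-cased value."""
    if re.fullmatch(r"[0-9a-f]+", value) and len(value) in HASH_LENGTHS:
        return HASH_LENGTHS[len(value)]
    try:
        ipaddress.IPv4Address(value)
        return "ipv4"
    except ValueError:
        pass
    if value.startswith(("http://", "https://")):
        return "url"
    if DOMAIN_RE.match(value):
        return "domain"
    return "unknown"


def triage(raw_lines):
    """Refang, classify and vet each line; return one decision record per line."""
    results = []
    for raw in raw_lines:
        value = refang(raw)
        kind = classify(value)
        decision, reason = "accept", "vetted for enrichment"
        if kind == "unknown":
            decision, reason = "reject", "not a recognised indicator format"
        elif kind == "ipv4" and any(ipaddress.IPv4Address(value) in net for net in INTERNAL_NETS):
            decision, reason = "reject", "internal or non-routable address"
        elif kind in ("md5", "sha1", "sha256") and value in EMPTY_FILE_HASHES:
            decision, reason = "reject", "hash of an empty file"
        elif kind == "domain" and value in BENIGN_DOMAINS:
            decision, reason = "reject", "allow-listed domain"
        results.append({"raw": raw, "indicator": value, "type": kind,
                        "pain": PAIN_LEVEL.get(kind, "n/a"),
                        "decision": decision, "reason": reason})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_FEED):
        print(f"{r['decision']:6} {r['type']:7} {r['pain']:28} {r['indicator']}  ({r['reason']})")
```

The Pyramid of Pain label is carried through on purpose: a TIP full of accepted hashes looks busy but costs the adversary nothing to evade, and an analyst presenting an IOC package should be able to say how much of it is trivial versus annoying for the attacker to replace.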
Vulnerabilities
CTI teams often play a key role in threat and vulnerability management (TVM). Many organisations have standalone TVM teams that interface with CTI teams, who provide the latest news about vulnerabilities exploited in the wild from monitoring their sources. Another discipline that may come under a CTI team’s remit is attack surface scanning and looking for exposures. This is because CTI teams track the latest exploitation campaigns of adversaries and know which products and devices are currently being targeted. Therefore, it pays for organisations to have a team that performs attack surface checks based on threat intelligence.
Resources:
- A collection of sources you can use to monitor for vulnerabilities.
- A presentation about practical vulnerability intelligence.
- A collection of Shodan queries for checking products regularly targeted by adversaries.
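Here is an added example (my own illustration for this post, not one of the linked resources) of the hand-off the paragraph describes: a feed of vulnerabilities the CTI team has flagged as exploited in the wild is matched against an asset inventory, with internet-facing assets running exploited, unpatched versions sorted to the top. The CVE identifiers are obvious placeholders (CVE-0000-000NN), and the vendors, products, versions and assets are all constructed.

```python
# Constructed feed of vulnerabilities the CTI team is tracking. The CVE ids are
# placeholders, not real entries; "fixed_in" is the first non-vulnerable version.
EXPLOITED_FEED = [
    {"id": "CVE-0000-00001", "vendor": "examplevendor", "product": "edge-gateway",
     "fixed_in": "4.2.1", "exploited_in_the_wild": True},
    {"id": "CVE-0000-00002", "vendor": "examplevendor", "product": "mail-server",
     "fixed_in": "9.0.0", "exploited_in_the_wild": True},
    {"id": "CVE-0000-00003", "vendor": "othervendor", "product": "wiki",
     "fixed_in": "2.5.0", "exploited_in_the_wild": False},
]

# Constructed asset inventory with the detail an attack surface scan would give.
INVENTORY = [
    {"asset": "vpn-01", "vendor": "examplevendor", "product": "edge-gateway",
     "version": "4.1.9", "internet_facing": True},
    {"asset": "vpn-02", "vendor": "examplevendor", "product": "edge-gateway",
     "version": "4.2.1", "internet_facing": True},     # already patched
    {"asset": "mail-01", "vendor": "examplevendor", "product": "mail-server",
     "version": "8.7.3", "internet_facing": False},
    {"asset": "wiki-01", "vendor": "othervendor", "product": "wiki",
     "version": "2.4.0", "internet_facing": True},
]


def version_key(version: str):
    """Turn '4.10.0' into (4, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def is_vulnerable(asset: dict, advisory: dict) -> bool:
    """Same vendor/product and a version below the first fixed release."""
    same_product = (asset["vendor"], asset["product"]) == (advisory["vendor"], advisory["product"])
    return same_product and version_key(asset["version"]) < version_key(advisory["fixed_in"])


def priority(asset: dict, advisory: dict) -> str:
    """P1: exploited and internet-facing; P2: exploited, internal; P3/P4: not yet exploited."""
    if advisory["exploited_in_the_wild"]:
        return "P1" if asset["internet_facing"] else "P2"
    return "P3" if asset["internet_facing"] else "P4"


def match_exposures(inventory, feed):
    """Cross-reference inventory against the feed; highest priority first."""
    exposures = [
        {"asset": a["asset"], "cve": adv["id"], "version": a["version"],
         "fixed_in": adv["fixed_in"], "priority": priority(a, adv)}
        for a in inventory for adv in feed if is_vulnerable(a, adv)
    ]
    return sorted(exposures, key=lambda e: (e["priority"], e["asset"]))


if __name__ == "__main__":
    for e in match_exposures(INVENTORY, EXPLOITED_FEED):
        print(f"{e['priority']} {e['asset']}: {e['cve']} ({e['version']} < {e['fixed_in']})")
```

The numeric version comparison matters more than it looks: comparing "4.10.0" and "4.9.9" as strings would mark the newer build as vulnerable, which is exactly the kind of false positive that makes a TVM team stop trusting the CTI feed.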
Community
Lastly, once you start working in CTI you quickly realise that the CTI industry is very close-knit. Due to the nature of working with other organisations to share information, long-term bonds between analysts and teams are inherently forged. As an individual CTI analyst, CTI manager, or CTI team, it is vital to build up a network of contacts and form official intelligence sharing partnerships.
This all starts, however, with being a member of the community. This includes going to conferences, talking to other analysts over social media (Twitter or LinkedIn), or participating in online communities, such as those on Discord. While participating in these communities and talking to other CTI practitioners, it is always important to keep operational security (OPSEC) in mind and maintain trust, as well as obeying the Traffic Light Protocol (TLP).
Resources:
- A list of Infosec Discord Servers to find other like-minded folks.
- A list of Infosec YouTube channels to watch relevant content.
- A list of CTI-focused conferences worth attending!