Full Report
## Introduction

Cyber Threat Intelligence (CTI) analysts come from diverse backgrounds, and their roles can vary a lot depending on the type of organisation they work for. The path to becoming a CTI analyst can follow one of several routes, such as moving from Security Operations Center (SOC) and other information security roles, joining from university, or coming from a law enforcement or military background. I've also met many who have radically changed trades and reskilled from jobs such as secondary school teachers to bar and hotel staff with great success.

CTI teams can also vary significantly in their structure and focus. Some analysts work for vendors, providing intelligence to multiple clients across industries (for example, Recorded Future's Insikt Group). Others serve as defenders within a single company, working to protect that organisation's assets (for example, Equinix's ETAC team). There are analysts who operate within government agencies as well, such as intelligence, security, or law enforcement bodies, often focusing on national security or large-scale cyber threats.

I should also highlight that all these resources have either been created by myself or with the help of colleagues from Curated Intel, or are collections created by me that I personally vouch for, as I saved them to be used for my job over the last five years. Also, if you're short on time, you can now listen to this blog as a podcast via YouTube, which I generated using Google's NotebookLM.

## Starting Out

When starting out in CTI, it's essential to become familiar with the key frameworks and resources that shape the field. At the core is the Intelligence Lifecycle, a process that involves planning, data collection, processing, analysis, dissemination, and feedback. Another core concept is the three levels of intelligence: strategic, operational, and tactical. Understanding analysis frameworks such as the Diamond Model, MITRE ATT&CK, the Cyber Kill Chain, and the Pyramid of Pain, as well as landmark case studies such as the APT1 report, is critical for grasping how adversaries operate and how CTI can counter their tactics.

Resources:

| Description | Link |
| --- | --- |
| To help CTI analysts learn more about the theory and frameworks related to the field of CTI, here is a project containing various important resources, called CTI Fundamentals | CTI Fundamentals - Curated Intel |
| Here's a project that contains a collection of acronyms often used by CTI analysts | CTI Lexicon - BushidoUK GitHub |

## Adversaries

Understanding the broad array of adversaries may seem like a daunting challenge for new CTI analysts. This is due to the plethora of threat groups and campaigns, from state-sponsored adversaries belonging to "The Big 4" (Russia, China, North Korea, Iran), to thousands of hacktivist groups, to hundreds of ransomware gangs, and the broader cybercrime underground. Getting a handle on all of these types of cyber threats is a huge undertaking. Hopefully some of the resources below will help new analysts get started on this mammoth task, but it also highlights why CTI analysts are constantly learning.

Resources:

| Description | Link |
| --- | --- |
| Here's a project which contains a large list of threat group names and their AKAs | EternalLiberty - GitHub |
| Here's a project that contains information about ransomware groups and their tools | Ransomware Tool Matrix - BushidoUK GitHub |
| Here's a similar project that contains all the vulnerabilities exploited by ransomware gangs | Ransomware Vulnerability Matrix - BushidoUK GitHub |
| Here's a project that contains a collection of reports by companies who have been breached | Breach Report Collection - BushidoUK GitHub |
| Here's a blog about various types of APT groups | Fantastic APTs and Where to Find Them - BushidoToken Blog |
| Here's a blog about hacktivist groups and how they often lie and overhype their claims | Hacktivists Liars and Morons - BushidoToken Blog |

## Requests For Information (RFIs)

Responding to Requests for Information (RFIs) is a crucial aspect of a CTI team's function. RFIs typically come from internal stakeholders, such as security or executive teams, or from external partners, who need in-depth analysis of specific threats or incidents. CTI analysts should answer RFIs by conducting their own research and producing clear, actionable reports that detail their findings and their assessment of the potential impact on the organisation.

Resources:

| Description | Link |
| --- | --- |
| To help CTI analysts practice answering RFIs, here is a project called The CTI Analyst Challenge | The CTI Analyst Challenge - BushidoToken Blog |
| To help CTI analysts answer executive requests, here is a blog on strengthening proactive CTI through collaboration | Strengthening Proactive CTI - BushidoToken Blog |

## Threat Actor Profiles

Creating detailed threat actor profiles is a key part of a CTI analyst's job. These profiles help organisations understand an adversary's tactics, techniques, and procedures (TTPs), as well as who their victims are, their motivations, and their potential origin. By compiling data on malicious cyber adversaries, such as their preferred tools, infrastructure, and methods, CTI analysts can provide valuable insights that enable proactive defences against future threats. Threat actor profiles can also serve as a valuable resource for internal teams and leadership to prioritise risk management.

Resources:

| Description | Link |
| --- | --- |
| To help CTI analysts create their own threat actor profiles, here is a project called the Threat Actor Profiling Guide | Threat Actor Profile Guide - Curated Intel |
| Here's a collection of various useful resources containing information about threat groups and adversaries | Adversary Intelligence - BushidoUK GitHub |
| Here are some examples of Threat Actor Profiles and Campaign Summaries | Tracking Adversaries - BushidoToken Blog |

## Threat Landscape

Another type of intelligence product CTI analysts are likely to create is the threat landscape report, which offers a high-level view of the current threat environment. These reports are often produced on a periodic basis (monthly or quarterly) and provide insights on emerging threats, trends in adversary behaviour, or significant incidents affecting the industry.

Resources:

| Description | Link |
| --- | --- |
| Here's a collection of monthly threat landscape reports produced by CTI vendors | Monthly CTI Reports - BushidoUK GitHub |
| To help CTI analysts create their own threat landscape reports, here is a project called the CTI Research Guide | The CTI Research Guide - CuratedIntel GitHub |

## Threat Hunting & Malware Analysis

Supporting threat hunting operations and malware analysis services are also standard responsibilities for CTI teams in the industry. The main prerequisite for this is having security operations teams, such as SOCs and CERTs, as stakeholders. CTI teams can then provide detection rules based on behavioural signatures, derived from intelligence gathered through proactive research or in response to an incident. These detection rules then enhance security measures, enabling teams to detect and mitigate attacks more effectively.

Resources:

| Description | Link |
| --- | --- |
| Here's a collection of various resources to help with threat hunting operations | Threat Hunting Resources - BushidoUK GitHub |
| Here's a collection of various resources to help with malware analysis services | Malware Analysis Resources - BushidoUK GitHub |

## Brand Monitoring

CTI analysts will often play a role in brand monitoring, keeping a close eye on mentions of the organisation in the news and the cybercrime underground. This involves tracking chatter on news sites, social media, underground forums, dark web marketplaces, or Telegram channels to detect any references to the company, its assets, or its personnel, in order to identify potential incidents. Early detection of these mentions can help respond to potential attacks, data breaches, or fraud attempts. This can also include monitoring for breaches impacting your organisation's supply chain, partners, or large customer organisations.

Resources:

| Description | Link |
| --- | --- |
| Here's a collection of sources that CTI analysts can leverage to follow the various news sources | Security News - BushidoUK GitHub |
| Here's a project created to help CTI analysts turn a free Discord server into a CTI dashboard using RSS feeds | Using a Discord as a Threat Intelligence Dashboard - BushidoToken Blog |
| Here's a collection of Darknet related resources | Darknet Resources - BushidoUK GitHub |
| Here's a project containing lists of Underground Forums, Darknet Sites, and Telegram Channels | Deep Dark CTI - GitHub |

## Indicators of Compromise (IOCs)

CTI analysts will often be handling indicators of compromise (IOCs) during daily operations. Triaging IOCs received from various sources is a big part of the role. Understanding what makes an indicator useful is vital to be able to provide context about attacks. Collecting IOCs in threat intelligence platforms (TIPs) and vetting them to support their implementation in security controls is another duty that is often split between a CTI team and a security engineering programme. However, it is important for CTI analysts to know how to research, pivot on, vet, and disseminate IOCs. Because CTI teams often have access to commercial TIPs or are able to conduct open source intelligence (OSINT) research on IOCs, this duty often falls to them.

Resources:

| Description | Link |
| --- | --- |
| Here's a collection of IOC feeds that could be used for ingestion into a TIP | IOCs Feeds - BushidoUK GitHub |
| Here's a collection of tools that can be used for triaging and vetting IOCs | IOCs Vetting - BushidoUK GitHub |
| Another project I created to help train CTI analysts on triaging IOCs is called The CTI Quiz | CTI Quiz - BushidoUK GitHub |

## Vulnerabilities

CTI teams often play a key role in threat and vulnerability management (TVM). Many organisations have standalone TVM teams that interface with CTI teams, who provide the latest news about vulnerabilities exploited in the wild from monitoring their sources. Another discipline that may come under a CTI team's remit is attack surface scanning and looking for exposures. This is because CTI teams track the latest exploitation campaigns of adversaries and know which products and devices are currently being targeted. Therefore, it pays for organisations to have a team that performs attack surface checks based on threat intelligence.

Resources:

| Description | Link |
| --- | --- |
| Here's a collection of sources you can use to monitor for vulnerabilities | Vulnerability Resources - BushidoUK GitHub |
| Here's a presentation about practical vulnerability intelligence | Practical Vulnerability Intelligence Talk |
| Here is a collection of Shodan queries for checking products regularly targeted by adversaries | Collection of Shodan Queries - BushidoUK GitHub |

## Community

Lastly, once you start working in CTI you quickly realise that the CTI industry is very close-knit. Due to the nature of working with other organisations to share information, long-term bonds between analysts and teams are inherently forged. As an individual CTI analyst, CTI manager, or CTI team, it is vital to build up a network of contacts and form official intelligence sharing partnerships. This all starts, however, with being a member of the community. This includes going to conferences, talking to other analysts over social media (Twitter or LinkedIn), or participating in online communities, such as those on Discord. While participating in these communities and talking to other CTI practitioners it is always important to keep operational security (OPSEC) in mind and maintain trust, as well as obeying the Traffic Light Protocol (TLP).

Resources:

| Description | Link |
| --- | --- |
| Here's a list of Infosec Discord Servers to find other like-minded folks | Infosec Discord Servers - BushidoToken Blog |
| Here's a list of Infosec YouTube channels to watch relevant content | Infosec YouTube Channels - BushidoUK GitHub |
| Here's a list of CTI-focused conferences worth attending! | CTI Conferences - BushidoUK GitHub |

## Further Reading

If you have gone through all the resources in this blog (well done!) but you're still looking for more things to read, then luckily enough for you, there's still plenty more out there. I recommend taking a look at other guides created by renowned CTI experts, such as Katie Nickels' CTI Self Study Guide Part 1 and Part 2, as well as Andy Piazza's CTI Study Plan here.
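The brand monitoring section above describes watching news and other sources for mentions of the organisation, its people, and its supply chain. The following is an added example of that workflow in code; it is not from the original post or from any of the linked projects. The RSS feed content, the organisation "Acme Widgets", the person "Jane Doe", the partner "Globex Logistics", and the watch-list categories are all constructed for illustration, and the script reads the feed from an inline string rather than over the network.

```python
import re
import xml.etree.ElementTree as ET

# Constructed RSS 2.0 sample standing in for a security-news feed. Every item,
# organisation and person here is invented for this example.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed Security News</title>
<item><title>Acme Widgets confirms ransomware incident</title>
<link>https://news.example/acme-ransomware</link>
<description>Acme Widgets Ltd said attackers encrypted several file servers.</description></item>
<item><title>New phishing kit spotted in the wild</title>
<link>https://news.example/phishing-kit</link>
<description>The kit impersonates several retail banks.</description></item>
<item><title>Interview: Jane Doe on supply-chain risk</title>
<link>https://news.example/jane-doe</link>
<description>Acme's CISO Jane Doe discusses vendor breaches.</description></item>
<item><title>Acme Widgets confirms ransomware incident</title>
<link>https://news.example/acme-ransomware</link>
<description>Duplicate entry as republished by a second feed.</description></item>
</channel></rss>"""

# Constructed watch-list covering the things the section says to track:
# the organisation, its personnel, its assets, and its supply chain.
WATCHLIST = {
    "organisation": ["Acme Widgets"],
    "personnel": ["Jane Doe"],
    "assets": ["acme-widgets.test"],
    "supply_chain": ["Globex Logistics"],
}


def compile_watchlist(watchlist):
    """Build case-insensitive, word-bounded patterns so that short names do not
    match inside unrelated words and dots in domains are taken literally."""
    return {
        category: [(term, re.compile(r"\b" + re.escape(term) + r"\b", re.I)) for term in terms]
        for category, terms in watchlist.items()
    }


def parse_items(feed_xml):
    """Yield the title, link and description of each <item> in an RSS document."""
    root = ET.fromstring(feed_xml)
    for item in root.iter("item"):
        yield {
            "title": item.findtext("title", ""),
            "link": item.findtext("link", ""),
            "description": item.findtext("description", ""),
        }


def find_mentions(feed_xml, watchlist=WATCHLIST):
    """Return feed items that mention a watch-list term, deduplicated by link,
    each tagged with the (category, term) pairs that matched."""
    patterns = compile_watchlist(watchlist)
    seen, hits = set(), []
    for item in parse_items(feed_xml):
        if item["link"] in seen:
            continue  # the same story republished by another feed
        seen.add(item["link"])
        text = f'{item["title"]} {item["description"]}'
        matched = [(category, term) for category, pats in patterns.items()
                   for term, pattern in pats if pattern.search(text)]
        if matched:
            hits.append({"title": item["title"], "link": item["link"], "matches": matched})
    return hits


if __name__ == "__main__":
    for hit in find_mentions(SAMPLE_FEED):
        print(hit["link"], "->", ", ".join(f"{c}:{t}" for c, t in matched) if (matched := hit["matches"]) else "")
```

The categories matter more than the matching itself: a hit on a personnel name or a supply-chain partner is routed differently from a hit on the company name, and attaching the category to each alert is what lets the analyst decide whether the item is a potential incident, a fraud attempt, or background noise.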
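The Indicators of Compromise section above says that knowing what makes an indicator useful, and being able to triage and vet IOCs, is a core analyst skill. The following is an added example of a first-pass triage step, not code from the original post or from any of the linked projects: it refangs a raw indicator list, deduplicates it, classifies each value by shape, labels it with its Pyramid of Pain tier, and drops the values that are not worth an analyst's time before anything reaches a TIP. The sample indicators, the allow-lists, and the decision to treat URLs as network artifacts in the Pyramid of Pain are all assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a mixed, partly defanged IOC list of the kind received from a
# partner or vendor report. Nothing here is a real indicator: .test is a reserved
# TLD and the "hashes" are hex filler of the right length.
RAW_IOCS = [
    "hxxp://malicious-example[.]test/payload.bin",
    "198.51.100.23",          # routable-looking (RFC 5737 documentation range)
    "10.0.0.5",               # RFC 1918, meaningless outside the source network
    "8.8.8.8",                # public resolver, almost always noise
    "evil-domain[.]test",
    "evil-domain.test",       # same indicator, already refanged
    "www.microsoft.com",      # legitimate vendor domain seen in malware traffic
    "0123456789abcdef" * 2,   # 32 hex chars, MD5-shaped
    "0123456789abcdef" * 4,   # 64 hex chars, SHA-256-shaped
    "not an indicator",
]

# Constructed allow-lists; a real team would pull these from its TIP.
BENIGN_DOMAINS = {"microsoft.com", "google.com", "dns.google"}
BENIGN_IPS = {"8.8.8.8", "1.1.1.1"}
# Listed explicitly instead of using ipaddress.is_private, which also flags the
# RFC 5737 documentation ranges used in the sample above.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

# Pyramid of Pain tier per indicator type. URLs have no tier of their own in the
# model; treating them as network artifacts is an assumption of this example.
PAIN_TIER = {
    "md5": "hash (trivial)", "sha1": "hash (trivial)", "sha256": "hash (trivial)",
    "ip": "IP address (easy)", "domain": "domain name (simple)",
    "url": "network artifact (annoying)",
}

HEX = re.compile(r"^[0-9a-f]+$")
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")

@dataclass
class Indicator:
    raw: str
    value: str      # refanged, normalised value
    kind: str       # ip, domain, url, md5, sha1, sha256, unknown
    tier: str       # Pyramid of Pain tier, "" for unknown
    verdict: str    # "keep" (pass to vetting) or "drop"
    reason: str


def refang(raw):
    """Undo common defanging so values can be compared and looked up."""
    s = raw.strip().lower()
    for old, new in (("hxxps://", "https://"), ("hxxp://", "http://"),
                     ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        s = s.replace(old, new)
    return s


def classify(value):
    """Decide the indicator type from its shape alone."""
    if HEX.match(value):
        return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(value), "unknown")
    if value.startswith(("http://", "https://")):
        return "url"
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return "domain" if DOMAIN.match(value) else "unknown"
    return "ip"


def _benign_domain(host):
    # True if the host or any parent domain is on the allow-list.
    parts = host.split(".")
    return any(".".join(parts[i:]) in BENIGN_DOMAINS for i in range(len(parts)))


def judge(kind, value):
    """Return (verdict, reason); "keep" means the value is worth vetting."""
    if kind == "unknown":
        return "drop", "not a recognised indicator format"
    if kind == "ip":
        if any(ipaddress.ip_address(value) in net for net in NON_ROUTABLE):
            return "drop", "non-routable address"
        if value in BENIGN_IPS:
            return "drop", "allow-listed shared infrastructure"
    host = urlsplit(value).hostname if kind == "url" else value
    if kind in ("domain", "url") and host and _benign_domain(host):
        return "drop", "allow-listed legitimate domain"
    return "keep", "candidate for vetting and enrichment"


def triage(raw_iocs):
    """Refang, deduplicate, classify and judge a list of raw indicators."""
    seen, results = set(), []
    for raw in raw_iocs:
        value = refang(raw)
        if value in seen:
            continue    # duplicate once normalised
        seen.add(value)
        kind = classify(value)
        verdict, reason = judge(kind, value)
        results.append(Indicator(raw, value, kind, PAIN_TIER.get(kind, ""), verdict, reason))
    return results


if __name__ == "__main__":
    for ind in triage(RAW_IOCS):
        print(f"{ind.verdict:4} {ind.kind:7} {ind.tier:28} {ind.value:44} {ind.reason}")
```

The "keep" verdict is deliberately not "malicious": everything that survives this pass still goes to the vetting and pivoting work the section describes, and the Pyramid of Pain tier is carried along so that the analyst can see at a glance which surviving indicators (hashes) will age out fastest and which (domains, behavioural artifacts) are worth more enrichment effort.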
Analysis Summary
# Best Practices: Cyber Threat Intelligence (CTI) Program Establishment and Analyst Development
## Overview
These practices provide a structured roadmap for individuals looking to enter the field of Cyber Threat Intelligence (CTI) and for organizations establishing or enhancing their CTI functions. The focus is on understanding core frameworks, developing analytical rigor, managing information requests, and profiling threat actors.
## Key Recommendations
### Immediate Actions
1. **Review Core CTI Frameworks:** Immediately familiarize yourself with the **Intelligence Lifecycle** (planning, collection, processing, analysis, dissemination, feedback) and the three levels of intelligence (**strategic, operational, tactical**).
2. **Master Analysis Models:** Study key analysis frameworks: **Diamond Model, MITRE ATT&CK, Cyber Kill Chain, and the Pyramid of Pain.**
3. **Establish Actor Baselines:** Begin tracking and cataloging known adversary groups, focusing initially on the "Big 4" state-sponsored adversaries (Russia, China, North Korea, Iran) and prevalent ransomware gangs.
4. **Centralize Lexicon Knowledge:** Adopt and use a standardized CTI dictionary to ensure clear communication across the team and stakeholders.
### Short-term Improvements (1-3 months)
1. **Develop Threat Actor Profiles:** Create formal, detailed profiles for key adversaries impacting the organization. These profiles must document TTPs, motivations, infrastructure, and preferred tools.
2. **Implement an RFI Response Process:** Define a standardized workflow for handling Requests for Information (RFIs) from internal stakeholders (security, executives) to ensure timely, research-backed, and actionable responses.
3. **Curate Tool Matrices:** Compile and maintain matrices documenting the tools and vulnerabilities frequently exploited by high-priority threat groups, such as ransomware gangs, for immediate threat hunting application.
4. **Engage with Case Studies:** Analyze landmark security reports (e.g., the APT1 report) to understand historical adversary tradecraft.
### Long-term Strategy (3+ months)
1. **Integrate CTI into Risk Management:** Ensure threat actor profiles and intelligence assessments are directly used by leadership to prioritize risk management and resource allocation decisions.
2. **Formalize Proactive CTI Collaboration:** Establish standing communication channels with internal teams (e.g., Incident Response, Red Team) to transition from reactive reporting to proactive intelligence application.
3. **Establish Continuous Analyst Training:** Mandate ongoing training centered around the Intelligence Lifecycle and emerging actor capabilities to maintain relevance in a changing threat landscape.
4. **Leverage Commercial/Public Threat Intelligence Feeds:** Systematically integrate vetted OSINT and commercial intelligence into the collection phase of the Intelligence Lifecycle, paying attention to tool reuse patterns among adversaries.
## Implementation Guidance
### For Small Organizations
- **Focus on Fundamentals:** Prioritize mastering the Intelligence Lifecycle and core analysis models (MITRE ATT&CK) before attempting to track hundreds of actors.
- **Consolidate Research:** Leverage existing, curated open-source collections (e.g., threat group lists, acronym glossaries) to reduce initial effort in capability building.
- **Start with Incident Response Data:** Use lessons learned from any past internal incidents to build the first set of relevant threat actor profiles.
### For Medium Organizations
- **Standardize RFI Handling:** Implement a Service Level Objective (SLO) for responding to varying RFI types (e.g., executive summary vs. technical deep dive).
- **Define Team Focus:** Determine if the CTI function will focus on vendor support (client-facing), internal defense, or a hybrid model, and tailor profile creation accordingly.
- **Baseline Key Threats:** Dedicate resources to deep dives on the top three ransomware groups currently targeting the industry vertical.
### For Large Enterprises
- **Establish Governance for Sourcing:** Develop strict internal criteria for vetting and validating external intelligence feeds (vendor validation and confidence scoring).
- **Develop Specialized Profiling:** Create separate lines of effort for strategic intelligence (executive briefings) and tactical intelligence (detection engineering support, utilizing frameworks like ATT&CK).
- **Automate Feedback Loops:** Implement tooling or processes to ensure intelligence gathered during incident response immediately feeds back into the collection and refinement phases of the Intelligence Lifecycle.
## Configuration Examples
*No specific technical configuration examples were detailed in the source material for implementing CTI frameworks; the focus was on conceptual frameworks and resource aggregation.*
## Compliance Alignment
This practice set aligns heavily with foundational standards requiring threat understanding and adaptation:
- **NIST CSF (Identify/Detect):** Understanding threat actor TTPs is central to identifying and detecting threats relevant to the enterprise.
- **ISO/IEC 27001 (A.18.2.3):** Establishing clear processes, which includes intelligence gathering and validation, supports compliance requirements.
- **MITRE ATT&CK Framework:** Directly utilized as the primary analysis and communication tool for TTPs.
## Common Pitfalls to Avoid
- **Getting Lost in Enumeration:** Do not attempt to track every threat group simultaneously; focus collection and analysis efforts based on organizational relevance and impact potential.
- **Producing "Data Dumps":** Analysts must avoid simply summarizing research; responses to RFIs must provide an assessment of *impact* specific to the organization.
- **Ignoring the Feedback Loop:** Failing to incorporate feedback from stakeholders (e.g., "Was this intelligence useful for detection?") stalls the Intelligence Lifecycle and reduces CTI relevance.
- **Underestimating Tool Reuse:** Assuming adversaries use unique TTPs; defenders must track common tool usage (e.g., in ransomware) to maximize detection coverage.
## Resources
- **CTI Fundamentals Curation:** (For learning Theory & Frameworks)
- **CTI Lexicon Curation:** (For standardized terminology)
- **EternalLiberty GitHub:** (For threat group naming and AKA tracking)
- **Ransomware Tool Matrix:** (For tracking adversary TTPs and tools)
- **Ransomware Vulnerability Matrix:** (For tracking exploited vulnerabilities)
- **Breach Report Collection:** (For case study analysis)
- **Threat Actor Profiling Guide:** (For a systematic approach to creating actor reports)