As I have gotten older, I find I’m less eager to learn the depths of every technical solution, and have been searching for my happy place. Since my SANS studies, I have gravitated towards an area that is – from what I can see – fun as heck. That area? Cyber Threat Intelligence (CTI). My rookie impression is that this vast world is understaffed and under-supported, and this might be because organizations are so busy looking for operators that they don’t classify this role as mission critical. Fast forward to today: I spent a good part of the day listening in to the SANS CTI Conference virtually, and I took away two things. First, there are some wicked sharp folks who have a passion for this area. Second, while I am not likely to become a full-fledged CTI professional, I sure want to learn more and incorporate what I can to help organizations see CTI’s value. This post launches my cyber threat intelligence journey.

What is CTI all about?

We’ve touched on CTI in earlier blog posts, but CTI is all about understanding and analyzing cyber threats to make informed decisions on defending systems. This is the stuff that provides material for your threat picture, and CTI is a critical component of threat modeling. Most organizations I have worked with that have an awareness of CTI do a couple of essential things: they collect information, and they sort, filter or process it to better fit their own needs. Outside of that, it is a game with very loose rules. Some folks may have a full team, a threat intelligence platform (TIP), formal exchange processes and integrations – you name it! Others might be closer to where I am: I want to better understand what I am up against but don’t know where to start.

What makes CTI compelling to me is that it mixes some of my other favorite things. I love history, geopolitics, and the cat-and-mouse nature of a good thriller. I also have the most fun when I get to collaborate with friends and colleagues in solving puzzles. While taking stock of my interests, it turns out that I enjoy knowing enough about the technology to understand the “why” and the “what.” This probably doesn’t apply to most of the CTI community, but this discipline also seems to allow me to de-emphasize worrying about the nitty-gritty “how.” If you are a CTI professional, please correct me if I am off base on the priorities!

Charlie’s journey into CTI was full of passion, but light on a plan

Kicking off my own journey

Before I sought out help, I started doing what any well-disciplined researcher does: I spent countless hours diving into browser searches and websites, reading and learning and getting overwhelmed. By my estimation, I was doing CTI!!! (Lay off me, folks, I was trying.) Here is what that looked like for the last couple of years:

  • Understand the Basics:
    • I started with the fundamentals of cyber security through SANS and Cisco training, but have also found free blogs and courses to be a huge help. SANS has a free playlist here that has 102 videos, but you can pick and choose as you go!
    • Dive into the specifics of CTI by reading blogs and reports from leading security firms. The blogs of Cisco Talos, Mandiant, Blackberry and Microsoft are like gold mines. For nerdier details, The DFIR Report is unreal – I can’t believe how much those posts have taught me.
  • Follow the News:
    • Keep an eye on cyber news portals like The Hacker News, Krebs on Security, and Dark Reading. You’ll find more, but bookmark them and use them any chance you get. You’ll quickly see that they each have strengths and gaps. For longer-form stuff, Medium’s many blogs and Wired Magazine’s articles are fantastic.

The best laid plans…

The next steps, one may surmise, would lead us to start doing something. That is where I became overwhelmed. Do I set up a TIP? Subscribe to feeds? Get MISP up and running? Well, my DuckDuckGo search turned up a beautiful recipe that is now structuring my studies. In the past 3 months, I have been mixing in a steady diet by way of Katie Nickels. Formerly of MITRE, now of Red Canary, Katie has put together a fantastic roadmap (Part 1 | Part 2) that I have begun in earnest. IMHO this is a huge boost for your own cyber threat intelligence journey.

Notice I am sticking with the zero-entry pool of approaches here, and with free and open stuff. Based on her plan, CTI is doable! Where things go commercial or highly custom, you are probably going to get plenty of training on that organization’s platform anyway, and the fundamentals are what matter most. Here is what I have been doing so far, in case you want to catch up 😉

Intelligence

Per Katie’s guidance, I tackled the reading assignments on Intelligence, which were mostly available via the Internet Wayback Machine. The Psychology of Intelligence Analysis was well worth the time, and has me thinking a lot about this mindset. If you are following her script, the Intelligence Cycle page gives a 404, so this seems to be the new location and covers the basics. On her list of things to do, she is speaking my language! Sherman Kent in particular had a seat at the table for much of the Cold War, and it is fascinating to see how his leadership in the IC influenced world history.

Cyber Threat Intelligence

Cue the “You are here” marker. I have seen her recorded session on the process of CTI, and it was pretty inspiring. Sam Caltagirone’s paper on ICS-related CTI was a page turner – so don’t sweat the 17 pages, all of them are worthwhile!

Next up is tackling Chris Sanders’ online Cuckoo’s Egg sessions. I am quickly learning that any time someone recommends something, even if it is above and beyond what they deem to be required, it is probably a good character builder. A lot of Sam’s paper helps me better grasp adjacent stuff for the day job, so it is a bonus! While she recommends Session 6 from the Cuckoo’s Egg series, I will probably tackle them all whenever I can – that book was a fantastic intro to cybersecurity for me.

Taking a snapshot of the journey

This post is the first in what I hope is my running log of this journey. Everyone keeps telling me that the best way to finish something is to make sure folks know about the commitment and can hold me responsible. So please do! I’ll keep tackling my own cyber threat intelligence journey in the background, and report back once I have some more meat to report on. Now you know what I am signed up for. Next question on my mind? Who’s with me?