A few weeks ago while teaching SANS FOR578 one of my students asked a great question by a student: What books or papers should a new cyber threat intelligence analyst read first? It’s a question I’d meant to answer before so instead of just sending back an email (I mean, I emailed back, HI MATT, but along with that) I figured I’d write up my list and have something to reference next time I get asked. So here’s my list of things you should read when getting started in cyber threat intelligence:
Books
Get that library card or Amazon account ready, here are my favorite books on CTI.
📘 The Cuckoo’s Egg
The best narrative version of the DFIR & CTI world I can imagine The Cuckoo’s Egg reads better than Tom Clancy and tells the true story of an astronomers year hunting cyber espionage in the early 1980s. A must read (and great for non-technical folks as well). Also a great gauge of interest for people thinking about dipping their toe into DFIR or CTI.
📘 Secrets and Lies
Written in 2000 Secrets and Lies was my introduction to many of the technical problems in security and has been my go to First Technical Security Book ever since. I’m reevaluating it now (against the Defensive Security Handbook: Best Practices for Securing Infrastructure by Lee Brotherston & Amanda Berlin) but Secrets and Lies is a classic.
📘 Incident Response & Computer Forensics, Third Edition
Ultimately CTI collection is the output of incident response. Doing CTI well requires a deep understanding of all aspects of Incident Response and Incident Response & Computer Forensics is the best book to learn the overall process from some folks who’ve been there and done that.
📘 Practical Malware Analysis
A huge amount of CTI comes down to malware analysis. Malware reverse engineering is a big part of understanding the capabilities of an adversary. This is the best introduction text I know. In fact it’s on my current reread list.
📘 Thwarting Enemies at Home and Abroad
SHOCKER: You’re not an intelligence analyst if you’re doing CTI. You’re a counter intelligence analyst. Many of the same techniques, but a totally different application. Understanding traditional counterintelligence tradecraft is essential and this is my favorite book to learn it.
📘 Structured Analytic Techniques For Intelligence Analysis
Analysis is often the least understood (and honestly least undertaken) piece of CTI. We, all of us in the CTI arena, need to get better at it. Richards Heuer literally wrote the book on this.
📘 Dark Territory
Like The Cukoo’s Egg Fred Kaplan’s Dark Territory is a story centric a history of the development of America’s cyber warfare capability and provides a detailed look into what developing a cyber warfare capability looks like at a policy level.
Papers
Plenty of key concepts don’t merit a full book but are more in the 10–30 page range which are perfect for academic style papers. These are good ones to start with:
- 📄 Threat Intelligence: Collecting, Analysing, Evaluating — I read this paper right when it came out (though I had to be reminded of it by John D. Swanson) and it’s a solid broad introduction to the core concepts of CTI. It’s not enough on it’s own, but it’s a solid start.
- 📄 Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains by Hutchins, Cloppert & Amin — The infamous kill chain paper. Love it or hate it this is a seminal work defining a model that every CTI analyst needs to understand even if they don’t use it directly.
- 📄 The Diamond Model of Intrusion Analysis by Caltagirone, Pendergast, & Betz — Another key model I admit I dismissed the Diamond model at first. Four simple buckets, how big a deal is that? Turns out it’s a huge one after I got past the TLDR. Not simple actually, but elegant.
- 📄 Psychology of Intelligence Analysis by Heuer — Added by popular demand I had this paper on the list originally, but took it off since it’s basically a subset of Heuer’s Structured Analytic Techniques listed above. That said this is a seminal paper on the human aspect of analyzing intelligence, so I’m adding it back. Thanks for the suggestions!
Adversaries
Most CTI programs are focused on four major sets of adversaries: China, Russia, the United States, & everyone else (I’ll write another post about that bias later on). Who’s important will depend on your threat model including geographic location and industry, but passing familiarity with the big players is important for everyone. Here’s are my favorites introductions:
- China: 📄 APT1 Report & 📄 Op SMN/Axiom Report — One sorta basic, one more advanced. A good cross section of Chinese state sponsored espionage.
- Russia: 📄 Peering Into the Aquarium — A leaked Google report (everyone has leaks) but the best survey of Russian threat actors I know of.
- United States: 📄 Equation Group — No one says US but it’s very clear. A great idea of the sort of capabilities everyone else wants to have.
- Everyone Else: 📄 Careto, 📄 Ocean Lotus, 📄 Desert Falcon, & 📄 Dark Seoul — A wide variety in three groups. Varied tactics & goals.
Non-Computer Network Defense Specific Reading
While the books above are very technically focused on computer network defense (CND) but there are a wide variety of subjects useful to a CTI analyst that go beyond CND & intelligence. Here’s my starting list:
📘 Near and Distant Neighbors
An exploration of the formation of the modern Russian intelligence apparatus. Studying those evolutions is interesting.
📘 The Art of War
Judge if you want, it’s a solid read detailing the meta nature of conflict and espionage. Yes it’s overdone, yes it was over quoted, but it’s still valuable. Ignore it at your own peril. (Want a more modern take? I’ve been meaning to read On War by Carl von Clausewitz.)
📘 Thinking, Fast and Slow
So I haven’t read this one (yet)… but I’ve been meaning too. From podcasts and discussions with friends it’s a perfect for this list so I’ll add it, even if it is still aspirational to me. Very meta-cognitive.
One Last Reading Idea
Rebekah Brown and I have been working very hard and are excited to share our own addition to this list:
Intelligence Driven Incident Response
Our book is meant to cover both the network defense process and the intelligence process but more importantly how they can be integrated. Ultimately computer networks defense takes intrusion detection, incident response, & intelligence.
Bonus! 🎥 Jiro Dreams of Sushi & 🎥 Sour Grapes
As I was originally thinking about this post I thought it would be nothing but Intelligence & Incident Response books, but as I kept considering the topic it kept expanding and I wanted to be encompassing. So in addition to some reading here are two movies I watched and couldn’t stop thinking of parallels to CTI.
Photo from The Gumroad
Jiro Dreams of Sushi is a beautiful documentary about food, but more than that about the depth of effort and dedication it takes to really be the best at a craft. This is all the more important in an adversarial vocation like CTI, where in many cases it matters who’s better, you or the adversary. For me I would like to be known as having the kind of tenacity as Jiro and those who work with him.
Photo from The Pool
Sour Grapes touches on a different but no less important, borderline unteachable, aspect of CTI/IR. I won’t spoil the surprise, but Sour Grapes is a wonderful lesson in the investigative desire, that need to track down the adversary and figure out their techniques and goals.
I recommend both highly and they’re both excellent to watch even with non-CND people. They also pair with tuna nigiri and an off-dry Riesling.