Self-Taught Cyber Threat Intelligence

Introduction

Cyber Threat Intelligence (CTI) analysts bring a variety of backgrounds and experiences, and their specific roles often differ widely depending on the organization they work for. Paths to becoming a CTI analyst are diverse, with some entering from Security Operations Centers (SOC) or other cybersecurity roles, some coming directly from academia, and others transitioning from fields like law enforcement or the military. I’ve also encountered many individuals who have successfully made major career shifts, reskilling from roles as diverse as school teachers to hospitality staff.

CTI teams themselves also vary greatly in structure and objectives. Some analysts work for intelligence vendors, supplying insights to multiple clients across sectors; for instance, Recorded Future’s Insikt Group operates this way. Others focus on protecting a single organization’s assets, such as Equinix’s ETAC team. Additionally, many analysts work within government agencies—often in intelligence, security, or law enforcement—where they prioritize national security or address significant cyber threats.

It’s also worth mentioning that the resources shared here have either been created by myself or in collaboration with colleagues from Curated Intel. Many are collections I’ve personally assembled and relied upon in my work over the past five years.

Lastly, if you’re pressed for time, this blog is now available as a podcast on YouTube, generated using Google’s NotebookLM.

Starting Out

When starting out in CTI, it's essential to become familiar with the key frameworks and resources that shape the field. At the core is the Intelligence Lifecycle, a process that involves planning, data collection, processing, analysis, dissemination, and feedback. Another core concept is the three levels of intelligence: strategic, operational, and tactical. Understanding analysis frameworks like the Diamond Model, MITRE ATT&CK, the Cyber Kill Chain, and the Pyramid of Pain, as well as landmark case studies like the APT1 report, is critical for grasping how adversaries operate and how CTI can counter their tactics.

Resources:

Description | Link
To help CTI analysts learn more about the theory and frameworks related to the field of CTI, here is a project containing various important resources called CTI Fundamentals | CTI Fundamentals – Curated Intel
Here's a project that contains a collection of acronyms used often by CTI analysts | CTI Lexicon – BushidoUK GitHub

Adversaries

Understanding the broad array of adversaries may seem like a daunting challenge for new CTI analysts. This is due to the plethora of threat groups and campaigns, from state-sponsored adversaries belonging to "The Big 4" (Russia, China, North Korea, Iran), to thousands of hacktivist groups, to hundreds of ransomware gangs, and the broader cybercrime underground. Getting a handle on all of these types of cyber threats is a huge undertaking. Hopefully some of the resources below will help new analysts get started on this mammoth task, but it also highlights why CTI analysts are constantly learning.

Resources:

Description | Link
Here's a project which contains a large list of threat group names and their AKAs | EternalLiberty – GitHub
Here's a project that contains information about ransomware groups and their tools | Ransomware Tool Matrix – BushidoUK GitHub
Here's a similar project that contains all the vulnerabilities exploited by ransomware gangs | Ransomware Vulnerability Matrix – BushidoUK GitHub
Here's a project that contains a collection of reports by companies who have been breached | Breach Report Collection – BushidoUK GitHub
Here's a blog about various types of APT groups | Fantastic APTs and Where to Find Them – BushidoToken Blog
Here's a blog about hacktivist groups and how they often lie and overhype their claims | Hacktivists Liars and Morons – BushidoToken Blog

Requests For Information (RFIs)

Responding to Requests for Information (RFIs) is a crucial aspect of a CTI team's function. RFIs typically come from internal stakeholders, such as security or executive teams, or from external partners, who need in-depth analysis on specific threats or incidents. CTI analysts should answer RFIs by conducting their own research and producing clear, actionable reports that detail their findings and their assessment of the potential impact on the organisation.

Resources:

Description | Link
To help CTI analysts practice answering RFIs, here is a project called The CTI Analyst Challenge | The CTI Analyst Challenge – BushidoToken Blog
To help CTI analysts answer executive requests, here is a blog on strengthening proactive CTI through collaboration | Strengthening Proactive CTI – BushidoToken Blog

Threat Actor Profiles

Creating detailed threat actor profiles is a key part of a CTI analyst’s job. These profiles help organisations understand an adversary’s tactics, techniques, and procedures (TTPs) as well as who their victims are, their motivations, and their potential origin. By compiling data on malicious cyber adversaries, such as their preferred tools, infrastructure, and methods, CTI analysts can provide valuable insights that enable proactive defenses against future threats. Threat actor profiles can also serve as a valuable resource for internal teams and leadership to prioritise risk management.

Resources:

Description | Link
To help CTI analysts create their own threat actor profiles, here is a project called the Threat Actor Profiling Guide | Threat Actor Profile Guide – Curated Intel
Here's a collection of various useful resources containing information about threat groups and adversaries | Adversary Intelligence – BushidoUK GitHub
Here are some examples of Threat Actor Profiles and Campaign Summaries | Tracking Adversaries – BushidoToken Blog

Threat Landscape

Another type of intelligence product CTI analysts are likely to create is the threat landscape report, which offers a high-level view of the current threat environment. These reports are often produced on a periodic basis (monthly or quarterly) and provide insights on emerging threats, trends in adversary behaviour, or significant incidents affecting the industry.

Resources:

Description | Link
Here's a collection of monthly threat landscape reports produced by CTI vendors | Monthly CTI Reports – BushidoUK GitHub
To help CTI analysts create their own threat landscape reports, here is a project called the CTI Research Guide | The CTI Research Guide – CuratedIntel GitHub

Threat Hunting & Malware Analysis

Supporting threat hunting operations and malware analysis services are also standard responsibilities for CTI teams in the industry. The main prerequisite for this is having security operations teams, such as SOCs and CERTs, as stakeholders. CTI teams can then provide detection rules, using behavioural signatures, based on intelligence gathered from proactive research or in response to an incident. These detection rules then enhance security measures, enabling teams to detect and mitigate attacks more effectively.

Resources:

Description | Link
Here's a collection of various resources to help with threat hunting operations | Threat Hunting Resources – BushidoUK GitHub
Here's a collection of various resources to help with malware analysis services | Malware Analysis Resources – BushidoUK GitHub

Brand Monitoring

CTI analysts will often play a role in brand monitoring, keeping a close eye on mentions of the organisation in the news and cybercrime underground. This involves tracking chatter on news sites, social media, underground forums, dark web marketplaces, or Telegram channels to detect any references to the company, its assets, or its personnel to identify potential incidents. Early detection of these mentions can help respond to potential attacks, data breaches, or fraud attempts. This can also include monitoring for breaches impacting your organisation’s supply chain, partners, or large customer organisations.

Resources:

Description | Link
Here's a collection of sources that CTI analysts can leverage to follow the various news sources | Security News – BushidoUK GitHub
Here's a project created to help CTI analysts turn a free Discord server into a CTI dashboard using RSS feeds | Using a Discord as a Threat Intelligence Dashboard – BushidoToken Blog
Here's a collection of Darknet related resources | Darknet Resources – BushidoUK GitHub
Here's a project containing lists of Underground Forums, Darknet Sites, and Telegram Channels | Deep Dark CTI – GitHub
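As an added example of the keyword side of brand monitoring (this is not code from the original post or from the Discord dashboard project it links to), the script below parses an RSS feed and flags items that mention terms from an organisation's watchlist. The watchlist (Acme Corp, acmecorp.example, Jane Doe) and the feed items are constructed for illustration; the point it demonstrates is that watch terms must be matched as whole words, otherwise a short brand name like "Acme" fires on every story about pacemakers.

```python
"""Added example: match RSS items against a brand-monitoring watchlist.

Constructed data only; not the original post's code. In practice the feed
text comes from the RSS sources the post links to, and hits are pushed to
the dashboard or ticketing system of your choice.
"""
import re
import xml.etree.ElementTree as ET

# Constructed watchlist for a hypothetical organisation (not a real company).
WATCHLIST = {
    "organisation": ["Acme Corp", "Acme"],
    "domains": ["acmecorp.example"],
    "executives": ["Jane Doe"],
}

# Constructed feed: items 1, 2 and 4 should match; item 3 contains "acme"
# only as a substring of "Pacemaker" and must not.
SAMPLE_RSS = """<rss version="2.0"><channel><title>Constructed news feed</title>
<item><title>Ransomware gang lists Acme Corp on its leak site</title>
<link>https://news.example/1</link>
<description>The group claims 200 GB of data.</description></item>
<item><title>Phishing kit found spoofing acmecorp.example login page</title>
<link>https://news.example/2</link>
<description><![CDATA[Kit hosted on a bulletproof host.]]></description></item>
<item><title>Pacemaker vendor patches authentication flaw</title>
<link>https://news.example/3</link>
<description>Unrelated medical device advisory.</description></item>
<item><title>Weekly CTI roundup</title>
<link>https://news.example/4</link>
<description>Interview with Jane Doe, CISO at Acme, on supply chain risk.</description></item>
</channel></rss>"""


def compile_watchlist(watchlist):
    """One case-insensitive, word-bounded regex per term.

    re.escape keeps dots in domains literal; \\b stops "Acme" matching
    inside "Pacemaker" or "acmecorp".
    """
    return {
        category: [(term, re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE))
                   for term in terms]
        for category, terms in watchlist.items()
    }


def scan_feed(rss_xml, watchlist=WATCHLIST):
    """Return a list of {title, link, matched} for every item that hits the watchlist."""
    compiled = compile_watchlist(watchlist)
    root = ET.fromstring(rss_xml)
    hits = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        # Search title and description together; CDATA is unwrapped by the parser.
        text = " ".join(filter(None, [title, item.findtext("description")]))
        matched = {}
        for category, patterns in compiled.items():
            found = [term for term, pattern in patterns if pattern.search(text)]
            if found:
                matched[category] = found
        if matched:
            hits.append({"title": title, "link": link, "matched": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_feed(SAMPLE_RSS):
        print(f"{hit['link']}  {hit['title']}  -> {hit['matched']}")
```

Running it prints the three matching items with the category and term that fired, and nothing for the pacemaker story. Real feeds add two problems this sample skips: deduplicating the same story syndicated across several sources, and deciding which categories (a leak-site listing versus a routine mention of the company name) warrant an alert rather than a log entry.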

Indicators of Compromise (IOCs)

CTI analysts will often be handling indicators of compromise (IOCs) during daily operations. Triaging IOCs received from various sources is a big part of the role. Understanding what makes an indicator useful is vital in order to provide context about attacks. Collecting IOCs in threat intelligence platforms (TIPs) and vetting them to support their implementation into security controls is another duty that is often split between a CTI team and a security engineering program. However, it is important for CTI analysts to know how to research, pivot on, vet, and disseminate IOCs. Because CTI teams often have access to commercial TIPs or are able to conduct open source intelligence (OSINT) research on IOCs, this duty often falls to them.

Resources:

Description | Link
Here's a collection of IOC feeds that could be used for ingestion into a TIP | IOCs Feeds – BushidoUK GitHub
Here's a collection of tools that can be used for triaging and vetting IOCs | IOCs Vetting – BushidoUK GitHub
Another project I created to help train CTI analysts on triaging IOCs is called The CTI Quiz | CTI Quiz – BushidoUK GitHub
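The first pass of IOC triage, before any TIP or OSINT pivoting, is mechanical: refang, classify, normalise, de-duplicate, and throw out values that can never be actionable. The script below is an added example of that pass (not code from the original post or from the linked IOC vetting project). It ranks surviving indicators by Pyramid of Pain tier so that URLs and domains sit above bare hashes in the analyst's queue. The sample feed, the benign-domain allowlist and the registered-domain heuristic are constructed for illustration; the three "hash of empty input" values are the real MD5, SHA-1 and SHA-256 of zero bytes, which turn up in feeds surprisingly often.

```python
"""Added example: first-pass IOC triage (refang, classify, vet, de-duplicate, rank).

Constructed sample data; not the original post's code. Pyramid of Pain tiers
follow David Bianco's model: hashes are trivial for an adversary to change,
IPs easy, domains simple, network artefacts such as URLs annoying.
"""
import ipaddress
import re
from dataclasses import dataclass

HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
URL_RE = re.compile(r"^https?://", re.I)

PAIN_TIER = {"md5": "trivial", "sha1": "trivial", "sha256": "trivial",
             "ipv4": "easy", "ipv6": "easy", "domain": "simple", "url": "annoying"}
TIER_RANK = {"annoying": 3, "simple": 2, "easy": 1, "trivial": 0, "n/a": -1}

# Constructed allowlist of domains that should never be blocked on a feed's say-so.
BENIGN_DOMAINS = {"microsoft.com", "google.com", "windowsupdate.com"}
# Real digests of empty input; a classic sign of a broken collection pipeline.
BENIGN_HASHES = {
    "d41d8cd98f00b204e9800998ecf8427e",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# Constructed sample feed: .example TLD and documentation/private IP ranges only.
SAMPLE_FEED = """# constructed feed, not real indicators
hxxp://malicious-update[.]example/payload.exe
malicious-update[.]example
MALICIOUS-UPDATE.EXAMPLE
203.0.113.45
192.168.10.7
login.microsoft.com
D41D8CD98F00B204E9800998ECF8427E
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""


@dataclass
class Indicator:
    value: str        # normalised (refanged, lower-cased where case is irrelevant)
    ioc_type: str
    pain_tier: str
    actionable: bool  # False means "do not push to a control without more vetting"
    note: str = ""


def refang(raw: str) -> str:
    """Undo common defanging: hxxp://, [.], (.), [:], [@]."""
    value = re.sub(r"^hxxp", "http", raw.strip(), flags=re.I)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        value = value.replace(defanged, real)
    return value


def classify(raw: str) -> Indicator:
    value = refang(raw)
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(value):
            digest = value.lower()
            if digest in BENIGN_HASHES:
                return Indicator(digest, name, PAIN_TIER[name], False, "hash of empty input")
            return Indicator(digest, name, PAIN_TIER[name], True)
    if URL_RE.match(value):
        return Indicator(value, "url", PAIN_TIER["url"], True)
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        kind = "ipv4" if ip.version == 4 else "ipv6"
        if not ip.is_global:  # private, loopback, link-local, documentation ranges, etc.
            return Indicator(value, kind, PAIN_TIER[kind], False, "non-routable address")
        return Indicator(value, kind, PAIN_TIER[kind], True)
    if DOMAIN_RE.match(value):
        domain = value.lower()
        registered = ".".join(domain.split(".")[-2:])  # crude; ignores multi-label suffixes
        if registered in BENIGN_DOMAINS:
            return Indicator(domain, "domain", PAIN_TIER["domain"], False, "allowlisted domain")
        return Indicator(domain, "domain", PAIN_TIER["domain"], True)
    return Indicator(value, "unknown", "n/a", False, "unrecognised format")


def triage(raw_iocs):
    """Classify every line, drop comments/blanks, de-duplicate on the normalised value,
    and return indicators ordered from most to least costly for the adversary to change."""
    seen = {}
    for raw in raw_iocs:
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indicator = classify(raw)
        seen.setdefault(indicator.value, indicator)
    return sorted(seen.values(),
                  key=lambda i: (-TIER_RANK[i.pain_tier], i.ioc_type, i.value))


if __name__ == "__main__":
    for ind in triage(SAMPLE_FEED.splitlines()):
        flag = "ACTIONABLE" if ind.actionable else "SKIP      "
        print(f"{flag} {ind.pain_tier:9} {ind.ioc_type:7} {ind.value} {ind.note}")
```

Note what the output does and does not tell you: the TEST-NET address and the RFC 1918 address are rejected outright, the empty-file MD5 and the Microsoft subdomain are kept but marked not actionable, and the two spellings of the same domain collapse to one entry. Everything marked actionable still needs the pivoting and OSINT vetting the paragraph above describes; this pass only removes the noise that would waste that effort.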

Vulnerabilities

CTI teams often play a key role in threat and vulnerability management (TVM). Many organisations have standalone TVM teams that interface with CTI teams, who provide the latest news about vulnerabilities exploited in the wild from monitoring their sources. Another discipline that may come under a CTI team's remit is attack surface scanning and looking for exposures. This is because CTI teams track the latest exploitation campaigns of adversaries and know which products and devices are currently being targeted. Therefore, it pays for organisations to have a team that performs an attack surface check driven by threat intelligence.

Resources:

Description | Link
Here's a collection of sources you can use to monitor for vulnerabilities | Vulnerability Resources – BushidoUK GitHub
Here's a presentation about practical vulnerability intelligence | Practical Vulnerability Intelligence Talk
Here is a collection of Shodan queries for checking products regularly targeted by adversaries | Collection of Shodan Queries – BushidoUK GitHub

Community

Lastly, once you start working in CTI you quickly realise that the CTI industry is very close knit. Due to the nature of working with other organisations to share information, long-term bonds between analysts and teams are inherently forged. As an individual CTI analyst, CTI manager, or CTI team, it is vital to build up a network of contacts and form official intelligence sharing partnerships.

This all starts, however, with being a member of the community. This includes going to conferences, talking to other analysts over social media (Twitter or LinkedIn), or participating in online communities, such as those on Discord. While participating in these communities and talking to other CTI practitioners, it is always important to keep operational security (OPSEC) in mind and maintain trust, as well as obeying the Traffic Light Protocol (TLP).

Resources:

Description | Link
Here's a list of Infosec Discord Servers to find other like-minded folks | Infosec Discord Servers – BushidoToken Blog
Here's a list of Infosec YouTube channels to watch relevant content | Infosec YouTube Channels – BushidoUK GitHub
Here's a list of CTI-focused conferences worth attending! | CTI Conferences – BushidoUK GitHub

Further Reading

If you have gone through all the resources in this blog (well done!) but you’re still looking for more things to read, then luckily enough for you, there’s still plenty more out there. I recommend taking a look at other guides created by renowned CTI experts, such as Katie Nickels’ CTI Self Study Guide Part 1 and Part 2 as well as Andy Piazza’s CTI Study Plan here.