The Cyber Threat Intelligence (CTI) course is taught by Cybrary SME, Dean Pompilio. It consists of 12 modules and provides a comprehensive introduction to CTI. The subject is an important one, and in addition to discussing tactics and methods, quite a bit of focus is placed on operational matters including the various CTI analyst roles.
The course starts off with discussing fundamental concepts such as defining CTI and the foundations of threat intelligence. Defining threats and how an organization will respond to them truly is the foundation of CTI. The collection of data, otherwise known as Intel, forms the basis of threat analysis. During the analysis phase of CTI, threats are identified which then trigger an incident response effort or campaign. Indicators of attack (IoA) and of compromise (IoC) serve to guide the threat identification and incident response efforts.
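To make the IoC/IoA distinction concrete, here is an added example (not material from the course or from Cybrary) that runs a small set of indicators over a few constructed log lines. Known-bad artifacts (a domain, an IP, a file hash) are matched as indicators of compromise, while one behavioral rule (an Office application spawning a command shell) stands in for an indicator of attack. The log schema, indicator values and field names are all assumptions made for the example; the addresses and domain come from reserved documentation ranges and the hash is an obviously fake placeholder.

```python
"""Added example: matching IoCs and a simple IoA against constructed logs."""
import re
from collections import defaultdict

# Constructed indicator set (placeholder values, not real threat data).
IOC_SET = {
    "domain": {"update-check.example"},   # reserved .example TLD
    "ip": {"203.0.113.45"},               # RFC 5737 TEST-NET-3 address
    "sha256": {"deadbeef" * 8},           # obviously fake 64-hex placeholder
}

# Which log field carries each indicator type (assumed log schema).
IOC_FIELDS = {"query": "domain", "dst": "ip", "sha256": "sha256"}

# Behavioral (IoA) rule: an Office process launching a scripting shell.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}

# Constructed key=value log lines for the demonstration.
LOGS = [
    "2024-05-01T10:00:01Z host=ws17 event=dns query=update-check.example",
    "2024-05-01T10:00:03Z host=ws17 event=net dst=203.0.113.45 dport=443",
    "2024-05-01T10:00:09Z host=ws17 event=process "
    "image=C:\\Windows\\System32\\cmd.exe parent=WINWORD.EXE",
    "2024-05-01T10:01:00Z host=ws22 event=net dst=198.51.100.7 dport=443",
    "2024-05-01T10:02:00Z host=ws17 event=file sha256=" + "deadbeef" * 8,
]

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a key=value log line into a dict; quoted values are unwrapped."""
    return {key: value.strip('"') for key, value in TOKEN_RE.findall(line)}


def match_iocs(fields):
    """Return IoC hits for one parsed line, e.g. 'ioc:ip:203.0.113.45'."""
    hits = []
    for field, kind in IOC_FIELDS.items():
        value = fields.get(field)
        if value is not None and value.lower() in IOC_SET[kind]:
            hits.append(f"ioc:{kind}:{value}")
    return hits


def basename(path):
    """Lower-cased final path component, tolerant of Windows separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_ioas(fields):
    """Return IoA hits: behavior that suggests an attack without a known-bad artifact."""
    hits = []
    if fields.get("event") == "process":
        parent = basename(fields.get("parent", ""))
        image = basename(fields.get("image", ""))
        if parent in OFFICE_APPS and image in SHELLS:
            hits.append(f"ioa:office-spawns-shell:{parent}->{image}")
    return hits


def analyze(lines):
    """Group every IoC/IoA hit by host so an analyst can triage per machine."""
    findings = defaultdict(list)
    for line in lines:
        fields = parse_line(line)
        hits = match_iocs(fields) + match_ioas(fields)
        if hits:
            findings[fields.get("host", "unknown")].extend(hits)
    return dict(findings)


if __name__ == "__main__":
    for host, hits in analyze(LOGS).items():
        print(host)
        for hit in hits:
            print("  ", hit)
```

Running it reports four findings on ws17 (three IoC matches and one IoA) and nothing on ws22, whose outbound connection goes to an address that is not on the indicator list. In practice the IoC set would be fed from the intelligence collection described above, and a host that accumulates both IoC and IoA hits is the one to hand to incident response first.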
The middle modules of the CTI course delve into the roles of the various security analysts. These roles correspond to the three types of threat intelligence: tactical, operational, and strategic. The timelines for each type vary accordingly, with tactical threat intelligence operating on a much shorter timeline than strategic threat intelligence.
The duties of the analysts vary accordingly. The tactical analyst is responsible for maintaining a strong security posture and spends most of the time hunting threats and chasing down leads on suspicious behavior.
Conversely, the role of the strategic analyst is focused on the long-term defense of an organization and requires a big-picture view. The strategic analyst performs threat modeling using brainstorming exercises to better understand situations that an adversary could exploit. In Module 6, Dean reviews several NIST documents concerned with threat modeling.
The Cyber Kill Chain (CKC) is fundamental to the course. It is first introduced in Module 7, and a deeper dive is undertaken in Modules 9 and 10. The CKC is a procedural model for identifying and responding to threats that consists of seven phases. It is a somewhat complex concept but an extremely important tool for dealing with threats and adversaries.
The methodical nature of the CKC enables the analyst to respond efficiently to threats. Its use also minimizes the risk of false positives, which waste time and resources and can cost an analyst credibility. Modules 9 and 10 continue the examination of the CKC, with Module 10 concerned with managing the CKC. Open lines of communication before, during, and after an event are a critical part of CTI.
The course concludes with an overview of some extremely useful and free resources for CTI. Module 11 presents some open source intelligence tools and resources. Dean demonstrates the open source Maltego tool and goes over its wealth of features. He also discusses a website that provides over 250 free OSINT resources. This course may be an introduction to CTI, but Dean packs an incredible wealth of information into it!