This repository is dedicated to providing a comprehensive collection of resources related to Cyber Threat Intelligence.
orlofv/Cyber-Threat-Intelligence
Project Description

An extensive collection of Cyber Threat Intelligence resources. Articles, Tools, Standards, Definitions & more.
It's a work in progress, expect regular updates!

Table of Contents

  1. Videos, Blog Posts & Articles
  2. Tools & Collections
  3. Standards & Frameworks
  4. Definitions

1. Blog posts, Articles & Guides

2. Tools & Collections

2.1 IPs, Domains, Malware

  • abuse.ch - Identify and track cyber threats
    • MalwareBazaar - A resource for sharing malware samples
    • Feodo Tracker - A resource used to track botnet command and control (C2) infrastructure linked with Emotet, Dridex and TrickBot.
    • SSL Blacklist - A resource for collecting and providing a blocklist of malicious SSL certificates and JA3/JA3S fingerprints.
    • URLhaus - A resource for sharing malware distribution sites.
    • ThreatFox - A resource for sharing indicators of compromise (IOCs).
  • AlienVault OTX - Open Threat Exchange, the neighborhood watch of the global intelligence community.
  • urlscan.io - Easily and confidently analyse unknown and potentially malicious websites.
  • VirusTotal - Online service that analyzes suspicious files and URLs to detect types of malware and malicious content using antivirus engines and website scanners.
  • CyberGordon - Quickly provides threat and risk information about observables such as IP addresses or web domains.

2.2 Misc

  • APT Reports & More - A collection of APT reports, information and IOCs
  • Awesome Threat Intel - Collection repository
  • YARA - Identify and classify malware samples.
    • YARACI - Automated scanning of YARA rules
  • Cuckoo Sandbox - Open source dynamic malware analysis system
  • PhishTool - Seeks to elevate the perception of phishing as a severe form of attack and provide a responsive means of email security.
  • OpenCTI - Threat Intelligence Platform (open source)

3. Standards & Frameworks

  • The National Intelligence Model (5x5x5) - Source Evaluation / Intelligence Evaluation / Handling Code
  • DISARM Framework - A framework designed to counter disinformation
  • NATO Admiralty Scale - Two-character notation for evaluating collected items of intelligence.
  • TLP - Traffic Light Protocol
  • TIBER-EU - Applying CTI to Red Team exercises
  • Diamond Model - The Diamond Model of Intrusion Analysis
  • MILE - Managed Incident Lightweight Exchange workgroup
    • IODEF - Incident Object Description Exchange Format
    • RID - Real-time Inter-network Defense
  • OpenIOC - Mandiant
  • VERIS - Vocabulary for Event Recording and Incident Sharing (Verizon)
  • CIF 1 2 - The Collective Intelligence Framework

3.1 MITRE Standards - CTI management

MITRE has developed three standards that each fill different needs for a CTI management system.

  • CybOX - Provides a standard for defining indicator details known as observables
  • STIX - A language and serialization format used to exchange cyber threat intelligence (JSON format)
    • SDO & SRO Examples - STIX Domain Object & STIX Relationship Object
    • TAXII - Trusted Automated Exchange of Intelligence Information

3.2 Threat Modeling

A process by which potential threats, such as structural vulnerabilities, can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view.

4. Definitions

  • Types of CTI - Strategic, Tactical, Operational, Technical
  • Threat Intelligence Lifecycle - The 5 stages of TI (planning, collection, processing, production & analysis, dissemination)
  • Analysis of Competing Hypotheses - ACH
  • OODA Loop - Observe, Orient, Decide, Act
  • F3EAD - Find, Fix, Finish / Exploit, Analyse, Disseminate
  • ISAC - Information Sharing and Analysis Center
  • PESTLE-MG analysis - Political, Economic, Social, Technological, Legal, Environmental (MG - Military/Government)
  • MoSCoW - Prioritization technique
  • RACI Matrix - Responsibility Assignment | Responsible, Accountable, Consulted, Informed
  • MTTR, MTTD, MTTF and MTBF - What's the difference between the various mean times?
  • Morphological Analysis - A method for identifying, structuring and investigating the total set of possible relationships contained in a given multidimensional problem
  • WEP - Words of Estimative Probability
