A few weeks ago while teaching SANS FOR578 one of my students asked a great question: What books or papers should a new cyber threat intelligence analyst read first? It’s a question I’d meant to answer before, so instead of just sending back an email (I mean, I emailed back, HI MATT, but along with that) I figured I’d write up my list and have something to reference next time I get asked. So here’s my list of things you should read when getting started in cyber threat intelligence:


The best narrative version of the DFIR & CTI world I can imagine, The Cuckoo’s Egg reads better than Tom Clancy and tells the true story of an astronomer’s year hunting cyber espionage in the early 1980s. A must read (and great for non-technical folks as well). Also a great gauge of interest for people thinking about dipping their toe into DFIR or CTI.

Written in 2000, Secrets and Lies was my introduction to many of the technical problems in security and has been my go-to First Technical Security Book ever since. I’m reevaluating it now (against the Defensive Security Handbook: Best Practices for Securing Infrastructure by Lee Brotherston & Amanda Berlin) but Secrets and Lies is a classic.

Ultimately CTI collection is the output of incident response. Doing CTI well requires a deep understanding of all aspects of incident response, and Incident Response & Computer Forensics is the best book to learn the overall process from some folks who’ve been there and done that.

A huge amount of CTI comes down to malware analysis. Malware reverse engineering is a big part of understanding the capabilities of an adversary. This is the best introduction text I know. In fact it’s on my current reread list.

SHOCKER: You’re not an intelligence analyst if you’re doing CTI. You’re a counterintelligence analyst. Many of the same techniques, but a totally different application. Understanding traditional counterintelligence tradecraft is essential, and this is my favorite book to learn it.

Analysis is often the least understood (and honestly least undertaken) piece of CTI. We, all of us in the CTI arena, need to get better at it. Richards Heuer literally wrote the book on this.

Like The Cuckoo’s Egg, Fred Kaplan’s Dark Territory is a story-centric history of the development of America’s cyber warfare capability and provides a detailed look into what developing a cyber warfare capability looks like at a policy level.



Non-Computer Network Defense Specific Reading

An exploration of the formation of the modern Russian intelligence apparatus. Studying those evolutions is interesting.

Judge if you want, it’s a solid read detailing the meta nature of conflict and espionage. Yes it’s overdone, yes it was over-quoted, but it’s still valuable. Ignore it at your own peril. (Want a more modern take? I’ve been meaning to read On War by Carl von Clausewitz.)

So I haven’t read this one (yet)… but I’ve been meaning to. From podcasts and discussions with friends it’s perfect for this list, so I’ll add it, even if it is still aspirational to me. Very metacognitive.

One Last Reading Idea

Intelligence Driven Incident Response

Our book is meant to cover both the network defense process and the intelligence process, but more importantly how they can be integrated. Ultimately computer network defense takes intrusion detection, incident response, & intelligence.

Bonus! Jiro Dreams of Sushi & Sour Grapes

Photo from The Gumroad

Jiro Dreams of Sushi is a beautiful documentary about food, but more than that about the depth of effort and dedication it takes to really be the best at a craft. This is all the more important in an adversarial vocation like CTI, where in many cases it matters who’s better, you or the adversary. For me, I would like to be known as having the kind of tenacity Jiro and those who work with him have.

Photo from The Pool

Sour Grapes touches on a different but no less important, borderline unteachable, aspect of CTI/IR. I won’t spoil the surprise, but Sour Grapes is a wonderful lesson in the investigative desire: that need to track down the adversary and figure out their techniques and goals.

I recommend both highly and they’re both excellent to watch even with non-CND people. They also pair with tuna nigiri and an off-dry Riesling.

Network Defender, developer, speaker, writer, author of O’Reilly’s Intelligence Driven Incident Response, & SANS instructor. Bad guy catcher.