A few weeks ago while teaching SANS FOR578 one of my students asked a great question: What books or papers should a new cyber threat intelligence analyst read first? It’s a question I’d meant to answer before, so instead of just sending back an email (I mean, I emailed back, HI MATT, but along with that) I figured I’d write up my list and have something to reference next time I get asked. So here’s my list of things you should read when getting started in cyber threat intelligence:
Get that library card or Amazon account ready, here are my favorite books on CTI.
The Cuckoo's Egg
The best narrative version of the DFIR & CTI world I can imagine. The Cuckoo’s Egg reads better than Tom Clancy and tells the true story of an astronomer’s year hunting cyber espionage in 1986 and 1987. A must read (and great for non-technical folks as well). Also a great gauge of interest for people thinking about dipping their toe into DFIR or CTI.
Secrets and Lies
Written in 2000, Secrets and Lies was my introduction to many of the technical problems in security and has been my go-to First Technical Security Book ever since. I’m reevaluating it now (against the Defensive Security Handbook: Best Practices for Securing Infrastructure by Lee Brotherston & Amanda Berlin), but Secrets and Lies is a classic.
Incident Response & Computer Forensics, Third Edition
Ultimately, CTI collection is the output of incident response. Doing CTI well requires a deep understanding of all aspects of incident response, and Incident Response & Computer Forensics is the best book to learn the overall process from some folks who’ve been there and done that.
Practical Malware Analysis
A huge amount of CTI comes down to malware analysis. Malware reverse engineering is a big part of understanding the capabilities of an adversary. This is the best introductory text I know. In fact it’s on my current reread list.
Thwarting Enemies at Home and Abroad
SHOCKER: You’re not an intelligence analyst if you’re doing CTI. You’re a counterintelligence analyst. Many of the same techniques, but a totally different application. Understanding traditional counterintelligence tradecraft is essential, and this is my favorite book to learn it.
Structured Analytic Techniques For Intelligence Analysis
Analysis is often the least understood (and honestly least undertaken) piece of CTI. We, all of us in the CTI arena, need to get better at it. Richards Heuer literally wrote the book on this.
Dark Territory
Like The Cuckoo’s Egg, Fred Kaplan’s Dark Territory is a story-centric history of the development of America’s cyber warfare capability and provides a detailed look into what developing a cyber warfare capability looks like at a policy level.
Plenty of key concepts don’t merit a full book but fit in the 10–30 page range, which is perfect for academic-style papers. These are good ones to start with:
- Threat Intelligence: Collecting, Analysing, Evaluating — I read this paper right when it came out (though I had to be reminded of it by John D. Swanson) and it’s a solid broad introduction to the core concepts of CTI. It’s not enough on its own, but it’s a solid start.
- Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains by Hutchins, Cloppert & Amin — The infamous kill chain paper. Love it or hate it, this is a seminal work defining a model that every CTI analyst needs to understand even if they don’t use it directly.
- The Diamond Model of Intrusion Analysis by Caltagirone, Pendergast, & Betz — Another key model. I admit I dismissed the Diamond Model at first. Four simple buckets (adversary, capability, infrastructure, victim), how big a deal is that? Turns out it’s a huge one once I got past the TLDR. Not simple actually, but elegant.
- Psychology of Intelligence Analysis by Heuer — Added by popular demand. I had this paper on the list originally, but took it off since it’s basically a subset of Heuer’s Structured Analytic Techniques listed above. That said, this is a seminal paper on the human aspect of analyzing intelligence, so I’m adding it back. Thanks for the suggestions!
Most CTI programs are focused on four major sets of adversaries: China, Russia, the United States, & everyone else (I’ll write another post about that bias later on). Who’s important will depend on your threat model, including geographic location and industry, but passing familiarity with the big players is important for everyone. Here are my favorite introductions:
- China: APT1 Report & Op SMN/Axiom Report — One sorta basic, one more advanced. A good cross section of Chinese state sponsored espionage.
- Russia: Peering Into the Aquarium — A leaked Google report (everyone has leaks) but the best survey of Russian threat actors I know of.
- United States: Equation Group — No one says US, but it’s very clear. A great idea of the sort of capabilities everyone else wants to have.
- Everyone Else: Careto, Ocean Lotus, Desert Falcon, & Dark Seoul — Four reports covering a wide variety of actors. Varied tactics & goals.
Non-Computer Network Defense Specific Reading
While the books above are tightly focused on computer network defense (CND), there are a wide variety of subjects useful to a CTI analyst that go beyond CND & intelligence. Here’s my starting list:
Near and Distant Neighbors
An exploration of the formation of the modern Russian intelligence apparatus. Studying how that apparatus evolved is useful context for anyone tracking the Russian actors covered in the reports above.
The Art of War
Judge if you want, it’s a solid read detailing the meta nature of conflict and espionage. Yes it’s overdone, yes it’s over-quoted, but it’s still valuable. Ignore it at your own peril. (Want a more modern take? I’ve been meaning to read On War by Carl von Clausewitz.)
Thinking, Fast and Slow
So I haven’t read this one (yet)… but I’ve been meaning to. From podcasts and discussions with friends it’s perfect for this list, so I’ll add it, even if it is still aspirational to me. Very metacognitive.
One Last Reading Idea
Rebekah Brown and I have been working very hard and are excited to share our own addition to this list:
Our book is meant to cover both the network defense process and the intelligence process but, more importantly, how they can be integrated. Ultimately computer network defense takes intrusion detection, incident response, & intelligence.
Bonus! Jiro Dreams of Sushi & Sour Grapes
As I was originally thinking about this post I thought it would be nothing but Intelligence & Incident Response books, but as I kept considering the topic it kept expanding and I wanted to be inclusive. So in addition to some reading, here are two movies I watched and couldn’t stop thinking of parallels to CTI.
Jiro Dreams of Sushi is a beautiful documentary about food, but more than that about the depth of effort and dedication it takes to really be the best at a craft. This is all the more important in an adversarial vocation like CTI, where in many cases it matters who’s better, you or the adversary. For me, I would like to be known for the kind of tenacity Jiro and those who work with him have.
Sour Grapes touches on a different but no less important, borderline unteachable, aspect of CTI/IR. I won’t spoil the surprise, but Sour Grapes is a wonderful lesson in the investigative desire, that need to track down the adversary and figure out their techniques and goals.
I recommend both highly and they’re both excellent to watch even with non-CND people. They also pair with tuna nigiri and an off-dry Riesling.