Operationalizing Threat Intelligence: A guide to developing and operationalizing cyber threat intelligence programs by Kyle Wilhoit is an informative guide to cyber threat intelligence, covering theory and practice. It recommends and shows how to use many tools. It explains what threat intel is, how to collect it, and how to…

Mastering Cyber Intelligence by Jean Nestor M. Dahj is the best cyber threat intel book I’ve read so far. It’s comprehensive and detailed, explaining theory and providing practical instructions and tools. It covers all steps of the CTI cycle. My notes follow. This page contains one or more affiliate links…

OSINT CTFs (Capture The Flag games) let you hone your skills through problem-solving games. I especially like those that educate you throughout the CTF, providing tools and techniques. Here are a few OSINT CTFs. Please let me know if you recommend others! Be aware that the older an OSINT CTF…

Here’s my writeup of Sector035’s 2020 OSINT quiz (CTF), including solutions (spoiler alert!). I like that this CTF is educational, sharing plenty of tips and resources. There are 20 questions in 6 areas: Social Media & Forums Video & Images Source & JSON EXIF & Metadata History & Archives Geolocation…

Here’s my writeup of Sector035’s 2019 OSINT quiz (CTF), including solutions (spoiler alert!). I like that this CTF is educational, sharing a few tips and resources. There are at least 23 questions in 7 areas: Geolocation SIGINT (3G/LTE, Wi-Fi) Social media News articles Surface web & dark web File…

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage by Timo Steffens is a useful, informative resource on APT group attribution, covering the process, reasons, and considerations. It includes plenty of examples. My notes follow. This page contains one or more affiliate links. As an Amazon Associate…

Here’s my writeup of the Sakura Room OSINT CTF by OSINT Dojo on TryHackMe, including solutions (spoiler alert!). If you know of any other CTFs or challenges that provide good OSINT or CTI practice, please let me know! What username does the attacker go by? I opened the provided SVG with Atom, a text editor, and saw…

The Unified Kill Chain is a combination of the Cyber Kill Chain and MITRE ATT&CK tactics. It’s meant to be an updated version of the Cyber Kill Chain to better fit modern attacks. Attack Phases (Tactics) The Unified Kill Chain includes 18 phases or tactics, which are the steps a cyberattack may progress…

What’s the difference between an indicator of compromise (IoC) and an indicator of attack (IoA)? First, what are indicators? Indicators are evidence related to security incidents. They can be hashes, domain names, IP addresses, URLs, malware signatures, registry keys, filenames, processes, services, network traffic, activity from unusual geographic locations, unrecognized…