Academy
Cyber Threat Intelligence experimental
Cyber Threat Intelligence The intelligence cycle applied to the cyber domain: actor profiling with the Diamond Model, the Kill Chain and MITRE ATT&CK, analytic tradecraft under uncertainty, sharing formats and platforms, and closing the loop into detection engineering. Foundations of Cyber Threat Intelligence. The intelligence cycle, the strategic/operational/tactical/technical levels of CTI, and Priority Intelligence Requirements. State the intelligence cycle's stages, apply them, and draft a set of Priority Intelligence Requirements against a stated decision need.. Intelligence cycle, Strategic vs tactical CTI, Priority Intelligence Requirements, Collection planning Foundations of Cyber Threat Intelligence Cyber threat intelligence (CTI) is not a synonym for a feed of malicious Internet Protocol (IP) addresses. It is a discipline: the deliberate transformation of raw observations about adversaries into structured, decision-useful knowledge. This module builds the vocabulary and process the rest of the course relies on. The intelligence cycle Every mature intelligence function, cyber or otherwise, runs on some version of the same cycle. ENISA's own Cybersecurity Threat Landscape methodology names six steps, with feedback built in rather than bolted on at the end. Direction sets what the organisation actually needs to know. Collection tasks sources against that need. Processing converts raw material (packet captures, malware samples, open-source reporting) into something an analyst can work with. Analysis and production is where judgement happens: correlating, weighing evidence, and writing a conclusion. Dissemination gets the product to the person who asked for it, in a form they can use. Feedback closes the loop: did the product actually answer the question, and what should collection do differently next time. Skip the feedback stage and the whole cycle degrades into a one-way broadcast that nobody can correct. Levels of CTI The same underlying event can be written up at any of these three levels, for three different readers. A ransomware intrusion is, at the strategic level, a data point in a sector risk trend; at the tactical level, it is a specific set of hashes, domains and techniques a detection engineer can act on this afternoon. Priority Intelligence Requirements A requirement written as "watch for threats" is not a requirement. A requirement written as "will our sector face increased ransomware targeting from double-extortion affiliates in the next two quarters, and which initial-access vector should we prioritise defending" is a Priority Intelligence Requirement (PIR): specific enough to task collection against, and specific enough that a later reader can judge whether the finished product actually answered it. A collection plan is simply the answer to "given this PIR, what sources will we task, and what gap remains if those sources come back empty." Writing the PIR before collecting anything is the single habit that separates a CTI function from an indicator-forwarding service. Why this discipline exists The modern private-sector CTI field owes a great deal to a single 2013 event: Mandiant's public report on Advanced Persistent Threat 1 (APT1), a persistent campaign later attributed to a Chinese military unit. The report's own appendices, listing hundreds of indicators from a multi-year campaign, are the direct ancestor of two ideas this course returns to repeatedly: that indicators are only useful if defenders can act on them (Module 4), and that a campaign can be reconstructed and correlated as a connected structure rather than a pile of unrelated alerts (Module 1). Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Threat Actor Profiling and the Diamond Model. The Diamond Model of intrusion analysis, activity-attack graphs, campaign correlation, and attribution pitfalls. Describe the Diamond Model's four core features, construct an event graph from a described intrusion, and correlate it against a related campaign.. Diamond Model core features, Activity-attack graphs, Campaign correlation, Attribution pitfalls Threat Actor Profiling and the Diamond Model Once collection has produced raw observations, the analyst's first job is to structure them. The Diamond Model of Intrusion Analysis, published by Caltagirone, Pendergast and Betz in 2013, is the field's most widely taught structuring tool, precisely because it is simple enough to draw by hand and rigorous enough to support real correlation. The four core features Every intrusion "event," in Diamond Model terms, is a set of four features connected in the shape of a diamond: No single feature, on its own, is strong evidence of anything. A shared Internet Protocol (IP) address could be a coincidence, a shared hosting provider, or reused infrastructure sold on to an unrelated actor. What makes the model powerful is convergence: when adversary, infrastructure and capability line up consistently across multiple events, the correlation becomes hard to explain away as chance. From events to activity-attack graphs A single Diamond event describes one moment. Real campaigns are made of many. Linking related events into an activity-attack graph is what reveals the shape of a campaign, rather than a scattering of isolated alerts, and it is what let Mandiant correlate nearly 150 distinct victims over seven years into a single attributed campaign in the Advanced Persistent Threat 1 (APT1) report. Attribution pitfalls Attribution built on a single feature is attribution built on sand. A shared malware family could mean a shared developer, a leaked builder kit sold on criminal forums, or a deliberate false flag planted by a third actor hoping to implicate someone else. A shared victim country could simply mean two unrelated actors both find that country's sector attractive. Three pitfalls to hold in mind every time a correlation looks convincing: Shared or reused infrastructure. Hosting providers and bulletproof infrastructure get reused across unrelated actors constantly; infrastructure overlap alone is weak evidence.. False flags. A sophisticated actor with the resources to do so may deliberately leave artefacts pointing at a different group.. Commodity tooling. Widely available, off-the-shelf malware and frameworks are used by many unrelated actors; capability overlap alone does not establish a shared adversary. The discipline this module teaches is not "never attribute." It is "attribute on convergence, not on a single feature," and state the confidence level honestly (a theme Module 3 develops in full). Worked orientation This module's lab asks you to take a described intrusion, written up in the style of a real public report, and build its Diamond Model event graph by hand: naming the adversary, infrastructure, capability and victim features, then correlating that event against a second, related event to test whether the convergence holds. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) The Cyber Kill Chain and MITRE ATT&CK. The Lockheed Martin intrusion kill chain, MITRE ATT&CK tactics, techniques and sub-techniques, and TTP-based analysis. Model a described intrusion campaign onto both the kill chain and MITRE ATT&CK, and identify a defensive coverage gap.. Kill chain stages, ATT&CK tactics and techniques, ATT&CK Navigator, TTP-based vs indicator-based analysis The Cyber Kill Chain and MITRE ATT&CK The Diamond Model tells you who is involved in an event. This module supplies the other half: what the adversary actually did, described at a granularity a defender can act on. The intrusion kill chain Lockheed Martin's 2011 paper, *Intelligence-Driven Computer Network Defense*, modelled an intrusion as a chain of stages, arguing that breaking the chain at any single stage defeats the whole intrusion. The strategic implication is the paper's real contribution: a defender does not need to stop every stage. A single well-placed control, at any point in the chain, is enough to break that specific attempt. A phishing email blocked before it is opened breaks the chain at delivery; a well-tuned detection on unusual outbound beaconing breaks it at command and control, even if delivery and exploitation both succeeded. MITRE ATT&CK Where the kill chain gives seven broad stages, MITRE's ATT&CK knowledge base gives granular, empirically observed detail within each. A tactic is the adversary's goal for a phase of the operation (privilege escalation, persistence, exfiltration); a technique (and, more specifically still, a sub-technique) is how that goal is actually achieved. ATT&CK's tactics map loosely onto kill chain stages, but with dramatically more resolution underneath each one. Why TTP-based analysis outlasts indicators A file hash or an Internet Protocol (IP) address can be changed by an adversary in seconds, at zero cost. A tactic, technique or procedure (TTP) is a behavioural pattern, often built into tooling and operational habit over months. Changing it is slow and expensive for the adversary, which is exactly why Module 4's Pyramid of Pain ranks TTPs at the top: they cause the adversary the most pain to change. This is the core argument for TTP-based analysis over pure indicator matching: it survives the adversary's own attempts to evade detection by simply rotating infrastructure. The ATT&CK Navigator and coverage gaps The ATT&CK Navigator is a browser-based visualisation tool for exactly one purpose: laying an organisation's actual detection coverage over the full technique matrix, so gaps are visible rather than assumed. A heat map with strong coverage at delivery and exploitation but nothing at command and control is not a strong security posture; it is a posture with a wide-open back half of the kill chain, and the Navigator is what makes that visible before an incident does. This module's lab asks you to map a described campaign onto both models side by side and name, explicitly, which stage or technique currently has the weakest defensive coverage. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Structured Analytic Techniques and Analytic Tradecraft. Cognitive bias in analysis, Analysis of Competing Hypotheses, words of estimative probability, and confidence and sourcing. State the Analysis of Competing Hypotheses method's core steps, run the matrix against a multi-hypothesis case, and assign a defensible confidence level to the conclusion.. Cognitive bias in analysis, Analysis of Competing Hypotheses, Words of estimative probability, Confidence and sourcing Structured Analytic Techniques and Analytic Tradecraft Good sources and a good model are not enough on their own. An analyst's own mind is part of the instrument, and it comes with known distortions. This module is about correcting for them deliberately, rather than trusting instinct. Cognitive bias in analysis Richards Heuer's 1999 *Psychology of Intelligence Analysis*, written for the Central Intelligence Agency (CIA)'s Directorate of Intelligence and still freely published by its Center for the Study of Intelligence, remains the field's foundational text on this problem. Two biases Heuer names are worth carrying into every cyber threat intelligence (CTI) judgement: Confirmation bias. The tendency to notice and weight evidence that supports a belief already held, while quietly discounting evidence that does not.. Mirror-imaging. Assuming an adversary reasons the way the analyst would, rather than accounting for the adversary's actual incentives, constraints and culture. Analysis of Competing Hypotheses Heuer's signature method, Analysis of Competing Hypotheses (ACH), inverts the natural instinct to pick a favourite hypothesis and look for support. Instead: list every plausible hypothesis, then test each piece of evidence against every hypothesis, actively looking for evidence that would disconfirm each one. The hypothesis with the *least* evidence against it, not the most evidence for it, is the more rigorously tested conclusion. A row where both hypotheses are equally consistent (or equally inconsistent) is diagnostically weak: it does not help discriminate between the hypotheses and should not carry much weight in the final judgement, however dramatic it looks in isolation. Words of estimative probability Sherman Kent's 1964 essay named a problem every analyst still faces: vague words like "likely" or "a serious possibility" mean different things to different readers. Kent proposed anchoring estimative language to a rough numeric range. Confidence is not the same as probability A probability estimate is a judgement about how likely an event is. A confidence level is a judgement about how much the analyst trusts the process and evidence behind that estimate. A report can state "almost certain" (a probability judgement) while also disclosing "low confidence" (an honest statement that the underlying sourcing is thin), and a rigorous analyst states both rather than only the more impressive-sounding one. This module's lab is a worked ACH matrix against a simulated multi-hypothesis case: build the matrix, identify the diagnostically weak rows, and write a one-paragraph conclusion that states both an estimative probability and an honestly earned confidence level. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Indicators, Sharing Formats and Threat Intelligence Platforms. The Pyramid of Pain, the indicator-of-compromise lifecycle, STIX and TAXII, the Traffic Light Protocol, and open threat intelligence platforms. Describe the components of a structured indicator-sharing format, and construct a set of indicators as a correctly structured, correctly labelled sharing artefact.. Pyramid of Pain, IOC lifecycle, STIX and TAXII, TLP and sharing platforms Indicators, Sharing Formats and Threat Intelligence Platforms Intelligence that never leaves an analyst's notebook has no defensive value. This module covers how cyber threat intelligence (CTI) is encoded, classified for sharing, and operationalised, once analysis is done. The Pyramid of Pain David Bianco's 2013 blog post, written after watching how poorly the field applied the indicators in Mandiant's Advanced Persistent Threat 1 (APT1) appendices, ranks indicator types by how much disruption defending against them causes an adversary. The pyramid's whole argument, and the reason Module 2 keeps returning to tactic, technique, or procedure (TTP)-based analysis, is that defending only at the bottom levels wins battles the adversary can undo in minutes. The IOC lifecycle An indicator of compromise (IOC) moves through a lifecycle: identification and validation, operationalisation (loaded into a detection or blocking control), active use, and eventual retirement. Retirement matters as much as creation: IP addresses and domains are frequently reused by unrelated, benign infrastructure over time, and a detection list that never prunes stale indicators becomes a slow-building false-positive machine. STIX, TAXII and structured sharing Free-text reports do not scale. The Structured Threat Information Expression (STIX) is an Organization for the Advancement of Structured Information Standards (OASIS)-standardised language for expressing threat intelligence, and the objects and relationships between them, in structured, machine-parsable form. The Trusted Automated Exchange of Intelligence Information (TAXII) is the transport protocol built to move STIX content between organisations and platforms. STIX 2.1 and TAXII 2.1 were published as OASIS standards in 2021. The value of encoding a campaign as linked STIX objects, rather than a flat indicator list, is exactly the Diamond Model's own point from Module 1: relationships between the actor, the infrastructure and the indicators are preserved and queryable, not flattened away. The Traffic Light Protocol The Forum of Incident Response and Security Teams (FIRST), via FIRST.org, defines the Traffic Light Protocol (TLP), now at version 2.0, the sharing classification every CTI product should carry. Four labels, ascending in restriction: TLP:CLEAR (CLEAR) permits unrestricted sharing; TLP:GREEN (GREEN) permits community sharing outside public channels; TLP:AMBER (AMBER) permits limited, need-to-know sharing, with an AMBER+STRICT (STRICT) variant restricting further to the recipient organisation only; and TLP:RED (RED) restricts disclosure to named recipients only. Mislabelling in either direction is a real failure: over-restricting starves the community that needs the warning, under-restricting can burn a source. Platforms The Malware Information Sharing Platform (MISP), an open source threat intelligence and sharing platform maintained by the Computer Incident Response Center Luxembourg (CIRCL) community, is the field's most widely deployed open tool for exactly this workflow: storing indicators and their relationships in structured form, correlating them automatically against other stored intelligence, and exporting or synchronising with other MISP instances or Security Information and Event Management (SIEM) platforms. This module's lab asks you to take a small set of related indicators and encode them as a correctly structured, correctly TLP-labelled sharing artefact, ready to hand to a partner organisation or load into a platform like MISP. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Intelligence-Led Defense: From CTI to Detection Engineering. Threat-informed defense, converting finished intelligence into a detection hypothesis, and closing the feedback loop into VIGIL's detection engineering module. Build a detection engineering brief from a piece of finished intelligence and state how its outcome feeds back into collection requirements.. Threat-informed defense, From intelligence to detection hypothesis, Closing the feedback loop, The VIGIL bridge Intelligence-Led Defense: From CTI to Detection Engineering Every prior module in this course builds toward one question: so what. Intelligence that never changes a defensive decision has done nothing. This capstone module closes the loop. Threat-informed defense MITRE's Center for Threat-Informed Defense frames the idea plainly: prioritise defensive investment based on real-world, observed adversary behaviour, not a generic or theoretical threat model that treats every possible technique as equally likely. Resources are finite. A defender who spends equal effort on a technique three different real adversaries use constantly and a technique that has never once been observed against their sector is not being thorough; they are misallocating effort. From finished intelligence to a detection hypothesis The workflow this module teaches has a specific shape: SENTINEL's own modules 0 through 4 produce the upstream reasoning: what to prioritise, and why, grounded in a named actor's actual observed tactics, techniques, and procedures (TTPs) (Module 2's ATT&CK mapping is the hand-off artefact). This course's companion, codenamed VIGIL (VIGIL), teaches detection engineering; its own Module 0 is where that prioritised technique becomes an actual rule against real telemetry. The two courses are deliberately sequential halves of one workflow, not two treatments of the same material: SENTINEL is the "left of boom" discipline of understanding and anticipating the adversary; VIGIL is the "right of boom" discipline of detecting, responding to, and investigating what they actually did. Closing the loop A detection built from cyber threat intelligence (CTI) sources that fires zero times in three months of production monitoring is not proof of a quiet network. It is a prompt: has the underlying assumption about actor behaviour changed, or was the original prioritisation wrong. A mature CTI function treats that silence as new information and feeds it back into requirements, exactly as the intelligence cycle from Module 0 describes. A detection that fires constantly and accurately, conversely, is evidence the prioritisation was sound and should inform what gets prioritised next. This is why Module 0's feedback stage is not a formality. Without it, a CTI function keeps producing intelligence disconnected from what defenders actually learned deploying it, and the whole point of intelligence-led defense, spending finite effort where the real adversary actually is, quietly stops being true. Capstone task Convert one piece of finished intelligence (a named actor, a technique, and the evidence behind the prioritisation) into a detection engineering brief: the ATT&CK technique, the log sources needed, a plain statement of what would count as a true positive, and an explicit note on what production feedback would need to look like to confirm or challenge the original prioritisation. Hand that brief to VIGIL's own Module 0 to see the other half of the workflow this course was always building toward. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/)