The opinions expressed herein are my own and do not represent my past, present and future employer’s views in any way. Nothing posted here should be considered official or sanctioned by my past, present or future employer or any other organization I’m affiliated with.


CTI Analyst:

APT is a style of adversary, not a definitive category, and needs to be taken into consideration as such.

Intelligence collects and processes information about competing entities and agents (malign actors) that an organization needs for its security (defense) and well-being (operations).

Intelligence Sources:
- HUMINT: Interpersonal (human)
- GEOINT: Geospatial (satellite)
- MASINT: Measurement/Signature (radar)
- OSINT: Open-source collection (Internet, public records)
- SIGINT: Signal intercepts (cellphone, taps)
- ALL SOURCE: Every available source (all of the above)

Counterintelligence is:


Types of Analysis:

Intelligence Life Cycle

CTI Analysis Elements:

Intrusion Analysis: fundamental CTI skill:

CTI Terminology

Indicators of Compromise

The Indicator Lifecycle describes how indicators beget indicators. It is a cycle of discovery, maturation and exploitation enabled by people, processes, and technology. It can be represented as a directed-graph state diagram describing the states and the transitions that move an indicator between them. It implies that one must have intelligence in the first place in order to acquire more intelligence. A large amount of intelligence about one adversary may not help at all against another adversary about whom an organization has no intelligence whatsoever. This is a shortcoming of the CTI approach that must be addressed in ways other than analysis and network defense; intelligence sharing helps fill this void.

Revealed: intelligence has been revealed to us about a specific threat to the assets we intend to defend.

RTU (Reported to Us): threat intelligence feeds from other organizations (given to us). These indicators will typically carry less context than internally derived indicators and may be difficult to operationalize.

Vet & Operationalize: the vetting process determines whether the information in hand is viable for detecting the malicious activity in the specific environment one is defending. It involves assessing whether the intelligence is reliable, and whether it adequately represents the malicious activity from which it was derived in a way that is actionable in that environment.

Mature: leverage the indicator for the discovery course of action; this action is research oriented. The first step is to search historically available data sources to discover whether the indicator was observed in the past and, if so, investigate further to determine whether the activity was malicious or benign. Then two courses of action (CoAs) should be applied: detect, and the best available mitigating action, if any exists.

Utilized: indicators that are viable in one environment may not be viable in another. Once a vetted indicator is assigned to a course of action and deployed, that course of action matches network/system activity. This usually manifests as a hit in log searching (discovery) or an IDS rule firing (detection).

Intrusion analysis: an indicator will rarely have or represent a complete set of malicious activity on its own, meaning that a CTI analyst must build a complete picture of the intrusion. The process of articulating each phase of the Kill Chain, beginning with the utilized indicator, will reveal many more indicators, each of which then begins the life cycle anew. All intrusions potentially have additional indicators to be revealed once they are identified.

A CTI analyst should be responsible for building detections from indicators revealed in an IR effort. The Indicator Lifecycle is not about how useful an indicator is, but about its maturity and the confidence we have in it. Only indicators that have reached this maturity and confidence should be subject to a high level of analytical rigor and instrumentation.
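The lifecycle above (Revealed, Vet & Operationalize, Mature, Utilized, Intrusion analysis) as a small runnable state machine; this is an added example, not code from the original notes. The transition edges, the "rejected" vetting outcome, the observable indicator kinds and the proxy log lines are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Indicator Lifecycle states in the order the page lists them; the edge set and the
# "rejected" vetting outcome are assumptions made for this example.
TRANSITIONS = {
    "revealed": {"vetted", "rejected"},   # RTU (Reported To Us) indicators enter here too
    "vetted": {"mature"},
    "mature": {"utilized"},
    "utilized": set(),                    # utilization hands off to intrusion analysis
}
OBSERVABLE_KINDS = {"src_ip", "domain", "user_agent"}   # assumed: what our proxy logs carry

@dataclass
class Indicator:
    value: str
    kind: str
    source: str = "internal"              # or "rtu"
    state: str = "revealed"
    history: list = field(default_factory=list)

    def advance(self, new_state: str) -> None:
        """Follow an edge of the directed graph; refuse edges that are not in it."""
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise ValueError(f"{self.value}: illegal transition {self.state} -> {new_state}")
        self.history.append(self.state)
        self.state = new_state

def vet(ind: Indicator) -> bool:
    """Vet & Operationalize: keep only what can actually be detected in this environment."""
    ind.advance("vetted" if ind.kind in OBSERVABLE_KINDS else "rejected")
    return ind.state == "vetted"

# Constructed proxy log lines: "<timestamp> <src_ip> <domain> <user_agent>"
LOG = """2024-05-01T10:00:00Z 10.1.2.3 update.example.net Mozilla/5.0
2024-05-01T10:00:05Z 10.1.2.3 c2-beacon.example Evil/1.0
2024-05-01T10:01:00Z 10.1.2.9 news.example.org Mozilla/5.0""".splitlines()
FIELDS = ("timestamp", "src_ip", "domain", "user_agent")

def mature_and_utilize(ind: Indicator, log_lines: list[str]) -> list[Indicator]:
    """Mature = historical search; a hit utilizes the indicator and reveals new ones."""
    ind.advance("mature")
    revealed: list[Indicator] = []
    for line in log_lines:
        rec = dict(zip(FIELDS, line.split()))
        if rec.get(ind.kind) != ind.value:
            continue
        if ind.state != "utilized":
            ind.advance("utilized")
        for kind in OBSERVABLE_KINDS - {ind.kind}:   # intrusion analysis of the matching record
            if rec[kind] not in {i.value for i in revealed}:
                revealed.append(Indicator(rec[kind], kind))   # new indicators start at "revealed"
    return revealed
```

The newly revealed indicators still have to be vetted: the benign user agent on the matching line will be found in every environment and is exactly the kind of candidate vetting should reject.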

Key indicators:

Discovery and Indicator Life Span:

Keep all your detections and all your indicators until their presence causes a problem. When computational cost becomes a problem, redesign, replace, or re-engineer how your detections and the frameworks they ride on operate. I have naively accepted some of them but knowledgeably rejected others.

Indicator Fatigue and Proper Use Cases:

Organizations and teams can either focus on acting on intelligence or on producing intelligence. A team can bounce back and forth between these two modes, but cannot do both at the same time.
