Threat Intelligence / OSINT / NETSEC / NATSEC

Reading room

During discussions with other practitioners and security researchers, as well as during SANS training, I noticed that one point keeps coming up: the exchange of information about publications on specific issues. This is especially interesting in the case of more niche topics, where I could both help others find publications in the field I dealt with and rely on the knowledge of my interlocutors on topics where I lacked the experience to select sources myself. To help those looking for materials, I would like to share my experience with books which, in my opinion, deserve the attention of both people already working in threat intelligence and those who are just starting their adventure. I have grouped the list by topic to make it easier to navigate.

  1. The Science of Intelligence Analysis
  2. Cyber Threat Intelligence
  3. Computer forensics and incident response
  4. Malware analysis
  5. American Intelligence
  6. Russian Intelligence
  7. Chinese Intelligence
  8. Intelligence and counterintelligence of non-state organizations

Intelligence and intelligence analysis

Intelligence and intelligence analysis - publications on intelligence in a broad context, covering the basics, organization, forms and methods of intelligence activities.

Intelligence: From Secrets to Policy - comprehensive analysis of the role and importance of intelligence for the contemporary state apparatus. The book focuses on the American realities, but the chapters on the interaction between intelligence organizations and the executive and legislature are universal.

Thwarting Enemies at Home and Abroad: How to Be a Counterintelligence Officer - a handbook of counterintelligence tactics and methods published in 1987. Naturally a must-read, as you can probably deduce from the name of my website 🙂 More seriously, I still firmly believe that most security activity in the private sector, especially CTI, is counterintelligence. That is why it is worth knowing the working methods of colleagues who operate in less cyber-oriented conditions.

Psychology of Intelligence Analysis - study of the problems that analysts have to deal with in terms of avoiding transferring their views to intelligence products. It is also here that one of the best-known structured analytical techniques is described - Analysis of Competing Hypotheses (ACH). Available for free from CIA resources.

Curveball - a cautionary tale about how pressures on political interpretations of intelligence led to erroneous conclusions about WMD in Iraq.

Active Measures - a timely and valuable item, especially today. The history of the use of intelligence operations to spread disinformation and control the narrative of events.

Cyber Threat Intelligence

Cyber Threat Intelligence - cyber side of intelligence and publications related to threat analysis methods for employing proactive measures.

The Cuckoo's Egg - in many respects the first instance of CTI analysis, even if the person concerned was not aware of it 🙂 The story of how an astronomer at Lawrence Berkeley began tracking an intruder based on a discovered discrepancy in the accounting system, which led to the detection of a cyber intelligence operation aimed at gathering information from US government networks.

Intelligence-Driven Incident Response: Outwitting the Adversary - in my opinion, the publication closest to the actual CTI textbook. A reliable description of the theoretical and practical side of using the knowledge obtained as a result of the analysis of hostile behavior in our environment to help protect the network.

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains - the famous publication of Lockheed Martin employees describing the methodology of activity analysis based on the isolation of successive, deterministic stages. Over the years, the assessment of the model has become controversial, but still a must-read for CTI analysts. I wrote about the use of the cyber kill-chain in one of the posts.

The Diamond Model of Intrusion Analysis - just like the previous item, one of the key articles for the practice of threat intelligence. Description of the categorization of activity based on the distinction of four elements - attacker, victim, infrastructure and opportunities that must be present in each intrusion attempt.

MITRE ATT&CK: Design and Philosophy - ATT&CK is, like the Cyber Kill Chain and the Diamond Model, one of the most popular threat intelligence tools today: a description of hostile activity based on cataloging, in a standardized way, the tactics, techniques and procedures used in an intrusion attempt.

The Threat Intelligence Handbook A Practical Guide for Security Teams to Unlocking the Power of Intelligence - a high-level description of the use of threat intelligence in the protection of the organization, along with an overview of sources, scenarios and concepts. Free from Recorded Future.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage - as I wrote in one of the posts, attribution is one of the most complex and controversial issues in CTI. The publication by Timo Steffens describes a complete methodology for determining those responsible for hostile actions based on a number of technical and non-technical factors. Considering that this is the first book that describes the subject in such a comprehensive way, it is a must-read.

Computer forensics and incident response (DFIR)


Computer forensics and incident response (DFIR) - CTI is largely an analysis of hostile activity identical to what CERT teams do. The difference is that while incident responders put out fires, CTI analysts try to determine who will set the next fire and how. Either way, DFIR skills are essential for the intelligence analyst and, given the growing importance of cyber operations, even for analysts who do not deal strictly with CTI.

Incident Response & Computer Forensics, Third Edition - a complete guide to analyzing security incidents, starting with their identification, through gathering evidence, and ending with data analysis and handling specific types of artifacts. A bit old (2014), but still an ideal item as a DFIR textbook.

The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory - memory analysis is definitely my favorite part of computer forensics. Malicious activity does not always have to use tools uploaded to the victim's disk: using Living off the Land techniques and fileless malware, an attacker can successfully break in without leaving artifacts in the file system. However, as soon as the attacker starts a process, traces of the actions can be found simply by analyzing memory. The Art of Memory Forensics guides us in a very accessible way both through understanding how memory is organized and managed by the system and through the acquisition and analysis of artifacts. Unfortunately, the passage of time is noticeable here - between Windows 7 and Windows 10 in particular there have been changes in how the system handles memory, so keep this in mind when reading.

Windows Internals - to find traces of malicious activity, we need to know how the system behaves under normal conditions. The Windows Internals series describes the infrastructure and internal elements of the Windows family of systems, which allows us to understand how an attacker can manipulate its functions and what traces that can leave.

Practical Linux Forensics - despite the domination of Windows in the OS market, it is also worth knowing how to go about analyzing Linux artifacts. Practical Linux Forensics presents in an accessible way the elements of Linux that may be important from a computer forensics perspective and shows how to collect artifacts in order to recreate malicious activity.

Practical Packet Analysis - network traffic analysis is one of the most important weapons of CTI analysts, who can use it to discover how C2 works, the infrastructure used for the attack and the instructions sent by attackers. The most information is available when we can analyze full packet captures that include the traffic content.

Malware analysis


For a long time, malware analysis reports were almost synonymous with threat intelligence reports. Fortunately, the situation has changed over the years and CTI reports now include a cross-section of activities combining data from various sources. Still, malware analysis is an important element of threat intelligence, allowing analysts to learn about the attacker's capabilities.

Threat Intelligence and the Limits of Malware Analysis - let's start with Joe Slowik's publication on the role of malware analysis in the threat intelligence process and what its limitations are.

Practical Malware Analysis - a step-by-step classic of the genre showing how to go about analyzing samples - from creating a working environment and very simple listing of characteristics to tackling techniques that make analysis difficult.

Hacking: The Art of Exploitation - including this item in this section may come as a surprise; after all, it is a publication about offensive techniques. The programming part, however, is so well written that it helps a lot in understanding how programs written in C and assembly work, which is useful in analysis.

Practical Reverse Engineering - a more advanced publication dealing with low-level application analysis. Lots of examples to help understand more difficult issues.

Reversing: Secrets of Reverse Engineering - and another item on reverse engineering, I recommend it especially because of the chapter on Windows API analysis.

American Intelligence


The American intelligence services are by far the best-described agencies among the services of the world. This state of affairs is the result of two factors. First, the large budget, which translated into the capabilities and prestige of the agencies, drew them into mass culture and constantly creates demand for publications. Second, the USA is a democratic country, which translates into a greater degree of transparency in the activities of government agencies and of oversight over them. Researchers therefore have access to a wide range of materials and resources.

Spies, Patriots, and Traitors: American Intelligence in the Revolutionary War - starting with the ancient history of American intelligence, Spies, Patriots, and Traitors deals with intelligence practices in the eighteenth-century United States.

Ghost Wars and Directorate S - two publications by Steve Coll describing CIA activities in Afghanistan from the Soviet invasion to September 11 and after September 11, respectively. Mandatory items for understanding the role of the CIA in the fight against non-state actors.

The Way of the Knife - the history of the evolution of the CIA that took place after 9/11 and gave the agency a more paramilitary character.

The Art of Intelligence - a look at the paramilitary operations accompanying the invasion of Afghanistan by the former Deputy Director of the CTMC at CIA.

88 Days to Kandahar - and on the other hand, the history of these operations through the eyes of the Islamabad station chief.

Circle of Treason - the history of the investigation in the case of Aldrich Ames written by the persons who conducted it.

Spy - the story of Robert Hanssen's betrayal and the investigation that led to his capture.

Spycraft - history of technical means used to gather information by the CIA.

A Secret Life - a Polish story - the history of Ryszard Kuklinski's handling by the CIA.

See No Evil - a first-hand account of a CIA officer conducting operations in the Middle East. A very interesting look at the conflict in Lebanon. George Clooney's film "Syriana" is based on this book.

Dark Territory - book on a more cyber side. History of the development of American cyber offensive capabilities.

Countdown to Zero Day - again on the more aggressive side of cyber operations. Kim Zetter on Stuxnet, one of the most famous pieces of malware in history, which damaged Iran's uranium enrichment infrastructure.

Russian Intelligence


The Russian services pose a greater challenge to researchers than the American ones. Fortunately, thanks to the combination of memoirs of former officers, leaked information and accounts of people involved in competing with Russian intelligence, there is a lot to read.

The Mitrokhin Archive - the KGB and its First Chief Directorate (predecessor of the modern SVR) in their own words. The publication was written on the basis of materials from the internal KGB archives smuggled out by Vasily Mitrokhin.

Spy Handler - the autobiography of Victor Cherkashin, the KGB officer responsible for handling Aldrich Ames and Robert Hanssen.

Comrade J - a bit more modern take, a story about an SVR officer responsible for operations in the USA in 1995-2000.

Sandworm - the story of the Sandworm group related to Russian intelligence, responsible for a devastating attack using the NotPetya malware.

Russians Among Us - the title may not be the most fortunate, but it is definitely worth reading. The story of SVR officers (including Anna Chapman) who operated in the US as "illegals".

Chinese Intelligence


As with Russia, detailed studies are harder to find than for the USA, and China is even further down that road than either of them. Looking for memoirs of former officers, disclosed documents or OSINT sources is a futile effort. The reason is, of course, the language barrier and the closed nature of the country. All the more valuable are the publications of authors who have managed to dig out the information.

Chinese Intelligence Operations - a book that was my entry into the world of Chinese non-cyber intelligence operations. Quite dry and academic in its form (and from 1994), but certainly a must-have.

Chinese Communist Espionage: An Intelligence Primer - the history of Chinese intelligence and a description of its activities through the analysis of disclosed cases (for example, criminal proceedings against detected officers). Released in 2019, it could be considered a continuation of Chinese Intelligence Operations, were it not for the fact that Nicholas Eftimiades has since published a new book on Chinese intelligence, namely:

Chinese Espionage: Operations and Tactics - again case studies and analysis of Chinese operations based on disclosed information about detected operations. It is worth noting that the three items mentioned focus mainly on "classic" (non-cyber) operations, which makes them even more recommendable for people who usually deal with the CTI side.

Chinese Industrial Espionage: Technology Acquisition and Military Modernization - industrial espionage is one of the best-known symptoms of Chinese intelligence activity. The authors describe the assumptions behind, and the implementation of, supporting domestic R&D by acquiring foreign technology.

APT1: Exposing One of China's Cyber Espionage Units - the Mandiant report which popularized the term "APT" and described the cyber operations of a unit of the People's Liberation Army.

Non-state actors


One of my favorite aspects of intelligence is how non-state organizations deal with operational security and the conduct of covert operations. Without the organizational and financial resources of a state structure, they often compete with state agencies very effectively. Of course, their successes are most often tragedies, because we are talking here about criminal organizations, terrorist groups and drug cartels. However, understanding how they manage to survive while being hunted by government agencies is crucial to understanding the concept of intelligence operations.

Terrorism and Counterintelligence: How Terrorist Groups Elude Detection - an obligatory item in which the author analyzes the behavior of terrorist groups in terms of how individual organizational features affect an organization's ability to survive. Even better, this publication started as a doctoral dissertation, so it is available for free here.

Killing Pablo - the history of the hunt for Pablo Escobar and the problems that law enforcement agencies had to face while working in conditions of widespread corruption.

The Exile - Osama bin Laden's escape in the aftermath of the 9/11 attacks and his time in hiding until his death in a US operation.

Hezbollah: The Global Footprint of Lebanon's Party of God - an in-depth analysis of Hezbollah's overseas operations.

The Green Book - Irish Republican Army training manual.

Black Flags - the history of the creation of ISIS. An important case study on how the structure of a terrorist organization is formed.