An analytical challenge created to test junior analysts looking to try performing proactive and reactive cyber threat intelligence.

BushidoUK/CTI-Analyst-Challenge


CTI Analyst Challenge

  • This repository contains instructions and resources for an intelligence analysis challenge
  • It was created to test cyber threat intelligence (CTI) analysts looking to practice performing proactive and reactive CTI tasks.
  • Analysts review these resources and complete the tasks needed to fulfil their demo client's priority intelligence requirements (PIRs) and requests for intelligence (RFIs).

Getting Started

  • Analysts can decide whether they want to begin with the proactive CTI challenge or the reactive CTI challenge

  • Proactive CTI Challenge:

    • To begin the proactive CTI challenge, analysts need to review the Proactive CTI Diagram, the Demo Stakeholders, and the Intelligence Sources.
    • Analysts then need to follow the steps laid out in the diagram to think about stakeholder PIRs and then review the intelligence sources.
    • CTI Incident Reports then need to be written by the analysts to meet the PIRs of their chosen stakeholder.
    • Analysts can use the CTI Incident Report Template provided.
  • Reactive CTI Challenge:

    • To begin the reactive CTI challenge, analysts need to review the Reactive CTI Diagram, the Demo Stakeholders, and the Demo Incident Artifacts.
    • Analysts then need to follow the steps laid out in the diagram to think about the stakeholder's RFIs and then review the incident artifacts.
    • A response to the RFI then needs to be written by the analysts to fulfil the RFI made by their chosen stakeholder.
    • While reviewing the artifacts, analysts need to provide context about the threat, such as the level of risk it poses to the requesting organisation.
    • It is also advisable to provide potential Courses of Action (CoAs) to support requesting stakeholders while they are investigating incidents.
    • Analysts can use the RFI Response Template provided.
  • Additional Notes:

    • The way your reports are written may also depend on the type of organisation you are a CTI analyst for.
    • Analysts who work for a vendor with many clients may frame their reports differently than in-house CTI teams that work full time for a single organisation.
    • For this challenge, it is recommended to write the reports in the format you are used to or want to get better at.

Resources

Each resource is listed with a description and how it is meant to be used.

Proactive CTI Diagram
  • Description: A diagram explaining the process of taking intelligence sources and satisfying stakeholder priority intelligence requirements (PIRs).
  • Usage: Use this as a guide to understand the order of tasks you need to perform in a real-world scenario when working in a CTI team.

Reactive CTI Diagram
  • Description: A diagram explaining the process of taking incident artifacts and satisfying stakeholder requests for intelligence (RFIs).
  • Usage: Use this as a guide to understand the order of tasks you need to perform in a real-world scenario when working in a CTI team.

Demo Stakeholders
  • Description: A list of fictional organisations that analysts use to practise fulfilling PIRs (with the Demo Intelligence Sources) and RFIs (with the Demo Incident Artifacts) listed below.
  • Usage: Imagine that these organisations are your clients or the company you work for. Your job as an analyst is to protect these entities and help them defend against emerging threats.

Demo Intelligence Sources
  • Description: A collection of threat reports and articles that need to be checked for relevance to the chosen organisation(s).
  • Usage: Scan through, understand, and extract the most important information from the threat reports and articles to provide actionable threat intelligence. Follow the Proactive CTI Diagram steps.

Demo Incident Artifacts
  • Description: A collection of Indicators of Compromise (IOCs) taken from real attacks, provided to simulate an RFI that a real-world stakeholder (such as a SOC or DFIR team) has sent to the CTI team for additional context and recommendations.
  • Usage: Triage, research, and assess the IOCs, artifacts, and incident details, then provide a response to the stakeholder that supports their actions while handling the incident. Follow the Reactive CTI Diagram steps.

CTI Incident Report Template
  • Description: A basic report template to help write CTI Incident Reports.
  • Usage: Use the template as a guide to help perform proactive CTI activities.

RFI Response Template
  • Description: A basic report template to help write RFI Response reports.
  • Usage: Use the template as a guide to help perform reactive CTI activities.
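The first step of the reactive challenge is to triage the indicators in the incident artifacts before researching them. The following script is an added example written for this page; it is not part of the CTI-Analyst-Challenge repository and does not process its actual artifact files. It pulls hashes, IPs, URLs and domains out of a constructed SOC hand-off note, refangs them so they can be compared across reports, drops file names that only look like domains, marks each IP as internal or external against an assumed RFC 1918 estate, and defangs everything again for the written RFI response. The note text, the indicator values and the internal ranges are all constructed for illustration.

```python
"""IOC extraction, normalisation and scoping for an RFI triage pass.

Added example; it is not part of the CTI Analyst Challenge repository.
The artifact text, indicator values and the assumed internal address
ranges are all constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample artifact in the style of a SOC hand-off note. The IP
# 198.51.100.23 is from a documentation range and the hashes are made up.
SAMPLE_ARTIFACT = """
Host FIN-WS-042 alerted on a PowerShell child process of winword.exe.
Outbound connection to 198.51.100.23:443 and DNS lookup for update.example[.]net.
Dropped file C:\\Users\\Public\\svchost.exe
  SHA256: 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b
  MD5: 0c1e6b2f4a8d9e3b7f5c2a1d4e6f8b90
Reference URL: hxxps://update.example[.]net/payload.bin
Lateral movement to 10.0.4.17 (file server) observed afterwards.
"""

# Assumption: the stakeholder's internal estate is RFC 1918 space. A real
# engagement would take these ranges from the stakeholder's asset inventory.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Tokens that look like domains but are really file names (svchost.exe etc.).
FILE_EXTENSIONS = {"exe", "dll", "bin", "ps1", "bat", "doc", "docx", "xls",
                   "xlsx", "pdf", "zip", "txt", "log", "lnk", "js", "vbs"}

# Hash patterns are bounded by \b so a SHA256 is not also reported as an MD5.
PATTERNS = {
    "url": re.compile(r"\b(?:hxxps?|https?)://[^\s\"'<>]+", re.IGNORECASE),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,}\b", re.IGNORECASE),
}


def refang(value: str) -> str:
    """Undo common defanging so the same indicator compares equal across reports."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def defang(value: str) -> str:
    """Defang for the written response so indicators cannot be clicked by accident."""
    return value.replace(".", "[.]").replace("http", "hxxp")


def scope_ipv4(ip: str) -> str:
    """Classify an address against the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_RANGES) else "external"


def extract_iocs(text: str) -> dict:
    """Return de-duplicated, refanged indicators grouped by type, in order of appearance."""
    found = {kind: [] for kind in PATTERNS}
    # URLs first, then blank them so their host and path are not re-matched as domains.
    for url in PATTERNS["url"].findall(text):
        found["url"].append(refang(url))
        text = text.replace(url, " ")
    for kind in ("sha256", "md5", "ipv4"):
        found[kind].extend(PATTERNS[kind].findall(text))
    for dom in PATTERNS["domain"].findall(text):
        dom = refang(dom)
        if dom.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
            found["domain"].append(dom)
    # The host of each URL is an indicator in its own right.
    found["domain"].extend(urlparse(u).hostname for u in found["url"] if urlparse(u).hostname)
    return {kind: list(dict.fromkeys(vals)) for kind, vals in found.items()}


def render_for_report(iocs: dict) -> list:
    """Defanged lines for the IOC section of an RFI response, IPs annotated with scope."""
    lines = []
    for kind, values in iocs.items():
        for value in values:
            note = f" ({scope_ipv4(value)})" if kind == "ipv4" else ""
            lines.append(f"{kind}: {defang(value)}{note}")
    return lines


if __name__ == "__main__":
    for line in render_for_report(extract_iocs(SAMPLE_ARTIFACT)):
        print(line)
```

Run it as a script to see the defanged IOC list for the constructed note. The internal/external split is the point: the 10.0.4.17 file server is a victim asset the SOC should contain and image, not an indicator to send to a threat-intelligence platform, while 198.51.100.23 and update.example.net are the external infrastructure worth researching and recommending blocks for in the RFI response.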
