Cyber Threat Profiling Resources

A library of reference materials, tools, and other resources to accompany The Ultimate Guide to Cyber Threat Profiling ebook, published by Tidal Cyber

"The concept of threat profiling offers the potential for threat prioritization, but even when security leaders choose to pursue it, misconceptions over its validity and utility and the lack of a clear and repeatable approach to profiling – as it relates to organization-wide threats – have all hampered its adoption. Even when teams do take steps to prioritize threats, efforts often prolong (in many cases indefinitely) or are impeded by a need for deep intelligence subject matter expertise."

The Guide was created to address each of these challenges, lower barriers to entry into cyber threat profiling, and drive its wider adoption.

Download the ebook here

Index

• Frameworks & Methodologies
• Threat Data Sources
• MITRE ATT&CK®
• Threat Quantification
• Threat-Informed Defense
• Detection Engineering, Threat Hunting, Adversary Simulation/Emulation, & Purple Teaming
• Risk
• Organizational Context
• Workflow Resources & Tools
• Cyber Threat Intelligence (CTI) Introductory Resources

Frameworks & Methodologies

Cybersecurity & Cyber Threat Frameworks & Foundational Resources (General)

• CIA Triad
• Diamond Model of Intrusion Analysis
• The Pyramid of Pain
• Lockheed Martin Cyber Kill Chain®
• MITRE ATT&CK®: See more below
• Threat Box
• The TTP Pyramid
• The OODA Loop

Threat Profiling/Modeling Frameworks & Methodologies

• Cyber Threat Modeling: Survey, Assessment, and Representative Framework: A 2018 review of key existing frameworks and methodologies for threat modeling
• Enterprise Threat Model Technical Report
• Prioritizing Information Security Risks with Threat Agent Risk Assessment (TARA)
  • Threat Agent Library Helps Identify Information Security Risks
• Guide for Conducting Risk Assessments
• Know Your Adversary: An Adversary Model for Mastering Cyber-Defense Strategies
• Threat Modeling Manifesto
• Process for Attack Simulation and Threat Analysis (PASTA)
• STRIDE
• DREAD
• LINDDUN
• Factor Analysis of Risk Information (FAIR™)
• Trike
• Visual, Agile and Simple Threat (VAST)
• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®)

Adversarial Threat Profiling Guidance & Resources (General)

• The Ultimate Guide to Cyber Threat Profiling
• Using Threat Intelligence to Focus ATT&CK Activities
• How to prioritize effectively with Threat Modeling and ATT&CK
• Resistance Isn’t Futile
• Adversarial Threat Modelling
• Emulation Planning for Purple Teams
• Prioritizing Information Security Risks with Threat Agent Risk Assessment (TARA)
  • Threat Agent Library Helps Identify Information Security Risks
• Understanding Cyberthreat Motivations to Improve Defense
• A Field Guide to Insider Threat - Many of the threat categorizations provided could apply to external actors, too

Threat Data Sources

Adversarial Threat Data (with Structured Metadata)

• Tidal Cyber Community Edition: A freely-available threat-informed defense platform for researching threat actors, building technique sets, and more. Community Edition users are able to share their work and participate in the larger Tidal Cyber community of defenders. (Transparency note: Tidal Cyber maintains this threat profiling resource repository!)
• MITRE ATT&CK®
• ETDA/ThaiCERT: Threat Encyclopedia
• AlienVault OTX
• MISP Threat Actor Galaxy
• SecureWorks Cyber Threat Group Profiles
• Palo Alto Unit42 Playbooks
• CrowdStrike Threat Landscape
• APT Groups & Operations (public Google Sheet)

Niche & General Cyber Incident Data Sources

• ransomwatch
• MalwareBazaar
• Verizon Data Breach Investigations Report (DBIR)
• APT & Cybercriminals Campaign Collection
• APTnotes
• Data Breach Chronology
• Breach-Report-Collection
• Map of worldwide ransomware attacks
• Catalog of Supply Chain Compromises
• Software Supply Chain Compromises - A Living Dataset
• DeFi Hack database

MITRE ATT&CK®

• Website
• Using MITRE ATT&CK for Cyber Threat Intelligence Training
• Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework
• Getting Started with ATT&CK: Threat Intelligence

Working with ATT&CK Data

• enterprise-attack.json: MITRE ATT&CK dataset represented in STIX 2.1 JSON
• ATT&CK Extractor: "Extracts ATT&CK techniques from blobs of text"
• attack-scripts: "one-off scripts for working with ATT&CK content"
• mitreattack-python: "A python module for working with ATT&CK"
• mitre_attack_oneliners.py: "MITRE ATT&CK ONELINERS for constructing Python objects with all ATT&CK techniques in them using the latest MITRE ATT&CK data"
• mitre-assistant: "A more flexible & better att&ck client"
• mitre_attack_csv: "Script to produce ATT&CK CSV files and MITRE ATT&CK CSV data storage"
• attack_layers_simple.py: "This sample is intended to demonstrate generating [ATT&CK Navigator] layers from external data sources such as CSV files"

Threat Quantification

• Quantifying Threat Actors with Threat Box
• Using Threat Intelligence to Focus ATT&CK Activities
• Sophisticuffs: The Rumble Over Adversary Sophistication
• NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments: See especially Appendix D: Threat Sources
• Threat Agent Library Helps Identify Information Security Risks
• The next 50 years of cyber security.

Threat-Informed Defense

• Threat Informed-Defense Ecosystem start.me page: Living compendium of tools, trainings, & resources related to Threat-Informed Defense
• Tidal Cyber Community Edition: A freely-available threat-informed defense platform for researching threat actors, building technique sets, and more. Community Edition users are able to share their work and participate in the larger Tidal Cyber community of defenders. (Transparency note: Tidal Cyber maintains this threat profiling resource repository!)

Detection Engineering, Threat Hunting, Adversary Simulation/Emulation, & Purple Teaming

• Sigma Rules Public Repository
• Atomic Red Team: "Small and highly portable detection tests based on MITRE's ATT&CK"
• Foundations of Purple Teaming
• Purple Team Exercise Framework (PTEF)
• The Detection Maturity Level (DML) Model
• Awesome Detection Engineering
• awesome-detection-rules

Risk

Risk Resources (General)

• Starting Up Security
• The Risk Business

Measurement & Estimation

• Risk Measurement
• How to Measure Anything in Cybersecurity Risk, 2nd Edition
• Cost of a Cyber Incident: Systematic Review and Cross-Validation

Organizational Context

• Developing Priority Intelligence Requirements: Guidance around alignment between elements of your organization’s business & strategy, its technological assets, and relevant risks (as they relate to the development of intelligence requirements)
• U.S. SEC EDGAR Company Filings Database: Filings from public companies can be a great resource for surfacing high-level organizational priorities, objectives, and pressures (whether you are building a threat profile from inside or even outside of the organization (e.g. as an MSSP))

Workflow Resources & Tools

• Excel Pivot Tables: Or alternatively, building pivot tables in Google Sheets or Numbers
• Python Basics
• Working with ATT&CK Data

Cyber Threat Intelligence (CTI) Introductory Resources

• A Cyber Threat Intelligence Self-Study Plan
• Diamond Model of Intrusion Analysis
• The Pyramid of Pain
• Security Intelligence: Attacking the Cyber Kill Chain
• Security Intelligence: Introduction (pt 2)
• awesome-threat-intelligence
• CTI Fundamentals
• Getting Started with ATT&CK: Threat Intelligence
• Open-source-tools-for-CTI
• CTI Analyst Core Competencies Framework
• awesome-intelligence-writing

MITRE ATT&CK® is a registered trademark of The MITRE Corporation