Certified Threat Intelligence Analyst
Cyber Intelligence Tradecraft

The Certified Threat Intelligence Analyst - Cyber Intelligence Tradecraft training course follows the iterative processes of the intelligence lifecycle while covering, non-inclusively, the topics listed below. This course follows the International Association for Intelligence Education Standards for Intelligence Analyst Initial Training, incorporating intelligence community member-validated content and hands-on experience in the cyber environment since 2004.

I. Introduction to Intelligence
II. Critical Thinking
III. Analytic Writing
IV. Creative Thinking
V. Analytic Briefing
VI. Structured Analytic Techniques
VII. Analytic Issues
VIII. Argument Mapping
IX. Case Studies

This course is unique and innovative, providing students with academic understanding, live case studies, and a course that favors practical application over memorization for a test.

The course is likened to an apprenticeship during an intensive 5-day training course covering the intelligence lifecycle.

Anonymity and Passive Persona setup
Collection Methods and Techniques // Stakeholder Analysis
Collection Planning, IRs/PIRs/EEIs/Indicators/SIRs
Collection Process Flow
Collection (OSINT) Tools and Targeting
Threat Intelligence
Most likely Threat Actors - Adversary Targeting - Threat Matrices - D3A / F3EAD
Hunch.ly - Hemingway Editor
Use of Maltego – overview
OPSEC – VPNs, Buscador, OPSEC Methods
Semantic Search - The DarkNet
Burn phone setup and use (US Only)
Open Source Intelligence OSINT
Production Methods
Structured Analytic Techniques – Their use
Adversary Denial and Deception
Source Credibility and Relevance
Source Validation
Denial and Deception
Confidence Levels
Types of evidence
Production Management
Critical and Creative Thinking
Cognitive Bias
Glossary and Taxonomy
What Intelligence Can and Cannot Do
Use of Mitre ATT&CK in Analysis
ATT&CK in examining patterns and trends
ATT&CK in Adversary tendencies
Estimation and Forecasting
Campaign analysis
Types and Methods of Analysis
Synthesis and Fusion
Analysis of Competing Hypothesis
Inductive/Abductive/Deductive Reasoning
Analytic Writing, BLUF, AIMS
Forecasting in your writing
Indicators of Change
Argument Mapping
Types of Reports
Product Line Mapping
Report Serialization, and Dissemination
Live Case Studies – Class briefs

Lecture, hands-on, apprenticeship, in-class exercises, student presentations covering structured analytic techniques, analysis of competing hypotheses, analytic writing and delivery, analytic products, templates, course material. 40 CPEs.


We also have a different module that can be included depending on the audience. This module is geared towards IR and SOC staff:

  • Intro to Cyber Intelligence
    • What does intelligence mean to the SOC?
    • What does intelligence mean to Incident Response?
  • A day in the life of an intelligence analyst
  • Intelligence Lifecycle
    • Define what your group does
    • Define how your group uses intelligence
    • Define how your group produces intelligence
  • Mitre ATT&CK
    • Tactics
    • Techniques
    • Tools
    • ATT&CK Navigator
    • ATT&CK Examples
  • Chronology and Timelines
    • ATT&CK Chronology
    • Comparing past and present
    • Comparing and contrasting different threat groups
  • Estimative ATT&CK
  • Adversary Targeting – Threat Profiling - Threat Matrices
    • Primary Threats
      • Nation-state
      • Foreign intelligence services
      • Military cyber units
      • Threat groups and proxies
      • Cybercriminals
      • Others
    • Adversary skills
    • Adversary maliciousness
    • Interest in your organization
    • Motivation – objective – conditions
      • Opportunity
      • Triggers
      • Course(s) of action
      • Capabilities
    • Level of automation
    • Potential impact
  • Threat Hunting
    • Purpose and Scope
    • Hunt level maturity
    • Threat Hunting Lifecycle
      • Lifecycle and Maturity Level matrix
    • Patrolling
    • Stalking
    • Searching, clustering, grouping, stack counting
    • Process flow
      • Entry point
      • Plan the hunt
      • Execute the hunt
      • Malicious or not?
      • Document the performed steps
      • Document the findings
      • Prepare the report
      • Hunt Key Metrics
    • Establish priorities – Iterative Approaches and Feedback Loop
    • RACIs – who does what
    • Tactical Intelligence Risk
    • Situational Awareness
      • Emerging threats
      • Coordination with other groups
      • Likely adversary courses of action
    • Intake Forms
      • Request for Information (RFI)
      • Responding to RFIs
    • Incident Intelligence
      • Interfacing with the Cyber Threat Intelligence (CTI) teams
      • What do we need from CTI?
      • What can CTI do and what can they not do
    • Indicators – Cyber DECIDE, DETECT, DELIVER and ASSESS (D3A) framework
    • Specific information requirements – Cyber FIND, FIX, FINISH, EXPLOIT, ANALYZE and DISSEMINATE (F3EAD) methodology
    • Crown jewel information
      • Checklist questions
      • Possible intelligence requirements (non-prioritized)

The course delivers pragmatic and practical examples for attendees' immediate use upon return to their organizations:

  • Use language that is recognized across the intelligence assessment community.
  • Assist stakeholders with intelligence requirements
    • Understand what Intelligence is and is not
  • Create useful intelligence requirements
  • Develop collection plans with precise targeting and tool selection
  • Provide evaluation and feedback necessary for improving intelligence production, intelligence reporting, collection requirements, and operations
  • Skill in using multiple analytic tools, databases, and techniques (such as divergent/convergent thinking, ACH, SATs, etc.)
    • Skill in applying various analytical methods, tools, and techniques (e.g., competing hypotheses; chain of reasoning; scenario methods; denial and deception detection; high impact-low probability; network/association or link analysis; Bayesian, Delphi, and Pattern analyses)
  • Knowledge of how to evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused intelligence products
  • Execute safe collection in any environment
  • Ensure data provenance during collection
  • How to validate sources and data credibility
  • Provide subject matter expertise in developing cyber operations indicators
  • Consider efficiency and effectiveness of collection resources when applied against priority information requirements
  • Facilitate continuously updated intelligence, surveillance, and visualization input for stakeholders
  • Skill in identifying cyber threats which may jeopardize organization and supply chain interests
  • Identify collection gaps and potential collection strategies against targets
  • Knowledge of denial and deception techniques
  • Knowledge of intelligence analytic reporting principles, methods, and templates.
  • Ability to recognize and mitigate cognitive biases which may affect analysis
  • Ability to clearly articulate intelligence requirements into well-formulated research questions and requests for information
  • Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner
  • Ability to develop or recommend analytic approaches or solutions to problems and situations for which information is incomplete or for which no precedent exists

Target audience (who should attend):

This course is intended for

-Intelligence analysts, open-source intelligence collectors, researchers, cyber risk management professionals, incident response leadership, security operations leadership, CISO, CIO, students, cybercrime investigators, analytic report writers, recipients of internal and external intelligence (critical), curious professionals wishing to learn cyber intelligence tradecraft and intelligence strategies.

Requirements (knowledge pre-requisites)

Students should

-be familiar with Internet browsers, Office 365, general intelligence concepts

Hardware/Software Requirements

Students should have

-Laptop with administrative access, 8GB RAM, 100GB free hard drive space, Windows operating system works best but Mac with a VM for Windows works as well.

Contact Treadstone 71 Today for all your Cyber Intelligence needs.