Study online at https://quizlet.com/_d1yqwy
1. Intelligence: The collection, processing, and analysis of info about a competitive entity and its agents, needed by an org or group for its sec. and well-being
2. Counterintelligence: identification, assessment, and neutralization of adversary intel activities
must consider:
gain-loss
potential disinformation
3. Classic Intel Sources: HUMINT
GEOINT
MASINT
OSINT
SIGINT
All Source
4. MASINT: Measurement and signature intel (radar, nuclear det., etc)
5. SIGINT: Signal intercepts (cell phone, line tapping, etc.)
6. Sherman Kent's (founder of CIA) Analytic Doctrine: Focus on policymaker concerns
Avoidance of a personal policy agenda
intellectual rigor
conscious effort to avoid analytic biases
willingness to consider other judgments
systematic use of outside experts
collective responsibility for judgment
effective communication of policy-support info and judgments
candid admission of mistakes
7. data-driven analysis: good datasets and straightforward problems
accuracy is based on the dataset's accuracy
logically-driven and easily replicated
8. conceptually-driven analysis: numerous unknowns and undefined variables and relationships
immediate interpretation of complex concepts
accuracy is driven by mental models and feedback
9. Analysis: Detailed examination of the elements or structure of something
breaking something down into its constituent parts to understand its operation
10. Mental models: experience-based assumptions and expectations of the way the world operates
should be reviewed and updated as experience grows
SANS FOR578 GCTI
11. Structured Analytic Techniques (SATs): analyst approaches to better evaluate info while reducing the impact of bias
more transparent, testable, and defendable
Heuer:
Getting organized
Exploration techniques
diagnostic techniques
re-framing techniques
foresight techniques
12. Intel Lifecycle: Planning and Direction
Collection
Processing
Analysis and Production
Dissemination
Feedback
13. Data -> Intelligence: Story about a campaign (operational environment)
IP address (data)
IP address is C2 for malware (information)
Malware is not on our system (information)
"adversary is not purposely targeting our systems and that this is an incidental infection" (intel)
14. CTI definition: Analyzed info about the hostile intent, opportunity, and capability of an adversary that satisfies a requirement
Analysis on the threat, focus on the customer
15. Threat: Intent + opportunity + capability (IOC)
16. Intrusion: Any successful or failed attempt by the adversary
useful for identifying adversary trade-craft
Intrusion analysis is the fundamental CTI skill
17. Activity Group: unique clusters of intrusions mathematically defined by the analyst/team's analytical weighting
intrusion set -> activity group -> campaign
18. Threat Actor: clustering of intrusions to represent who is responsible
helps put a face on the adversary
Note: FOR578 uses "activity group"