Level I: Foundations of Cyber Threat Intelligence and Counterintelligence
Objective: Build foundational knowledge in cyber threat intelligence (CTI), basic counterintelligence (CI), threat actor analysis, and open-source intelligence (OSINT).
- Introduction to Cyber Threat Intelligence (CTI)
  - Understand the intelligence lifecycle: direction, collection, processing, analysis, dissemination, feedback
  - Difference between data, information, and intelligence
  - Types of CTI: strategic, operational, tactical, and technical
- Fundamentals of Counterintelligence
  - Definition and role of counterintelligence in cyberspace
  - Types of CI: defensive, offensive, and investigative CI
  - Common CI operations and objectives (denial, deception, disruption)
- Threat Actor Typologies
  - Nation-state actors (APT groups)
  - Cybercriminal organizations
  - Hacktivists
  - Insider threats
  - Understanding motivations: political, financial, ideological, personal
- OSINT and Data Collection
  - Legal and ethical OSINT collection practices
  - Tools: Maltego, Recon-ng, theHarvester, Shodan
  - Surface, Deep, and Dark Web distinctions
  - Social media intelligence (SOCMINT)
- Reporting and Communication
  - Intelligence report formats: Situation Reports (SITREPs), Intelligence Briefs, Threat Assessments
  - Writing for technical and non-technical audiences
  - CI terminology and structured analytic techniques (SATs): hypothesis testing, red teaming, indicators
Checkpoint Quiz and Lab:
- Analyze a simple threat actor profile from open sources
- Create a short intelligence brief based on OSINT
Level II: Applied Analysis, Attribution, and Threat Hunting
Objective: Apply analytic skills in cyber attribution, behavior-based profiling, and threat hunting techniques. Deepen integration of CI principles.
- Behavioral and TTP Analysis
  - MITRE ATT&CK and D3FEND frameworks
  - Diamond Model of Intrusion Analysis
  - Cyber Kill Chain
  - Indicators of Compromise (IoCs) vs. Indicators of Behavior (IoBs)
- Attribution and Adversary Profiling
  - Analytical methods to assess adversary origin and intent
  - Geopolitical context and adversary capability assessment
  - Tradecraft: denial and deception techniques used by threat actors
  - OPSEC and counter-deception strategies
- Threat Hunting and Data Correlation
  - Proactive vs. reactive detection
  - Hypothesis-driven threat hunting
  - Leveraging SIEMs (e.g., Splunk, ELK) and EDR tools (e.g., CrowdStrike, SentinelOne)
  - Correlating network, host, and user behavior data
- Insider Threats and Human Intelligence (HUMINT)
  - Psychological and behavioral indicators
  - Behavioral analytics in UEBA systems
  - Insider threat mitigation frameworks (e.g., NITTF)
- CI-Driven Incident Response
  - Role of CI analysts in IR teams
  - CI-based malware reverse engineering focus
  - Incident attribution vs. incident remediation
Practical Exercise:
- Profile an APT using MITRE ATT&CK
- Simulate a hunt mission using synthetic logs to detect anomalous behavior
Level III: Strategic Analysis, Operations, and Fusion Intelligence
Objective: Operate at a strategic level, fusing CI and CTI into actionable intelligence products supporting enterprise or national security missions.
- Strategic Intelligence and Risk
  - Nation-state threat assessments
  - CI contribution to enterprise risk management
  - Maturity models: CMMI, NIST CSF, MITRE CTID
- Cyber Counterintelligence Operations
  - Offensive CI operations in cyberspace (OCO)
  - Deception planning, honeypots/honeytokens
  - Counter-surveillance in cyberspace
  - Campaign-level adversary analysis
- Fusion Intelligence and Interagency Collaboration
  - Intelligence fusion centers and joint task forces
  - Data sharing platforms: DHS AIS, STIX/TAXII, InfraGard
  - Legal considerations and classification
- CI-Cyber Threat Briefing to Executives
  - Structured strategic briefings
  - Executive dashboards and risk scoring
  - Briefing DoD, DHS, or corporate boards
- Case Studies and Advanced Tradecraft
  - Dissect real-world CI/CTI campaigns: SolarWinds, Operation Aurora, etc.
  - Apply SATs to high-ambiguity situations
  - Predictive analysis and forecasting
Capstone Project:
- Create a full-spectrum threat assessment report on a geopolitical actor
- Develop a CI-informed mitigation plan for a simulated enterprise
Suggested Tools and Platforms to Practice
- MITRE ATT&CK Navigator
- MISP (Malware Information Sharing Platform)
- Velociraptor or GRR for DFIR
- YARA rules for malware profiling
- OpenCTI platform
Career and Certification Pathways
- Consider formal certifications:
  - CCTA (Level I-III by MCSI or equivalent bodies)
  - GCTI (SANS GIAC Cyber Threat Intelligence)
  - C|TIA (EC-Council Certified Threat Intelligence Analyst)
  - DoD 8570/8140-approved certs (e.g., CASP+, CISSP)
- Clearance often required for CI roles in government
- Build a portfolio: intelligence reports, threat profiles, hunt hypotheses
Want to learn more? Tonex offers Certified Counterintelligence Cyber Threat Analyst (CCTA I–III), a 2-day course where participants apply adversary-centric thinking to map campaigns, TTPs, and objectives as well as use structured analytic techniques to reduce bias and improve forecasts.
Attendees also produce clear, decision-oriented threat reports and briefings, integrate HUMINT/SIGINT with cyber telemetry for high-confidence judgments, lead and mature an intelligence program across CCTA I–III levels, and elevate cybersecurity outcomes by enabling earlier detection and targeted mitigation.
This course is especially beneficial for:
- Cybersecurity Professionals
- Threat Intelligence Analysts
- SOC/IR Leads and Managers
- Red/Blue/Purple Team Practitioners
- Security Architects and Engineers
- Government, Defense, and Critical Infrastructure Personnel
Tonex offers dozens of Certification Courses in a wide variety of topics.
Tonex has worked with industry organizations and clients to ensure our Certification Courses are up-to-date and provide pragmatic training knowledge to ensure immediate results from your certification experience.
We offer Tonex certifications that are recognized by our clients as valuable in ensuring a consistent and thorough knowledge of the subject and how to apply that knowledge.
For more information, questions, or comments, contact us.