CTI Report Template
This is a variation of Kraven Security's Cyber Threat Intelligence Report Template which contains great information already but I added my own preferences. Feel free to use this however you'd like.
- Report: #
- Date:
- Priority: Low/Moderate/High/Critical
- Source and Reliability Information: Admiralty Scale Score [A-F][1-6]
- Sensitivity: Traffic Light Protocol
- Executive Summary
- Key Takeaways
- Intelligence Assessment
- Key Intelligence Gaps
- Indicators of Compromise (IOCs)
- MITRE ATT&CK Techniques
- Detection Opportunities
- Appendices
- Probability Matrix
- Priority Matrix
- Source Reliability and Information Credibility
- Confidence Levels
- Feedback Contacts
- Definitions and Acronyms
1. Executive Summary
A brief summary of the report. It should explain the report's significance, create a simple, easy-to-follow narrative of its key findings, and support a single decision. The reader should be able to make an informed decision based entirely on this summary. Aim to answer the following questions concisely:
- What intelligence requirement(s) has this report fulfilled?
- Why is this report relevant to the organization?
- What is the biggest takeaway?
- What new intelligence has been provided?
- Does this report support or contradict existing assumptions, security initiatives, or objectives?
2. Key Takeaways
A bulleted list of the key findings from this report. Aim to answer the following questions:
- Who is this report for?
- Where was the data collected (source)?
- Who was the attacker?
- Who was the victim?
- Why does this report matter to the target audience?
- What is the main takeaway from this report?
This bulleted list is followed by a table summarizing key intelligence and a general analysis of the threat the report discusses using the Diamond Model. This allows key intelligence metrics to be easily identified and visualized.
Field | Value |
---|---|
Intelligence Requirements Addressed | Citation of the IR addressed by this report |
Data Sources | |
Threat Actor | Primary threat actor (and aliases) or N/A or Unknown |
Victim Location | Country of victim |
Sectors | Industry targeted |
Motivation | Cybercrime / Espionage / Hacktivism / Ransomware / ICS / Other / Unknown |
Capabilities | Adversary | Infrastructure | Victim |
---|---|---|---|
MITRE technique, malware, hacking tool | Threat Actor, alias, email address, persona | IP address, domain name, URL, C2 server | company, workstation/server name, email address |
3. Intelligence Assessment
This section should include:
- A call to action, recommendation, or judgment: This threat (e.g., activity, threat actor, malware, etc.) demonstrates X and could potentially impact us. Therefore, we should do Y.
- Any new information: This threat has a new tool, capability, TTP, etc. Key evidence: The threat has the following characteristics that uniquely distinguish it.
- Estimative language (see Probability Matrix): “I assess with <level of certainty> that <judgment> will impact us.”
- Background information: Any relevant background information about the threat actor, malware, TTP, etc., to give context to this new assessment.
- Relations to your organization: How does this threat relate to your organization? Does it target your country or sector? Does it target vulnerabilities in the systems or technologies you use? Does it relate to any previous security incidents or detections?
This section should include a kill chain analysis technique like Lockheed Martin’s Cyber Kill Chain. List the IOCs or TTPs found at each stage of the attack to create an attack narrative for the reader. The security operations team can then use this to identify possible mitigations or gaps.
Cyber Kill Chain
- S1: Reconnaissance
- S2: Weaponization
- S3: Delivery
- S4: Exploitation
- S5: Installation
- S6: Command & Control
- S7: Actions on Objective
4. Key Intelligence Gaps
A bulleted list that summarizes additional information the CTI team needs to complete their analysis and raise the confidence of the assessment. Highlight the gaps that would change the assessment if new information were discovered or existing information were proven wrong.
These gaps should be tracked externally from the report using a project/task management system.
5. Indicators of Compromise (IOCs)
This section consists of IOCs found on endpoint devices (workstations, servers, mobile devices), in network logs, related malware, and any vulnerabilities relevant to the threat being discussed.
- Endpoint Artifacts: Endpoint Artifact, Type, Description, Tactic
- Network Artifacts: Network Artifact, Type, Description, Kill Chain Stage (first observed, last observed)
- Malware: Malware, Hash Type, File Hash, Description, Malware Analysis Report, Kill Chain Stage
- Common Vulnerabilities and Exposures (CVEs): CVE ID, CVSS Score (include version), Patch Available (Y/N), Remediation, Date Reported, Patch Applied (Y/N/N/A)
- MITRE ATT&CK Techniques: Tactic, Technique, Procedure, D3FEND, Security Control
- Detection Opportunities: Rule/Query, Name, Type, Description, Reference (source)
6. Appendices
Probability Matrix
almost no chance | very unlikely | unlikely | roughly even chance | likely | very likely | almost certain(ly) |
---|---|---|---|---|---|---|
remote | highly improbable | improbable | roughly even odds | probable (probably) | highly probable | nearly certain |
01-05% | 05-20% | 20-45% | 45-55% | 55-80% | 80-95% | 95-99% |
Analysts are strongly encouraged not to mix terms from different rows. Products that do mix terms must include a disclaimer clearly noting the terms indicate the same assessment of probability.
To avoid confusion, products that express an analyst's confidence in an assessment or judgment using a “confidence level” (e.g., “high confidence”) must not combine a confidence level and a degree of likelihood, which refers to an event or development, in the same sentence.
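As an added example (not part of the original template), a small Python linter that enforces these conventions: it validates the header fields from the top of the template (priority, Admiralty Scale score, TLP label as listed in the Sensitivity Matrix appendix) and flags sentences that mix terms from different Probability Matrix rows or pair a confidence level with a likelihood term. The function names and the sample assessment text are constructed for illustration.

```python
import re

# Header conventions from the template: priority levels, Admiralty Scale score
# ([A-F] source reliability, [1-6] information credibility) and the TLP labels.
PRIORITIES = {"Low", "Moderate", "High", "Critical"}
ADMIRALTY_RE = re.compile(r"^[A-F][1-6]$")
TLP_LABELS = {"TLP:RED", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:GREEN", "TLP:CLEAR"}

# Probability Matrix rows: terms within a row are synonyms; mixing rows is disallowed.
PROBABILITY_ROWS = [
    ["almost no chance", "very unlikely", "unlikely", "roughly even chance",
     "likely", "very likely", "almost certain", "almost certainly"],
    ["remote", "highly improbable", "improbable", "roughly even odds",
     "probable", "probably", "highly probable", "nearly certain"],
]
# Longest alternative first so "very likely" is not read as plain "likely"; \b stops
# "likely" matching inside "unlikely" and "probable" inside "improbable".
ROW_PATTERNS = [
    re.compile(r"\b(?:%s)\b" % "|".join(sorted(map(re.escape, row), key=len, reverse=True)), re.I)
    for row in PROBABILITY_ROWS
]
CONFIDENCE_RE = re.compile(r"\b(?:high|moderate|low) confidence\b", re.I)

def check_header(priority, admiralty_score, tlp):
    """Return problems with the report header fields (empty list if all are valid)."""
    problems = []
    if priority not in PRIORITIES:
        problems.append(f"unknown priority {priority!r}")
    if not ADMIRALTY_RE.match(admiralty_score):
        problems.append(f"Admiralty score {admiralty_score!r} must match [A-F][1-6]")
    if tlp not in TLP_LABELS:
        problems.append(f"unknown TLP label {tlp!r}")
    return problems

def rows_used(sentence):
    """Indices of the Probability Matrix rows whose terms appear in the sentence."""
    return {i for i, pat in enumerate(ROW_PATTERNS) if pat.search(sentence)}

def check_estimative_language(text):
    """Flag sentences mixing matrix rows or pairing a confidence level with a likelihood."""
    problems = []
    for sentence in re.split(r"(?<=[.!?])\s+", text.strip()):
        rows = rows_used(sentence)
        if len(rows) > 1:
            problems.append(f"mixed probability rows: {sentence!r}")
        if rows and CONFIDENCE_RE.search(sentence):
            problems.append(f"confidence level combined with likelihood: {sentence!r}")
    return problems

# Constructed sample assessment: sentence 1 is clean, 2 mixes rows, 3 mixes in confidence.
SAMPLE_ASSESSMENT = (
    "We assess it is very likely that the actor will target our sector next quarter. "
    "It is probable, though unlikely to succeed, that phishing will be the initial vector. "
    "We have high confidence it is almost certain the tooling is shared with another cluster."
)
```

Running `check_estimative_language(SAMPLE_ASSESSMENT)` reports the second and third sentences; the first passes because "very likely" comes from a single row and no confidence level is attached.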
Priority Matrix
You should assign each report a priority based on its impact on your organization. The following table describes four general priority levels you can assign to a report.
- Low: The threat requires regular monitoring and should be addressed when possible.
- Moderate: The threat needs to be monitored closely and addressed.
- High: The threat needs to be addressed quickly and monitored.
- Critical: Immediate action is required.
Source and Information Reliability
Each report should include an evaluation of source reliability. An industry standard is the Admiralty Scale, developed by NATO, which rates source reliability from A to F and information credibility from 1 to 6. Attaching an appendix that describes this to the reader provides clarity.
Source Reliability (A-F)
- A (Completely reliable): The source has a history of consistently providing accurate information.
- B (Usually reliable): Most of the time, the source provides accurate information.
- C (Fairly reliable): The source has provided accurate information on occasion.
- D (Not usually reliable): The source has provided accurate information infrequently.
- E (Unreliable): The source has rarely or never provided accurate information.
- F (Reliability cannot be judged): The source’s reliability is unknown or untested.
Information Credibility (1-6)
- 1 (Confirmed): Other independent sources have confirmed the information.
- 2 (Probably true): The information is likely true but has not been confirmed.
- 3 (Possibly true): The information might be true, but it is unconfirmed.
- 4 (Doubtful): The information is unlikely to be true.
- 5 (Improbable): The information is very unlikely to be true.
- 6 (Cannot be judged): The credibility of the information cannot be assessed.
Confidence Levels
- High: Good quality of information, evidence from multiple collection capabilities, possible to make a clear judgment.
- Moderate: Evidence is open to a number of interpretations, or is credible and plausible but lacks correlation.
- Low: Fragmentary information, or from collection capabilities of dubious reliability.
Sensitivity Matrix
Each report should attach a sensitivity level as defined by your organization’s data protection policy. This ensures data is handled appropriately and only shared with appropriate personnel. Attaching an appendix that describes this to the reader provides clarity.
- TLP:RED: For the eyes and ears of individual recipients only, no further disclosure. Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. Recipients may therefore not share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting.
- TLP:AMBER: Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: If the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT.
- TLP:GREEN: Limited disclosure, recipients can spread this within their community. Sources may use TLP:GREEN when information is useful to increase awareness within their wider community. Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. TLP:GREEN information may not be shared outside of the community. Note: When “community” is not defined, assume the cybersecurity/cyber defense community.
- TLP:CLEAR: Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
Feedback Contacts
Provide a point of contact where the intelligence consumer can direct their feedback once the intelligence report has been published. This will help the CTI team improve future reports, ensure intelligence requirements are being met, and maintain communication channels.
Definitions and Acronyms
A list of key terms and acronyms used throughout the report. This lets the reader understand how the CTI team defines a particular technical term.