CTI Templates - center-for-threat-informed-defense/cti-blueprints GitHub Wiki
Each CTI Blueprints template provides intelligence support for one of these four goals:
- Know: Threat Actor Report
- Find: Intrusion Analysis Report
- Change: Campaign Report
- Inform: Executive Report
Each template is structured to create actionable intelligence that is targeted and relevant for specific roles who consume your intelligence. The templates contain embedded guidance for high-quality, consistent, and repeatable results.
The templates are also accompanied by sample reports, which are based on real, public threat intelligence. We constructed the samples using the CTI Blueprints templates and guidance. While the templates contain basic formatting and styling, these samples demonstrate the potential results you can obtain by customizing the templates to obtain a professional and polished result.
The Threat Actor Report is designed to be an encyclopedia for the organization for a given threat actor or category of activity. This report should be treated as a living document that should be maintained on a periodic basis by the intelligence team. The primary purpose of this report is to provide an easy reference for tactical teams to understand how the threat actor relates to your organization, what is already known about the group, and useful technical information that can inform follow on actions.
|
|
|
Download template: CTID-TAReportTemplate.docx |
Download sample report: CTID Threat Actor Sample Report.pdf |
The Intrusion Analysis Report is designed to be used in support of active hunting and incident response operations. This report should be treated as an iterative document that focuses more on speed to publication than completeness of information. Given the primary support to incident response teams, this analysis provides actionable indicators for analysts to search for in information systems. It is intended to provide tactical, real-time support to those trying to prevent harm to company systems.
|
|
|
Download template: CTID-IAReportTemplate.docx |
Download sample report: CTID Intrusion Analysis Sample Report.pdf |
The Campaign Report is designed to highlight new information related to a threat actor or capabilities. This should focus on new information and highlight how it poses a changed risk to your organization. This should not be an exhaustive product cataloguing all information about the topic, but rather a succinct report designed to convey a change in the status quo to the intended recipient.
|
|
|
Download template: CTID-CampaignReportTemplate.docx |
Download sample report: CTID Campaign Sample Report.pdf |
The Executive Report is designed to inform senior decision makers about a particular risk. This should be focused on executive audiences and in support of strategic problems. It will focus on why and how, rather than what and when. This report will be devoid of technical details and appendices in support of long-form, narrative writing to enable better business decisions.
|
|
|
Download template: CTID-ExecutiveReportTemplate.docx |
Download sample report: CTID Executive Sample Report.pdf |