CREST Practitioner Threat Intelligence Analyst Exam Syllabus

• Understand the key reasons why an organisation would want TI and how they would use it.

- Terminology

• Demonstrate familiarity with commonly used terms relating to TI and intelligence processes.

- Threat Actor Types / Definitions

• Be able to distinguish between different threat actors and their likely objectives.

- Threat Vector & Vulnerability Types

• Understand the definition of a threat vector, and demonstrate knowledge of key threat vectors.
• Understand the definition of a vulnerability and demonstrate knowledge of common vulnerability types.

- The Intelligence Cycle

• Be able to name the stages of the cycle, and explain the key processes that occur at each stage.

- Analytic Models

• Know the components of the Diamond Model, and understand the relationship between them.
• Be aware of the meta-features of the model and be able to interpret them.

- Attack Lifecycle

• Understand the lifecycle of a typical attack, for example using a model such as the "Cyber Kill Chain”.

- Understanding Risk

• Demonstrate an understanding of the relationship between threat, capability, intent, and motivation.

• Be able to list the elements included in a typical Terms of Reference.
• Know why Terms of Reference are important to have before beginning a job.

- Importance of Project Review

• Be aware of the criteria used to assess intelligence output (for example Timeliness / Accuracy / Presentation / Answering the IR etc.).
• Understand why it is important to seek feedback on outputs.

- Dealing with Intelligence Gaps

• Know what an intelligence gap is, and how to identify one.
• Be able to identify likely sources of information to fill an intelligence gap.

• Know the key component parts of a collection plan and be able to interpret it effectively.

- Use of a Collection Worksheet

• Understand the benefit / necessity of recording collection activity.
• Know what information a collection worksheet should contain (for example what sources were checked, what search terms were used, when, etc.)

- Types of Sources

• Understand different types of source and their broad classifications (HUMINT, OSINT, etc.).

- Source Reliability and Grading

• The ability to interpret source reliability grading / information reliability grading (based on the UK 5x5x5 model).

- Specific Sources

• Know what information can be obtained from typical technical sources such as WHOIS, DNS, malware analysis, social media, document metadata etc.
• Understand the format of data and be able to interpret it accurately.

- Boolean Search Strings

• Ability to combine Boolean operators to form a precise search, as used by many search engines and proprietary products.

- Basic Source Analysis

• Understand reasons why some online sources are likely to be biased / inaccurate.

- Operational Security (OPSEC)

• Understand requirement for OPSEC and potential implications of failure.
• Knowledge of anonymization tools such as Tor and i2p.
• Understand the requirement to separate personal web use from work collection.
• Know the appropriate course of action in the event of an OPSEC breach.

• Ability to outline steps required to prove / disprove a hypothesis.

- Facts, Assumptions, Premises & Inferences

• Distinguish between facts and assumptions.
• Make a logical inference from available premises.
• Understand the requirement to identify assumptions and assessments as different from fact.

- Expressing Likelihood / Certainty

• Understand applicability of terms such as ‘possible’, ‘likely’ and ‘highly likely’.

- Circular Reporting

• Know what circular reporting is, and suggest ways in which it can be avoided.
• Understand the importance of managing sources effectively to prevent this occurring.

- Cognitive Biases

• Identify some of the major types of bias that can affect intelligence analysis.
• Know common ways in which analysts attempt to counter common biases.

- Analytical Techniques

• Be able to interpret data in graphical format, for example:
  - A network diagram
  - A timeline
  - A histogram
  - A scatterplot
  - A time series graph

• Knowledge of STIX, CYBOX and TAXII and how they relate to each other.
• Knowledge of the content and format of different types of STIX message.
• Understanding of the advantages / disadvantages of machine readable TI.

- Unstructured / Human Readable TI

• Understanding of the key advantages / disadvantages of spoken and written dissemination.
• Ability to select an appropriate dissemination mechanism, for example written product vs. verbal briefings.
• Understanding of importance of accuracy, brevity, clarity.

- Intelligence Sharing

• Understanding of ‘Need to Know’ and ‘Need to Share’ concepts.
• Ability to identify information that can / cannot be shared publicly.
• Knowledge of common intelligence sharing initiatives.

• Identify examples of illegal and unethical behaviour.
• Demonstrate understanding of repercussions of illegal / unethical behaviour.

- Handling of Classified Material

• Understand GPMS classifications and their meanings.
• Understand the implications of breaching GPMS.
• Demonstrate the correct course of action in the event of a breach of GPMS handling.

- Key Legislation Pertaining to Intelligence Collection in the UK

• Demonstrate working understanding of the constraints on intelligence collection operations imposed by:
  - Computer Misuse Act 1990
  - Human Rights Act 1998
  - Data Protection Act 1998
  - Police and Justice Act 2006
  - Official Secrets Act 1989
  - Telecommunications (Lawful Business Practice) (Interception of Communications) 2000
  - Regulation of Investigatory Powers Act 2000
  - Bribery Act 2010
  - Proceeds of Crime Act 2002

- Dealing With Legal / Ethical Uncertainty.

• Know appropriate action if given a task of questionable legality / ethics.

- CREST Code of Conduct

• Demonstrate understanding of code as it applies to the individual.