CREST Registered Threat Intelligence Analyst (CRTIA)

CRTIA Overview

The CREST Registered Threat Intelligence Analyst (CRTIA) examination is a comprehensive test that evaluates candidates' knowledge and expertise in collecting and analyzing information to support threat intelligence objectives. It assesses the candidate's understanding of key phases of intelligence generation, cyber-specific information sources, and common approaches to collection and analysis.

To pass the CRTIA exam, candidates must demonstrate a high level of competence in the collection, analysis, and dissemination of intelligence in accordance with legal and ethical guidelines. This certification is highly respected within the cybersecurity community and is a testament to a candidate's proficiency in the field of threat intelligence analysis.

As a candidate, it's expected that you possess a wide-ranging understanding of all areas of threat intelligence, as well as proven experience in conducting collection and analysis activities. The CRTIA exam evaluates candidates' ability to apply a comprehensive understanding of the principles and practices of threat intelligence analysis to real-world situations. Successful candidates must demonstrate a mastery of skills such as identifying information gaps, validating information, and drawing valid inferences from analysed data.

By earning the CRTIA certification, candidates can demonstrate their expertise and commitment to the highest standards of professional practice. This credential is highly regarded by employers and peers within the cybersecurity industry, making it an essential step for any aspiring threat intelligence analyst.

CRTIA Syllabus

The CREST examination syllabus for the CREST Registered Threat Intelligence Analyst is broken down into 8 key areas, running from appendix A through to H. Each appendix defines a number of topics that should be covered.

The key concepts underlying intelligence-led cyber threat assessments.

A1 - Business imperative
Background and reasons for intelligence-led security testing.
Understanding of the range of scenarios in which threat intelligence can be used within an organisation.
A2 - Terminology
Knowledge of common terms relating to threat intelligence, business risk and information security.
A3 - Threat actors & attribution
Knowledge of common attackers (e.g. hacktivists, criminals, nation states) and their motivation and intent.
The benefits of associating activity with real people, places or organisations.
A4 - Attack methodology
Knowledge regarding phases of the cyber ‘kill chain’ methodology.
Knowledge of common tactics, techniques and procedures (TTPs).
Understanding of, and familiarity with, the MITRE ATT&CK framework.
Sequences of tool application, behavioural identification/observed behaviour.
A5 - Analysis methodology
Understanding of typical methodologies used to analyse collected intelligence and their application.
Knowledge of methods for analysis of threat, e.g. the diamond model.
Analysis of competing hypotheses (ACH), Intelligence Preparation of the Environment / Battlefield (IPB / IPE).
Familiarity with concepts and terminology concerning forecasting and predictive methodologies.
A6 - Process and intelligence lifecycle
Ability to plan and execute an intelligence-led engagement start to finish, including providing direction to junior staff and managing the client.
Understanding of the intelligence lifecycle (and variations of it, including F3EAD) and how it relates to conducting a client engagement.
A7 - Principles of Intelligence
Understanding of the principles of intelligence and their application in a Cyber Threat Intelligence context.

B1 - Requirements analysis (scoping)
Analysing an intelligence customer’s position to understand requirements. Scoping projects to achieve key outcomes relevant to the client’s organisation.
Accurate timescale scoping and resource planning.
Establishing rules of engagement, limitations and constraints.
B2 - Intelligence planning
Prioritising intelligence requirements (e.g. MoSCoW).
Basic mapping of how a customer will consume and apply threat intelligence.
B3 - Project review
Conducting a review after an intelligence-led engagement, assessing the successes and failures in conjunction with the customer.

C1 - Collection planning
Knowledge of building a collection plan that is efficient, agile, robust and appropriate.
C2 - Data sources and acquisition
Understanding of various intelligence sources and their relevance to an engagement e.g. OSINT, HUMINT, SIGINT.
Knowledge of legal frameworks relevant to collecting data from technical and human sources.
C3 - Data reliability
Understanding of how to assess the relevance of intelligence sources.
Knowledge of factors which affect the credibility of an intelligence source and how to rate specific intelligence sources for reliability.
Understanding of the key differences between deception, disinformation and misinformation. Understanding of how methods used in data collection can affect the availability or freshness of data.
C4 - Registration records
Knowledge of the information contained within IP and domain registries (WHOIS).
C5 - Domain Name Server (DNS)
Knowledge of DNS queries and responses, zone transfers and common record types.
Awareness of dynamic DNS providers and the concepts of fast-flux DNS.
C6 - Web enumeration and social media
Effective use of search engines and other open source intelligence sources to gain information about a target.
Knowledge of information that can be retrieved from common social networking sites and how these platforms are used by threat actors.
C7 - Document metadata
Awareness of metadata contained within common document formats, such as author, application versions, machine names, printer and operating system information.
C8 - Dump site scraping
Knowledge of online services commonly used to leak stolen data and how these have been used historically to share sensitive data.
C9 - Operational security
Understanding of how to securely conduct collection operations online, implementing robust procedures to protect the safety and anonymity of individuals.
Knowledge of how to establish identities for data collection, for example operating alias accounts for monitoring online activity.
C10 - Bulk data collection
Knowledge of how to collect data in bulk, such as from social media, Passive DNS or online feeds of malware.
Explain the benefits and challenges arising from collecting such data in bulk.
C11 - Handling human sources
Knowledge of interviewing techniques and tactics involved in cultivation of human sources.
Awareness of specific legal and reliability issues relating to human sources.

D1 - Contextualisation
Understanding of the environment surrounding data and data sources, for example political, economic, social and technological contexts.
D2 - Analysis methodologies
Ability to sort and filter data.
Ability to use standard qualitative and quantitative analysis methodologies to process data and generate intelligence product.
Awareness of social network analysis and behavioural profiling techniques.
Awareness of threat modelling and techniques such as attack trees.
D3 - Machine based techniques
Awareness of structured and unstructured data analysis techniques.
Awareness of machine learning techniques, for example supervised and unsupervised learning.
D4 - Statistics
Knowledge of fundamental statistical methods used during data analysis, including averages, standard deviation, statistical distributions and techniques for data correlation, for example: time-series analysis, graphing techniques, charting techniques, confidence levels.
D5 - Critique
Critical analysis of collected data, ensuring that all potential hypotheses are explored and evaluated.
Ability to identify fake or conflicting data, for example misinformation.
Understanding of prediction and forecasting and the differences between secrets and mysteries.
Awareness of the importance of identifying and removing bias should this occur as an artefact of collection methods or analysis techniques.
D6 - Consistency
Ability to achieve consistency in analysis outputs and intelligence products throughout multiple engagements for a single customer or across industry sectors.

E1 - Forms of delivery
Understanding of effective delivery mechanisms that meet customer requirements, ranging from simple alerts to tailored reports.
Knowledge of why machine-readable data formats are important for efficient intelligence sharing and awareness of common vendor or community sponsored file formats.
E2 - Technical data sharing
Knowledge of what constitutes useful technical defensive intelligence, for example different types of host and network based indicators.
Knowledge of common formats for distributing indicators of compromise to collaboration partners and ability to interpret these.
E3 - Intelligence sharing initiatives
Knowledge of intelligence sharing initiatives and their relevance to individual clients.
E4 - Intelligence handling and classification
Knowledge of formal data classification or handling policies.
Understanding of why and how to establish secure mechanisms for delivery and sharing of intelligence with clients (for example the use of data encryption and strong authentication).

F1 - Client management & communications
Knowledge sharing, daily checkpoints and defining escalation paths for encountered problems.
Knowledge and practical use of secure out-of-band communication channels.
Regular updates of progress to necessary stakeholders.
F2 - Project management
Ability to manage a team of threat intelligence analysts providing services to customers.
Knowledge of the full engagement lifecycle including scoping, authorisation, non-disclosure agreements and review.
Ability to make decisions using sound judgement and critical reasoning.
F3 - Reporting
Ability to compile concise reporting with clear explanation of limitations, caveats and assumptions.
Ability to concisely communicate technical data and attack techniques in a coherent narrative that addresses the intelligence needs of the consumer.
Knowledge of methods for organising and presenting complicated links between related intelligence in a variety of graphical forms.
F4 - Understanding, explaining & managing risk
Knowledge of the additional risks that threat led engagements pose.
Communication and explanation of the risks relating to intelligence collection. Effective planning for potential problems during later phases of an engagement.
Awareness of relevant risk management standards, for example:
  • Risk Management ISO 31000
  • Information Security ISO 27001
  • Business Continuity ISO 22301
  • Risk Assessment ISO 27005
F5 - Third parties
Ability to deal with external third parties in a professional and knowledgeable manner to facilitate threat led engagements.
Knowledge of public organisations, Government departments and regulatory bodies relevant to specific clients and their role in overseeing industry sectors.
F6 - Regulator Mandated TI schemes
Basic understanding of the range of regulator-mandated, intelligence-led penetration testing schemes, their format and requirements.

G1 - Law & Compliance
Knowledge of pertinent UK legal issues:
  • Computer Misuse Act 1990
  • Human Rights Act 1998
  • Data Protection Act 1998
  • Police and Justice Act 2006
  • Official Secrets Act 1989
  • Telecommunications (Lawful Business Practice) (Interception of Communications) 2000
  • Regulation of Investigatory Powers Act 2000
  • Bribery Act 2010
  • Proceeds of Crime Act 2002
Awareness of relevant laws concerning employment rights, copyright and intellectual property.
Awareness of relevant international legislation and the complexities of working with multi-national organisations.
Understanding of how and when to interact with law enforcement during an engagement.
Knowledge of what written authority is necessary to comply with local laws.
G2 - Ethics
Awareness of the strong ethical requirements needed when providing accurate threat intelligence.
Understanding of the CREST Code of Conduct and the responsibilities it places on individuals and companies.

H1 - IP Protocols
IP protocols: IPv4 and IPv6, TCP, UDP and ICMP.
VPN Protocols (e.g. PPTP).
Awareness that other IP protocols exist.
Knowledge of how these protocols are used by adversaries when conducting attacks, and of the ways in which analysis can assist in the assessment of adversary capability and sophistication and lead to attribution to a specific threat actor.
H2 - Cryptography
Fundamental understanding of cryptography, including the differences between encryption and encoding, symmetric and asymmetric encryption, common algorithms.
H3 - Vulnerabilities
Knowledge of common vulnerabilities used in the exploitation of popular desktop, web servers and mobile devices, particularly those for which robust exploit code exists in the public domain.
Awareness of zero-day exploits and how these are used by adversaries.
Ability to characterise a threat using vulnerability information and suggest mitigations for common vulnerability classes.
H4 - Intrusion Vectors
Knowledge of the different vectors by which threat actors attempt to compromise a network, for example spear phishing, strategic web compromise / watering holes / drive-by downloads.
Awareness of common definitions of attack patterns and related vulnerabilities (e.g. CAPEC, OWASP).
Awareness of advanced techniques used by some well-funded threat actors which may not be detected by common IDS platforms.
H5 - Command & Control and Exfiltration Techniques
Knowledge of common malware control mechanisms and corresponding detection techniques.
Knowledge of the various protocols and techniques that can be used for egressing data from a network, facilitated by malware or standard operating system / network tools.
H6 - Attack Attribution
Knowledge of techniques that can be used to hide the source of an attack, for example use of VPNs, proxy servers or Tor.
Understanding of difficulties associated with attribution and how technical analysis of malware and related datasets can be used to provide demonstrable links between an attack and a threat actor.
H7 - Current threat landscape
A working knowledge of some threat actors, their objectives, and associated campaigns.
An understanding of how the threat landscape is changing, and factors which are likely to influence future changes.

CRTIA Examination

If you're planning to take the CREST Registered Threat Intelligence Analyst (CRTIA) exam, it's important to understand its format and requirements. The exam consists of two parts: a multiple-choice written section of 120 questions and two long-form written response questions.

Test-takers have a total of three hours to complete the exam, and they are given an additional 30 minutes for sign-in procedures.

To be admitted to the exam, test-takers must present two valid and unexpired forms of identification. The primary identification must be government-issued with the candidate's name, photo, and signature, while the secondary identification must have either the candidate's name and signature or name and recent photo. It's important to note that no personal items are allowed in the testing room, including phones and bags.

If you need to reschedule or cancel the exam, you must do so 24 hours before the scheduled appointment to avoid forfeiting the exam fee. Speaking of fees, the CRTIA exam costs £395, and it's a worthwhile investment for anyone aspiring to become a certified threat intelligence analyst.

CRTIA Training Provider

Advanced Cyber Threat Intelligence is a CREST-aligned training course covering nearly every element of the CREST Registered Threat Intelligence Analyst (CRTIA) examination.

Advanced Cyber Threat Intelligence

Designed to provide you with the advanced knowledge and practical skills necessary to become a dominant force as a cyber threat intelligence analyst. Throughout this course, you will advance your understanding of cyber threat intelligence best practices and learn to apply techniques like the OODA Loop and the F3EAD Cycle to real-world scenarios.

  • 40+ hours of training content
  • CREST Aligned CRTIA course
  • 87 units covering an extraordinary amount of content
  • Includes 27+ hours of video training
  • arcX final exam with free re-test included
  • 100% online and on-demand self-study course
  • 24 engaging exercises
  • 900+ practice questions