I'd like to expand on my recent Mastodon post about how I compile and publish Sources & Methods each month, as well as how I'm developing upcoming work:
I started the Sources & Methods newsletter because I'm always scouring the internet and looking through tons of articles, videos, papers, and tools in the CTI space or around it. I figured if I find all of this useful, maybe others will, too.
Though I never imagined I would run a newsletter, I supposed if I could make it easy to capture and compile these ideas on a regular basis it might be sustainable in the long run. That's why I invested time early on to design a workflow that would maximize what I can share and reduce my time spent getting it done. I also wanted to keep my costs very low so I can avoid charging for the newsletter or including ads.
Of course, I wouldn't be a CTI geek if I didn't find some way to work the intelligence cycle into the process, too. My requirements and stakeholders might be broad, but isn't this just a cycle of knowing my audience, what they need, where to find it, collecting it, processing it, sharing it out, then asking how I'm doing? But I'm preaching to the choir here. Let's dive in and see how the newsletter gets made.
The first step in my process, especially when I started the newsletter but also continuously, is to plan what I'll share and how. That meant deciding the structure of my product—newsletter emails—what to include, what sources I'll collect from, how often, and so on. I also set my production schedule to monthly, although you'll notice I'm flexible on the date. I did say it was free!
I was inspired by other newsletters that started before mine like the venerable tl;dr sec and CloudSecList for both the information they provide and how they share it quickly. They lay out content in a simple and digestible way that I knew my readers would likely recognize. I learned from Mandiant's Intelligence Production training that making your written products follow a consistent, familiar pattern helps consumers, and I think it applies just as well here.
True to the name Sources & Methods, I decided that in every issue I would share what I find are valuable and trustworthy sources of data, information, and intelligence, as well as ways to get the job done. From that idea, I came up with the categories you see every month–Sources, Articles, Tools, Events, and one Tip.
Sources and collection plan
I prefer to share content that costs you nothing but your time to consume, so all my sources are free. I have my favorites that I've watched over the years and have expanded the list for SRC&MTD to move beyond my own interests and make sure there's something for everyone. That never ends.
For each category of the newsletter I just mentioned, I keep a list of sources I trust to provide the bits worth sharing with you all and check them all on a daily or at least weekly basis. Most tools come from GitHub. That's it, that's my collection plan.
I keep that plan and other Markdown documents synced across my devices using the excellent Obsidian, a tool that I shared in issue #1. This helps me work on the newsletter from any device, mobile to tablet or desktop; this is essential for a workflow I can get into any time of day.
With my goals and sources in mind, it's time to turn on the fire hose, read a ton, and try a lot of open source tools. The good news is I was already doing that; I'm just sharing the highlights with you.
I use a few simple tools to keep tabs on those sources day to day:
- Reeder 5, a solid RSS feed reader that stays in sync across iOS, iPadOS and macOS
- My GitHub feed, which depends on the activity of folks I follow from both the offensive and defensive communities and to some extent GitHub's recommendations
- Mastodon (RIP InfoSec Twitter)
The important thing is, again, I can use these tools on any device any time of day so I don't lose track of ideas and can vet new content when I'm able.
Here's where it gets fun! My process for turning articles, open source repositories and such into the newsletter you see every month mostly revolves around GitHub Issues and Projects. I can quickly do this from any device when I need to and then go about the rest of my day. Thanks to GitHub for providing these features for free!
I create an Issue in my "ideas" repository for everything I consider featuring in the newsletter. It doesn't matter if I change my mind later because a tool turns out to be broken, or a story becomes outdated—the important thing is I can capture ideas quickly and deal with them later.
Articles, Events, Sources, Tips, and Tools each have their own GitHub Issue template. It helps me label each item correctly and remember what information to collect. For example, every Tool needs a description and a URL. Because I capture this up front in the idea phase, I save a lot of time when I put together each issue.
Besides item type, I use one other label that's crucial for scheduling content: time-sensitive. Items with this label should be scheduled for the very next issue, or I should consider skipping them. This ensures what I share is timely while giving me the confidence to push items out until later if they're timeless.
I also appreciate having a list of closed Issues I can search later to see if I've shared a certain article or tool already. I know your time is short and I won't waste it by repeating content I've already covered. Ever listen to a playlist that has the same song on it twice? Yikes.
I use a Kanban-style GitHub Projects board to organize those ideas into what I'd like to cover next, the issue after that, or any time later:
When I work on a new issue, I make sure everything that's in the "Next Issue" lane is still good to cover and that I don't have too much or too little of each type lined up.
The Sources & Methods monthly newsletter is really about curation, so beyond evaluating every item I share with you to decide if it's worth including, I'm not delving into what you'd call analysis. With the addition of a blog and plan to put out my own work under Sources & Methods, however, I do spend time on additional collection and analysis. So I'll share the tooling supporting me there.
I use a personal instance of OpenCTI, which is an open source threat intelligence platform. Instead of deploying it the way I would at work, I just run it on my home computer using Docker Compose, which gets the job done and doesn't cost me anything additional for hosting.
OpenCTI supports more than I can cover in this post (stay tuned), so here are the highlights:
- Its data model is based on STIX 2.1 with additional Object types
- It can best be described as a knowledge graph for cyber threats
- I can use it to import and automatically parse Observables and Entities in open source reports, and store my own products
- I can also manage a collection of Observables and Indicators, enrich them with various connectors, create relationships among them, investigate in a graph view, export as STIX bundles, and access them via a GraphQL API
I'll cover my open source report processing workflow in depth in an upcoming article. I'm not a security vendor, so all upcoming work under The Gist or The Finished Product will leverage open sources in some way along with my own research.
Back to the newsletter. I publish with Ghost, which allows me to run a newsletter, blog and website without much more effort than making the content itself. Its editor supports Markdown and all the other features I need. So far I'm quite happy with it!
When I started this newsletter about a year ago, I used Buttondown on their free plan then after a month or so moved to a paid plan. I really enjoyed Buttondown, and it fully supported my use case until I decided to move beyond just an email newsletter with Sources & Methods. Maybe it'll work for you, though.
At production time each month, I start with my Markdown template, gather items from the Next Issue column of the GitHub Project, write a quick introduction, then update the Events section, keeping an eye on CFPs that closed or conferences that already took place. I triple-check and preview the issue, click publish, and Ghost takes care of the rest. I'm one year in and this part still makes me nervous!
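A small script that applies the scheduling rules above (one type label per item, the time-sensitive label, the Next Issue lane, and the check against closed Issues) to a constructed batch of ideas and renders the draft in section order. This is an added example rather than the author's tooling; the type label names, the lane names, and the inline issue records are assumptions standing in for what the GitHub API would return.

```python
# Assemble a newsletter draft from captured ideas and flag scheduling problems.
# Added example, not the author's code: issue records are constructed inline
# instead of fetched from GitHub; type labels and lane names are assumptions.
from collections import defaultdict

# Assumed type label -> newsletter section (only "time-sensitive" is from the post)
SECTION_FOR_LABEL = {"source": "Sources", "article": "Articles", "tool": "Tools",
                     "event": "Events", "tip": "Tip"}
NEXT_LANE = "Next Issue"  # assumed Project lane name

# Constructed sample data; closed issues are items already shared in a past issue.
ISSUES = [
    {"title": "Obsidian", "url": "https://obsidian.md", "labels": ["tool"],
     "lane": None, "state": "closed"},
    {"title": "Obsidian", "url": "https://obsidian.md", "labels": ["tool"],
     "lane": "Next Issue", "state": "open"},  # duplicate of an item already shared
    {"title": "CFP closes soon", "url": "https://example.invalid/cfp",
     "labels": ["event", "time-sensitive"], "lane": "Later", "state": "open"},
    {"title": "Some article", "url": "https://example.invalid/a",
     "labels": ["article"], "lane": "Next Issue", "state": "open"},
    {"title": "Handy tip", "url": "", "labels": ["tip"], "lane": "Next Issue",
     "state": "open"},
    {"title": "Unlabelled idea", "url": "https://example.invalid/x",
     "labels": [], "lane": "Next Issue", "state": "open"},
]

def plan_issue(issues, next_lane=NEXT_LANE):
    """Return (sections, warnings): items grouped per section, plus what to fix."""
    shared = {i["url"] for i in issues if i["state"] == "closed" and i["url"]}
    sections, warnings = defaultdict(list), []
    for item in (i for i in issues if i["state"] == "open"):
        kinds = [SECTION_FOR_LABEL[l] for l in item["labels"] if l in SECTION_FOR_LABEL]
        if item["lane"] != next_lane:  # not scheduled yet: only the timely ones matter
            if "time-sensitive" in item["labels"]:
                warnings.append(f"time-sensitive, schedule next or skip: {item['title']}")
            continue
        if item["url"] in shared:  # never repeat a song on the playlist
            warnings.append(f"already shared, dropping: {item['title']}")
        elif len(kinds) != 1:
            warnings.append(f"needs exactly one type label: {item['title']}")
        else:
            sections[kinds[0]].append(item)
    if len(sections["Tip"]) > 1:
        warnings.append("more than one Tip lined up; keep one")
    return dict(sections), warnings

def render(sections):
    """Render the draft in the newsletter's section order as Markdown."""
    out = []
    for name in SECTION_FOR_LABEL.values():
        out.append(f"## {name}")
        out += [f"- [{i['title']}]({i['url']})" if i["url"] else f"- {i['title']}"
                for i in sections.get(name, [])]
    return "\n".join(out)
```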
Finally, no good intelligence cycle-esque process is complete without gathering feedback and making changes. This stage is supported by some of Ghost's built-in features like open- and click-tracking, comments, and "More like this"/"Less like this" feedback links that are added automatically at the end of each email.
I supplement Ghost's analytics with the open source and privacy-friendly Plausible Analytics. It helps me understand traffic sources, what topics folks are interested in, which parts of the world readers are based in, popular days and times, and the breakdown of desktop versus mobile readers.
I hope you enjoyed this peek behind the scenes of the Sources & Methods monthly newsletter. In the spirit of feedback, please let me know what you think! Are you thinking of starting your own newsletter? Have you tried it before and done it differently? Let me know in the comments and don't forget to subscribe if you haven't yet.