Citizen Porg @Cybor_Tooth, 11 tweets, 3 min read
@MalwareHobbit This is how I see CTI. First and foremost CTI should not be separated from DF / IR or security monitoring (SOC Analysts). Instead CTI should be integrated into both with CTI feeding DF / IR / SOC and vice versa.
I think CTI at its core is misunderstood. Many big name organizations treat CTI as Infosec Journalists. Intel consists of pulling data from other data sources and vetting it. Some consider this to be a core functionality of CTI... yet I disagree strongly.
Copying and pasting articles from feed to feed, or reading articles to IR / SOC peeps, is NOT Threat Intel, and should NOT be regarded as such. Having a general knowledge of the threat landscape is important. Yet many who are at least halfway decent at their jobs are already doing this.
In my mind the journalism function of CTI aggregates global data and funnels it down to usable chunks, pertinent to the teams receiving it. This is a small part of it though.
A good CTI team should be delving into malware and phishing campaigns focused on an environment and capturing IOCs to provide to the SOC and DFIR teams. They should be looking for network- and host-based threats within the environment. Stuff that HIPS / AV isn't catching.
CTI really should be pulling information from threat hunting / global data / news / vulnerability reports / @shodanhq / @GreyNoiseIO / @RiskIQ and creating a threat landscape pertinent to THEIR ENVIRONMENT. They should also be assisting SOC / DFIR personnel in vetting findings.
So yes... Defining CTI is difficult because many do not understand linking DFIR / SOC / CTI into one cohesive unit. In many cases you have the SOC regarded as low tier, followed by IR, with everything else alongside in their own unique and special silos.
My personal opinion is that silos as a whole are themselves a huge threat to an environment. What good is data that is constrained by internal politics? What good is locking information between groups that is pertinent to both? How many times have we heard:
"Well <insert team name here> is responsible for that. We don't know how it got popped." No one is talking. It shouldn't be like that. 1 team 1 fight. CTI should be leading that charge to ensure information is flowing between groups, as well as providing said information.
If anyone else in CTI wants to comment, please feel free. I'm self taught at this and don't claim to know everything.