CYINT_dude
Mar 8 · 9 tweets · 3 min read
Many #threatintel teams likely have a new requirement to provide daily (or more!) updates on the UA/RU war to include cyber threat activity AND factors like sanctions, military developments, etc. This is not easy. Here are my ✅ tips for surviving "intel update fatigue" 🧵.
✅ Reduce, filter sources

There is too much information, much of it unconfirmed, coming from disparate sources. Stick to news from reliable and official sources (national CERTs, your intel providers, AP, Reuters, BBC, etc.) that have done the vetting for you.
✅ Change your dissemination habits; prioritize speed

If your team typically disseminates information via traditional reports (presumably over email), consider creating a dedicated chat channel with your security and business partners exclusively for fast updates. If you're trying to generate more than a handful of bullet points with each update, you will probably not be able to sustain that approach.
✅ Avoid predictions

There are too many factors that directly affect and are affected by the threat landscape to reliably predict who will do what and when. It is a highly uncertain environment. Don't be afraid to share gut feelings, but stick to facts and make caveats clear.
✅ Present opportunities, not just threats

While the potential for damaging threat activity is real, use this as a chance to propose opportunities/solutions for introducing or improving controls and hardening your environment.
✅ Stay focused on your organization

Your incidents and internal telemetry will remain the single best source for understanding what threats are actually affecting the org. Use this as a chance to improve internal collection and fill detection gaps.
✍️ CLOSING THOUGHTS

These tips all assume that the threats/potential threats are *relevant* to your org. If they are not relevant and you still have the requirement, have a candid conversation with stakeholders about the resource tradeoffs and about the threats that ARE relevant and worrying to your org.
Intel literature has addressed the issue of focusing on "current intelligence" over strategic views, but the demand for current #threatintel in our domain is here to stay: adjust your processes to maximize efficiency / END 🧵!
cia.gov/static/789d2c8…; cia.gov/static/a3e248b…
