Many #threatintel teams likely have a new requirement to provide daily (or more!) updates on the UA/RU war to include cyber threat activity AND factors like sanctions, military developments, etc. This is not easy. Here are my ✅ tips for surviving "intel update fatigue" 🧵.
✅ Reduce, filter sources
There is too much information--much of it unconfirmed--from disparate sources. Stick to news from reliable and official sources (national CERTs, your intel providers, AP, Reuters, BBC, etc.) who have done the vetting for you.
There is too much information--much of it unconfirmed--from disparate sources. Stick to news from reliable and official sources (national CERTs, your intel providers, AP, Reuters, BBC, etc.) who have done the vetting for you.
✅ Change your dissemination habits; prioritize speed
If your team typically disseminates information via traditional reports (presumably over email), consider creating a dedicated chat channel with your security and business partners exclusively for fast updates...
If your team typically disseminates information via traditional reports (presumably over email), consider creating a dedicated chat channel with your security and business partners exclusively for fast updates...
...If you're trying to generate more than a handful of bullet points with each update, you will probably not be able to sustain that approach.
✅ Avoid predictions
There are too many factors that directly affect and are affected by the threat landscape to reliably predict who will do what and when. It is a highly uncertain environment. Don't be afraid to share gut feelings, but stick to facts and make caveats clear.
There are too many factors that directly affect and are affected by the threat landscape to reliably predict who will do what and when. It is a highly uncertain environment. Don't be afraid to share gut feelings, but stick to facts and make caveats clear.
✅ Present opportunities, not just threats
While the potential for damaging threat activity is real, use this is a chance to propose opportunities/solutions for introducing or improving controls and hardening your environment.
While the potential for damaging threat activity is real, use this is a chance to propose opportunities/solutions for introducing or improving controls and hardening your environment.
✅ Stay focused on your organization
Your incidents and internal telemetry will remain the single best source for understanding what threats are actually affecting the org. Use this is a chance to improve internal collection and fill detection gaps.
Your incidents and internal telemetry will remain the single best source for understanding what threats are actually affecting the org. Use this is a chance to improve internal collection and fill detection gaps.
✍️ CLOSING THOUGHTS
These tips all assume that the threats/potential threats are *relevant* to your org. If it is not relevant and you still have the req., have a candid convo w/ stakeholders about the resource tradeoffs and threats that ARE relevant and worrying to your org.
These tips all assume that the threats/potential threats are *relevant* to your org. If it is not relevant and you still have the req., have a candid convo w/ stakeholders about the resource tradeoffs and threats that ARE relevant and worrying to your org.
Intel literature has addressed the issue of focusing on "current intelligence" over strategic views but, the demand for current #threatintel in our domain is heree to stay: adjust your processes to maximize efficiency / END 🧵!
cia.gov/static/789d2c8…; cia.gov/static/a3e248b…
cia.gov/static/789d2c8…; cia.gov/static/a3e248b…
• • •
Missing some Tweet in this thread? You can try to
force a refresh
