Many #threatintel teams likely have a new requirement to provide daily (or more!) updates on the UA/RU war to include cyber threat activity AND factors like sanctions, military developments, etc. This is not easy. Here are my ✅ tips for surviving "intel update fatigue" 🧵. ✅ Reduce, filter sources

There is too much information--much of it unconfirmed--from disparate sources. Stick to news from reliable and official sources (national CERTs, your intel providers, AP, Reuters, BBC, etc.) who have done the vetting for you.

#threatintel thread! The other week, I rendered a high confidence assessment related to malicious activity that I judged was targeting my organization's customers with intent to gain access to our proprietary content. Turns out I was TOTALLY WRONG (1/x) The activity I THOUGHT was malicious was actually benign and completely expected. Reflecting on the analysis, I realized I fell victim to CONFIRMATION BIAS and FAULTY ASSUMPTIONS. I thought I was immune to these #threatintel phenomena, but I'm not (2/x)

I’m a proponent of writing things down. As #threatintel analysts, a big part of our job is recognizing patterns and making connections. But sometimes, we don’t see the connections. Our brains can’t recall as much information as we think they can (1/x). This is why it’s imperative to document and memorialize your knowledge. Use your IOC database, your commercial TIP, OneNote, Excel, Wiki, IR ticketing system, whatever you have to capture artifacts, IOC, notes (2/x).

#threatintel thread! For the past couple of weeks I've focused on #threatintel REQUIREMENTS. As a consultant working with clients to develop their programs, I focused on this a lot--requirements are important. As a full-time analyst, it's much harder: because OPS! But, really honing-in on the requirements--the specific questions that customers have, the topics they are interested in, how they can best consume information--has been a valuable investment. Here's what I've learned or re-discovered...