Cyber Threat Intelligence: From a Community Perspective

Andy C
3 min read · Dec 2, 2023


The world of Cyber Threat Intelligence (CTI) is complex and often misunderstood. An analysis of community discussions reveals critical insights into the perceived strengths and challenges of CTI teams.

Motivation

The inspiration for this article came from a Reddit thread titled “Why does everyone still sh*t on CTI teams?” (Link)

I set out to run sentiment analysis over the thread using Generative AI and to provide a categorized breakdown of the insights, offering a clearer perspective on what the community actually thinks.

Sentiment Analysis — OpenAI LLM

To conduct the sentiment analysis, the following data points were extracted from the Reddit discussion thread into CSV format:

  • Username of the commenter.
  • Date and time of the comment.
  • Scores related to the comment (upvotes, downvotes, and total score).
  • The comment text.

Insights from raw data

  1. Overall Sentiment: Categorized as ‘Positive’, reflecting a generally optimistic view of CTI teams. Surprisingly positive, but not a reason to get complacent.
  2. Average Sentiment Score: Approximately 0.132, indicating only a slightly positive overall sentiment across the comments.
  3. Top Positive Insight: Networking isn’t a luxury, it’s a necessity in this field.
  4. Major Concern: The heavy burden of personal responsibility in data security.
  5. Top Positive Comment: Showcases a humorous confusion about acronyms, highlighting a light-hearted aspect: “I googled it and the top results were Computer Telephony Integration which didn’t align with the comments.”
  6. Top Negative Comment: A comment with playful sarcasm about the overuse of acronyms: “WTF? TLAs FTW! 😉”.

Thoughts on Cyber Threat Intelligence

  1. CTI’s Role in Incident Response: CTI is considered valuable when used as a supplement to threat hunting and the detection/analysis phases of incident response. Analyzing Indicators of Compromise (IOCs) and Indicators of Attack (IOAs) in the context of threat intelligence can provide a deeper understanding of Tactics, Techniques, and Procedures (TTPs) used by threat actors in the environment.
  2. Differentiating CTI from General Threat Intelligence: Some argue that there is a distinction between CTI and general threat intelligence. CTI is seen as more focused and actionable intelligence, while general threat intelligence may lack specificity.
  3. Technical Knowledge and Skills: A common criticism is that some CTI professionals lack the technical depth needed to provide meaningful insights. This includes situations where CTI analysts resort to basic web searches to gather information on threat actors.
  4. Collaboration with Other Teams: CTI teams often struggle to collaborate effectively with other teams such as threat hunting, forensics, and incident response. Building relationships and ensuring that CTI provides value to these teams can be a challenge.
  5. Value of CTI: Some believe that good-quality CTI can significantly improve an organization’s overall cybersecurity by helping allocate resources effectively and formulate a fitting security strategy.
  6. The Need for Timely, Relevant, and Actionable Intelligence: To avoid CTI briefings feeling like “story time,” the intelligence provided must be timely, relevant, and actionable.
  7. Maturation and Additional Functions: There is a call for CTI to mature and incorporate functions such as detection engineering and adversary emulation to demonstrate its value, as some organizations may not prioritize internal adversary attribution.
  8. Communication and Understanding of Business Needs: Effective CTI teams should understand the business, tech stack, and asset inventory, focusing on tactical, operational, and strategic aspects. Bad teams might only focus on external threat actors without considering the organization’s unique context.
  9. Role of Leadership: The leadership of CTI teams plays a critical role in documenting Priority Intelligence Requirements (PIRs) and setting the direction for the team’s efforts. Collaboration with intelligence customers is key in this process.
  10. Maturity Curve: The maturity of CTI teams can vary across organizations. Some may be at the beginning of their journey, while others have established themselves as valuable contributors to an organization’s cybersecurity posture.

End Thoughts

This article has given a brief overview of what the wider community thinks about Cyber Threat Intelligence.

In the upcoming series of articles, we will delve into “How-to” themed pieces that aid the effective utilization of Threat Intelligence across various functions within an organization, and in communicating with vendors to obtain relevant, actionable intelligence.

This exploration will be conducted from the Analyst, Vendor and Leadership perspectives, providing insights on how to integrate Threat Intelligence into different facets of organizational operations.

Note — This article is also posted on LinkedIn. If you wish to connect, a quick OSINT search should help you find me. Thanks! :)


Written by Andy C

Here to publish stories and analysis covering cyber crime. Talks on #cybersecurity #privacy #threatintel #OSINT & more
