CTI? I know I should… but… maybe later…
I discovered there is a parallel between the Cyber Threat Intelligence and Fitness industries. With a massive range of offerings, there is something for anyone at any size of budget. Do you want a gym that is open twenty-FIVE hours a day, has a pool, indoor track, and full movie theater for $500 a month? I am sure that is available! If you only need to walk on a treadmill that’s not at your house, there’s a $10 a month option available. #CTI offerings are no different. Need next-gen, single-pane-of-glass, AI-augmented, SOAR optimized, real-time, actionable intelligence? Done. Decided all you can afford or deal with is a Pastebin Pro account? No problem. Something for every team and budget size, right?
Do you even triage your IOCs, bro?!
But also like gym memberships, many companies have CTI teams or roles because it “it’s just something you have to have.” (Though there are some regulatory requirements as well, thankfully the FFIEC doesn’t mandate I work out every day in addition to having a threat intelligence function.) Generally, I find that companies do not have intelligence teams or programs because there is actual interest in or understanding of intelligence work and tradecraft. They do so out of a compliance mandate and industry peer-pressure. There is a bit of mysticism, much of it from overly-ambitious marketing, that makes actual “intelligence” seem beyond what an organization is capable of implementing. Much like a fitness center, many CTI beginners just head for the simple-to-use machines and have no workout plan.
Make those CTI gains!
I say this from someone who is providing workout plans & guides for intelligence teams. I think it is excellent whether you are a member of Super-Mega-CTI-Platform or you just go to the local OSINT sites every day. It does not matter to me, as long as you know what you are doing when you get there and make the most of your time and investment. Anyone and everyone can “do intel” regardless of team size, budget, or even job title.
Do not skip leg day, dude.
And just like the gym, you need to hang on to those improvements. Consistency is key. After your initial flurry of 2 months’ worth of working out every day, you feel better and look better. But then, gradually, you decide you’re good enough. You have an important meeting scheduled during your regular time. You give up your new-found habits, begin to lose motivation. You no longer go consistently. It is the same thing with intelligence work. After the shiny wears off your new threat intelligence tool or feed, you realize you still have a lot of mundane processes and procedures to implement. Your intelligence consumer’s needs change, goals shift, budgets are adjusted — your processes and metrics need to change too. But you have to keep at it, every day, to maintain your gains and to get better.
Intelligence work is a process. You are never “done.” You have to plan your efforts, record and analyze your results, re-evaluate your goals, and adjust accordingly. Do not make your intelligence function a checkbox or a means to keep up with the industry Joneses. Strengthen your intelligence program for the betterment of your organization! Make that membership count!
(Full disclosure: I thought of this while passing by my gym.)
