Joe Słowik at CONFidence 2019

Joe will talk on: „Meet Me in the Middle: Threat Indications & Warning to Enable Operational Threat Intelligence”

Discussions on threat intelligence often get bogged down between machine-speed ingestion of atomic indicators and in-depth analysis of activity that takes weeks (or months) to produce. Left in the cold in such debates is a very important but seldom considered middle ground: time-sensitive and incomplete but enriched threat intelligence. In various military settings, this is referred to as threat indications and warning (I&W): a step beyond a simple observable, refined to ensure accuracy and timely receipt. The goal of I&W is to get actionable, important information to those who need it most as quickly, efficiently, and accurately as possible, even if some context or other insights are lost as a result. Consumers of such intelligence are better armed and equipped to deal with and counter threats as they emerge, rather than either reacting to items with no context whatsoever or only reading about their challenges weeks after the fact in a complete intelligence report. This discussion will explore the concept of threat I&W within the context of network security generally and threat intelligence specifically, identifying this topic as a shamefully ignored middle ground between extremes. The presentation will explore the conceptual background behind this idea, then transition to real-life examples of I&W drawn from the speaker's past activity in threat intelligence, incident response, and military operations. Attendees will walk away with two key lessons: first, do not let perfect (finished, complete intelligence) be the enemy of the good (actionable, if incomplete, information) when it comes to network defence; second, network defence consists of multiple phases of activity, from tactical to strategic, but ignoring the spaces in between results in fractured and incomplete operations.
As a result of this discussion, attendees will be better armed and equipped to ask critical questions of their threat intelligence providers and have an enhanced set of expectations for what threat intelligence can do to support defensive operations.