Full Report
Community Feature - @michael_deebo

Curated Intelligence member Michael DeBolt has shared his views on what he calls the "CTI long game": how CTI teams, as a core component of many security teams, should approach it and why it matters. The blog covers the challenges we face as CTI analysts and how we should tackle them. The key points, as Michael puts it, are "frenzied media coverage" and the "pursuit of fame", currently the two main pressure points affecting how CTI analysts do their jobs.

https://www.linkedin.com/pulse/lets-play-long-game-2022-michael-debolt

As highlighted in the blog, timeliness is a key factor in intelligence, but making it the main or only reason for publishing something would be a miscalculation, potentially inducing confusion or misguided action. These points are extremely pertinent for CTI analysts. Whether you are part of an internal team, a partner, a vendor or a consultant, it is best not to rush and cause issues: you should want to be seen as a trusted voice of clarity and reason. We duly recommend reading the rest of Michael's article and sharing it with your teams.

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content, let us know!
Analysis Summary
# Best Practices: Cyber Threat Intelligence (CTI) Management and Communication
## Overview
These practices focus on the strategic, long-term execution of Cyber Threat Intelligence (CTI) functions, emphasizing clarity, trust, and methodical analysis over reactive, fame-driven responses, especially concerning the management of threat group naming and geopolitical events.
## Key Recommendations
### Immediate Actions
1. **Prioritize Clarity Over Speed:** Resist pressure from "frenzied media coverage" or the "pursuit of fame" when issuing intelligence; ensure assessments are vetted for accuracy before release.
2. **Do Not Publish on Timeliness Alone:** Timeliness matters, but never let it be the sole or primary justification for publishing; intelligence released before it is vetted risks inducing confusion or misguided organizational action.
3. **Establish Trusted Voice Protocol:** Ensure all CTI communications (from internal teams, vendors, or consultants) aim to be perceived as a "trusted voice of clarity and reason."
### Short-term Improvements (1-3 months)
1. **Review Publication Triggers:** Define clear internal policies that mandate triangulation and verification steps before releasing new intelligence or reacting to breaking events, even during high-pressure situations (like geopolitical conflicts).
2. **Standardize Threat Group Naming:** Begin internal discussions now to adopt or define a clear threat group naming scheme (preferably a public, non-proprietary one) so that teams and vendors do not track the same adversary under conflicting names; shared naming keeps attribution out of organizational silos.
3. **Develop Geopolitical Response Playbooks:** Document procedures for rapidly assessing and integrating intelligence on major unfolding global events (e.g., armed conflicts) that preserve analytical rigor, in particular distinguishing targeted nation-state activity from the opportunistic cybercrime and hacktivism that exploit the situation.
### Long-term Strategy (3+ months)
1. **Invest in CTI Program Maturity:** Shift focus from short-term tactical alerts toward long-term strategic intelligence that helps develop enduring defensive postures ("Play the CTI long game").
2. **Formalize Attribution Standards:** Document and socialize a formal, standardized procedure for adversary attribution, aligning terminology and confidence levels across all CTI producers and consumers within the organization.
3. **Integrate with Defense Roadmaps:** Ensure CTI findings directly influence long-term security architecture decisions, configuration changes, and resource allocation, moving beyond simple indicator consumption.
## Implementation Guidance
### For Small Organizations
- **Focus on Source Vetting:** Allocate analyst time to critically assess CTI sources, favoring the clarity and accuracy of established producers over high-volume, potentially sensationalized feeds.
- **Adopt Community Standards Early:** Utilize established, publicly available threat group naming conventions (if applicable to your sector) to streamline internal documentation rather than creating proprietary naming systems immediately.
### For Medium Organizations
- **Implement Internal Review Board:** Establish a small, cross-functional team (e.g., CTI lead, Communications, Legal review) to vet high-visibility or high-impact intelligence reports before external or broad internal dissemination.
- **Begin Documentation of TTP Mapping:** Start mapping observed Tactics, Techniques, and Procedures (TTPs) to an established framework (e.g., MITRE ATT&CK) even if formal attribution naming is still inconsistent; the technique-level record stays valid whatever the adversary is eventually called.
### For Large Enterprises
- **Formalize Naming Governance:** Institute a formal governance process for threat actor identification and naming, potentially creating an internal 'Attribution Working Group' responsible for signing off on major adversary designations.
- **Develop Scenario-Specific Comms Plans:** Create pre-approved communication templates and release schedules for reacting to specific high-impact scenarios (e.g., major nation-state activity, widespread supply chain compromise) to ensure measured responses.
- **Mandate Data Correlation:** Require CTI processes to correlate external intelligence with internal telemetry to validate findings and increase analytical depth, reducing reliance on uncontextualized external reports.
## Configuration Examples
*N/A - The article focuses on process, communication strategy, and CTI team culture rather than specific technical configurations.*
## Compliance Alignment
- **NIST SP 800-150 (Guide to Cyber Threat Information Sharing):** Covers establishing a threat information sharing capability, including how received information is evaluated and put into context before it is acted on, which is the discipline these practices call for.
- **NIST SP 800-92 (Guide to Computer Security Log Management):** Structured log collection and analysis is what makes the correlation of external intelligence with internal telemetry (see "Mandate Data Correlation" above) possible.
- **ISO/IEC 27001 (Information Security Management):** Annex A control 5.7 (Threat intelligence) in the 2022 revision requires that information about threats be collected and analysed to produce threat intelligence; disciplined gathering, analysis and communication also feeds the risk assessment and treatment required by clause 6.1.
- **CTI Maturity Models:** Aligns with maturity models that measure accuracy and strategic value rather than speed of reaction.
## Common Pitfalls to Avoid
- **Chasing Headlines:** Allowing the perceived necessity of being first to override the necessity of being correct, leading to the publication of half-baked or misleading intelligence.
- **Tolerating Chaos in Naming:** Letting different internal teams (or external vendors) use conflicting names for the same adversary, which pollutes internal reporting and defensive prioritization.
- **Weaponizing Intelligence for Internal Gain:** Using CTI findings to promote specific teams or individuals ("pursuit of fame") rather than strictly serving organizational defense objectives.
- **Ignoring Context in Geopolitical Events:** Failing to differentiate between hacktivism, cybercrime exploiting the situation, and targeted nation-state activity when tracking conflicts.
## Resources
- **Michael DeBolt's Article (Source Context):** The origin of the "CTI long game" concept (LinkedIn, 2022): https://www.linkedin.com/pulse/lets-play-long-game-2022-michael-debolt
- **Internal CTI Policy Documentation:** The primary resource for defining and enforcing standardized threat group naming conventions.
- **Established Threat Intelligence Frameworks:** Utilizing common frameworks (like MITRE ATT&CK) for TTP mapping, which standardizes technical language regardless of adversary naming.