hack.lu 2023

CTI is dead, long live CTI!
10-16, 14:30–15:00 (Europe/Luxembourg), Salle Europe

Recently a CSIRT colleague said "CTI is dead", which made us wonder and ponder.


Cyber Threat Intelligence (CTI) remains a bit of a buzzword. What a CTI team does, for whom it does it, and how are still shrouded in mystery or kept in a maintained artistic blur.

Often CTI is regarded as retrieving threat reports, digesting them, or researching a piece of malware or infrastructure to produce a report. Other teams then retrieve and digest these reports, extract IOCs and/or TTPs, and then implement mitigations or write another internal presentation. While this may help protect against certain attacks, many reports do not directly concern our constituencies. More to the point, the reports may not be timely when an incident is being handled by a CSIRT.

A complementary approach could be to identify, collect and analyze the data that we already "have" but sometimes tend to forget. We will present a more constituency-centric approach and some of the challenges we face as an MSSP.

By combining these complementary approaches, one outward-looking and one inward-knowing, we could revive CTI in a longer-term, less buzzword-driven way and, more importantly, better protect our constituency.

David Rufenacht is a senior threat intelligence analyst at InfoGuard. Previously, David worked for the Swiss National Cyber Security Center, providing threat assessments to critical infrastructure. He holds a master's degree in international relations as well as in social anthropology.