cyint_dude @[email protected]

Woo hoo! My talk from the @sansforensics #threatintel summit is posted \o/ twitter.com/sansforensics/…

Posted up @CYBERWARCON ! #cyberwarcon

@_John_Doyle You have a bouldering area in your office?!?! Who sets the problems? My climbing gym is very close but an office gym is another level!

Getting a few sends in before work at our office climbing gym. #WorkforGoogle #BoulderingInBoulder

Woo hoo! Ticket for #cyberwarcon purchased! Looking forward to seeing folks there! #threatintel

@T1l2L3n Sadly, we are not able to offer FT remote for this role.

@CYINT_dude Just curious, i noticed it is marked as hybrid. Is there an FT remote potential with this one or does it require the hybrid part?

Hello! We are looking for a new cyber #threatintel analyst to join our team! Don't have any experience in the intel space? That's OKAY! We are looking for folks eager to learn and grow! thomsonreuters.wd5.myworkdayjobs.com/External_Caree…

@Bing_Chris Congrats, Chris!

@Bing_Chris Definitely IBM.

@4n6ir Or maybe even more simply: how have you (#threatintel) made security better at the organization (and/or what else could be done assuming right resources)?

No one cares about your #CTI Nostradamus quotient. Your confidence ratings and predictions and judgements are meaningless and won’t influence a decision if you don’t have a recommendation, you or they can’t act on it, and if you can’t associate a cost.

@KyleTDavis1 Keep a list of topics/issues customers care about and review if/how your team can address them. Collect sources and change processes where needed to fulfill requirements. And don't mention "PIRs" to stakeholders (because they don't care and that's okay). #threatintel

@KyleTDavis1 PIR's in the #threatintel space IMO have been mostly over-engineering and intellectualized, drawing too much from .mil in the overly prescriptive development and management, leading to overhead that most teams can't handle...

Somebody: You think PIRs are overrated? Me: Yes. Somebody: And threat intel platforms too? Me: OMG, yes. Somebody: And daily reports? Me: Particularly early on, but guilty as charged. Somebody: Is there anything you like? Me: Yes, useful stuff.

Microsoft's direct observations of AI abuse are consistent with NCSC's report from earlier this year in which they forecasted the ways in which AI would boost different stages of cyber operations #threatintel microsoft.com/en-us/security… ncsc.gov.uk/report/impact-…

I coin the collection and analysis of internal data and incidents: INTINT #threatintel

@HostileSpectrum Are you telling me that I can no long rely on TWITINT exclusively for my intel that I copy/paste directly to my most senior leadership?

For anyone still unclear on the point, X Twitter is not a medium for delivery of finished intelligence. It may be useful in exhortations for attention to tradecraft, or to highlight lines of analysis that may be further developed in product. A shop may also use it to highlight contract / case BLUF or specific KJ, this is however dependent on underlying analysis & production outside of this platform. Do not confuse the two

My colleague has identified a valid ChatGPT use case for security operations. Watch out for those 4625 logs poppin' off skrrt skrrt.

Hey speaking of which! Check out @item105 by @hawkinsw #threatintel

If your company is using AI internally, or developing customer-facing AI products, then #threatintel teams will be expected to start answering questions about the related risks (like, right now). This is going to be a very challenging requirement IMO.

NIST Taxonomy of Attacks > csrc.nist.gov/pubs/ai/100/2/… MITRE ATLAS > atlas.mitre.org

Re: #2 - there's no escaping it: we need to understand how AI systems work, their flaws, the threats, and the risks. Emerging frameworks from NIST, and MITRE ATLAS are providing helpful taxonomies. There is a rich corpus of academic research in AML (via arxiv.org)..

Microsoft and VF Corporation are the first two companies I'm aware of that have made Item 1.05 filings. sec.gov/ix?doc=/Archiv…, sec.gov/ix?doc=/Archiv…

Re: #1 - Executives will be closely watching how other companies are responding to the SEC's new "4 day disclosure" rule. The SEC Edgar search allows you to create an RSS feed of 8-K filings and it includes the "Items" filed. Pay attention to the "Item 1.05" filings.

Two collection requirements I anticipate #threatintel teams needing to prioritize this year: 1) SEC 8-K filings with the new "Item 1.05" for disclosures of possible material breaches and 2) adversarial machine learning TTP