‘Every Intrusion Attempt Has a Story to Tell’

The cyber threat intelligence field is a relatively young one, and while it has matured quickly, practices and methods are still evolving. The field is awash in data and data analysis tools, but distilling all of that into intelligence that’s understandable and actionable for executives and other audiences can be a major challenge. And that’s when communication skills and creativity become vital.

“Every intrusion attempt or attack has a story to tell. This superpower is unique to us. It isn't intuitive to everyone else. It’s important to know how we can leverage this in the critical work we do,” Rebekah Brown, who works on Apple’s trust and safety team, said during a keynote at the SANS Cyber Threat Intelligence Summit Thursday.

“Establishing the connective tissue is really important. We will be far more effective if we can set that stage and make this matter to the person reading it.”

Brown realized the importance of bringing strong communications and storytelling skills to threat intelligence when she was assigned to work as a network warfare analyst during her time in the Marines. She had a background as a traditional intelligence analyst and was not enthused about the prospect of making the leap to cyber threat intelligence. But after some assurances from her superiors that she was a good fit, Brown dove in and soon discovered that her interests and skill set were naturally suited to the new field.

“I realized that there were not only puzzles to put together, but I could bring my communication skills to bear as a way to tell stories,” she said.

Digging into a pile of data and sussing out the story that will make people sit up and take notice is not always easy and is not necessarily intuitive for everyone in the CTI field. Or any other field, for that matter. The skills that enable someone to parse large, disparate data sets and correlate seemingly random pieces of information into a cohesive picture of an intrusion or campaign may not translate into effective storytelling. But Brown said developing that ability can be a major step for analysts and improve the overall organizational understanding of threats and security response.

It’s vital, though, that analysts stick to the facts in the stories they tell and not give in to the temptation to embellish a little here and there in order to serve their narratives.

“When we have people’s attention it’s easy to learn what makes them tick, and when we do it’s important that the information we give them is truthful or accurate. If we put information out into the world that we know isn’t accurate, we don’t know what side effects that might invoke,” Brown said.

“A lot of the work we do is based off incomplete information, so we do have to share and analyze to the best of our ability. If we do put some inaccurate information out there, it’s important to correct and say, we have new information on this. People updating an assessment is probably one of the most useful parts of our field.”

Mistakes are a part of the process, as they are in any field of endeavor, but the probability of making an error can be magnified when external stressors such as massive workloads or sleep deprivation are present. The last two years have brought stress levels to an all-time high for many in the CTI field, not just because of the pandemic and the shift to remote work, but also because of the numerous major incidents that have arisen, including the SolarWinds intrusion, the Kaseya attack, the ransomware epidemic, and the Log4j vulnerabilities. Each of those has required long stretches of constant work for many CTI analysts, and after months or years of that, the stress compounds and can lead to errors.

“The more problems that arise, the more mentally taxing it is. And the more taxing it is, the more our analytic skills decrease and we shift more toward assumptions and into that disordered state where we’re not accurately identifying the threats,” Brown said.

“We need to learn where our limitations are and where our skills start to work against us.”