Onsite at the FIRST CTI Conference in Berlin last week, we took in three days of fascinating and valuable cyber-threat workshops and talks. Here are key insights we drew from the event.
Cyber Risk and Threat: A Cry for Collaboration
Dr Jamie Collier and John Doyle, both from Mandiant, delivered the standout talk of the conference. The premise was simple: Cyber Threat Intelligence (CTI) teams need to start actively engaging with risk management teams.
The motivator is clear – risk is the language of the executive, and by learning to integrate CTI into risk management, CTI increases its overall ‘actionability’ as a discipline. The talk covered a range of topics and suggestions for achieving the crossover. One of the most insightful concepts is illustrated below.
Figure 1: Integrating CTI and RISK
Figure 1 includes many of the recognisable and established frameworks of CTI and risk management, but the presenters called out the OWASP Risk Rating Methodology as being the main intersectional model to combine risk and CTI analysis.
The nuanced presentation of Collier and Doyle gave a glimpse of their joint CTI-risk framework, detailed in full in their white paper Better Together: The Benefits of Integrating Cyber Threat Intelligence and Risk Management.
Analysing Technology Cyber-threats: A Novel Strategy
One of the best talks of the conference focused on a nuanced topic: Helping Organizations Anticipate and Approach Emerging Technology Threats. Natalie Kilber delivered a new analytical framework for assessing the true threat/risk from an emergent technology.
As an example, Kilber assessed NASA quantum-computing technology’s readiness in terms of data published about it (e.g. in academic peer-reviewed journals or as related to investments or patents), to accurately assess the overall validity of the risk the technology poses. In the quantum-computing case study, one of the main factors to consider is whether the threat is here now or still 20 years away.
Kilber’s clever and innovative framework is summarised below.
Figure 2: Kilber’s analysis framework
The way to interpret Kilber’s framework is as follows.
- Frame the issue to be considered, such as the threat/risk posed by quantum computing.
- Review any publications and activity related to the issue (as shown in column 3 of the table, e.g. venture capital investment in quantum computing).
- Map the evidence gathered in column 3 to the TRL ratings of column 2 to determine the maturity level shown in column 1.
This framework is useful for CTI specifically because of the inclusion of a Hype category in the Maturity Level column. So much of CTI is driven by hype and this talk delivered a clear framework to deconstruct this in a meaningful way.
The AI-CTI Relationship (It’s Complicated)
With no fewer than three talks dedicated to artificial intelligence, this was the dominant subject of the conference. Subjects varied broadly, from the engineering challenges of building an AI-based system to the objective value of large language models (such as ChatGPT) to the intelligence-analysis process.
What became apparent is that although there is an AI buzz within CTI, these are early days in terms of mainstream analysts using AI day to day. Here are the top three points we extracted from a full two hours of content and conversations on the subject:
- How we’re using AI: Considering how to use AI is largely about how you are using data in your CTI process: AI is good at jockeying data, so if you find your data and define the expectation for it, you’ve naturally established where you want your AI system and what you want it to do.
- Cyber-security (lest we forget): Given the scale of AI in terms of computing power, and other factors such as the volume of data required to develop trained models, AI is a very cloud-based technology. So security can be an issue, and very serious consideration should be given to preserving data security when using AI.
- Where is the tradecraft?: Deploying AI in a CTI process is partly an engineering challenge, but the technology’s success or failure will be based on how human CTI analysts go about using the tool. This tradecraft – and even an awareness that there is a need for CTI tradecraft regarding AI tools – seems lacking within the CTI community at this point.
All in all, the 2023 FIRST CTI Conference was a huge success, provocative and pioneering. Next year’s summit is likely to bring even more evidence of how the CTI field is progressing, especially as AI continues its rapid rise. See you next year!