I find it uncontroversial to claim that content creators – whether in writing, music, or other media – must at some level be aware of the needs and capabilities of their audience. While certain types of expression, such as the truly artistic, allow greater leeway to move against audience taste and understanding (while trying to push it forward), most others are built for a reason: to inform, to entertain, to describe. When the audience or intended target of the message is misunderstood or ignored, the result is a message that is less effective than it otherwise could be.
With this general idea presented, I assert that the cyber threat intelligence community in many cases does a terrible job of knowing and catering to the needs of its primary audience. Threat intelligence exists for a purpose: to inform and educate on attacks, adversaries, and techniques in order to build awareness and bolster defense for those engaged in security operations. When threat intelligence ignores or pays mere lip service to these goals in search of other, notionally “sexier” topics, the primary audience of threat intelligence – network owners and defenders – is ill-served. Furthermore, our community then builds (or cements) a reputation as so much “frictionless spinning in the void”, commenting on research and theoreticals divorced from actual, concrete experience and action.
Essentially, I have seen a lot of recent work across multiple firms that falls into one of several categories: glorified malware analysis reports masquerading as threat intelligence; technical research projects focusing on how information was collected and analyzed instead of on its context and meaning; and (most unfortunately, but also most rarely) reports consisting of so much technical “puffery” that they seem designed purely to solidify a Black Hat talk submission. I’ll ignore the last of these for this discussion, as I find exploration of the first two more interesting and meaningful.
First, in asserting that reports focusing on reverse engineering efforts or technical collection and analysis methods do not help the intended audience of threat intelligence, I am not stating that such reports are useless. They can still have much value – but only after recipients (who will in almost all cases be less technically proficient than the authors) distill the discussion of the RE process or other complex topics into actionable information (aside from the obligatory list of IOCs in the appendix – and you should already know how I feel about those). Essentially, the authors and analysts of these reports have created unnecessary friction for most of their audience, who must first work to understand the event described before they can act on it. This isn’t to say that threat intelligence consumers are stupid, but I will emphasize that the audience largely works in operations, has a day job, and is using these reports to guide and inform that day job within a limited amount of time. Essentially: the audience is NOT the community of threat intelligence researchers, but the larger community of SOC analysts, IR personnel, and higher-level decision-makers.
This last point is most illustrative and useful in diagnosing the problem. In many cases, I would argue that threat researchers are doing something quite natural: writing something they themselves find interesting and useful. The problem is that this is not the audience one must be concerned with. At the end of the day, one might get hurt feelings when the threat intelligence Twitter mafia comes down hard on a bad IDA screenshot or on a failure to outline how some aspect of the research was performed. But from an operational defender’s perspective, all of these considerations are not only unimportant, but irrelevant. While it would likely be beneficial for defenders and threat intelligence consumers to execute “due diligence” in ingesting data and results of third-party analysis (and undertake the time-consuming task of vetting that analysis independently), there is ultimately a level of trust (especially for paid products) that what’s provided is accurate – and over time, results and reputation will show whether this is the case.
By introducing friction or impediments to action, or in the worst cases completely ignoring the most critical parts of intelligence delivery (how do I spot this, how do I kill it, and how do I get rid of it), otherwise well-meaning and technically astute threat intelligence analysts do their customers and real audience a disservice. I believe this is completely unintentional, but nonetheless significant.
To correct this issue, organizations providing threat intelligence to clients must emphasize to their technical personnel exactly who they are writing for: operational defenders, not fellow researchers. This may seem simple, but just emphasizing this point (write for this person) may be enough to overcome the problem in many instances. More robust corrections include two separate actions: first, staffing threat intelligence shops with at least some operational personnel, instead of almost exclusively with reverse engineers and similar research personnel; and second, running reports through an organization’s own operations shop (if it provides SOC/IR services) or a trusted third party’s to vet them and provide feedback on their relevance to operational decisions. Finally, hiring and enabling good technical writers and dedicated intelligence analysts to take raw information and transform it into actual intelligence can, in organizations that can support such headcount, ensure a “filter” exists to communicate more effectively with the intended, desired audience.
Ultimately, I strongly believe that threat intelligence reports that do not devote significant time and attention to threat context, threat mitigation, and defense, but instead dwell largely in a technical, “in-the-weeds” overview of the attack, result in much wasted effort given what the intended, majority audience requires. As a researcher, I may want more myself – but in prior roles running operations, I simply did not have the time to care. The information that is superfluous in this case may be very valuable in certain contexts – within the community of technical and threat researchers – but it will not provide the most easily digestible, actionable information to security operations personnel. The described state of affairs is not the result of some maliciousness on the part of researchers or condescension towards security operations personnel, but rather of continued ignorance and lack of awareness of how threat intelligence can be used to assist day-to-day defense. Only by understanding and adopting this approach of defense-oriented research and reporting will threat researchers ensure that they provide the information most relevant to their clients, and best ensure their clients’ security moving forward.