Applying Improv Techniques to Threat Intelligence

Posted: 31st August 2018

Threat intelligence is no joke. And yet, a few lessons from improv comedy can help us become better practitioners of it. While improv and threat intelligence make for an unlikely alliance, I invite you to explore how the former can positively impact the latter — and how Recorded Future can help.

First, improv. As its name suggests, improv comedy is all about improvising. It’s about doing well with the unexpected and doing the seemingly impossible. As a threat intelligence practitioner, you need to be well versed in doing both. There are two principles of improv comedy that are as important for actors on a stage as they are for analysts in the trenches: accepting a new reality, and the principle of “Yes, and …”

Accepting a New Reality

Improv is nothing if not a continuous exercise in accepting a new reality. That reality comes from audience suggestions that serve as the basis of subsequent scenes. Improvisers can’t fight that new reality — they have to embrace it.

The same is true for threat intelligence practitioners. If something bad happens — a peer company is hit by a ransomware attack, or an exploit kit becomes available for a vulnerability that might impact your organization — you can’t wish that new reality away. You have to recognize it, accept it, and defend against it. Recorded Future can help you not only validate this new reality, but also better understand it.

Forming a More Complete Picture

The principle of “Yes, and …” is what makes improv what it is. The basic premise is that in improv comedy, the actors need to say, “Yes, and …” to any “yes” or “no” question they may face. Take, for example, the question, “Do you want to go fishing?” If an actor says, “No,” then the scene comes to an abrupt end. That’s no fun for the audience or the actors. If, however, an actor says, “Yes, and let’s fly a kite off the back of the boat to pass the time,” now we’re getting somewhere. This affirmation not only allows the scene to continue, but also introduces additional elements that make for a more complete picture.

And that’s exactly what Recorded Future does. The content provided by Recorded Future — be it a list of IOCs (indicators of compromise), threat actor profiles, exploit chatter on an underground forum, or something else — puts you, as an analyst, in the position not only to answer “yes” to a manager’s question about an incident but also to say, “… and here is all of the information available about it.” Boom. That type of response can make you a star — be it on stage or in a SOC (security operations center).

Practices to Consider

You may well be applying the principles of accepting a new reality and “Yes, and …” without even knowing it. If you are, keep it up! If not, I would encourage you to try out these improv anecdotes. They help instill and reinforce a confidence in handling any type of situation that may come your way, which helps you protect your organization as best as you can. Give it a shot — you may be surprised at how well these improv principles can improve your practice of threat intelligence.

David Peduto

David Peduto is the product support manager at Recorded Future. He’s a proud (although somewhat unexpected) graduate of the Improv Asylum’s training center in Boston, and co-founder of the Fletcher Improv Group at The Fletcher School of Law and Diplomacy, Tufts University.