Threat Analyst Insights: How to Avoid Drowning in a Sea of Cybersecurity News
August 15, 2018 • Briana Manalo
Staying on top of the ever-evolving threat landscape can feel daunting for most security professionals. It seems as if there is a new threat actor, malware variant, or attack vector to stay ahead of almost every week, making it easy to feel overwhelmed by the sea of cyber news stories out there and lose sight of the research that actually matters to you.
As a junior threat intelligence analyst for Recorded Future’s Insikt Group, one of my responsibilities is to identify top trending cyber stories and determine which ones should be appropriately highlighted in our product with an Insikt Note. My colleagues and I then publish summaries for our customers accordingly.
Often, when I share the nature of my work with friends and acquaintances, I am asked questions like, “How do you sort through the noise?” and “What criteria are most important when prioritizing and crafting notes?”
Asking the Right Questions
Before working at Recorded Future, I taught elementary, middle, and high school students for three years right after graduating from college. As any young teacher will tell you, I quickly realized in my first year that it would take a lot more than neatly typed lesson plans and worksheets to help my students achieve the ambitious learning goals I wanted them to accomplish before the end of the school year.
Over time, I found that by focusing on the dialogue I had with students in the classroom, homing in on what they were curious or confused about, and then channeling what I learned from them into asking the right questions, I could guide my students into thinking concretely and clearly about the task or subject at hand.
The right questions hint at the answers before the answers become clear. They also help you stay focused while absorbing new information, providing a clear path to follow.
So, if you find yourself lost in a sea of cyber news, here are three distinct questions designed to help save you time and energy when evaluating each story you come across:
1. How does this impact me or my company?
Cybersecurity professionals constantly see articles referencing a new piece of malware, threat actor, or attack vector. Many tend to ask themselves some variation of the question, “What’s going on?” These may include, “Why should I care about this?” or, “Is my industry mentioned in this article?” or, “Why is my hair on fire?”
Of all such variations, the one I find helps me get the most out of a story is, “How does this impact me?”
Asking “how” instead of “what” helps you determine a realistic scenario, as opposed to the false ones that clickbait headlines so often suggest. Along the same lines, using the word “impact” forces you to think clearly about the consequences of an event and how near or far you are from the bullseye of the story’s target. If you bear a question like this in mind while reading a new story or report, you can more easily distinguish the important stories from the less important ones and determine a course of action.
2. Who’s writing about this and why?
Not all sources are created equal. While mainstream news can be an excellent way to hear about immediate happenings, established security vendors provide greater depth and more detailed analysis in both their paid and their freely available reports. Most importantly, security companies and researchers are much more likely to publish technical indicators (IP addresses, domains, file hashes, CVE IDs) alongside their report, and those indicators can be immediately actionable.
Additionally, individual security researchers are often eager to publish information ahead of others as a way of establishing their name in the field. No matter who published which findings first, it is ultimately those who provide truly actionable intelligence that end up proving to be the most helpful.
3. Can I do anything with this information today?
Threat intelligence isn’t intelligence unless it is actionable. At Recorded Future, that’s a saying we live by and a standard our customers have come to count on. If a story mentions an IP address, CVE, threat actor, malware, or virtually any term of interest, our customers know that they can take that term, plug it into their Recorded Future web-based instance, browser extension, or integrated SIEM, and see everything we are picking up on it across hundreds of thousands of sources. From three-month-old finished intelligence reports to today’s dark web mentions, we automate the manual aspects of threat research so that you can confidently say you took the best course of action with the resources you were given.
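As an added example (not code from the original post or from Recorded Future’s product), here is a small Python triage helper that applies question 3 to a news story: it extracts the CVE IDs and IPv4 addresses the text names, undoes the “defanged” forms vendor reports commonly use, drops non-routable addresses, and checks what remains against a local list of unpatched CVEs, watched network ranges, and industry keywords. The sample story, the placeholder CVE ID, the documentation-range IP addresses, and the watchlists are all constructed for the demo.

```python
"""Pull actionable terms out of a news story and check them against local context."""
import ipaddress
import re
from dataclasses import dataclass, field

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Vendor reports often "defang" addresses (203.0.113[.]25, hxxp://); undo that first.
DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}")

# Addresses that can never be an external C2 and only add noise.
# Documentation ranges (RFC 5737) are deliberately kept so the sample below works.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


@dataclass
class Triage:
    cves: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    cve_hits: set = field(default_factory=set)   # CVEs on our unpatched list
    ip_hits: set = field(default_factory=set)    # IPs inside networks we watch
    industry_match: bool = False
    verdict: str = "skim"


def refang(text):
    """Turn hxxp:// and bracketed dots back into their real form."""
    return DEFANG_RE.sub(".", text.replace("hxxp", "http"))


def extract_indicators(text):
    """Return (cves, ips) found in text, normalised and validated."""
    text = refang(text)
    cves = {m.upper() for m in CVE_RE.findall(text)}
    ips = set()
    for cand in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(cand)
        except ValueError:          # e.g. 999.10.10.10 matched the loose regex
            continue
        if not any(addr in net for net in NON_ROUTABLE):
            ips.add(str(addr))
    return cves, ips


def triage_story(text, unpatched_cves, watched_nets, industry_terms):
    """Score one story against local context and return a Triage record."""
    t = Triage()
    t.cves, t.ips = extract_indicators(text)
    t.cve_hits = t.cves & {c.upper() for c in unpatched_cves}
    nets = [ipaddress.ip_network(n) for n in watched_nets]
    t.ip_hits = {ip for ip in t.ips
                 if any(ipaddress.ip_address(ip) in net for net in nets)}
    lowered = text.lower()
    t.industry_match = any(term.lower() in lowered for term in industry_terms)
    if t.cve_hits or t.ip_hits:
        t.verdict = "act_today"     # question 3: something to do right now
    elif t.industry_match or t.cves or t.ips:
        t.verdict = "review"        # question 1: possibly in the blast radius
    return t


# Constructed sample story: the CVE ID is an impossible placeholder, the external
# IPs are from RFC 5737 documentation ranges, and "hospital" stands in for our industry.
SAMPLE_STORY = (
    "Researchers report active exploitation of cve-1234-5678 against hospital "
    "networks. Implants beaconed to 203.0.113[.]25 and 198.51.100.7 over "
    "hxxp://203.0.113[.]25/update, with lateral movement via 192.168.1.10 "
    "and a malformed address of 999.10.10.10 in one log line."
)

if __name__ == "__main__":
    result = triage_story(
        SAMPLE_STORY,
        unpatched_cves={"CVE-1234-5678"},      # hypothetical local patch backlog
        watched_nets=["203.0.113.0/24"],       # hypothetical ranges seen in proxy logs
        industry_terms={"hospital", "healthcare"},
    )
    print(result)
```

The verdict only reflects what your own context can tell you: “act_today” means a named CVE is still open in your environment or an address falls inside a range you watch, so there is a ticket or a log search to run now; “review” means the story touches your industry or carries indicators worth reading in full before deciding; “skim” is everything else.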
These are just some of the questions I use to help me remember what our customers need to see in our Insikt Notes. With these questions in mind, you may find it easier to navigate through today’s sea of cyber stories. Happy sailing!
You can start receiving more actionable threat intelligence from today’s top trending cyber stories, targeted industries, and more by subscribing to our free Cyber Daily newsletter.