Sharing, Compared Part 1: How and Why Do We Connect?
BLUF
- Cyber threat intelligence (CTI) practitioners consistently and strongly believe in the value of connecting with others for improved CTI outcomes - for themselves and others
- The overall amount of benefits realized from networking increased over previous years, with a steadfast focus on awareness of timely, new information
- All types of "content" (data, information, intelligence) are strongly valued, with raw data taking first place; emotional support is also critical for a subset of respondents
Background
Cyber threat intelligence (CTI) is an evolving field, with an industry-wide consensus that teams cannot effectively operate in an intelligence silo. All stakeholder segments – public, private, vendor, and academic – share this sentiment. In support of improved CTI sharing, stakeholders have invested in efforts around cross-boundary collaboration, technical standardization, managing trust, and reporting best practices. However, understanding the time and effort spent in CTI networking (i.e., connecting human-to-human for improved business outcomes) is often overlooked.
Earlier this year, I published the CTI Networking Report 2024, the sequel to my inaugural study from 2022. The research was produced from qualitative and quantitative survey insights from CTI practitioners, providing context around my core hypothesis:
CTI networking is an afterthought in practice, despite its demonstrated impact as a vital asset.
This blog series breaks down the report's key insights into bite-sized pieces. Part 1 covers the value of CTI networking: how and why individuals network. We revisit the perceived and demonstrated value of our efforts and the changes in behaviors and attitudes since the initial survey. I've included the report's data-driven insights and quotes from anonymous open-ended responses to add narrative context to the findings.
Making an Honest Effort To Get Ahead
So, why do CTI practitioners spend time and effort interacting with other people in the field when they have so much to do within their organization?
TL;DR: they see it as necessary to stay ahead of evolving threats.
The survey posed several opinion statements to assess overall sentiments on CTI networking:
The belief in CTI networking value persisted, compared to the previous survey. While responses were mixed on the ease of finding and balancing efforts (a question newly added this year), consensus remained on its importance at all levels and a desire to do more.
An Observed Boost in Benefits
What benefits do respondents get out of their CTI networking efforts? Rankings for CTI networking benefits remained similar to the previous survey, but the percentage of positive responses grew across all benefits. Respondents were most interested in networking to look ahead, ranking benefits like staying strategically aware, finding/vetting new sources, and taking proactive measures higher than operationalizing technologies and working on existing analyses.
"A sharing community provided more context to ongoing events. A peer relationship has provided attacker infrastructure that led to research analysis pivot."
Raw Data Top of Mind
When looking at what types of content CTI practitioners seek, what was most valued? “Raw Data” shifted into the lead for top valued content type, beating out Contextualized Information, Processed Intelligence, Advice & Opinions, Technical Support, and Emotional Support. Despite being first in value, the benefit of “getting valuable threat data” dropped from first to third – potentially highlighting a gap in what's sought after versus received.
"Common sharing group with trusted peers from my industry where we share ongoing campaigns and associated TTPs/IOCs."
"Working with individuals who publish feeds helps us build those on-the-ground relationships... [Working with] these parties... can help fix issues which benefits the community."
Getting Emotional
The ranking spread for all content types (e.g., Raw Data, Contextualized Information, Processed Intelligence, etc.) decreased this year, showcasing closer weighting of value across types.
While Emotional Support ultimately ranked low overall, it ranked #1 the most across all content types, resulting in a unique reverse bell curve. Respondents at smaller companies (fewer than 1,000 employees) and those working in cybersecurity vendors/services organizations ranked Emotional Support higher than other segments.
Conclusion
The findings from Part 1 of our CTI Networking Report 2024 blog series underscored the enduring significance of human-to-human connection within the cybersecurity threat intelligence landscape. Despite the demanding nature of CTI work, practitioners recognized the intrinsic value of networking, viewing it as essential for staying abreast of evolving threats and industry developments. Our study revealed a steadfast belief in its importance across all levels, with a growing realization of its benefits, including strategic awareness and the ability to address emerging threats. Moreover, the emphasis on emotional support highlighted the demanding requirements of CTI roles, signaling a desire for more holistic ways to engage beyond technical expertise.
As we delve deeper into the next part of the series, we'll investigate where this participation is happening, opportunities for improvement, and strategies to enhance the efficacy of CTI networking to contribute to defensive measures. Stay tuned for more insights!