The Hermeneutics of Cyber Threat Intelligence Part 3: Planning and Curation
What does a Greek god, a German philosopher, and a Museum Curator have to teach us about Cyber Threat Intelligence?
4 min read
Cherie Burgett : Oct 26, 2024 12:00:00 AM
Why? Three letters, one powerful question. We all ask why. Possibly the very first question you've ever asked anyone was, "Why?"
In cyber threat intelligence, what makes a good report? A good CTI report answers the "so what?": why is this important, and why are you writing to tell the reader about it? Answering these questions may seem obvious; however, for many it is not. Asking why should be one of the first questions you ask yourself as you begin your analysis.
From a cyber threat analyst's perspective, answering this simple question is the difference between sharing data and sharing intelligence. If you can articulate why the information is important to the person you are sharing it with, then you have just created finished intelligence. Conversely, if you cannot explain why this is important, you either have some work to do, or it is simply information, not finished intelligence.
This article is part 2 of a series of articles applying the hermeneutic interpretation methodology to the cybersecurity discipline of Cyber Threat Intelligence. This article will discuss the importance of asking and answering why. Be sure to read The Hermeneutics of Cyber Threat Intelligence Part 1: Tactical Briefings, where I introduced foundational concepts in hermeneutics, such as the hermeneutic circle, presuppositions, and assumed knowledge. There, I showed an example of how these principles can be applied in CTI to create finished intelligence in the form of a tactical briefing.
If you haven't yet read the first article and have not yet been introduced to hermeneutics: hermeneutics is a framework and methodology for interpreting written and spoken language. It was traditionally used to interpret religious texts and has more recently been applied to philosophy and law.
"Hermeneutics is philosophy in the original sense of the word, the love of wisdom, the search for as comprehensive an understanding of human existence as possible." (International Institute of Hermeneutics)
When I started writing part 1 of this series, it wasn't a series; it wasn't even about hermeneutics. The original topic was the use of AI in Cyber Threat Intelligence. I intended to describe how cyber intelligence providers are using Generative AI and LLMs to make CTI analysts' jobs easier and to caution about the unintended consequences of over-reliance on AI, such as the risk of overlooking context or human intuition in threat analysis.
Recently, while spending a lot of time contemplating and getting back to my roots, I was reminded of my early days attending Bible college at age 18. Hermeneutics was an eye-opening class; it was the first time I got to really dig in and gain understanding, see things in different contexts, learn more about history and culture to understand the intentions of the written text, and also how we can make use of that wisdom today. And it was there that I had that lightbulb aha moment. Hermeneutics is where I learned the skills needed to analyze information, skills we currently need to teach better in cybersecurity and CTI. But best of all, hermeneutics is teachable, and lucky for all of us, there is plenty of research and development into this framework: quite literally centuries of it.
The more we focus on AI, the more we need to focus on humanities. How can we expect AI to imitate thought processes if we don't understand how our minds work?
As I started digging deeper into the topic, I was surprised to see how many examples there were of hermeneutics applied to other disciplines. However, even more exciting to me is that several articles have been written about AI and hermeneutics within the past couple of years. I have to wonder why there is renewed interest. Perhaps this revival is due to a desire to get back to our roots and gain an understanding of our humanity now that so much focus is on artificial intelligence.
Before we examine the attackers' intentions, we should remember that their motives are not the only ones that matter. We must ask ourselves why we are doing this, what our motivations are, and what the objectives and intentions are of the people for whom we are creating this finished intelligence.
Examine your intentions first! Ask yourself the important why questions! Why do you do what you do?
I love working in Cyber Threat Intelligence because of the aha moments. When the lightbulb lights up in my mind and the dots connect for me, I get excited to share those ideas with others. It's seeing people light up when they learn something new or see something from a new perspective. That is what gets me out of bed in the morning and the reason I love what I do. I spend the time researching in order to share this intelligence with people, so that it makes a difference in what they do. We need to give them timely and critical information to focus their attention on, so they can use that information to protect themselves and their organizations from those who look to do us harm.
Culturally, we are conditioned not to state the obvious. "Thanks, Captain Obvious," or "Thanks tips," or the shortened version, "duh." Having the obvious pointed out to us makes us feel dumb. But feeling dumb is part of being human. The flipside is assuming that it is obvious to everyone or that, in the future, it will always be obvious.
Do not underestimate the power of stating the obvious
In my previous article, I touched on the principle of assumed knowledge: information we can assume people know before we communicate with them. However, we must also account for the gaps in their foreknowledge, such as details about tactics a threat actor may use, or terminology that might be unfamiliar to the audience. In situations where time is crucial, for example when keeping briefings brief, you do not want to overwhelm or confuse matters with too much information. Assumed knowledge is one thing; assumed analysis or interpretation is a completely different matter altogether. We cannot assume the reader will immediately make the same connections, if any at all. We have to assume that people are busy and their focus may be divided. If we are to get their attention, why should they pay attention to the information provided? We have to tell them why.
Knowing that AI will be used to read and summarize our reports, how much more important is it to clearly state the obvious in our finished intelligence reports?
I mentioned earlier that finished intelligence answers the "so what" at a minimum and should explain why this is important. Why should they pay attention, so they can take action? Why questions currently can't be answered by AI. Right now, artificial intelligence is still in its infancy and not yet capable of the higher reasoning skills needed to articulate why. Answering the why questions is what sets us apart from the machines. Include this question and its answer at the top of every threat bulletin you share or reshare. It requires more work; you have to slow down, think, and really analyze what this information means to you and to the person you are sharing it with. However, it is in this type of analysis that we create real and valuable threat intelligence.
My challenge to you is to ask why. Please share your thought-provoking why questions in the comments.
Follow me for more articles on Hermeneutics and Cyber Threat Intelligence. In part 3, I will discuss the planning and curation of cyber threat intelligence.