
The Hermeneutics of Cyber Threat Intelligence Part 3: Planning and Curation


What do a Greek god, a German philosopher, and a museum curator have to teach us about cyber threat intelligence?

In Greek, hermeneus means translator or interpreter. In stories about Greek mythology, the name Hermes from the Iliad and Odyssey might come to mind. Hermes, son of Zeus, was the messenger between the gods on Mount Olympus and the mortals on Earth. His role was to interpret the gods' messages and translate them into something mortals could understand. Likewise, in cyber threat intelligence, the analyst's role is to interpret the information and data of threat actors and their activities into consumable intelligence the recipients can understand. This requires careful planning and curation.

This article is part 3 of the series on The Hermeneutics of Cyber Threat Intelligence. Be sure to read Part 1: Tactical Briefings and Part 2: Answering Why.

Planning Preparation

The first steps in planning require an understanding of the business objectives. Once you understand what your organization does, everything you do should be aligned with that. This involves research, site tours of the operations, talking to people in different roles and functions, and understanding the organizational goals, objectives, and values.

Asking The Right Questions

I always begin with questions, whether asked of me by our members, people I meet at conferences, or questions I ask myself that I would like to find the answers to. It is also good practice to introduce yourself to people within your organization to let them know you can research those burning questions that might keep them up at night. Ask them what a bad day would look like for them, and let them know that you are there to support them and find their answers.

Here is an example list of questions you should ask during the planning phase.

  • What are our most critical assets?
  • What threats are targeting our industry/sector?
  • What threat actors are most likely to target our organization, and what are their motives?
  • What are the emerging threats and tactics that threat actors are using?
  • Is our workforce prepared?
  • What sources and resources do we need to collect this information?


Gathering Intelligence from Different Sources (Fusion of Horizons)

The German philosopher Hans-Georg Gadamer describes a fusion of horizons as the process in which the members of a hermeneutical dialogue establish the broader context within which they come to a shared understanding.

You can only see as far as the horizon, only what is in your own viewpoint. But if you share your viewpoint with someone else, the two of you can create a larger picture. The more trusted parties in that picture, the broader the coverage, and the closer your shared viewpoints can come to creating an accurate model.

If you're interested in this theory, there is a fun animated video available on YouTube: "The Fusion of Horizons | An animated exploration of a concept by Gadamer".

This is why it is important to gather information from different sources and to share your work with others: it helps us build a better picture of the threat landscape. Many security companies still insist on hoarding intelligence, but that is how we put ourselves at a disadvantage to our attackers.

Curation

When I think of curation, I think of museum curators carefully selecting pieces and artifacts that tell a story so people can learn about the history of the people who created the piece and its origin, relevance, and importance. In cyber threat intelligence, curation is similar: it tells a story, includes the source and its relevance, and tells people why it is important. When selecting artifacts, reports, and articles to share with your organization, ask yourself, is this relevant? Can I explain why this is important? If not, your work is not done. You must be able to articulate why. Don’t leave the analysis up to someone else to figure out why you shared the piece.

A Note on Strategic Presuppositions

To presuppose something is to create a bias. It does not increase understanding, and little new knowledge can be learned. However, there is a time and place for this in CTI, for example, when attempting to persuade someone of something important. To support a new security policy or procedure or effect change within the organization, research can be done to draw supporting evidence to help the audience understand. I caution that this should be used sparingly and not represent the bulk of your deliverables.

The goal of a CTI analyst should be to understand what people within your organization need from you. Understand your industry and sector. Understand the motivations and behaviours of the threat actors so you can be a better interpreter for your organization. I like to keep an open mind and allow the data to reveal the story rather than have a predetermined message.

Critical Thinking vs Hermeneutics

Is hermeneutics just a fancy way of saying critical thinking? Why not just use critical thinking instead? Critical thinking is a part of hermeneutics, but it does not encompass the depth of how humans gain understanding. Today, I believe the term critical thinking is overused and has lost its meaning. Hermeneutics is more about how people gain understanding rather than how to think. Learning how people gain understanding makes you a better messenger and interpreter. It's about learning to think like an attacker, a board member, a CEO, a CFO, an IT support worker, a partner, a client, etc., trying to understand how the message would be received and what they need to know and understand, and then delivering it in the most effective format.

Sometimes, We Get it Wrong

Like Hermes, we sometimes get it wrong in our role as CTI messengers. Revisit your past reports, correct mistakes, collaborate, and share your work so we can create a fusion of horizons. Like the museum curator, keep them coming back to see what stories you have to tell them today.
