<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Threat Intelligence Academy</title>
	<atom:link href="https://www.threatintel.academy/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.threatintel.academy/</link>
	<description></description>
	<lastBuildDate>Thu, 25 May 2023 18:01:43 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://i0.wp.com/www.threatintel.academy/wp-content/uploads/2020/05/cropped-FAVICON-512x512-1.png?fit=32%2C32&#038;ssl=1</url>
	<title>Threat Intelligence Academy</title>
	<link>https://www.threatintel.academy/</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">177805935</site>	<item>
		<title>Starting and Growing a Cybersecurity Career</title>
		<link>https://www.threatintel.academy/start-grow-cybersecurity-career/</link>
		
		<dc:creator><![CDATA[Sergio Caltagirone]]></dc:creator>
		<pubDate>Thu, 25 May 2023 18:01:29 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Moderately Confident]]></category>
		<category><![CDATA[Webinar]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[job]]></category>
		<guid isPermaLink="false">https://www.threatintel.academy/?p=855</guid>

					<description><![CDATA[<p>*All content on this post was human-generated from 20 years of experience. Cybersecurity is a large field of study and practice.&#160; It can be daunting to start and grow a cybersecurity career. However, cybersecurity spans from extremely technical work to legal, policy, governance, and project management providing opportunities to almost everyone&#8217;s unique skills and talents.&#160; [&#8230;]</p>
<p>The post <a href="https://www.threatintel.academy/start-grow-cybersecurity-career/">Starting and Growing a Cybersecurity Career</a> appeared first on <a href="https://www.threatintel.academy">Threat Intelligence Academy</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="855" class="elementor elementor-855" data-elementor-post-type="post">
				<div class="elementor-element elementor-element-5d12a34 e-flex e-con-boxed e-con e-parent" data-id="5d12a34" data-element_type="container" data-e-type="container">
					<div class="e-con-inner">
				<div class="elementor-element elementor-element-e23ac59 elementor-widget elementor-widget-text-editor" data-id="e23ac59" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
									<p><em><strong>*All content on this post was human-generated from 20 years of experience.</strong></em></p>								</div>
					</div>
				</div>
				<section class="elementor-section elementor-top-section elementor-element elementor-element-307cb4b elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="307cb4b" data-element_type="section" data-e-type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f62e4c9" data-id="f62e4c9" data-element_type="column" data-e-type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-168e9f6 elementor-widget elementor-widget-text-editor" data-id="168e9f6" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
									<p>Cybersecurity is a large field of study and practice.  It can be daunting to start and grow a cybersecurity career. However, cybersecurity spans from extremely technical work to legal, policy, governance, and project management providing opportunities to almost everyone&#8217;s unique skills and talents.  Two areas of particular interest are the connected fields of digital forensics and threat intelligence.</p><p>After over 20 years practicing in the field and mentoring and hiring hundreds in the field, I&#8217;ll share some insights for those who want to grow in this area.  Maybe most importantly, I&#8217;ll share some &#8220;hidden&#8221; knowledge that is not widely discussed.</p>								</div>
					</div>
		</div>
					</div>
		</section>
		<div class="elementor-element elementor-element-12a159d e-flex e-con-boxed e-con e-parent" data-id="12a159d" data-element_type="container" data-e-type="container">
					<div class="e-con-inner">
				<div class="elementor-element elementor-element-ad7e2f1 elementor-widget elementor-widget-heading" data-id="ad7e2f1" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default">
					<h2 class="elementor-heading-title elementor-size-default">Training and Education</h2>				</div>
				<div class="elementor-element elementor-element-c4c138a elementor-widget elementor-widget-text-editor" data-id="c4c138a" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
									<p>Here is what you need to know: training, and education are not very important to managers &#8211; they&#8217;re nothing but proxies for experience.  Experience matters far more to hiring managers.  In fact, after 3-4 years in your cybersecurity career and with a well-written resume you could remove the education section from your resume and you&#8217;d be fine (I don&#8217;t recommend that, but use it as an illustrative point).</p><h3>Cybersecurity Certifications</h3><p>Cybersecurity certifications can be important for two reasons (1) you trying to break into a specialty or new to cybersecurity, (2) your job requires it.  Certifications can be a path to experience. Otherwise certification chasing is not going to dramatically improve your career over time.  In fact, you&#8217;ll find many professionals after 7-8 years start removing certifications from their resumes.  Instead take courses which develop specific knowledge skills or areas you need to improve.</p><h3>Traditional Education/Higher Education</h3><p>Unlike many other fields, traditional education matters less in a cybersecurity career. Degrees in cybersecurity are still not universal and alone don&#8217;t provide much context to your skills and abilities.  HOWEVER, many jobs will require a 2 or 4 year degree (of which I completely ethically disagree with) and therefore they may be a necessary ticket to getting some positions.</p><p>What I, as a hiring manager, actually do love are those with non-technical higher education degrees &#8211; philosophy, journalism, literature, history, psychology, politics, etc. Partnered with some technical knowledge these individuals are usually the most capable individuals I&#8217;ve ever hired.</p><p>Remember: it takes longer to learn how to communicate and think critically than it does to dissect a packet or a binary.</p><h3>Military Training</h3><p>Many cybersecurity experts came from the military.  This is very valuable experience.  It is not a golden ticket to cybersecurity however.  For many it comes down to their communication skill in explaining verbally and via their resume how their experience translates into a position.  However, it does provide a benefit to a cybersecurity career generally.</p><h3>Non Cyber/Technical Training</h3><p>Don&#8217;t forget about all of the other skills and abilities you need to rely on!  Writing, public speaking, critical thinking and analysis, PowerPoint slide development (I&#8217;m not even joking), business dinner etiquette.  Think more broadly about your skillset and you&#8217;ll find yourself even more marketable.</p>								</div>
					</div>
				</div>
		<div class="elementor-element elementor-element-851b7bd e-flex e-con-boxed e-con e-parent" data-id="851b7bd" data-element_type="container" data-e-type="container">
					<div class="e-con-inner">
				<div class="elementor-element elementor-element-2b12ce2 elementor-widget elementor-widget-heading" data-id="2b12ce2" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default">
					<h2 class="elementor-heading-title elementor-size-default">Starting a Cybersecurity Career</h2>				</div>
				<div class="elementor-element elementor-element-e872a12 elementor-widget elementor-widget-text-editor" data-id="e872a12" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
									<p>There is an old adage that your first job will determine your career more than other decision.  There is SOME truth to that &#8211; but most of that truth comes from the decisions we make rather than those which are made for us.</p><p>Cybersecurity is a relatively new profession.  Therefore, many of the &#8220;old adages&#8221; need not apply and you have more power and opportunity than you think you do.  Your first position in cybersecurity is only a small stepping stone. It isn&#8217;t insignificant but it isn&#8217;t the determining factor many think.  Therefore, at this point in your career focus on just getting a position that follows these general guidelines:</p><h3>First Cybersecurity Jobs: Where to Start?</h3><ul><li>Government cybersecurity positions.  Governments, ahead of most other employers, will provided and pay for training early in your career.  This is a great place to start.</li><li>Look for &#8220;operational&#8221; experience such as in incident response or security operations.  Even if your interests lie beyond that area, this experience will make you better in all areas of cybersecurity.</li><li>Look for positions in bigger organizations rather than smaller as they usually spend more money on training and employee development.</li><li>Ignore your first job title &#8211; focus instead of the job&#8217;s role and the experience you&#8217;re going to gain.</li><li>Get a position within a security division of an organization.  Not only will this help guarantee you&#8217;re going to the position you&#8217;re looking for but this will look better on your resume when you progress.</li><li>Paid internships are AMAZING. Unpaid internships are exploitation.</li></ul>								</div>
					</div>
				</div>
		<div class="elementor-element elementor-element-fb3026f e-flex e-con-boxed e-con e-parent" data-id="fb3026f" data-element_type="container" data-e-type="container">
					<div class="e-con-inner">
				<div class="elementor-element elementor-element-1949d3a elementor-widget elementor-widget-heading" data-id="1949d3a" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default">
					<h2 class="elementor-heading-title elementor-size-default">Applying for Positions</h2>				</div>
				<div class="elementor-element elementor-element-1ad2a95 elementor-widget elementor-widget-text-editor" data-id="1ad2a95" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
									<p>Applying for positions is a terrible thing. It&#8217;s impersonal, imperfect, and highly biased.  Here are some things I&#8217;ve noticed that can help you.</p><ul><li>Write a cover letter for positions you really want.  As a hiring manager this is my only chance to get to know you and you can tell me any story you want.</li><li>Focus on the EXPERIENCE and RESULTS on your resume.  Don&#8217;t tell me what you did but what happened because of it.  If you can&#8217;t do that on a resume I can&#8217;t trust you can explain the impact of your actions in your daily job.</li><li>Apply directly on a company site instead of a job board site.  In many cases these systems are not connected and many managers and HR people don&#8217;t look at the job boards often enough but those who directly apply get attention.</li><li>Positively interacting with people from your potential employer and hiring manager on social media can be very helpful &#8211; especially if you establish some sort of informal relationship well before you apply.</li><li>Use your social network &#8211; tell people you&#8217;re looking, have people ask others on your behalf.</li><li>Ask directly if they have an internship program which isn&#8217;t advertised (many companies do).</li></ul>								</div>
					</div>
				</div>
		<div class="elementor-element elementor-element-dc6700f e-flex e-con-boxed e-con e-parent" data-id="dc6700f" data-element_type="container" data-e-type="container">
					<div class="e-con-inner">
				<div class="elementor-element elementor-element-ed0eda0 elementor-widget elementor-widget-heading" data-id="ed0eda0" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default">
					<h2 class="elementor-heading-title elementor-size-default">Growing Your Cybersecurity Career</h2>				</div>
				<div class="elementor-element elementor-element-442277c elementor-widget elementor-widget-text-editor" data-id="442277c" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
									<p>A dirty secret in the cybersecurity community: where you work or have worked has more weight than what you did.  There are many reasons for this (none of them good or ethical) but it is important for those choosing a career path to understand the reality of the situation.  Therefore, choose your employer more critically than you choose your job.</p><p>Cybersecurity is ALWAYS changing &#8211; therefore, while many like to have a career path mapped out, many find the map expires after too long as the field changes.  Therefore, be flexible and creative in your career path.  There is no &#8220;one path&#8221; or &#8220;right path.&#8221;  That same note applies to general progression &#8211; in many cases you&#8217;ll need to explore a &#8216;lateral&#8217; position change to get tangential experience before you can move &#8216;vertically.&#8217;</p><p>Changing jobs (and employers) is critical to your cybersecurity career path. The quickest and most effective way to improve your career is to quit.  While this message is unfortunate I can&#8217;t help but give you the truth.  You should probably change employers every 3-5 years.  Leaving a position after less than a year is a &#8216;red flag&#8217; without an explanation, but in this industry anything more than a year is generally reasonable.</p><p>Another important element is communication and community.  It is important to write or contribute to blog posts.  Consider writing for an <a href="https://www.threatintel.academy/writing-your-first-journal-article-jtiir/">academic journal</a> at some point.  Write and distribute blog posts about things you learn.  Attend and present at conferences.  These are all important elements to growing your career and sharing knowledge with others.</p>								</div>
					</div>
				</div>
		<div class="elementor-element elementor-element-d24d2cc e-flex e-con-boxed e-con e-parent" data-id="d24d2cc" data-element_type="container" data-e-type="container">
					<div class="e-con-inner">
				<div class="elementor-element elementor-element-f3f321e elementor-widget elementor-widget-heading" data-id="f3f321e" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default">
					<h2 class="elementor-heading-title elementor-size-default">Career Progression</h2>				</div>
				<div class="elementor-element elementor-element-ee9eb0e elementor-widget elementor-widget-text-editor" data-id="ee9eb0e" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
									<p>While there is no formula or common consensus as to a standard career progression.  As a long-time manager here is what I&#8217;ve seen for individual roles across the industry.</p><ul><li>An internship should last 3-9 months possibly up to a year.  Internships are not guaranteed to turn into full-time employment nor should you expect that.  In fact, at the end of your internship I recommend you start applying to many positions so as to gauge your market worth before accepting the first position offered.  <strong>Never accept an unpaid internship. </strong>That is just exploiting you.  The cybersecurity domain has enough money to pay everyone working a reasonable salary.</li><li>You can expect to spend 1-2 years in an entry or associate position before either being promoted or (more likely) changing jobs into a full individual contributor role.</li><li>You can expect to spend another 2-3 years as an individual contributor before being promoted or (more likely) changing jobs into a senior role.</li><li>A senior individual contributor in cybersecurity should have expected 4-5 years in the field before being promoted to this level. Expect to be at the senior level for anywhere between 2-6 years depending on your specialty &#8211; a more unique and in-demand specialty will be promoted quicker usually.</li><li>It is usually at this level and time that professionals begin to consider whether they want to stay individual contributors or move into management. Being a great individual contributor is not an indicator as to how good of a manager you will be &#8211; these are radically different skill sets.  Therefore, find manager mentors and talk to them and have them evaluate both your management skills and your desires before selecting management.  Note: managers should not necessarily be compensated more than their employees.  Managers don&#8217;t carry any more responsibility or risk than any individual contributor &#8211; the skills and objectives are just different.  Furthermore, it is individual contributors rather than mangers that are usually terminated for performance and therefore carry higher risk overall.</li><li>A principal individual contributor in cybersecurity should have about 10 years or more in the field to reach this level.</li><li>Above principle are individual contributor titles like: lead, technical director, distinguished, expert, etc.  These levels are usually reached after 13-17 years in cybersecurity.</li></ul><p>For management roles, timelines are radically different because the skill sets necessary to be an effective manager are far different than those that make you successful in cybersecurity in general.</p>								</div>
					</div>
				</div>
		<div class="elementor-element elementor-element-fe13171 e-flex e-con-boxed e-con e-parent" data-id="fe13171" data-element_type="container" data-e-type="container">
					<div class="e-con-inner">
				<div class="elementor-element elementor-element-606a83e elementor-widget elementor-widget-heading" data-id="606a83e" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default">
					<h2 class="elementor-heading-title elementor-size-default">Selecting a Cybersecurity Specialty</h2>				</div>
				<div class="elementor-element elementor-element-f4423b0 elementor-widget elementor-widget-text-editor" data-id="f4423b0" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
									<p>At some point in your early cybersecurity career you should consider selecting a specialty.  I would recommend this about 3-5 years into your professional career.</p><p>Being in cybersecurity is like being an engineer or doctor in many ways.  There are some generalists but that isn&#8217;t how people succeed in these field.  Instead, you start your career in the general field but then you specialize.  In cybersecurity you can specialize in lots of topics. Plus, many topics are tangential which means these areas can give you latitude to float across them more easily.</p><p>Most importantly, you&#8217;re not stuck in a specialty!!  All you need to do is follow the advice below to start a new specialty when you want.  Like medicine and engineering, many fundamentals transfer across specialties which will make transitioning easier.</p><p>Some cybersecurity specialties include: compliance, governance, security operations, incident response, threat intelligence, digital forensics, architecture design, security product development or management, secure coding and development, malware analysis, law and policy, etc.</p><p>You &#8216;select&#8217; a specialty in three ways:</p><ul><li>Gain experience, knowledge, or education in that specific area</li><li>Get a mentor that also specializes in that area</li><li>Contribute to communities of that specialty</li><li>&#8216;Advertise&#8217; your specialty: rewrite your resume focusing on your experiences in that area, modify your social media presence around that area, create content like blogging around that area</li><li>Lastly, get a job focused on that specialty (using your mentor and communities you&#8217;ve built in previous steps)</li></ul>								</div>
					</div>
				</div>
		<div class="elementor-element elementor-element-cae1c58 e-flex e-con-boxed e-con e-parent" data-id="cae1c58" data-element_type="container" data-e-type="container">
					<div class="e-con-inner">
				<div class="elementor-element elementor-element-b69da0b elementor-widget elementor-widget-heading" data-id="b69da0b" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default">
					<h2 class="elementor-heading-title elementor-size-default">Mental Health</h2>				</div>
				<div class="elementor-element elementor-element-72239e8 elementor-widget elementor-widget-text-editor" data-id="72239e8" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
									<p>I&#8217;ve been very open with my burnout, stress, and anxiety challenges.  <a href="https://www.activeresponse.org/chronic-stress-and-a-life-how-stress-almost-killed-me/">Read More</a>.</p><p>Remember, you are not your job.  Your value is not determined by your work or your employer.</p><p>Try not to carry the world.  Yes, you want a job that makes a difference. Cybersecurity is important, worthy, and an honorable field.  But, don&#8217;t give more than is reasonable. You are your best advocate, fight for yourself.  It&#8217;s okay for a job to be a job and not a &#8220;passion&#8221; or &#8220;what you love.&#8221;  </p>								</div>
					</div>
				</div>
		<div class="elementor-element elementor-element-99fe7c6 e-flex e-con-boxed e-con e-parent" data-id="99fe7c6" data-element_type="container" data-e-type="container">
					<div class="e-con-inner">
				<div class="elementor-element elementor-element-a06cee2 elementor-widget elementor-widget-heading" data-id="a06cee2" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default">
					<h2 class="elementor-heading-title elementor-size-default">Some Things That Helped Me</h2>				</div>
				<div class="elementor-element elementor-element-81d7e8b elementor-widget elementor-widget-text-editor" data-id="81d7e8b" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
									<p>A common question I get regularly is: what helped you achieve success in your career? Let me answer that here.</p><ul><li>Communication. More than any other skill, my time spent learning how to write and present to a variety of audiences is the most important skill I have.  It doesn&#8217;t matter how good your ideas are, if you cannot communicate them they don&#8217;t matter much.</li><li>Friendship, Honesty, and Community.  I only leave friends behind wherever I go.  I reach out to learn from others.  I&#8217;m an introvert, this isn&#8217;t easy, so when I feel myself wanting to shrink back is when I give myself the push to be more outgoing.</li><li>Analysis. The ability to collect, research, and explore data and ask the right questions to efficiently get to actionable results. One of my greatest teachers was were studies in theology which taught me effective textual and literary analysis techniques &#8211; how to find clues and contextual information in obscure and ancient writings.</li><li>Give Help and Ask for Help.  Nobody lives in a vacuum and it is only together that we thrive. When someone asks for help you should try to give it.  And in turn, you should not be ashamed to ask for help.</li></ul>								</div>
					</div>
				</div>
				<section class="elementor-section elementor-top-section elementor-element elementor-element-14ed71b elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="14ed71b" data-element_type="section" data-e-type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-43494f7" data-id="43494f7" data-element_type="column" data-e-type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-41a677d elementor-widget elementor-widget-heading" data-id="41a677d" data-element_type="widget" data-e-type="widget" data-widget_type="heading.default">
					<h2 class="elementor-heading-title elementor-size-default">Watch the Webinar</h2>				</div>
				<div class="elementor-element elementor-element-1298459 elementor-widget elementor-widget-video" data-id="1298459" data-element_type="widget" data-e-type="widget" data-settings="{&quot;youtube_url&quot;:&quot;https:\/\/www.youtube.com\/watch?v=pykva0sI6u8&quot;,&quot;video_type&quot;:&quot;youtube&quot;,&quot;controls&quot;:&quot;yes&quot;}" data-widget_type="video.default">
							<div class="elementor-wrapper elementor-open-inline">
			<div class="elementor-video"></div>		</div>
						</div>
					</div>
		</div>
					</div>
		</section>
				</div>
		<p>The post <a href="https://www.threatintel.academy/start-grow-cybersecurity-career/">Starting and Growing a Cybersecurity Career</a> appeared first on <a href="https://www.threatintel.academy">Threat Intelligence Academy</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">855</post-id>	</item>
		<item>
		<title>ChatGPT, Artificial Intelligence, and Cyber Threat Intelligence: a moment in time</title>
		<link>https://www.threatintel.academy/chatgpt-threat-intelligence/</link>
		
		<dc:creator><![CDATA[Sergio Caltagirone]]></dc:creator>
		<pubDate>Fri, 03 Feb 2023 17:29:22 +0000</pubDate>
				<category><![CDATA[Moderately Confident]]></category>
		<category><![CDATA[chatgpt]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://www.threatintel.academy/?p=807</guid>

					<description><![CDATA[<p>It is safe to say that the Chat GPT function from OpenAI has created a firestorm of conversation about the applications of artificial intelligence (AI) in knowledge work and scholarship, which includes cyber threat intelligence.&#160; Can ChatGPT really replace the thought and knowledge work done by many people? That question is outstanding and I cannot [&#8230;]</p>
<p>The post <a href="https://www.threatintel.academy/chatgpt-threat-intelligence/">ChatGPT, Artificial Intelligence, and Cyber Threat Intelligence: a moment in time</a> appeared first on <a href="https://www.threatintel.academy">Threat Intelligence Academy</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="807" class="elementor elementor-807" data-elementor-post-type="post">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-87138b7 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="87138b7" data-element_type="section" data-e-type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-01dce92" data-id="01dce92" data-element_type="column" data-e-type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-3d7aac3 elementor-widget elementor-widget-text-editor" data-id="3d7aac3" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
									<p>It is safe to say that the <a href="https://openai.com/blog/chatgpt/">Chat GPT</a> function from <a href="https://openai.com/">OpenAI</a> has created a firestorm of conversation about the applications of artificial intelligence (AI) in knowledge work and scholarship, which includes cyber threat intelligence.&nbsp; Can ChatGPT really replace the thought and knowledge work done by many people? That question is outstanding and I cannot answer, nor can anyone yet with any certainty.&nbsp;</p>
<p>But, it&#8217;s application to various topics, including cyber threat intelligence, is in question &#8211; and by proxy, it&#8217;s impact on those topics.</p>
<p>So, let me provide some perspective after 20 years of cyber threat intelligence AND having employed artificial intelligence and machine learning in this space for the last 10 years at least.</p>
<p>Before we pass any judgements, we must be clear of which we are speaking.&nbsp; Chat GPT is a &#8216;chat bot,&#8217; a simulated human chat client.&nbsp; Its role is not of &#8216;knowledge maker.&#8217;&nbsp; While it is impressive as to what it can produce, there is no question that using this particular AI for larger &#8216;knowledge making&#8217; applications would be a mistaken application of this technology.&nbsp; AI models are very specific to their function and expected output.&nbsp; When used outside those applications there are many well-known errors.&nbsp; You wouldn&#8217;t use a self-driving application to write a historical essay.</p>
<p><strong>So, my first point is</strong>: using ChatGPT in the production of threat intelligence would be a misapplication of this specific technology implementation. ChatGPT is a &#8216;chat bot&#8217; designed and engineered to simulate human conversation and interaction.&nbsp; It was not built as a &#8216;expert system&#8217; which the type of AI and ML would need to be to &#8216;speak more authoritatively&#8217; on a subject.&nbsp; The output of ChatGPT sounds authoritative not because of its ability to analyze knowledge but because it uses short declarative sentences in active voice as we normally do in conversation. Unfortunately, when we communicate knowledge, we also use short declarative sentences in active voice.&nbsp; Do not confuse sentence syntax with knowledge.</p>
<p><strong>My second point is</strong>: machine learning and artificial intelligence implementations are <a href="https://freecontent.manning.com/the-threat-of-learning-beyond-the-intended-purpose/">ripe for adversarial interference</a>. Its actually very easy, without defense mechanisms, for humans to influence AI and ML models to produce incorrect output (both intentionally and unintentionally).&nbsp; Therefore, without verifiable defense mechanisms against adversarial environments (and verified inputs for which it learns), one should not trust the output of AI and ML. <a href="https://www.nist.gov/news-events/news/2022/03/theres-more-ai-bias-biased-data-nist-report-highlights">See research on bias in AI</a>.</p>
<p><b>My third point is</b>: that it is important that for intelligence to be accurate not only must its output be critically examined, but so must the mental processes by which it is produced.&nbsp; ChatGPT is a &#8216;blackbox&#8217; meaning that its full analytic process is designed to be hidden from the user.&nbsp; In fact, without all the facts I would argue that ChatGPT likely uses significant amounts of &#8216;fuzzy logic&#8217; and other probabilistic and predictive approaches which inhibit the ability to question its logic.&nbsp; This means that we cannot actually verify ChatGPT used appropriate structured techniques, strong hypothetical generation and testing, and bias reduction that we require to produce good intelligence.</p>
<p><b>My fourth and last point is:</b> ChatGPT is not secure (as are most &#8216;community ML&#8217; programs).&nbsp; It learns from the input of its users.&nbsp; All of your input to ChatGPT are also sent back to the company to build better algorithms.&nbsp; Therefore, with the sensitivity of many cyber threat intelligence topics, I would recommend against sending the ChatGPT engine any sensitive content or questions.</p>
<p><strong>Therefore, it would be a mistake for intelligence analysts and producers to leverage ChatGPT in anyway in their work until these questions can be addressed effectively.</strong></p>
<p>This is not due to any fear of AI but simply because of the issues I&#8217;ve described above and their criticality to the production of quality intelligence.&nbsp; Machine learning and artificial intelligence can be leveraged in a threat intelligence processes, but it must address the issues I&#8217;ve outlined first.</p>								</div>
					</div>
		</div>
					</div>
		</section>
				</div>
		<p>The post <a href="https://www.threatintel.academy/chatgpt-threat-intelligence/">ChatGPT, Artificial Intelligence, and Cyber Threat Intelligence: a moment in time</a> appeared first on <a href="https://www.threatintel.academy">Threat Intelligence Academy</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">807</post-id>	</item>
		<item>
		<title>CART: The 4 Qualities of Good Threat Intelligence</title>
		<link>https://www.threatintel.academy/cart-threat-intelligence-quality/</link>
		
		<dc:creator><![CDATA[Sergio Caltagirone]]></dc:creator>
		<pubDate>Mon, 31 Oct 2022 14:02:46 +0000</pubDate>
				<category><![CDATA[Moderately Confident]]></category>
		<guid isPermaLink="false">https://www.threatintel.academy/?p=714</guid>

					<description><![CDATA[<p>I write often of&#160;poor quality&#160;threat intelligence which pervades the security community.&#160; Poor quality threat intelligence not only has a&#160;heavy cost&#160;on its consumers,&#160;it also&#160;threatens the confidence threat intelligence consumers place in their providers.&#160; Confidence is the cornerstone of threat intelligence.&#160; Nobody will take intelligence from an untrustworthy source and act – at least they shouldn’t.&#160; It [&#8230;]</p>
<p>The post <a href="https://www.threatintel.academy/cart-threat-intelligence-quality/">CART: The 4 Qualities of Good Threat Intelligence</a> appeared first on <a href="https://www.threatintel.academy">Threat Intelligence Academy</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="714" class="elementor elementor-714" data-elementor-post-type="post">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-34daaa2 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="34daaa2" data-element_type="section" data-e-type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-96aeee6" data-id="96aeee6" data-element_type="column" data-e-type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-4d8ef1e elementor-widget elementor-widget-text-editor" data-id="4d8ef1e" data-element_type="widget" data-e-type="widget" data-widget_type="text-editor.default">
									<p style="overflow-wrap: break-word; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding: 0px; border: 0px; font-size: 17.85px; line-height: 1.7; font-family: Georgia, serif; color: #111111;">I write often of <a style="overflow-wrap: break-word; color: #ca2017; text-decoration-line: underline; transition: all 0.1s ease-in-out 0s;" href="http://www.activeresponse.org/15-things-wrong-with-todays-threat-intelligence-reporting/">poor quality </a>threat intelligence which pervades the security community.  Poor quality threat intelligence not only has a <a style="overflow-wrap: break-word; color: #ca2017; text-decoration-line: underline; transition: all 0.1s ease-in-out 0s;" href="http://www.activeresponse.org/the-cost-of-bad-threat-intelligence/">heavy cost </a>on its consumers, it also threatens the confidence threat intelligence consumers place in their providers.  Confidence is the cornerstone of threat intelligence.  Nobody will take intelligence from an untrustworthy source and act – at least they shouldn’t.  It is important that the producer and consumer trust each other.  That trust needs to be based on transparency and verification.</p><p style="overflow-wrap: break-word; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding: 0px; border: 0px; font-size: 17.85px; line-height: 1.7; font-family: Georgia, serif; color: #111111;">However, how does one appropriately assess threat intelligence?  The first step must be to identify the qualities which define “good” threat intelligence.  However, these are not binary qualities – there is a clear gradient based on use case.  Timeliness is a good example of this gradient as some intelligence (likely more strategic) has a more fluid timeliness requirement while tactical threat intelligence has stricter requirements.</p><p style="overflow-wrap: break-word; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding: 0px; border: 0px; font-size: 17.85px; line-height: 1.7; font-family: Georgia, serif; color: #111111;">Further, one single threat intelligence source will not likely be able to satisfy all qualities simultaneously.  For instance, it is unlikely any one provider will have complete visibility across <a style="overflow-wrap: break-word; color: #ca2017; text-decoration-line: underline; transition: all 0.1s ease-in-out 0s;" href="https://www.threatintel.academy/diamond/">Diamond</a> elements or <a style="overflow-wrap: break-word; color: #ca2017; text-decoration-line: underline; transition: all 0.1s ease-in-out 0s;" href="http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf">Kill Chain </a>phases and consumers will have to rely on more than one to achieve satisfactory completeness.</p><p style="overflow-wrap: break-word; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding: 0px; border: 0px; font-size: 17.85px; line-height: 1.7; font-family: Georgia, serif; color: #111111;">The four qualities are (CART): <strong style="overflow-wrap: break-word;">C</strong>ompleteness, <strong style="overflow-wrap: break-word;">A</strong>ccuracy, <strong style="overflow-wrap: break-word;">R</strong>elevance, and <strong style="overflow-wrap: break-word;">T</strong>imeliness.</p><h2 style="overflow-wrap: break-word; margin: 50px 0px 25px; padding: 0px; border: 0px; font-size: 1.5em; line-height: 29.4525px; font-family: 'Playfair Display', Georgia, serif; font-weight: bold; color: #111111;"><strong style="overflow-wrap: break-word;">Completeness</strong></h2><p style="overflow-wrap: break-word; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding: 0px; border: 0px; font-size: 17.85px; line-height: 1.7; font-family: Georgia, serif; color: #111111;">Threat intelligence must be sufficiently complete to provide effective detection and (hopefully) prevention.  For instance, providing a domain indicator used in the exploitation of only one victim is not sufficient for other victims and therefore the intelligence is effectively incomplete and unhelpful.</p><h2 style="overflow-wrap: break-word; margin: 50px 0px 25px; padding: 0px; border: 0px; font-size: 1.5em; line-height: 29.4525px; font-family: 'Playfair Display', Georgia, serif; font-weight: bold; color: #111111;"><strong style="overflow-wrap: break-word;">Accuracy</strong></h2><p style="overflow-wrap: break-word; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding: 0px; border: 0px; font-size: 17.85px; line-height: 1.7; font-family: Georgia, serif; color: #111111;">Threat intelligence must save organizations more in success than it costs them in errors and mistakes.</p><h2 style="overflow-wrap: break-word; margin: 50px 0px 25px; padding: 0px; border: 0px; font-size: 1.5em; line-height: 29.4525px; font-family: 'Playfair Display', Georgia, serif; font-weight: bold; color: #111111;"><strong style="overflow-wrap: break-word;">Relevance</strong></h2><p style="overflow-wrap: break-word; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding: 0px; border: 0px; font-size: 17.85px; line-height: 1.7; font-family: Georgia, serif; color: #111111;">Threat intelligence must address a threat to the organization in a method that allows for effective action.  Intelligence addressing threats not faced by the organization is of no value.  Further, intelligence delivered in a type or method not usable by the organization is also unhelpful.</p><h2 style="overflow-wrap: break-word; margin: 50px 0px 25px; padding: 0px; border: 0px; font-size: 1.5em; line-height: 29.4525px; font-family: 'Playfair Display', Georgia, serif; color: #111111;"><span style="overflow-wrap: break-word;"><b>Timeliness</b></span></h2><p style="overflow-wrap: break-word; margin-right: 0px; margin-bottom: 1.5em; margin-left: 0px; padding: 0px; border: 0px; font-size: 17.85px; line-height: 1.7; font-family: Georgia, serif; color: #111111;"><span style="overflow-wrap: break-word;" xml:lang="EN-US">Threat intelligence must be received and operationalized fast enough to make an impact</span><span style="overflow-wrap: break-word;"> more valuable than the cost of the threat intelligence itself.</span></p>								</div>
					</div>
		</div>
					</div>
		</section>
				</div>
		<p>The post <a href="https://www.threatintel.academy/cart-threat-intelligence-quality/">CART: The 4 Qualities of Good Threat Intelligence</a> appeared first on <a href="https://www.threatintel.academy">Threat Intelligence Academy</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">714</post-id>	</item>
		<item>
		<title>Intelligence or Marketing? Which is it and how to tell using the ADEPT model</title>
		<link>https://www.threatintel.academy/intelligence-or-marketing/</link>
		
		<dc:creator><![CDATA[Sergio Caltagirone]]></dc:creator>
		<pubDate>Sun, 05 Jun 2022 14:26:24 +0000</pubDate>
				<category><![CDATA[Moderately Confident]]></category>
		<guid isPermaLink="false">https://www.threatintel.academy/?p=681</guid>

					<description><![CDATA[<p>It is common to ask whether a blog or whitepaper by a cybersecurity company is marketing FUD (fear, uncertainty, doubt) or valuable threat intelligence. Funding bias is a real issue. Particularly in funded research studies. Funding bias (or sponsorship bias) is more subtle in cyber threat intelligence because private cybersecurity companies rely on customers to [&#8230;]</p>
<p>The post <a href="https://www.threatintel.academy/intelligence-or-marketing/">Intelligence or Marketing? Which is it and how to tell using the ADEPT model</a> appeared first on <a href="https://www.threatintel.academy">Threat Intelligence Academy</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="has-text-align-justify wp-block-paragraph">It is common to ask whether a blog or whitepaper by a cybersecurity company is marketing FUD (fear, uncertainty, doubt) or valuable threat intelligence. <a href="https://en.wikipedia.org/wiki/Funding_bias" target="_blank" rel="noreferrer noopener">Funding bias</a> is a real issue. Particularly in funded research studies.  Funding bias (or sponsorship bias) is more subtle in cyber threat intelligence because private cybersecurity companies rely on customers to stay in business and employ their staff. It is common for companies to use threat intelligence as a component of marketing. Let&#8217;s first put this to rest: on principle this is not wrong.</p>



<p class="has-text-align-justify wp-block-paragraph">The real issue for customers, readers, users, analysts, etc. is to find out if a company&#8217;s &#8216;intelligence&#8217; posting has actual intelligence value or whether it is intelligence disguised as a marketing or sales generator.</p>



<p class="has-text-align-justify wp-block-paragraph">In my 20 years of experience with years of working alongside marketing and sales while managing and operating intelligence teams, I have some unique insight into this problem. It&#8217;s not easy and it&#8217;s always a balance. On one hand, you want to publish the absolute best intelligence possible AND you want everyone to know about it &#8211; this is where marketing and sales comes in.  The more people know about useful intelligence the more useful it becomes.  We cannot ignore that unique value proposition to cyber defense.  On the other hand, I want to stay employed and continue to employ others doing great work &#8211; and we need sales and marketing support to do that. Cyber threat intelligence at scale cannot be a volunteer effort, and as we should expect to pay people for their time and skills, we should expect intelligence analysts to get paid as well.</p>



<p class="has-text-align-justify wp-block-paragraph">Therefore, every public release of intelligence from a private company is necessarily part of sales and marketing &#8211; even if unintentional. But, it&#8217;s not binary either, as every public intelligence release is neither &#8220;only sales&#8221; nor &#8220;only intelligence.&#8221; So, we need to find a way to distinguish when a piece of content is more marketing or more intelligence.</p>



<p class="has-text-align-justify wp-block-paragraph">I&#8217;ve developed this simple rubric that I use daily in both the production of intel (to prevent falling into traps) as well as the consumption of intel (to help quickly identify useful intelligence).</p>



<p class="wp-block-paragraph">This rubric I call the <strong><span style="text-decoration: underline;">ADEPT Model</span></strong> to evaluate threat intelligence and marketing.</p>



<p class="has-text-align-justify wp-block-paragraph">It is very simple. The ADEPT model has five elements: Avoidance, Defenses, Emphasis, Pitch, and Technicality.  Every piece of public threat intelligence content can be evaluated on whether it has the element or not: giving it a 1 or 0 score for that element.  Simply add up all the points across the five elements and the more ADEPT (points) a piece of content receives the more intelligence value it <em>likely</em> contains. As an analyst I must always preface that all models are bad, but some are useful.  I also consider this model terrible, but at the same time useful 🙂</p>



<h2 class="wp-block-heading">The 5 ADEPT Elements</h2>



<ul class="wp-block-list"><li><strong>Avoids</strong> mentioning product categories, product names, or buzzwords: words like ‘orchestration’ or other buzzwords in threat intelligence is inappropriate.</li><li><strong>Defenses</strong> a reader can take themselves regardless of product: good intelligence will always provide useful defensive action regardless of product.</li><li><strong>Emphasis</strong> on the activity, instead of the product responsible for finding it: most marketing will focus on the business case, while intelligence will focus on the activity.</li><li><strong>Pitch </strong>for a product or service is left to the end: businesses must pitch their products or services, but these must be at the end or clearly differentiated from the intelligence.</li><li><strong>Technically</strong> competent material: while threat intelligence should try to avoid ‘jargon’ it won’t hide from accuracy.</li></ul>



<h2 class="wp-block-heading">ADEPT Example: Intelligence vs Marketing</h2>



<figure class="wp-block-image size-large"><img data-recalc-dims="1" loading="lazy" decoding="async" width="800" height="450" loading="lazy" src="https://i0.wp.com/www.threatintel.academy/wp-content/uploads/2022/06/ADEPT_Example.png?resize=800%2C450&#038;ssl=1" alt="Using the ADEPT model we can evaluate this and other public cyber threat intelligence content to determine its value as marketing vs intelligence." class="wp-image-683" srcset="https://i0.wp.com/www.threatintel.academy/wp-content/uploads/2022/06/ADEPT_Example.png?resize=1024%2C576&amp;ssl=1 1024w, https://i0.wp.com/www.threatintel.academy/wp-content/uploads/2022/06/ADEPT_Example.png?resize=300%2C169&amp;ssl=1 300w, https://i0.wp.com/www.threatintel.academy/wp-content/uploads/2022/06/ADEPT_Example.png?resize=768%2C432&amp;ssl=1 768w, https://i0.wp.com/www.threatintel.academy/wp-content/uploads/2022/06/ADEPT_Example.png?w=1280&amp;ssl=1 1280w" sizes="auto, (max-width: 800px) 100vw, 800px" /></figure>



<p class="wp-block-paragraph">Learn ADEPT and the whole practice of <a href="https://school.threatintel.academy/courses/cti">Cyber Threat Intelligence</a> here at the Threat Intelligence Academy! (see what I did there?)</p>
<p>The post <a href="https://www.threatintel.academy/intelligence-or-marketing/">Intelligence or Marketing? Which is it and how to tell using the ADEPT model</a> appeared first on <a href="https://www.threatintel.academy">Threat Intelligence Academy</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">681</post-id>	</item>
		<item>
		<title>Writing Your First Journal Article and Submitting to the Journal of Threat Intelligence and Incident Response</title>
		<link>https://www.threatintel.academy/writing-your-first-journal-article-jtiir/</link>
		
		<dc:creator><![CDATA[Sergio Caltagirone]]></dc:creator>
		<pubDate>Fri, 04 Mar 2022 20:53:33 +0000</pubDate>
				<category><![CDATA[Moderately Confident]]></category>
		<category><![CDATA[Journal]]></category>
		<category><![CDATA[JTIIR]]></category>
		<category><![CDATA[Writing]]></category>
		<guid isPermaLink="false">https://www.threatintel.academy/?p=655</guid>

					<description><![CDATA[<p>The Journal of Threat Intelligence and Incident Response focuses on topics, lessons, and knowledge of immediate practical value to practitioners in these fields.&#160; What does that mean? It means the editors are looking for knowledge that has worked for you or your organization in finding, tracking, remediating, and understanding cyber threats. MOST cybersecurity professionals have [&#8230;]</p>
<p>The post <a href="https://www.threatintel.academy/writing-your-first-journal-article-jtiir/">Writing Your First Journal Article and Submitting to the Journal of Threat Intelligence and Incident Response</a> appeared first on <a href="https://www.threatintel.academy">Threat Intelligence Academy</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">The Journal of Threat Intelligence and Incident Response focuses on topics, lessons, and knowledge of immediate practical value to practitioners in these fields.&nbsp; What does that mean? It means the editors are looking for knowledge that has worked for you or your organization in finding, tracking, remediating, and understanding cyber threats.</p>



<p class="wp-block-paragraph">MOST cybersecurity professionals have never submitted a journal article in their career.&nbsp; This means for most, the idea of submitting a journal article may be new or even a bit frightening.&nbsp; Second, journals have historically been known and understood only in the most privileged environments and circles leaving many individuals behind and left-out of contributing through this mechanism.</p>



<p class="wp-block-paragraph">So, considering all that I wanted to create a short page on demystifying the process and reduce some stress about what this is about.</p>



<p class="wp-block-paragraph">Also, read this JTIIR <strong><a href="https://www.threatintel.academy/jtiir/">Quick Start</a></strong>.</p>



<h2 class="wp-block-heading">Am I, or Is This Idea, Good Enough for a Journal?</h2>



<p class="wp-block-paragraph"><strong>“Our doubts are traitors, and make us lose the good we oft might win, by fearing to attempt.” – William Shakespeare</strong></p>



<p class="wp-block-paragraph">First, stop asking if you or your ideas are good enough. They are. In the progress of <strong><em>everyone’s career</em></strong> we solve a problem that others want to know “how did you do/know that?!”&nbsp; That’s it.&nbsp; It’s good enough. &#x1f60a; The purpose of this Journal is to capture, propagate, and archive all those improvements we’ve all made so the community can build on those to everyone’s benefit.</p>



<p class="wp-block-paragraph">This means we’re looking for content applicable to ALL professional levels.&nbsp; Your idea is not “too basic” for submission.</p>



<p class="wp-block-paragraph">Check the <strong><a href="https://digitalcommons.calpoly.edu/jtiir/">Topics of Interest</a></strong> page to make sure your idea is relevant to the purpose of the journal.</p>



<h2 class="wp-block-heading">Where To Get Ideas?</h2>



<p class="wp-block-paragraph">Another question I normally get: where do I get an idea to submit?</p>



<p class="wp-block-paragraph">Have you written a blog or whitepaper, presented a webinar, recorded a video, submitted or presented at a conference?&nbsp; Those are great places to start and JTIIR submissions can come from all those sources.</p>



<p class="wp-block-paragraph">Have you solved a problem during your work that led to a significant impact on finding, tracking, or remediating cyber threats?</p>



<p class="wp-block-paragraph">Do you have unique insight or unique perspective on a substantial unsolved or controversial problem within threat intelligence and incident response?</p>



<p class="wp-block-paragraph">All of those are great areas to consider.</p>



<h2 class="wp-block-heading">I’ve Submitted to a Conference, Why Should I Submit to a Journal?</h2>



<p class="wp-block-paragraph">First, great job! Thank you for <em>contributing anywhere</em> for the benefit of the community.</p>



<p class="wp-block-paragraph">A conference is a great place to share ideas but rarely are they good places to <em>archive</em> ideas so that they’re relied upon years later. &nbsp;Some conferences stream or post their conference presentations but many do not.&nbsp; Nor are conference presentations reviewed for content accuracy and rigor.</p>



<p class="wp-block-paragraph">We encourage you to not only give conference presentations but then consider writing your content up in journal form so that it can be further strengthened through review and archived and shared far into the future.</p>



<h2 class="wp-block-heading">How Long Does It Need to Be?</h2>



<p class="wp-block-paragraph">As long as it needs to be is the only answer.&nbsp; Length is never a consideration for acceptance.&nbsp; In fact, THE SHORTER THE BETTER.</p>



<p class="wp-block-paragraph">I personally <em>recommend</em> that for an articles with the greatest impact to target between 4 and 10 pages.</p>



<h2 class="wp-block-heading">How Should I Start Writing a Journal Article?</h2>



<p class="wp-block-paragraph">Start simply.&nbsp; Just state the problem you had or the problem you see.&nbsp; Then state your solution.&nbsp; Try to make that no more than 3 or 4 sentences. Forget formatting or length.</p>



<p class="wp-block-paragraph">Imagine a person pulled up a chair next to you and with wide eyes asked you “how did you do that?!” I like to call this part, “The Journey.”</p>



<p class="wp-block-paragraph">Now, just tell them.</p>



<p class="wp-block-paragraph">When you’re done go back and break up the journey into 3-5 parts.  You can call these “sections.” And now examine if each section is sufficient. Imagine the person next you asks, “can you tell me more about that?” And, &#8220;why did that work? Would it work for me?&#8221; Provide a little more insight and evidence that what you did worked and would likely work for others.  Have others tried it too and did it work? We call this &#8220;rigor.&#8221; </p>



<p class="wp-block-paragraph">Start finding external references – search for others who’ve worked on something similar and inject those where they fit.</p>



<p class="wp-block-paragraph">Now, look deeper for related work. Has anyone else written anything similar to what you&#8217;re discussing?  Most likely they have &#8211; write that up in a few paragraphs into a &#8220;Prior Works&#8221; section.</p>



<p class="wp-block-paragraph">Write an introduction, paint a picture for your audience. How did you &#8220;find&#8221; the problem? How common is the problem you&#8217;re describing? What would be the benefit of solving it?</p>



<p class="wp-block-paragraph">Write a conclusion, take your introduction and turn it around &#8211; start with your solution (&#8220;here is what we did&#8221;) and then end with the problem statement (&#8220;and we&#8217;ve shown this approach to effectively do X&#8221;).</p>



<p class="wp-block-paragraph">Lastly, go back to the top where you write those originally 3-4 sentences and you’re going to turn that into an “abstract.” All you do is state the problem, provide a sentence for each of the 3-5 parts, then state the value of what you’ve done.&nbsp; Now CUT!&nbsp; Cut it down to 150 words or less.</p>



<p class="wp-block-paragraph">Congratulations! You’re basically done! You should have all the ingredients of a Journal article.  An abstract, introduction, prior works, 3-5 sections describing your solution along with citations and evidence, and a conclusion.</p>



<p class="wp-block-paragraph">The hardest part is to format what you’ve done using this <strong><a href="https://digitalcommons.calpoly.edu/jtiir/styleguide.html">Style Guide</a></strong>.</p>



<h2 class="wp-block-heading">Do I Need to Write the Whole Thing?</h2>



<p class="wp-block-paragraph">NO!</p>



<p class="wp-block-paragraph">Writing a “article” is a scary endeavor. It’s not easy for most of us (including me).</p>



<p class="wp-block-paragraph">Plus, you may not be willing to make a commitment.&nbsp; What if you spend weeks writing an article and it gets rejected? Nobody wants that.</p>



<p class="wp-block-paragraph">You can submit just an abstract, draft, or outline and the editors will provide you feedback on (1) whether the idea is a fit and (2) whether it approaches the problem and topic properly for a journal article.</p>



<p class="wp-block-paragraph"><em>However</em>, the more of an article you provide – even just a draft or outline, the more we can evaluate and provide more valuable feedback.</p>



<p class="wp-block-paragraph"><strong>But</strong>, I fully and personally recommend you try to write the whole thing before you submit.&nbsp; The reason? Because in the end you’ll have a fabulous piece of work you can submit or post elsewhere even if not in the JTIIR.&nbsp; Plus, if you’ve not written a journal article, or have had little practice, I suggest you try it!</p>



<h2 class="wp-block-heading">How Do I Submit?</h2>



<p class="wp-block-paragraph">When you’re ready you’ll create an account and submit <strong><a href="https://digitalcommons.calpoly.edu/cgi/login.cgi?return_to=https%3A%2F%2Fdigitalcommons.calpoly.edu%2Fcgi%2Fsubmit.cgi%3Fcontext%3Djtiir&amp;context=jtiir">HERE</a></strong>.</p>



<h2 class="wp-block-heading">After I Submit, What Happens Next?</h2>



<p class="wp-block-paragraph">First, your name is entirely removed from the submission.&nbsp; We won’t know who you are to prevent bias.</p>



<p class="wp-block-paragraph">Next, your submission will be evaluated as to its fit for the purpose of the journal.&nbsp; We won’t be evaluating you or your idea.&nbsp; We need to make sure your submission is within our scope which you can find here.</p>



<p class="wp-block-paragraph">Then comes the biggest part: your submission will be sent to two or more reviewers.&nbsp; We try to match your subject with the reviewers that have the greatest experience in that area.&nbsp; The reviewers will then provide feedback and recommendations that you’ll receive.</p>



<p class="wp-block-paragraph">An editor will then consider the reviewer’s comments and recommendations and decide whether to accept your submission.&nbsp; There are several categories: accept with no revisions, accept with minor revisions, accept with significant revisions, or reject.</p>



<p class="wp-block-paragraph">Finally, if you’re accepted then your article will be scheduled. It’s important to understand that we are limited to a reasonable number of articles in each issue.&nbsp; Therefore, your submission may be accepted but scheduled for a later issue. This is common for any journal.</p>
<p>The post <a href="https://www.threatintel.academy/writing-your-first-journal-article-jtiir/">Writing Your First Journal Article and Submitting to the Journal of Threat Intelligence and Incident Response</a> appeared first on <a href="https://www.threatintel.academy">Threat Intelligence Academy</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">655</post-id>	</item>
		<item>
		<title>Combining the Diamond Model, Kill Chain, and ATT&#038;CK</title>
		<link>https://www.threatintel.academy/diamond-model-kill-chain-attack/</link>
		
		<dc:creator><![CDATA[Sergio Caltagirone]]></dc:creator>
		<pubDate>Fri, 07 Aug 2020 17:10:41 +0000</pubDate>
				<category><![CDATA[Moderately Confident]]></category>
		<category><![CDATA[ATT&CK]]></category>
		<category><![CDATA[diamond model]]></category>
		<category><![CDATA[frameworks]]></category>
		<category><![CDATA[killchain]]></category>
		<category><![CDATA[models]]></category>
		<guid isPermaLink="false">https://www.threatintel.academy/?p=345</guid>

					<description><![CDATA[<p>Learn how the Diamond Model, Kill Chain, and MITRE ATT&#038;CK models are complementary and help analysts and organizations maximize their cybersecurity defense.</p>
<p>The post <a href="https://www.threatintel.academy/diamond-model-kill-chain-attack/">Combining the Diamond Model, Kill Chain, and ATT&#038;CK</a> appeared first on <a href="https://www.threatintel.academy">Threat Intelligence Academy</a>.</p>
]]></description>
										<content:encoded><![CDATA[		<div data-elementor-type="wp-post" data-elementor-id="345" class="elementor elementor-345" data-elementor-post-type="post">
						<section class="elementor-section elementor-top-section elementor-element elementor-element-b124dd3 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="b124dd3" data-element_type="section" data-e-type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-fe4e25a" data-id="fe4e25a" data-element_type="column" data-e-type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-a9314bc elementor-drop-cap-yes elementor-drop-cap-view-default elementor-widget elementor-widget-text-editor" data-id="a9314bc" data-element_type="widget" data-e-type="widget" data-settings="{&quot;drop_cap&quot;:&quot;yes&quot;}" data-widget_type="text-editor.default">
									<p><a href="https://www.threatintel.academy/diamond/">Diamond Model</a>, <a href="https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf">Kill Chain</a>, and <a href="https://attack.mitre.org/">MITRE ATT&amp;CK</a> Oh My! So many models to choose. Luckily, you do not have to choose. These three seminal cybersecurity and intrusion analysis models are not conflicting, in fact, they are complementary, you use all three – together.</p><p>The Diamond Model is for analysts to hunt, pivot, analyze, group, and structure mitigation for intrusions. (<a href="https://www.threatintel.academy/diamond/">Diamond Model of Intrusion Analysis</a>)</p><p>The Kill Chain is a phase-structured detection and defense-in-depth against adversary operations ensuring a broadly capable cybersecurity defense. (<a href="https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf">Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains</a>)</p><p>The MITRE ATT&amp;CK framework classifies adversary tactics and techniques to “convey threat intelligence, perform testing through red teaming or adversary emulation, and improve network and system defenses against intrusions.” (<a href="https://attack.mitre.org/">MITRE ATT&amp;CK™: Design and Philosophy</a>)</p><p>Each model has different, but interrelated, use cases and by combining them an organization can build a more effective cyber defense program. Here are some examples of how you can combine these models:</p><p><strong>Diamond “Phase” Meta-feature Maps Malicious Events to the Kill Chain</strong> As analysts discover malicious activity using the Diamond Model’s 720 hunting strategies, they can organize the activity by Kill Chain using the Diamond Model phase meta-feature.  Importantly, Diamond Model Axiom 4 states, “<em>every malicious activity contains two or more phases which must be successfully executed in succession to achieve the desired result</em>.”  For most analysts, the Kill Chain is the intrusion phase model they use to organize malicious events.</p><p><strong>Diamond Activity Thread Analysis Uses the Kill Chain Phase Ordering</strong> Analysts naturally form Diamond Model Activity Threads when associating events. An Activity Thread is a Kill Chain phase-ordered causally linked set of malicious events which help analysts identify intelligence gaps and new hypotheses.</p><p><strong>MITRE ATT&amp;CK Tactics are Kill Chain Phases</strong> The ATT&amp;CK framework classifies malicious activity into tactics and techniques. The ATT&amp;CK tactics are a phase-ordered Kill Chain. While ATT&amp;CK utilizes different phases for their framework from the original Kill Chain paper (as do many organizations and analysts), the specific phases are not the defining feature of the Kill Chain but rather the approach and methodology.</p><p><strong>MITRE ATT&amp;CK Techniques Describe Diamond Model “Methodology” Meta-feature</strong> The Diamond Model long lacked a consistent and effective taxonomy for classifying malicious behavior and methodology until MITRE ATT&amp;CK even through the model had a “place holder” for such a momentous occasion. Analysts can use the Diamond Model “methodology” meta-feature to classify the behavior of each event for further analysis and inclusion in detection and mitigation strategies.</p><p><strong>Threat Hunting with the Diamond Model Yields New ATT&amp;CK Tactics and Techniques</strong> The ATT&amp;CK taxonomy requires that analysts have previously discovered and analyzed a malicious technique prior to its inclusion in ATT&amp;CK. Using the Diamond Model’s threat hunting “approaches” and threat hunting strategies analysts can more efficiently find new threats for ATT&amp;CK classification. Anyone is welcome to submit new ATT&amp;CK tactics and techniques here.</p><p>In summary, make sure you are using the full features of these models together to maximize cyber defense operations:</p><ul><li>Diamond Model malicious events are mapped to the Kill Chain using the “phase” meta-feature, which is also the ATT&amp;CK tactic.</li><li>Diamond Model malicious events are mapped to ATT&amp;CK techniques using the “methodology” meta-feature.</li><li>Diamond Model Activity Threads use the Kill Chain analysis to develop defense and detection-in-depth strategies including “vertical correlation” for hunting hypothesis development.</li><li>ATT&amp;CK tactics are a phase-ordered Kill Chain.</li><li>Analysts threat hunting with the Diamond Model approaches and strategies will find new malicious techniques to complete the ATT&amp;CK taxonomy.</li></ul><p>All three models work together to enable the development of comprehensive hunting, detection, defense, and mitigation strategies. We will discuss how these models can be used cooperatively in strategy development and why it is no coincidence these models are so well intertwined in future Moderately Confident posts.  Stay tuned!</p>								</div>
					</div>
		</div>
					</div>
		</section>
				<section class="elementor-section elementor-top-section elementor-element elementor-element-5d11234 elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="5d11234" data-element_type="section" data-e-type="section">
						<div class="elementor-container elementor-column-gap-default">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6923611" data-id="6923611" data-element_type="column" data-e-type="column">
			<div class="elementor-widget-wrap elementor-element-populated">
						<div class="elementor-element elementor-element-eb0a747 elementor-position-top elementor-widget elementor-widget-image-box" data-id="eb0a747" data-element_type="widget" data-e-type="widget" data-widget_type="image-box.default">
					<div class="elementor-image-box-wrapper"><figure class="elementor-image-box-img"><img loading="lazy" decoding="async" loading="lazy" width="300" height="200" src="https://i0.wp.com/www.threatintel.academy/wp-content/uploads/2020/05/close-up-of-hand-holding-diamonds-1024952992-5b821835c9e77c004f663bb2.jpg?fit=300%2C200&amp;ssl=1" class="attachment-medium size-medium wp-image-127" alt="" srcset="https://i0.wp.com/www.threatintel.academy/wp-content/uploads/2020/05/close-up-of-hand-holding-diamonds-1024952992-5b821835c9e77c004f663bb2.jpg?w=768&amp;ssl=1 768w, https://i0.wp.com/www.threatintel.academy/wp-content/uploads/2020/05/close-up-of-hand-holding-diamonds-1024952992-5b821835c9e77c004f663bb2.jpg?resize=300%2C200&amp;ssl=1 300w, https://i0.wp.com/www.threatintel.academy/wp-content/uploads/2020/05/close-up-of-hand-holding-diamonds-1024952992-5b821835c9e77c004f663bb2.jpg?resize=400%2C267&amp;ssl=1 400w" sizes="auto, (max-width: 300px) 100vw, 300px" /></figure><div class="elementor-image-box-content"><h3 class="elementor-image-box-title">Diamond Model of Intrusion Analysis Course</h3><p class="elementor-image-box-description">This topic and dozens more are covered in the Diamond Model of Intrusion Analysis course</p></div></div>				</div>
				<div class="elementor-element elementor-element-56ce866 elementor-align-center elementor-widget elementor-widget-button" data-id="56ce866" data-element_type="widget" data-e-type="widget" data-widget_type="button.default">
										<a class="elementor-button elementor-button-link elementor-size-sm" href="https://school.threatintel.academy/courses/diamond?utm_source=moderatelyconfident&#038;utm_medium=post&#038;utm_campaign=diamondkillchainattack">
						<span class="elementor-button-content-wrapper">
									<span class="elementor-button-text">Free Preview</span>
					</span>
					</a>
								</div>
					</div>
		</div>
					</div>
		</section>
				</div>
		<p>The post <a href="https://www.threatintel.academy/diamond-model-kill-chain-attack/">Combining the Diamond Model, Kill Chain, and ATT&#038;CK</a> appeared first on <a href="https://www.threatintel.academy">Threat Intelligence Academy</a>.</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">345</post-id>	</item>
	</channel>
</rss>
