Sergio began his career doing threat intelligence at the NSA and is now the VP of Threat Intel at Dragos. In this episode we focus on where the data for threat intel is obtained, how the threat intel product is created, and how an ICS asset owner should use it.
- Where are the data 'mines' in which the raw data is available, and how do you find the nuggets?
- What is a typical threat intel product / set of information?
- Does threat intel include attribution (who the threat actor(s) are)? What is the difference between a threat actor and what Sergio calls an activity group? Is this important for the asset owner to know?
- How do you determine when you have enough completeness and accuracy to write and deliver threat intel product?
- How do you define the accuracy of a threat intel report or specific findings in a report?
- How would an asset owner use threat intel? Is it actually providing new recommendations that a good ICS security program wouldn't already prioritize?
- Customers should drive threat intel through their questions so they can make better business decisions.
Links
Sergio’s Industrial Control Threat Intelligence Paper
OnRamp: 101-Level ICS Security Workshop Registration (started on March 18th)