@cgoncalves

2/2:

effort that your CTI team spent understanding this threat actor and TTPs, but efforts your DE team needed to re-do to initiate DE, because, and here's the totally over the top conclusion we've come to: Most CTI teams actually don't produce actionable output that's actionable for DE teams.

Sorry if it sounds provoking. Not the intention.

@claushoumann Hey, thanks for bringing this up, it’s definitely not provoking! In my organization, the DE tasks are handled by our SOC teams. When I mention the blue team in my talk, it's just a general term, we actually have six teams focused on defense and incident response.

You make a great point that CTI data might not always be useful for defenders, and this was something I was concerned about when I took over the CTI team. In our early rounds of purple teaming, we noticed that our defense success was getting worse. Collaboration wasn't great, and the defense teams ended up with a pile of reports that weren't helpful.

That's when we decided to switch things up and get all the teams directly involved in the purple teaming exercises. Now, DE is done by defenders within one of our SOC teams, working together with the other teams - CTI, incident response and red team - during these exercises. We only move to the next exercise when all the DE tasks are done, even if it means that the detection team says that they can't do anything with what we have now.

That's how we're trying to make all the data - from CTI insights to red team activities - actually meaningful and actionable for our defense and risk teams.

@cgoncalves oho-ho that sounds brilliant. You’re gonna love #OpenTIDE. Check out the slides and release blog and after that ping me for a private demo if you want, it honestly needs that.
@cgoncalves Choke point analysis is good, as such, right? It's interesting from a POV of 'where can we get the most detection coverage from the least amount of detections deployed'; where it struggles is in that if you deploy non-correlation detections for 'process injection' without understanding the detailed (OpenTIDE/Atomic Red Team levels of granularity) different attack vectors used for process injection, you're actually choosing an unknown level of false negatives for a known FP level.
@cgoncalves Additionally, working at the abstraction level of MITRE ATT&CK is great, in theory. In reality, it abstracts away from the actionability that DE teams need to avoid duplication of efforts.