Joe Slowik says we should rethink how we do CTI. I like this a lot, as I see a lot of money being poured out for CTI where the benefits are at best unquantifiable and at worst not there.

Intelligence Poverty and the Commercial Data Economy https://pylos.co/2025/09/01/intelligence-poverty-and-the-commercial-data-economy/ #General, #ThreatIntelligence

@claushoumann folks like Jerry Gamblin have argued for a while that most teams don’t have a need and certainly aren’t equipped to actually use most CTI (like Jerry has argued that attribution is likely useless for most purposes).

This aligns with my thoughts as well: most teams have no intel loops, have no output consumers, no real need for most TI products, beyond maybe some RFIs during certain operation types.

Turns out maturity models still ruin everything around us…

@lojikil I must admit I am on the same side of the fence here. I see much money spent, few results/outcomes and even less actionable

@claushoumann I think we need to measure ourselves on e.g. the Hunt Maturity Model and be honest about what our capabilities are vis-à-vis our budget. I think you’re right, we don’t really need it for most shops. Heck, @circl probably provides enough for most folks’ needs, if they even have a need.

@lojikil

For us, the major issues are still the basics, such as infrastructure exposure, and maintaining an inventory of software or third-party services.

As an example, we provide vulnerability.circl.lu, where organisations can register their software/vendors for notifications, but many still fail at that level.

In "hunting" (detection engineering), the main challenge is often the basic TI (from free MISP communities) integration with existing equipment and services.

@claushoumann