The Cyber5 Podcast

EP63: Defining Metrics for Attribution in Cyber Threat Intelligence and Investigations

Episode 63 | January 19, 2022

In episode 63 of The Cyber5, we are again joined by Sean O’Connor, Head of Global Cyber Threat Intelligence for Equinix.


Episode 63 | January 19, 2022

In episode 63 of The Cyber5, we are again joined by Sean O’Connor, Head of Global Cyber Threat Intelligence for Equinix.


We discuss attribution in the cyber threat intelligence and investigation space, and what the private sector can learn from public sector intelligence programs. We also discuss different levels of attribution, the outcomes, and the disruption campaigns that are needed to make an impact on cybercriminals around the world. We define the impact of attribution with different stakeholders throughout the business and how the intelligence discipline will likely evolve over the next five to 10 years.

Here are the 5 Topics We Cover in This Episode:

1) Lessons For Private Sector Intelligence Teams from Public Sector National Security Apparatus (Intelligence Life Cycle, MITRE ATT&CK, Cyber Kill Chain):

Many cybersecurity best practices and frameworks originate from the US public sector:

  • Intelligence life cycle: Defining priorities and communicating intelligence to stakeholders
  • Lockheed Martin Cyber Kill Chain: Defining broad malicious actions in IT networks
  • MITRE ATT&CK Framework: Identifying more specific malicious movements in IT networks
  • Structured analytical techniques by CIA analysts, such as Richard Kerr.

2) Attribution is Critical in Cybersecurity to Warrant an Action: 

Attribution to cyber threat actors by industry is still important as a starting point to derive appropriate controls for the SOC and the CERT within a large organization. How these threats pose a risk of monetary loss are important elements of context when providing these threats to business executives. Here are two typical starting points:

  • Review phishing telemetry for common TTPs and create rule-based detections based on phishing infrastructure used by actors. 
  • External threat landscape assessment for TTPs resulting in targeted threat hunts for most notorious ransomware gangs. Creating custom detections is typically the outcome until the appropriate disruptions can be put in place.

3) Disruption Campaigns Happen with Successful Information Sharing

Successful disruption campaigns come from non-public information sharing between vendors, enterprises, and public sector institutions like CISA or the FBI. They typically do not originate from marketing blog posts.

4) Threat Intelligence is a Service-Based Role that Goes Beyond the SOC

Success in cybersecurity (SOC and CERT) is keeping security incidents limited to “events” and ensuring they do not escalate into breaches. This occurs from multiple stakeholders having the proper visibility to ensure network telemetry is complete, accurate, and truthful. However, due to the services nature of intelligence work, it goes beyond just the SOC.

5) Threat Intelligence Should be a Floating Team to the Business

Threat intelligence should be a floating team that can operate outside of the SOC and is an asset to the overall business, not just limited to combating cyber threats. Often executives want intelligence on mergers and acquisitions and market entry in a given geopolitical area, and threat analysis needs to be tailored to different customers. A Chief Intelligence Officer may be more widely accepted in the future as the needs of the business expand and diversify.


Listen to other podcast episodes